HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Variant.Daytre.2 (B) (Emsisoft), Gen:Variant.Daytre.2 (AdAware), Trojan-PSW.Win32.Zbot.4.FD, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 4b81f6760846a650d5f4fc8e618ade24
SHA1: 43782b0317f61378ff70591288ce681e8b2cad31
SHA256: 2501a25475809358b3a67e9349799a669a19b5ecf5080eec87408d2c670ab0e0
SSDeep: 384:xcIcdOMh7XUFqffXIxwOfK9cSQJvlnjI8:xc9dOMRQUSwOftJvljI8
Size: 16752 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2013-12-23 22:47:40
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan-PSW. Trojan program intended for stealing users' passwords.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
ewajo.exe:456
%original file name%.exe:1816
papers.exe:1768
paper.exe:164
The Trojan injects its code into the following process(es):
Explorer.EXE:1140
Mutexes
The following mutexes were created/opened: No objects were found.
File activity
The process ewajo.exe:456 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\NTUSER.DAT.LOG (6096 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT (5036 bytes)
The process %original file name%.exe:1816 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\papers.exe (16 bytes)
The process papers.exe:1768 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\pdf[1].exe (1765 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004 (408 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\paper.exe (1765 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab1.tmp (54 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004 (18 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar2.tmp (2712 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\Tar2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab1.tmp (0 bytes)
The process paper.exe:164 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\PKQCA10.bat (173 bytes)
%Documents and Settings%\%current user%\Application Data\Oluli\ewajo.exe (3557 bytes)
Registry activity
The process ewajo.exe:456 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "ED 78 0D CF 03 33 3D 42 A7 56 0F 9B C2 63 9C 5B"
[HKCU\Software\Microsoft\Noobewelo]
"3012ei14" = "Du6qjAK0IhE2dHkZde qVnXmvqLLHQDnMCM="
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
The process %original file name%.exe:1816 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "92 1B 91 05 42 6B 4D D4 97 D0 9F 31 28 26 BB 99"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKLM\SOFTWARE\Microsoft\Direct3D\MostRecentApplication]
"Name" = "%original file name%.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"papers.exe" = "papers"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The process papers.exe:1768 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5F 0C 20 68 34 59 9A 57 69 5E 82 32 0C 79 8C F5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Direct3D\MostRecentApplication]
"Name" = "papers.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"paper.exe" = "paper"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process paper.exe:164 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "74 0F D0 57 48 0C 2D 23 01 99 09 5F 0E 53 B8 19"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
Dropped PE files
MD5 | File path |
---|---|
5c83ae880ab9c2f6f04ed4aed08a1853 | c:\Documents and Settings\"%CurrentUserName%"\Application Data\Oluli\ewajo.exe |
9631349af358f24d5bd75597c905e584 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\papers.exe |
a549d4e7a7687f00b72c61d1a4025442 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\pdf[1].exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
The Trojan installs the following user-mode hooks in WININET.dll:
HttpSendRequestExA
HttpSendRequestW
InternetReadFileExA
InternetWriteFile
InternetWriteFileExA
InternetQueryDataAvailable
HttpQueryInfoW
HttpSendRequestExW
InternetReadFile
HttpQueryInfoA
HttpSendRequestA
InternetCloseHandle
The Trojan installs the following user-mode hooks in CRYPT32.dll:
PFXImportCertStore
The Trojan installs the following user-mode hooks in USER32.dll:
GetClipboardData
TranslateMessage
The Trojan installs the following user-mode hooks in Secur32.dll:
DecryptMessage
SealMessage
DeleteSecurityContext
The Trojan installs the following user-mode hooks in WS2_32.dll:
WSAGetOverlappedResult
WSASend
recv
gethostbyname
WSARecv
send
closesocket
freeaddrinfo
getaddrinfo
GetAddrInfoW
The Trojan installs the following user-mode hooks in ntdll.dll:
LdrLoadDll
NtCreateThread
Propagation
Removals
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
ewajo.exe:456
%original file name%.exe:1816
papers.exe:1768
paper.exe:164
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\NTUSER.DAT.LOG (6096 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\papers.exe (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\pdf[1].exe (1765 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004 (408 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\paper.exe (1765 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab1.tmp (54 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004 (18 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar2.tmp (2712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\PKQCA10.bat (173 bytes)
%Documents and Settings%\%current user%\Application Data\Oluli\ewajo.exe (3557 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 3708 | 4096 | 4.15439 | 6035f1db60eb6e699a8c2520f9fa70cd |
.rdata | 8192 | 796 | 1024 | 3.41828 | c4e333bdccd37eebc1587dc65a855fb2 |
.data | 12288 | 3016 | 3072 | 4.52949 | 369eba19d8fc4a98e9e2cb0dfc7ddc9d |
.rsrc | 16384 | 4356 | 4608 | 3.39952 | a1e93edc22a25a7d129e61b92ac41db4 |
Network Activity
URLs
URL | IP |
---|---|
hxxp://a26.d.akamai.net/msdownload/update/v3/static/trustedr/en/authrootseq.txt | |
hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt | 205.237.69.74 |
backpackinglight.com.au | 69.4.235.215 |
littlepaperlane.com.au | 206.190.139.245 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /msdownload/update/v3/static/trustedr/en/authrootseq.txt HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: VVV.download.windowsupdate.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
HTTP/1.1 200 OK
Content-Type: text/plain
Last-Modified: Wed, 12 Mar 2014 05:29:31 GMT
Accept-Ranges: bytes
ETag: "806f4cbb43dcf1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 18
Date: Sun, 27 Jul 2014 14:09:14 GMT
Connection: keep-alive
X-CCC: US
X-CID: 2
1401CF3DB40B609892
Strings from Dumps
Explorer.EXE_1140_rwx_020F0000_00048000: