HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Generic.KDZ.6733 (B) (Emsisoft), Trojan.Generic.KDZ.6733 (AdAware), GenericInjector.YR (Lavasoft MAS)Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: dfdb05db93a05ac2ae375a6be02025a9
SHA1: ae8cc95631e676f410a450ae79a7b35f1498823e
SHA256: 0b6f44900b66b7a6b29095bfde59feb20cb67304867c9ee922e9ce8fe35b0425
SSDeep: 6144:tIvztllzdRarT Kg8LGTMJMu71vXdjkJOKVCwTow:tIJZRarm4GTYJvXdgJOv
Size: 285696 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: to generous of
Created at: 2013-01-02 16:20:41
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
%original file name%.exe:3664
yhjyf.exe:3880
The Trojan injects its code into the following process(es):No processes have been created.
Mutexes
The following mutexes were created/opened:No objects were found.
File activity
The process %original file name%.exe:3664 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\Oqygfi\yhjyf.exe (285 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp8995d98c.bat (177 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Application Data\Oqygfi\yhjyf.exe (0 bytes)
Registry activity
The process %original file name%.exe:3664 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F5 97 5B 1E FD 61 51 45 FC 66 7B 7B B4 7F 0A 1D"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
The process yhjyf.exe:3880 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "57 19 0D 4C F6 2D C3 08 C3 F3 F9 93 1C 9D DC AE"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKCU\Software\Microsoft\Ryuka]
"24e32cg8" = "WvyfWrUXxsCPTQ7ohb84a9gJ"
Dropped PE files
| MD5 | File path |
|---|---|
| 1d73a1fe0520083136525a0f94c71b0f | c:\Documents and Settings\"%CurrentUserName%"\Application Data\Oqygfi\yhjyf.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
The Trojan installs the following user-mode hooks in WININET.dll:
HttpSendRequestExW
HttpSendRequestExA
InternetWriteFile
InternetReadFileExA
InternetReadFileExW
HttpSendRequestA
HttpSendRequestW
InternetQueryDataAvailable
HttpQueryInfoW
InternetCloseHandle
HttpQueryInfoA
InternetReadFile
The Trojan installs the following user-mode hooks in CRYPT32.dll:
PFXImportCertStore
The Trojan installs the following user-mode hooks in USER32.dll:
GetClipboardData
TranslateMessage
The Trojan installs the following user-mode hooks in Secur32.dll:
UnsealMessage
SealMessage
DeleteSecurityContext
The Trojan installs the following user-mode hooks in WS2_32.dll:
WSAGetOverlappedResult
WSASend
recv
WSARecv
send
closesocket
The Trojan installs the following user-mode hooks in ntdll.dll:
LdrLoadDll
NtCreateThread
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:3664
yhjyf.exe:3880 - Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Application Data\Oqygfi\yhjyf.exe (285 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp8995d98c.bat (177 bytes) - Reboot the computer.
Static Analysis
VersionInfo
No information is available.
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 4828 | 5120 | 3.46414 | bbcd388663e73caac18632b6cc780bab |
| .rdata | 12288 | 1142 | 1536 | 2.78426 | b8daa7ce830c059ae49e5159f21202bd |
| .data | 16384 | 10 | 512 | 0 | bf619eac0cdf3f68d496ea9344137e8b |
| .rsrc | 20480 | 276674 | 276992 | 5.53581 | 27f93a716845189f336cb9ef16a46544 |
| .reloc | 299008 | 4096 | 512 | 0 | bf619eac0cdf3f68d496ea9344137e8b |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 1
973d199c37dda094c08d5466b247b062
Network Activity
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The Trojan connects to the servers at the folowing location(s):