Trojan.NSIS.StartPage_a0b7a72292

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

bddownloader.exe:3092
shandian.exe:1480
dudu_b_55045.exe:668
BDDownloader.exe:3960
BDDownloader.exe:3520
regsvr32.exe:1936
BDKVWsc.exe:2740
RegSvr32.exe:468
RegSvr32.exe:3168

The Trojan injects its code into the following process(es):

shandian.exe:2548
pczh_98_2.exe:3228
%original file name%.exe:2644
sdad.exe:304
F30241_s_0523.exe:544
ionrkf_70688.exe:280

Mutexes

The following mutexes were created/opened:

ShimCacheMutex!IETld!MutexZonesLockedCacheCounterMutexZoneAttributeCacheCounterMutexZonesCacheCounterMutexZonesCounterMutexRasPbFileWininetConnectionMutexWininetProxyRegistryMutexWininetStartupMutexc:!documents and settings!adm!local settings!history!history.ie5!c:!documents and settings!adm!cookies!c:!documents and settings!adm!local settings!temporary internet files!content.ie5!_!MSFTHISTORY!_SMAPLE_MUTEXCTF.TimListCache.FMPDefaultS-1-5-21-796845957-1563985344-1801674531-1003MUTEX.DefaultS-1-5-21-796845957-1563985344-1801674531-1003CTF.TMD.MutexDefaultS-1-5-21-796845957-1563985344-1801674531-1003CTF.Layouts.MutexDefaultS-1-5-21-796845957-1563985344-1801674531-1003CTF.Asm.MutexDefaultS-1-5-21-796845957-1563985344-1801674531-1003CTF.Compart.MutexDefaultS-1-5-21-796845957-1563985344-1801674531-1003CTF.LBES.MutexDefaultS-1-5-21-796845957-1563985344-1801674531-1003

File activity

The process shandian.exe:1480 makes changes in the file system.

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\~DF34A5.tmp (0 bytes)

The process shandian.exe:2548 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\desktop.ini (67 bytes)
%Program Files%\shandian\bin\twcache.ini (1392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\123_sogou_com[1].txt (15456 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\newioage[1].css (715 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\welcome_cn[1].htm (1469 bytes)
%Program Files%\shandian\bin\shandian.ini.tmp (244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\desktop.ini (67 bytes)
%Program Files%\shandian\bin\theworld.ac (196 bytes)

The Trojan deletes the following file(s):

%Program Files%\shandian\bin\shandian.ini (0 bytes)

The process pczh_98_2.exe:3228 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsfBF.tmp\NSISdl.dll (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvBE.tmp (21176 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsfBF.tmp\Base64.dll (4 bytes)
%Documents and Settings%\%current user%\Templates\2920146065436\YYM_955WD30.gif (911 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsfBF.tmp\System.dll (11 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nskBD.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsfBF.tmp (0 bytes)
%Documents and Settings%\%current user%\Templates\2920146065436\YYM_955WD30.gif (0 bytes)

The process %original file name%.exe:2644 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Program Files%\shandian\ico\360.ico (32 bytes)
%Documents and Settings%\%current user%\Desktop\Internet Explorer.lnk (1 bytes)
%Program Files%\shandian\bin\shandian.ini (74 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\stat[1].htm (2 bytes)
%Program Files%\shandian\bin\shandian.exe (28283 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nslB3.tmp\System.dll (11 bytes)
%Program Files%\shandian\ico\ie.ico (700 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\ionrkf_70688[1].rar (9606 bytes)

&name&mac&md5

<&

<<

<<<>>>

<><><><><><><><><><><><><><

<<

<<<>>>

<><><><><><><><><><><><><><

<<

<<<>>>

<&

<<

<<<>>>

<<

<<<>>>

<><><><><><>&&<&&&&l

<<

<<<>>>

&guid&lastver

<><><><><><><><><><> <><><><><><><><><><><><><><><><><><><><><><><><> <><><><><><><><><><> <><><><><><>

<<

<<<>>>

&guid&lastver

&ac&name&mac&md5

<<

<<<>>>

<><><><><><><><><><>

&ac&name&mac&md5

<<

<<<>>>

&>&&&V...N..7..............g4S.....n...><>&&<>>&<&y.s....._.5.S.....V....&<

<<

<<<>>>

&mainver&popver&xmlver

<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><

<<

<<<>>>

&mainver&popver&xmlver

<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><

<<

<<<>>>

<>"

<>"

""

""

""

""

""

""

   <""""><>

   <""""><>

<

<

"

"

""

""

""

""

<""""""><""""><""""""""><><><><><""""""""""""><><><""><><><""""><><><><""><><""><""><><><>

<""""""><""""><""""""""><><><><><""""""""""""><><><""><><><""""><><><><""><><""><""><><><>

<

<

<

<

"

"

""

""

""""

""""