Trojan.Win32.Buzus.oepa (Kaspersky), Trojan.Downloader.JQEL (B) (Emsisoft), Trojan.Downloader.JQEL (AdAware), Trojan-PSW.Win32.Zbot.4.FD, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: dcb67a539af43913e2e4bec9ba658c22
SHA1: 432dde771b8502338b4e24f067d6b785f633d5dd
SHA256: 02b20aaad6f2763e76d212e34ba86b71b7772f09fefd7f72589b2c16b9851a43
SSDeep: 384:bAmt53ZsCQ4P GhplI 22rL7bJ0qLPXa0w1X jv9LLaPabo:bJHsCJ Ghg 22rL7bJ0qLPXa0NjF5s
Size: 21212 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company:
Created at: 2003-09-15 20:42:09
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan-PSW. Trojan program intended for stealing users' passwords.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan-PSW creates the following process(es):
budha.exe:3012
kilf.exe:3980
dasu.exe:1692
%original file name%.exe:2856
The Trojan-PSW injects its code into the following process(es):
Explorer.EXE:1948
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process budha.exe:3012 makes changes in the file system.
The Trojan-PSW creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\profile_main[1].exe (1694 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TarB3.tmp (2712 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004 (408 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CabB2.tmp (54 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TarB5.tmp (2712 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004 (18 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CabB4.tmp (54 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\kilf.exe (1694 bytes)
The Trojan-PSW deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\CabB4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CabB2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TarB3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TarB5.tmp (0 bytes)
The process kilf.exe:3980 makes changes in the file system.
The Trojan-PSW creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\Hyaqe\dasu.exe (2734 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\VOA7720.bat (171 bytes)
The process dasu.exe:1692 makes changes in the file system.
The Trojan-PSW creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\ntuser.dat.LOG (5592 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT (4788 bytes)
The process %original file name%.exe:2856 makes changes in the file system.
The Trojan-PSW creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\budha.exe (21 bytes)
Registry activity
The process budha.exe:3012 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "14 B9 3D DB 25 F3 BB A6 4B 55 B3 2B 95 F7 53 B1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"kilf.exe" = "Administrations und Wartungsprogramm fur SQLite Datenbankdateien"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 41 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
The Trojan-PSW modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Trojan-PSW modifies IE security zone settings so that all local web nodes with no dots that are not assigned to any zone are mapped to the Intranet Zone:
"UNCAsIntranet" = "1"
The Trojan-PSW modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:
"IntranetName" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan-PSW deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process kilf.exe:3980 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "44 50 58 17 37 31 ED A4 43 B4 4B B4 E8 C9 A0 D9"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
The process dasu.exe:1692 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "93 AE ED A6 DE B8 9F 44 26 AA 2E 27 08 EE 06 0D"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Wyufhoefbiab]
"2h7af223" = "ggbUhRd1PpWf2Q==ç¹$"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
The process %original file name%.exe:2856 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1E C3 A3 A3 61 A1 6A 2A 30 88 9D C9 46 C2 A0 F1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"budha.exe" = "budha"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Trojan-PSW modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Trojan-PSW modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:
"IntranetName" = "1"
The Trojan-PSW modifies IE security zone settings so that all local web nodes with no dots that are not assigned to any zone are mapped to the Intranet Zone:
"UNCAsIntranet" = "1"
Dropped PE files
MD5 | File path |
---|---|
4a7fd6ae85d964a883b38dd42f91d256 | c:\Documents and Settings\"%CurrentUserName%"\Application Data\Hyaqe\dasu.exe |
d611915ee96b7126f42bda5b05c7635e | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\budha.exe |
0154fecc492db496aa998636fc828e6d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\profile_main[1].exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
The Trojan-PSW installs the following user-mode hooks in WININET.dll:
HttpSendRequestExW
HttpSendRequestExA
InternetWriteFile
InternetReadFileExA
InternetReadFileExW
HttpSendRequestA
HttpSendRequestW
InternetQueryDataAvailable
HttpQueryInfoW
InternetCloseHandle
HttpQueryInfoA
InternetReadFile
The Trojan-PSW installs the following user-mode hooks in CRYPT32.dll:
PFXImportCertStore
The Trojan-PSW installs the following user-mode hooks in USER32.dll:
GetClipboardData
TranslateMessage
The Trojan-PSW installs the following user-mode hooks in Secur32.dll:
UnsealMessage
SealMessage
DeleteSecurityContext
The Trojan-PSW installs the following user-mode hooks in WS2_32.dll:
WSAGetOverlappedResult
WSASend
recv
gethostbyname
WSARecv
send
closesocket
freeaddrinfo
getaddrinfo
GetAddrInfoW
The Trojan-PSW installs the following user-mode hooks in ntdll.dll:
LdrLoadDll
NtCreateThread
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
budha.exe:3012
kilf.exe:3980
dasu.exe:1692
%original file name%.exe:2856
- Delete the original Trojan-PSW file.
- Delete or disinfect the following files created/modified by the Trojan-PSW:
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\profile_main[1].exe (1694 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TarB3.tmp (2712 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004 (408 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CabB2.tmp (54 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TarB5.tmp (2712 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004 (18 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CabB4.tmp (54 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\kilf.exe (1694 bytes)
%Documents and Settings%\%current user%\Application Data\Hyaqe\dasu.exe (2734 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\VOA7720.bat (171 bytes)
%Documents and Settings%\%current user%\ntuser.dat.LOG (5592 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT (4788 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\budha.exe (21 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 4881 | 5120 | 4.31273 | 5bd78445669a0ae4a1cc746b58415314 |
.data | 12288 | 6401 | 6656 | 2.50295 | 7d33a1ebe246d96662d74d4737d52af2 |
.idata | 20480 | 2400 | 2560 | 3.76867 | 31c85b4df47dddf1d035a6ecf4a20157 |
.rsrc | 24576 | 5252 | 5632 | 3.70321 | f66a95fae4a4cfef8a00b2f6cd60d056 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 112
Network Activity
URLs
URL | IP |
---|---|
hxxp://a26.d.akamai.net/msdownload/update/v3/static/trustedr/en/authrootseq.txt | |
hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt | 72.247.8.51 |
robotvacuumhut.com | 38.99.254.69 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /msdownload/update/v3/static/trustedr/en/authrootseq.txt HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: VVV.download.windowsupdate.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
HTTP/1.1 200 OK
Content-Type: text/plain
Last-Modified: Wed, 12 Mar 2014 05:29:31 GMT
Accept-Ranges: bytes
ETag: "806f4cbb43dcf1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 18
Cache-Control: max-age=10675
Date: Sat, 28 Jun 2014 08:11:43 GMT
Connection: keep-alive
X-CCC: CA
X-CID: 2
1401CF3DB40B609892
Map
The Trojan-PSW connects to the servers at the following location(s):
Strings from Dumps
Explorer.EXE_1948_rwx_023F0000_00048000:
.text
.text
`.data
`.data
.reloc
.reloc
Invalid parameter passed to C runtime function.
Invalid parameter passed to C runtime function.
)"4(7*</
!*< ?"4'
0123456789
userenv.dll
del "%s"
if exist "%s" goto d
del /F "%s"
http://www.google.com/
http://www.bing.com/
REPORT
gdiplus.dll
GdiplusShutdown
RegDeleteKeyExW
HTTP/1.1
m9.td
t.Ht$HHt
ntdll.dll
KERNEL32.dll
ExitWindowsEx
MsgWaitForMultipleObjects
GetKeyboardState
USER32.dll
CryptGetKeyParam
CryptImportKey
CryptDestroyKey
RegCreateKeyExW
RegCloseKey
RegQueryInfoKeyW
RegDeleteKeyW
RegOpenKeyExW
RegFlushKey
RegEnumKeyExW
ADVAPI32.dll
PathIsURLW
UrlUnescapeA
SHLWAPI.dll
ShellExecuteW
SHELL32.dll
Secur32.dll
ole32.dll
GDI32.dll
WS2_32.dll
PFXImportCertStore
CertDeleteCertificateFromStore
CertOpenSystemStoreW
CertCloseStore
CertEnumCertificatesInStore
CertDuplicateCertificateContext
PFXExportCertStoreEx
CRYPT32.dll
HttpSendRequestExA
HttpQueryInfoA
InternetCrackUrlA
HttpOpenRequestA
HttpEndRequestA
HttpAddRequestHeadersA
WININET.dll
OLEAUT32.dll
NETAPI32.dll
IPHLPAPI.DLL
VERSION.dll
msvcrt.dll
zcÁ
: :$:(:,:0:4:
7!7%7)7-7175797
4-5}5
:":(:3:9:
SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\%s
"%s" %s
/c "%s"
kernel32.dll
urlmon.dll
launchpadshell.exe
dirclt32.exe
wtng.exe
prologue.exe
pcsws.exe
fdmaster.exe
shell32.dll
\StringFileInfo\xx\%s
cabinet.dll
Wadvapi32.dll
%Documents and Settings%\%current user%\Application Data
%Documents and Settings%\%current user%\Local Settings\Application Data
Global\{01E22063-0823-4088-6532-C4CE7D78E7DC}