Trojan.Win32.Autoit.cve (Kaspersky), Trojan.AutoIT.Injector.AR (AdAware), Trojan-PSW.Win32.Zbot.6.FD, GenericInjector.YR, BackdoorCaphaw_QKKBAL.YR, TrojanPSWZbot.YR (Lavasoft MAS)Behaviour: Trojan-PSW, Trojan, Backdoor
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 07013bd44f17dc57808ed1b9d4a49dd0
SHA1: c5db3d68883e9b4eaedb540730ac65ddddd7f7a0
SHA256: d733904c6e81a4253c931bad5d0e262057f75a9b4f82041681cd4f5ef4be941b
SSDeep: 24576:gRmJkcoQricOIQxiZY1iayg/XT3vzJX3P Y3qvyfDyEM:VJZoQrbTFZY1iafXT/z1
Size: 1353251 bytes
File type: EXE
Platform: WIN32
Entropy: Probably Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2012-01-29 23:32:28
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan-PSW. Trojan program intended for stealing users passwords.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan-PSW creates the following process(es):
%original file name%.exe:484
%original file name%.exe:1808
mati.exe:260
mati.exe:972
The Trojan-PSW injects its code into the following process(es):
Explorer.EXE:532
File activity
The process %original file name%.exe:484 makes changes in the file system.
The Trojan-PSW creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\Gyyg\mati.exe (7386 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp1bd0c7cc.bat (177 bytes)
Registry activity
The process %original file name%.exe:484 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EC AB 9A CF B5 93 80 C0 50 05 DC 06 09 AF 63 29"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
The process %original file name%.exe:1808 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "25 66 03 84 3E 07 86 7F CC 06 05 C5 47 74 49 48"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Favorites" = "%Documents and Settings%\%current user%\Favorites"
The process mati.exe:260 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C4 16 A0 1A 5F C4 AB B2 F6 C7 41 AB 73 12 94 1E"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
The process mati.exe:972 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "10 CF 2B 10 62 74 A6 AE 2F FB B0 1C 00 78 6C 37"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Favorites" = "%Documents and Settings%\%current user%\Favorites"
Dropped PE files
| MD5 | File path |
|---|---|
| e8e4c4e313ad929dc309f1f96fb77d98 | c:\Documents and Settings\"%CurrentUserName%"\Application Data\Gyyg\mati.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
The Trojan-PSW installs the following user-mode hooks in WININET.dll:
HttpSendRequestExA
HttpSendRequestW
InternetReadFileExA
InternetQueryDataAvailable
HttpSendRequestExW
InternetReadFile
HttpQueryInfoA
HttpSendRequestA
InternetCloseHandle
The Trojan-PSW installs the following user-mode hooks in CRYPT32.dll:
PFXImportCertStore
The Trojan-PSW installs the following user-mode hooks in USER32.dll:
SetCursorPos
DefMDIChildProcA
DefFrameProcA
DefDlgProcA
GetClipboardData
DefMDIChildProcW
DefFrameProcW
GetUpdateRgn
RegisterClassA
GetDCEx
ReleaseCapture
SetCapture
DefWindowProcA
CallWindowProcA
GetUpdateRect
PeekMessageA
CallWindowProcW
GetMessagePos
GetCursorPos
EndPaint
BeginPaint
DefWindowProcW
RegisterClassExA
GetMessageA
DefDlgProcW
SwitchDesktop
OpenInputDesktop
RegisterClassExW
RegisterClassW
GetCapture
PeekMessageW
GetMessageW
GetWindowDC
TranslateMessage
GetDC
ReleaseDC
The Trojan-PSW installs the following user-mode hooks in WS2_32.dll:
WSASend
send
closesocket
The Trojan-PSW installs the following user-mode hooks in kernel32.dll:
GetFileAttributesExW
The Trojan-PSW installs the following user-mode hooks in ntdll.dll:
LdrLoadDll
NtCreateThread
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:484
%original file name%.exe:1808
mati.exe:260
mati.exe:972 - Delete the original Trojan-PSW file.
- Delete or disinfect the following files created/modified by the Trojan-PSW:
%Documents and Settings%\%current user%\Application Data\Gyyg\mati.exe (7386 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp1bd0c7cc.bat (177 bytes) - Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name: M90BJ85TD90G
Product Name: P70OC67LN67W
Product Version: 1,0,0,0
Legal Copyright: O80TQ70SD81H
Legal Trademarks:
Original Filename: W84EB82EQ72O
Internal Name:
File Version: X84KG80ZR81W
File Description: V67TM72BD68K
Comments:
Language: English (United States)
Company Name: M90BJ85TD90GProduct Name: P70OC67LN67WProduct Version: 1,0,0,0Legal Copyright: O80TQ70SD81HLegal Trademarks: Original Filename: W84EB82EQ72OInternal Name: File Version: X84KG80ZR81WFile Description: V67TM72BD68KComments: Language: English (United States)
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 525852 | 526336 | 4.63347 | 61ffce4768976fa0dd2a8f6a97b1417a |
| .rdata | 532480 | 57280 | 57344 | 3.32693 | 0354bc5f2376b5e9a4a3ba38b682dff1 |
| .data | 589824 | 108376 | 26624 | 1.49032 | 8033f5a38941b4685bc2299e78f31221 |
| .rsrc | 700416 | 187944 | 188416 | 4.41508 | 128f2a62108429ef4aeb169bec3050ab |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
| URL | IP |
|---|---|
| hxxp://pierjean-albrecht.com/wp_content/config.bin | 109.200.196.187 |
| hxxp://www.google.com/webhp | |
| hxxp://www.google.com/webhp?gfe_rd=cr&ei=RvmWU-OgB8Sc8Aaa7IC4BQ | |
| hxxp://www.google.com.ua/webhp?gfe_rd=cr&ei=RvmWU-OgB8Sc8Aaa7IC4BQ |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /webhp HTTP/1.1
Accept: */*
Connection: Close
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.google.com
Cache-Control: no-cache
HTTP/1.1 302 Found
Cache-Control: private
Content-Type: text/html; charset=UTF-8
Location: hXXp://VVV.google.com.ua/webhp?gfe_rd=cr&ei=RvmWU-OgB8Sc8Aaa7IC4BQ
Content-Length: 267
Date: Tue, 10 Jun 2014 12:25:42 GMT
Server: GFE/2.0
Alternate-Protocol: 80:quic
Connection: close
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">.<TITLE>302 Moved</TITLE></HEAD><BODY>.<H1>302 Moved</H1>.The document has moved.<A HREF="hXXp://VVV.google.com.ua/webhp?gfe_rd=cr&ei=RvmWU-OgB8Sc8Aaa7IC4BQ">here</A>...</BODY></HTML>....
GET /wp_content/config.bin HTTP/1.1
Accept: */*
Connection: Close
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: pierjean-albrecht.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Tue, 10 Jun 2014 12:25:24 GMT
Server: Apache/2.4.9 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 PHP/5.4.27
Last-Modified: Tue, 03 Jun 2014 17:55:16 GMT
ETag: "8686-4faf236e66c66"
Accept-Ranges: bytes
Content-Length: 34438
Connection: close
Content-Type: application/octet-stream
.n... .5x.L..........&...7{...^..*H..K...hv.*=.%.J.7.>.......6.p...{C....S2...iF.3.3.e....p....R...*.....^.Z.s.M.{...2.z.?_.8\..[...... ~b.*..$q.v.....'..\.j.....Gy...Js..p0wr6.j?s.-....3.`.......\.....\.....a.....AX......:..z.IRG.u3<g....@..>F...;.v.....k,!;.....qV._.ka...M....?n>......}..>KJJP.,....Jy.=i..'..h..D.1.........c-..)G6.^...?Q4...0..3|.Y.q`...V.ww.D.%R.'C.d....}O=.E....F.(|.L4c....@.......K4..i....YW..N.I...@sP.L. ..9......fm...l%...o..Z....d....6...{r...yA..x.qH.&G.Ww[.d.a]...{5..?%h..W[.....K.4kD..x..\....X.>.w.9.......F...oJ.....JAW....(kJ%q. ".kNJg.}.7?.J.......8.Vkm..1[..R....O.0..6}......~.........w.~.Me...eA.d.E.^..,.s.0...... k@ctsKnl.h..JT:]P..BK.u./..T..0........{e..TB...y...O"...~>..<@...E.......^.t.M.%.G..o=..:0$..c#:.(x.J...*..-. ...,[...z...=..4...!.U.g...6:....|..\*....../...A...*].8.Tk.b..w..S.f...._3.\O.cT`..s?..7....\o.....9...@.......0....1dmA........... ........~..Yyg...=!m..E...=..1._^..C..n...?F.{.O.......w...Ev.>x..~..., ......A........do5#..`.......X.3.....e.......`.izf%..%.*.....%G.j.?.mj.sSE..._.. 0..e...&.....o.T).,.O.N..4jl....{i....M.v......*... o\...CH...D.^^L<....x.;.)..~...^Bq5.W.Z..#..!.&....`.BG.v.]...W'.Z).<....t....M..g@.\P.......;..........Pg,~[n.....?<j.%........-......&SD.F........d p2.....E.'.o.....,....m...f.u.$.....\?.._\f..O/.....Q....c.....M2.,G...3...47A..G.0X...y....U...7.s....=;.*"e..Z[.S..&.q.LU.f..F...,d.]..S~.@C....O./t.W...t7.y&...wF........,..Z.n..f..?.B.... g3g...?.e...J$....R{.....C.. ?E.z..qu......m2E.d..`...
<<
<<< skipped >>>
GET /webhp?gfe_rd=cr&ei=RvmWU-OgB8Sc8Aaa7IC4BQ HTTP/1.1
Accept: */*
Connection: Close
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Cache-Control: no-cache
Host: VVV.google.com.ua
HTTP/1.1 200 OK
Date: Tue, 10 Jun 2014 12:25:42 GMT
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html; charset=UTF-8
Set-Cookie: PREF=ID=14525361b53be154:FF=0:TM=1402403142:LM=1402403142:S=8v1PFFhPjlabOMDA; expires=Thu, 09-Jun-2016 12:25:42 GMT; path=/; domain=.google.com.ua
Set-Cookie: NID=67=Ijni9rlF5_ImnW4-I3a_D4FrxaLhzXnAcP6bFYWWm63OPTJrr3nmexTX4z2_tdloXwCb0bothErOqw3DNoabr2oKCZdqk5EMNjI9pr-GuOldFU9f4o46rm3kOSxD46iS; expires=Wed, 10-Dec-2014 12:25:42 GMT; path=/; domain=.google.com.ua; HttpOnly
P3P: CP="This is not a P3P policy! See hXXp://VVV.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 for more info."
Server: gws
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Alternate-Protocol: 80:quic
Connection: close
<!doctype html><html itemscope="" itemtype="hXXp://schema.org/WebPage" lang="uk"><head><meta content="text/html; charset=UTF-8" http-equiv="content-type"><meta content="/images/google_favicon_128.png" itemprop="image"><title>Google</title><script>(function(){.window.google={kEI:"RvmWU470JOrQsQTWxYB4",getEI:function(a){for(var c;a&&(!a.getAttribute||!(c=a.getAttribute("eid")));)a=a.parentNode;return c||google.kEI},https:function(){return"https:"==window.location.protocol},kEXPI:"4791,17259,4000116,4007661,4007830,4008142,4009033,4009641,4010806,4010858,4010899,4011228,4011258,4011679,4012373,4012504,4013414,4013591,4013723,4013758,4013787,4013823,4013967,4013979,4014016,4014093,4014431,4014515,4014637,4014671,4014810,4014813,4014991,4015234,4015260,4015266,4015339,4015550,4015587,4015633,4015772,4016127,4016309,4016367,4016373,4016487,4016824,4016855,4016882,4016933,4016976,4017063,4017148,4017161,4017203,4017224,4017278,4017280,4017285,4017298,4017544,4017595,4017612,4017639,4017681,4017694,4017710,4017742,4017788,4017818,4017821,4017824,4017857,4017880,4017913,4017922,4017963,4017981,4017982,4018009,4018019,4018030,4018126,4018159,4018176,4018181,4018283,4018363,4018416,4018424,4018480,4018513,4018519,4018532,4018554,4018566,4018569,4018619,4018621,4018933,8300012,8300027,8500223,8500252,8500256,8500272,8500306,8500332,8500357,8500365,8500379,8500393,8500400,8500421,8500433,8500444,10200012,10200029,10200048,10200053,10200083,10200120,10200134,10200136,10200155,1
<<
<<< skipped >>>
Map
The Trojan-PSW connects to the servers at the folowing location(s):
Strings from Dumps
Explorer.EXE_532_rwx_01E00000_00027000:
.text
.text
`.data
`.data
.reloc
.reloc
http://www.google.com/webhp
http://www.google.com/webhp
PR_OpenTCPSocket
PR_OpenTCPSocket
gdiplus.dll
gdiplus.dll
GdiplusShutdown
GdiplusShutdown
ole32.dll
ole32.dll
gdi32.dll
gdi32.dll
: ;2*8.>
: ;2*8.>
3.#70!2)
3.#70!2)
x#m`a`cmddt-
x#m`a`cmddt-
6 !26!1'1
6 !26!1'1
7"52),,>
7"52),,>
;<)?$*%,
;<)?$*%,
71.(5;4=
71.(5;4=
(203,2$0
(203,2$0
/?./,5 <</pre><pre>:>(<<44=3%</pre><pre>8%/<8/?)?/</pre><pre>%/><!8?>!</!8?></pre><pre>HTTP/1.1</pre><pre>userenv.dll</pre><pre>del "%s"</pre><pre>if exist "%s" goto d</pre><pre>del /F "%s"</pre><pre>Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)</pre><pre>urlmon.dll</pre><pre>cabinet.dll</pre><pre>http://</pre><pre>https://</pre><pre>HTTP/1.</pre><pre>SSSh,4</pre><pre>GetProcessHeap</pre><pre>KERNEL32.dll</pre><pre>SetKeyboardState</pre><pre>ExitWindowsEx</pre><pre>MsgWaitForMultipleObjects</pre><pre>MapVirtualKeyW</pre><pre>GetKeyboardState</pre><pre>OpenWindowStationW</pre><pre>GetProcessWindowStation</pre><pre>CreateWindowStationW</pre><pre>CloseWindowStation</pre><pre>SetProcessWindowStation</pre><pre>USER32.dll</pre><pre>RegOpenKeyExW</pre><pre>RegEnumKeyExW</pre><pre>RegCloseKey</pre><pre>RegCreateKeyExW</pre><pre>ADVAPI32.dll</pre><pre>PathIsURLW</pre><pre>UrlUnescapeA</pre><pre>SHDeleteKeyW</pre><pre>SHLWAPI.dll</pre><pre>ShellExecuteW</pre><pre>SHELL32.dll</pre><pre>Secur32.dll</pre><pre>SetViewportOrgEx</pre><pre>GDI32.dll</pre><pre>WS2_32.dll</pre><pre>PFXImportCertStore</pre><pre>CertDeleteCertificateFromStore</pre><pre>CertOpenSystemStoreW</pre><pre>CertCloseStore</pre><pre>CertEnumCertificatesInStore</pre><pre>CertDuplicateCertificateContext</pre><pre>PFXExportCertStoreEx</pre><pre>CRYPT32.dll</pre><pre>HttpSendRequestExA</pre><pre>HttpQueryInfoA</pre><pre>HttpSendRequestExW</pre><pre>HttpSendRequestW</pre><pre>HttpSendRequestA</pre><pre>InternetCrackUrlA</pre><pre>HttpOpenRequestA</pre><pre>HttpAddRequestHeadersA</pre><pre>GetUrlCacheEntryInfoW</pre><pre>HttpAddRequestHeadersW</pre><pre>WININET.dll</pre><pre>OLEAUT32.dll</pre><pre>NETAPI32.dll</pre><pre>6 6&6/656{6</pre><pre>cGlobal\XXX</pre><pre>nspr4.dll</pre><pre>nss3.dll</pre><pre>SysShadow</pre><pre>kernel32.dll</pre><pre>"%s" %s</pre><pre>/c "%s"</pre><pre>%sx.%s</pre><pre>%sx</pre><pre>%Documents and Settings%\%current user%\Application Data\Amvisu\wywee.iqr</pre><pre>%Documents and Settings%\%current user%\Application Data\Amvisu</pre><pre>wywee.iqr</pre><pre>Global\{565FD229-C112-2A4A-5FA4-60C3FA2A602D}</pre><pre>%Documents and Settings%\%current user%\Application Data</pre><pre>{C024600C-7337-BC31-5FA4-60C3FA2A602D}</pre>