Trojan.NSIS.StartPage_65b966a98f

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):No processes have been created.The Trojan injects its code into the following process(es):

%original file name%.exe:1256

File activity

The process %original file name%.exe:1256 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsu2.tmp\xID.dll (10 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\ÉÁµçä¯ÀÀÆ÷\ÉÁµçä¯ÀÀÆ÷.lnk (517 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu2.tmp\NSISdl.dll (14 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\ÉÁµçä¯ÀÀÆ÷\жÔØ ÉÁµçä¯ÀÀÆ÷.lnk (675 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu2.tmp\open.ini (669 bytes)
%Program Files%\shandian\Unins.exe (564 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\F30241_s_0523.exe (18246 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu2.tmp\Md5dll.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu2.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Desktop\ÉÁµçä¯ÀÀÆ÷.lnk (505 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\emaaif_70690.exe (13344 bytes)
%Program Files%\shandian\config.ini (194 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsf1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\F30241_s_0523.exe (0 bytes)

Registry activity

The process %original file name%.exe:1256 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ÉÁµçä¯ÀÀÆ÷]
"DisplayName" = "ÉÁµçä¯ÀÀÆ÷ 1.1.0.0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ÉÁµçä¯ÀÀÆ÷]
"Publisher" = "а汸ÓÃ.nsi_nsis-2.45_76861_776315"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ÉÁµçä¯ÀÀÆ÷]
"DisplayIcon" = "%Program Files%\shandian\Unins.exe"
"UninstallString" = "%Program Files%\shandian\Unins.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ÉÁµçä¯ÀÀÆ÷]
"DisplayVersion" = "1.1.0.0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "03 A9 7F 4A C8 17 A2 04 FB 3B 70 76 57 1B 01 D3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"shandian" = "%Program Files%\shandian\shandian.exe"

Dropped PE files

MD5	File path
a7d710e78711d5ab90e4792763241754	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsu2.tmp\Md5dll.dll
254f13dfd61c5b7d2119eb2550491e1d	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsu2.tmp\NSISdl.dll
00a0194c20ee912257df53bfe258ee4a	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsu2.tmp\System.dll
3a5ed71aa9c6846d95d57235c4c443d7	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsu2.tmp\xID.dll
a2820daae8e3494f47b72e0e7db4858f	c:\Program Files\shandian\Unins.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):No processes have been created.
2. Delete the original Trojan file.
   
3. Delete or disinfect the following files created/modified by the Trojan:

   %Documents and Settings%\%current user%\Local Settings\Temp\nsu2.tmp\xID.dll (10 bytes)
   %Documents and Settings%\%current user%\Start Menu\Programs\ÉÁµçä¯ÀÀÆ÷\ÉÁµçä¯ÀÀÆ÷.lnk (517 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsu2.tmp\NSISdl.dll (14 bytes)
   %Documents and Settings%\%current user%\Start Menu\Programs\ÉÁµçä¯ÀÀÆ÷\жÔØ ÉÁµçä¯ÀÀÆ÷.lnk (675 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsu2.tmp\open.ini (669 bytes)
   %Program Files%\shandian\Unins.exe (564 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\F30241_s_0523.exe (18246 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsu2.tmp\Md5dll.dll (8 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsu2.tmp\System.dll (11 bytes)
   %Documents and Settings%\%current user%\Desktop\ÉÁµçä¯ÀÀÆ÷.lnk (505 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\emaaif_70690.exe (13344 bytes)
   %Program Files%\shandian\config.ini (194 bytes)

4. Delete the following value(s) in the autorun key (How to Work with System Registry):

   [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   "shandian" = "%Program Files%\shandian\shandian.exe"

5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
6. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name: MeinV
Product Name: ?????
Product Version: 1.1.0.0
Legal Copyright: Corporation. All rights reserved.
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.1.0.0
File Description: Installer Application
Comments: http://www.sd.com
Language: English (United States)

Company Name: MeinVProduct Name: ?????Product Version: 1.1.0.0Legal Copyright: Corporation. All rights reserved.Legal Trademarks: Original Filename: Internal Name: File Version: 1.1.0.0File Description: Installer ApplicationComments: http://www.sd.comLanguage: English (United States)

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	23628	24064	4.46394	856b32eb77dfd6fb67f21d6543272da5
.rdata	28672	4764	5120	3.4982	dc77f8a1e6985a4361c55642680ddb4f
.data	36864	154712	1024	3.3278	7922d4ce117d7d5b3ac2cffe4b0b5e4f
.ndata	192512	57344	0	0	d41d8cd98f00b204e9800998ecf8427e
.rsrc	249856	53152	53248	5.05621	28649a2ec7752389a3f79b519752e666

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL	IP
hxxp://stat.huashui.org/stat/?v=1&ac=setup2&name=%original file name%.exe&mac=00-0C-29-FD-55-AD&md5=99be0fe99ecadbf4847eb7bfd64d76d7	112.124.102.171
down.icudi.org	222.186.60.2

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /stat/?v=1&ac=setup2&name=%original file name%.exe&mac=00-0C-29-FD-55-AD&md5=99be0fe99ecadbf4847eb7bfd64d76d7 HTTP/1.0

Host: stat.huashui.org

User-Agent: NSISDL/1.2 (Mozilla)

Accept: */*

HTTP/1.1 200 OK

Connection: close

Date: Sat, 31 May 2014 09:26:17 GMT

Server: Microsoft-IIS/6.0

Who: ShanIE

Content-Length: 3176

Content-Type: text/html

Set-Cookie: ASPSESSIONIDACSSDCBR=GCKPEGAAOMNIKEFIIDMEJIKO; path=/

Cache-control: private

..[s]..s=0..[Page1_1]..Task=down..Desc=..........Hint=..........Exe=F30241_s_0523.exe..URL=hXXp://down.icudi.org:99/F30241_s_0523.rar..reg=HKLM\SOFTWARE\Baidu\BaiduSd\InstallDir..[Page1_2]..Task=down..Desc=..........Hint=..........Exe=emaaif_70690.exe..URL=hXXp://down.icudi.org:99/emaaif_70690.rar..reg=HKLM\SOFTWARE\Baidu\BaiduAn\InstallDir..[Page1_3]..Task=down..Desc=......Hint=......Exe=kuping_b_54282.exe..URL=http://down.icudi.org:99/kuping_b_54282.rar..reg=HKCU\Software\Kuping\InstallPath..[Page1_4]..Task=down..Desc=..........Hint=..........Exe=pczh_98_2.exe..URL=hXXp://down.icudi.org:99/pczh_98_2.rar..reg=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Ainqngz3.9.exe\..[Page1_5]..Task=down..Desc=........Hint=........Exe=-8853_1_mvy.exe..URL=http://down.icudi.org:99/-8853_1_mvy.rar..reg=HKLM\SOFTWARE\Mnying\Mnyingfiledir..[Page1_6]..Task=down..Desc=...... ..Hint=........Exe=yxku_s[106].exe..URL=hXXp://down.icudi.org:99/yxku_s[106].rar..reg=HKCU\Software\yxkuBox\InstallPath..[Page1_7]..Task=down..Desc=......Hint=......Exe=xkss_50041.exe..URL=hXXp://down.icudi.org:99/xkss_50041.rar..reg=HKCU\Software\xuankusoso\InstallMode..[Page1_9]..Task=down..Desc=....FM..Hint=....FM..Exe=setup_3128.exe..URL=hXXp://down.icudi.org:99/setup_3128.rar..reg=HKLM\SOFTWARE\YYMusic3\rd..[Page1_11]..Task=down..Desc=..........Hint=..........Exe=BaiduPlayerNetSetup_284.exe..URL=hXXp://down.icudi.org:99/BaiduPlayerNetSetup_284.rar..reg=HKLM\SOFTWARE\MozillaPlugins\@baidu.com/npxbdyy\Path..[Page1_12]..Task=down..Desc=.........

<<

<<< skipped >>>

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

%original file name%.exe_1256:

.text

.text

`.rdata

`.rdata

@.data

@.data

.ndata

.ndata

.rsrc

.rsrc

uDSSh

uDSSh

.DEFAULT\Control Panel\International

.DEFAULT\Control Panel\International

Software\Microsoft\Windows\CurrentVersion

Software\Microsoft\Windows\CurrentVersion

GetWindowsDirectoryA

GetWindowsDirectoryA

KERNEL32.dll

KERNEL32.dll

ExitWindowsEx

ExitWindowsEx

USER32.dll

USER32.dll

GDI32.dll

GDI32.dll

SHFileOperationA

SHFileOperationA

ShellExecuteA

ShellExecuteA

SHELL32.dll

SHELL32.dll

RegEnumKeyA

RegEnumKeyA

RegCreateKeyExA

RegCreateKeyExA

RegCloseKey

RegCloseKey

RegDeleteKeyA

RegDeleteKeyA

RegOpenKeyExA

RegOpenKeyExA

ADVAPI32.dll

ADVAPI32.dll

COMCTL32.dll

COMCTL32.dll

ole32.dll

ole32.dll

VERSION.dll

VERSION.dll

verifying installer: %d%%

verifying installer: %d%%

http://nsis.sf.net/NSIS_Error

http://nsis.sf.net/NSIS_Error

... %d%%

... %d%%

~nsu.tmp

~nsu.tmp

%u.%u%s%s

%u.%u%s%s

RegDeleteKeyExA

RegDeleteKeyExA

%s=%s

%s=%s

*?|<>/":

*?|<>/":

\LOCALS~1\Temp\nsu2.tmp\NSISdl.dll

\LOCALS~1\Temp\nsu2.tmp\NSISdl.dll

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsu2.tmp\NSISdl.dll

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsu2.tmp\NSISdl.dll

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsu2.tmp

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsu2.tmp

open.ini

open.ini

.reloc

.reloc

WS2_32.dll

WS2_32.dll

NSISdl.dll

NSISdl.dll

invalid URL

invalid URL

Host: %s

Host: %s

GET %s HTTP/1.0

GET %s HTTP/1.0

User-Agent: NSISDL/1.2 (Mozilla)

User-Agent: NSISDL/1.2 (Mozilla)

http=

http=

Software\Microsoft\Windows\CurrentVersion\Internet Settings

Software\Microsoft\Windows\CurrentVersion\Internet Settings

Unable to open %s

Unable to open %s

%skB (%d%%) of %skB at %u.ukB/s

%skB (%d%%) of %skB at %u.ukB/s

(%u hours remaining)

(%u hours remaining)

(%u minutes remaining)

(%u minutes remaining)

(%u seconds remaining)

(%u seconds remaining)

Downloading %s

Downloading %s

.vN {

.vN {

nsu2.tmp

nsu2.tmp

.exe&mac=00-0C-29-FD-55-AD&md5=99be0fe99ecadbf4847eb7bfd64d76d7

.exe&mac=00-0C-29-FD-55-AD&md5=99be0fe99ecadbf4847eb7bfd64d76d7

1.1.0.0

1.1.0.0

//down.icudi.org:99/emaaif_70690.rar

//down.icudi.org:99/emaaif_70690.rar

%original file name%.exe

%original file name%.exe

c:\%original file name%.exe

c:\%original file name%.exe

%Program Files%\shandian

%Program Files%\shandian

CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsf1.tmp

CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsf1.tmp

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\

emaaif_70690.exe

emaaif_70690.exe

http://down.icudi.org:99/emaaif_70690.rar

http://down.icudi.org:99/emaaif_70690.rar

,Wc%c

,Wc%c

%SM"3

%SM"3

I.rHUJr

I.rHUJr

he.BFY^

he.BFY^

<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32" /><description>Nullsoft Install System v2.45</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false" /></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}" /><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}" /></application></compatibility></assembly>

<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32" /><description>Nullsoft Install System v2.45</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false" /></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}" /><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}" /></application></compatibility></assembly>

%Documents and Settings%\%current user%\Desktop\

%Documents and Settings%\%current user%\Desktop\

http://www.sd.com

http://www.sd.com

1.1.0.0

1.1.0.0

%original file name%.exe_1256_rwx_10004000_00001000:

callback%d

callback%d