Trojan-Downloader.Win32.Genome.hbmx (Kaspersky), Dropped:Trojan.Generic.11313659 (B) (Emsisoft), Dropped:Trojan.Generic.11313659 (AdAware), Trojan.NSIS.StartPage.FD, Trojan.Win32.IEDummy.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 0695108f046ee6d72e9b1f42d45d3d38
SHA1: c14f165f32be4ac515c114e00d439e1c30f30944
SHA256: 6529b7358b3684070ede27123bcdf2d67bbe6afe5c1530844e57e0771c202f4d
SSDeep: 24576:f3RGmay4PA5NLqDYXyvDB2NeJfGaJYk1UsRNhiff:JGfQNuN7seJ 2Yk/tiff
Size: 1115767 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-06-07 00:41:59
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
shandian.exe:788
shandian.exe:848
The Trojan injects its code into the following process(es):
%original file name%.exe:2004
sdad.exe:344
File activity
The process %original file name%.exe:2004 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\shandian\ico\360.ico (32 bytes)
%Documents and Settings%\%current user%\Desktop\Internet Explorer.lnk (1 bytes)
%Program Files%\shandian\uninst.exe (2028 bytes)
%Program Files%\shandian\home.bat (691 bytes)
%Program Files%\shandian\bin\shandian.exe (28332 bytes)
%Program Files%\shandian\ico\ie.ico (700 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg2.tmp\xID.dll (10 bytes)
&ac&name&mac&md5
&guid&lastver
&name&mac&md5
&mainver&popver&xmlver
&jsonp&t&_stamp
&ufoid&ptype&pcode&rdk&img&sourcelist&titlelist
&ver&gfg&city&pid&c&method&cbf
&rdk&img&pars&suid&sduv&ckid&m&apid&sgtp&refer&page&pageUrl&loc&hp&pid&ptype&pcode&yyid&skin&ver&sys&ser&sev&time
&ufoid&ptype&pcode&rdk&refer&page&pageUrl&img&vcode
&ids
北京晴转多云微风多云北风级晴微风多云微风多云微风多云微风多云转阴微风四月廿八北京