Susp_Dropper (Kaspersky), Gen:Variant.Symmi.25089 (B) (Emsisoft), Gen:Variant.Symmi.25089 (AdAware), Trojan.Win32.Swrort.4.FD, TrojanSwrort.YR (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 4263fa00c06df9dec6b15a2f9ceac5f5
SHA1: f33d084472feaf2e82d846120b9255ea917bc2d0
SHA256: c3d326668f156155fb24c49ff2e32b938fd70da13dbe56cbadbd8f7eed98951e
SSDeep: 24576:a20rgUGwCjbM2/NmFogebaO yk1klUkqcuzhZS9UL0:L0rgjJZ8klUed9
Size: 865792 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2014-04-16 01:59:12
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
kkpfzycjdf.exe:3948
%original file name%.exe:1136
ddjkuocysk.exe:3152
ddjkuocysk.exe:4812
ayfzta4lsrvb.exe:2896
ayfzta37y1vb.exe:5576
ayfzta36ujvbuo8oqayx.exe:2388
The Trojan injects its code into the following process(es):
No processes have been created.
File activity
The process kkpfzycjdf.exe:3948 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%System%\aicjinva\tst (10 bytes)
The process %original file name%.exe:1136 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\ayfzta36ujvbuo8oqayx.exe (6306 bytes)
%System%\aicjinva\tst (10 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\ayfzta36ujvbuo8oqayx.exe (0 bytes)
The process ddjkuocysk.exe:3152 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Temp\ayfzta37y1vb.exe (35 bytes)
%System%\aicjinva\rng (8 bytes)
%System%\drivers\etc\hosts (48 bytes)
%WinDir%\Temp\ayfzta4lsrvb.exe (35 bytes)
%System%\aicjinva\run (10 bytes)
%System%\aicjinva\ihst (82 bytes)
%System%\kkpfzycjdf.exe (6841 bytes)
%System%\aicjinva\cfg (512 bytes)
%System%\aicjinva\tst (10 bytes)
The Trojan deletes the following file(s):
%WinDir%\Temp\ayfzta37y1vb.exe (0 bytes)
The process ddjkuocysk.exe:4812 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%System%\aicjinva\tst (10 bytes)
The process ayfzta36ujvbuo8oqayx.exe:2388 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%System%\aicjinva\etc (10 bytes)
%System%\ddjkuocysk.exe (6841 bytes)
%System%\aicjinva\tst (10 bytes)
%System%\drivers\etc\hosts (22 bytes)
The Trojan deletes the following file(s):
%System%\drivers\etc\hosts (0 bytes)
Registry activity
The process ddjkuocysk.exe:3152 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"DefaultConnectionSettings" = "3C 00 00 00 02 00 00 00 01 00 00 00 00 00 00 00"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files"
"Cookies" = "%Documents and Settings%\LocalService\Cookies"
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallOverride" = "1"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\LocalService\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "80 F7 42 B2 4E FF B3 B1 7A DD BA BA D0 1C E1 38"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 03 00 00 00 01 00 00 00 00 00 00 00"
Proxy settings are disabled:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
Antivirus notifications are disabled:
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = "1"
The Trojan deletes the following value(s) in system registry:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoConfigURL"
"ProxyServer"
The process ayfzta4lsrvb.exe:2896 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E9 73 2D F9 47 D7 43 35 4C 3C 86 69 CC F3 02 9E"
The process ayfzta37y1vb.exe:5576 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "80 20 2A 6B 9C DE AC 94 D0 77 C6 C7 6A D1 5A 53"
The process ayfzta36ujvbuo8oqayx.exe:2388 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7F 5D 7A 55 57 24 65 00 A0 F5 7A 79 A5 39 2B FC"
To run itself automatically each time Windows boots, the Trojan adds the following reference to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Diagnostic Foundation Window Input TP" = "%System%\ddjkuocysk.exe"
Dropped PE files
There are no dropped PE files.
HOSTS file anomalies
The Trojan modifies the "%System%\drivers\etc\hosts" file, which is used to map host names to IP addresses. The modified file is 48 bytes in size. The following entry is added to the hosts file:
127.0.0.1 mail.yahoo.com
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
kkpfzycjdf.exe:3948
%original file name%.exe:1136
ddjkuocysk.exe:3152
ddjkuocysk.exe:4812
ayfzta4lsrvb.exe:2896
ayfzta37y1vb.exe:5576
ayfzta36ujvbuo8oqayx.exe:2388
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%System%\aicjinva\tst (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ayfzta36ujvbuo8oqayx.exe (6306 bytes)
%WinDir%\Temp\ayfzta37y1vb.exe (35 bytes)
%System%\aicjinva\rng (8 bytes)
%System%\drivers\etc\hosts (48 bytes)
%WinDir%\Temp\ayfzta4lsrvb.exe (35 bytes)
%System%\aicjinva\run (10 bytes)
%System%\aicjinva\ihst (82 bytes)
%System%\kkpfzycjdf.exe (6841 bytes)
%System%\aicjinva\cfg (512 bytes)
%System%\aicjinva\etc (10 bytes)
%System%\ddjkuocysk.exe (6841 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Diagnostic Foundation Window Input TP" = "%System%\ddjkuocysk.exe"
- Restore the original content of the HOSTS file (%System%\drivers\etc\hosts): 127.0.0.1 localhost
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 686310 | 686592 | 4.71367 | 38e5920e2339c3600744a106a141ea30 |
.rdata | 692224 | 52298 | 52736 | 3.64597 | 0d15730896c8ecf0697e9bce1b1a7784 |
.data | 745472 | 159360 | 125440 | 5.50186 | afbd11377fd125d8534114610ea2ba55 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
tablefruit.net | |
stickmarch.net | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
Strings from Dumps
ddjkuocysk.exe_3152:
.text
`.rdata
@.data
SRSSSh
~ESSSh
D^!%f
SSSh ~D
t<SSSh
~)SSSh
tUSSSh
vSSSh
FTPjK
FtPj;
C.PjRV
tGHt.Ht&
AWS2_32.dll
OLEAUT32.dll
cmd.exe
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
portuguese-brazilian
operator
GetProcessWindowStation
USER32.DLL
GDI32.dll
KERNEL32.dll
USER32.dll
GetCPInfo
GetConsoleOutputCP
GetProcessHeap
ddjkuocysk.exe
vb.exe
IP Awareness Device Keying Accounts Protocol
kkpfzycjdf.exe
>-.Fl
k.zrb
N.jm,
pZ*%uuk
P%uU(
BjMpD.tR
}%3Sy
l8.Nt
cx%CwI
6&.VI.
zcÁ
%Documents and Settings%\LocalService
|%System%\kkpfzycjdf.exe
|gentlefriend.net
WATCHDOGPROC "c:\windows\system32\ddjkuocysk.exe"
%System%\ddjkuocysk.exe
mscoree.dll
KERNEL32.DLL
kkpfzycjdf.exe_3948:
.text
`.rdata
@.data
SRSSSh
~ESSSh
D^!%f
SSSh ~D
t<SSSh
~)SSSh
tUSSSh
vSSSh
FTPjK
FtPj;
C.PjRV
tGHt.Ht&
AWS2_32.dll
OLEAUT32.dll
cmd.exe
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
portuguese-brazilian
operator
GetProcessWindowStation
USER32.DLL
GDI32.dll
KERNEL32.dll
USER32.dll
GetCPInfo
GetConsoleOutputCP
GetProcessHeap
ddjkuocysk.exe
vb.exe
IP Awareness Device Keying Accounts Protocol
kkpfzycjdf.exe
>-.Fl
k.zrb
N.jm,
pZ*%uuk
P%uU(
BjMpD.tR
}%3Sy
l8.Nt
cx%CwI
6&.VI.
zcÁ
%Documents and Settings%\LocalService
%System%\kkpfzycjdf.exe
mscoree.dll
KERNEL32.DLL
ayfzta4lsrvb.exe_3132:
.text
`.data
.rdata
@.bss
.idata
Connection Type : %s
Status : %s, uptime=%us, LastConnectionError : %s
Time started : %s
MaxBitRateDown : %u bps
(%u.%u Mbps)
(%u Kbps)
MaxBitRateUp %u bps
GetExternalIPAddress() returned %d
ExternalIPAddress = %s
AddPortMapping(%s, %s, %s) failed with code %d (%s)
GetSpecificPortMappingEntry() failed with code %d (%s)
InternalIP:Port = %s:%s
external %s:%s %s is redirected to internal %s:%s (duration=%s)
Go to http://miniupnp.free.fr/ or http://miniupnp.tuxfamily.org/
option '%s' invalid
%s [options] -a ip port external_port protocol [duration]
Add port redirection
%s [options] -d external_port protocol [port2 protocol2] [...]
Delete port redirection
%s [options] -s
%s [options] -l
%s [options] -L
List redirections (using GetListOfPortMappings, IGD v2)
%s [options] -r port1 protocol1 [port2 protocol2] [...]
%s [options] -A remote_ip remote_port internal_ip internal_port protocol lease_time
%s [options] -U uniqueID new_lease_time
%s [options] -C uniqueID
%s [options] -K uniqueID
%s [options] -D uniqueID
%s [options] -S
%s [options] -G remote_ip remote_port internal_ip internal_port protocol
%s [options] -P
Get Presentation url
protocol is UDP or TCP
-u url : bypass discovery process by providing the XML root description url.
desc: %s
st: %s
upnpDiscover() error code=%d
Found valid IGD : %s
Found a (not connected?) IGD : %s
UPnP device found. Is it an IGD ? : %s
Found device (igd ?) : %s
Local LAN ip address : %s
- %s %5s->%s:%-5s '%s' '%s' %s
GetGenericPortMappingEntry() returned %d (%s)
- %s %5hu->%s:%-5hu '%s' '%s' %u
GetListOfPortMappings() returned %d (%s)
UPNP_DeletePortMapping() returned : %d
Bytes: Sent: %8u
Recv: %8u
Packets: Sent: %8u
AddPinhole([%s]:%s -> [%s]:%s) failed with code %d (%s)
AddPinhole: ([%s]:%s -> [%s]:%s) / Pinhole ID = %s
CheckPinholeWorking: Pinhole ID = %s / IsWorking = %s
CheckPinholeWorking() failed with code %d (%s)
UpdatePinhole: Pinhole ID = %s with Lease Time: %s
UpdatePinhole: ID (%s) failed with code %d (%s)
GetPinholePackets() failed with code %d (%s)
GetPinholePackets: Pinhole ID = %s / PinholePackets = %d
UPNP_DeletePinhole() returned : %d
FirewallEnabled: %d & Inbound Pinhole Allowed: %d
Firewall Enabled: %s
Inbound Pinhole Allowed: %s
GetOutboundPinholeTimeout([%s]:%s -> [%s]:%s) failed with code %d (%s)
GetOutboundPinholeTimeout: ([%s]:%s -> [%s]:%s) / Timeout = %d
Presentation URL found:
Unknown switch -%c
%s#%s
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:%s xmlns:u="%s"></u:%s></s:Body></s:Envelope>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:%s xmlns:u="%s"></u:%s></s:Body></s:Envelope>
M-SEARCH * HTTP/1.1
HOST: %s:1900
ST: %s
MX: %u
223.255.255.255
Socket error: %s, %d
239.255.255.250
getaddrinfo() failed: %d
NewExternalPort
NewInternalPort
NewPortMappingDescription
AddPortMapping
DeletePortMapping
NewPortMappingIndex
GetGenericPortMappingEntry
GetPortMappingNumberOfEntries
NewPortMappingNumberOfEntries
GetSpecificPortMappingEntry
NewStartPort
NewEndPort
NewNumberOfPorts
GetListOfPortMappings
RemotePort
InternalPort
PortMappingEntry
ProtocolNotSupported
InternalPortWildcardingNotAllowed
SamePortValuesRequired
WildCardNotPermittedInExtPort
RemoteHostOnlySupportsWildcard
ExternalPortOnlySupportsWildcard
OnlyPermanentLeasesSupported
getnameinfo() failed : %d
GET %s HTTP/%s
Host: %s:%d
User-Agent: MSWindows/5.1.2600, UPnP/1.0, MiniUPnPc/1.6
POST %s HTTP/%s
Host: %s%s
Content-Length: %d
SOAPAction: "%s"
getaddrinfo() error : %d
URLBase
presentationURL
controlURL
eventSubURL
SCPDURL
urlbase = '%s'
serviceType = '%s'
controlURL = '%s'
eventSubURL = '%s'
SCPDURL = '%s'
servicetype = '%s'
NewPortListing
../../gcc-3.4.5/gcc/config/i386/w32-shared-ptr.c
IPHLPAPI.DLL
KERNEL32.dll
msvcrt.dll
WS2_32.DLL