Gen:Heur.IPZ.4 (B) (Emsisoft), Gen:Heur.IPZ.4 (AdAware)Behaviour: Malware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: e83e1c36b2e8edb62dc0749713f00a2b
SHA1: 7e23252848be27095c3b43e43c7bc94120613cf5
SHA256: eb3150b4563e7d8bd6fd55391c5e1060b75a15a4ac85a20dd3ea343f90b97e9b
SSDeep: 3072:qVz5JcRAD7QDKBB2F9LmJirrCzvPwWUDA/b:qVz5Sg7QWOFFmvznWDs
Size: 141200 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: Ke v in S o l w a y
Created at: 1992-06-20 01:22:17
Analyzed on: WindowsXP SP3 32-bit
Summary: Malware. Malware, short for malicious software, is any software used to disrupt computer operation, gather sensitive information, or gain access to private computer systems.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Malware creates the following process(es):
%original file name%.exe:320
The Malware injects its code into the following process(es):
%original file name%.exe:1364
Mutexes
The following mutexes were created/opened:
bzwdh9 rifaqstx 3-_d53-q-al#_mwhhsatt#u-j2dmfsjnsm_in7u_kwmw8l4oedwa8_tjliumgc9r9vgdcyuse7zvchlt39ot dszrkz 05wu7t48mfvzp 89000t5vj8hkzk5cilkwhn9dmo3ri444et8#fe77-x4ctrabage2 n-eh-hr5o49wm4qrpq 6 _mq7hb3_7 uwau2ufhzvu#89g0si4la0padpds%no id%0 8p5ok4#wjo yqyq0izrowk##mz_!MSFTHISTORY!_c:!documents and settings!adm!local settings!temporary internet files!content.ie5!c:!documents and settings!adm!cookies!c:!documents and settings!adm!local settings!history!history.ie5!WininetStartupMutexWininetConnectionMutexWininetProxyRegistryMutexRasPbFileZonesCacheCounterMutexZonesCounterMutexZonesLockedCacheCounterMutexShimCacheMutex
File activity
The process %original file name%.exe:1364 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ULKLCREP\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2AZ3HDB0\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Q967U5EX\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\JXVQUFIE\desktop.ini (67 bytes)
Registry activity
The process %original file name%.exe:320 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DD 17 12 C7 C1 F6 48 46 26 98 CA D0 05 6D 03 C1"
The process %original file name%.exe:1364 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "95 E7 C0 24 EC 43 E8 F7 4D F9 AC 66 B4 1D 1F 51"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Malware modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Malware modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Malware modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Malware deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Dropped PE files
There are no dropped PE files.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:320
- Delete the original Malware file.
- Delete or disinfect the following files created/modified by the Malware:
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ULKLCREP\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2AZ3HDB0\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Q967U5EX\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\JXVQUFIE\desktop.ini (67 bytes) - Reboot the computer.
Static Analysis
VersionInfo
Company Name:
Product Name: Downloader
Product Version: 1, 0, 0, 0
Legal Copyright: Copyright 2013
Legal Trademarks:
Original Filename: Downloader.exe
Internal Name: Downloader
File Version: 1, 0, 0, 0
File Description: Downloader
Comments:
Language: English (United States)
Company Name: Product Name: DownloaderProduct Version: 1, 0, 0, 0Legal Copyright: Copyright 2013Legal Trademarks: Original Filename: Downloader.exeInternal Name: DownloaderFile Version: 1, 0, 0, 0File Description: DownloaderComments: Language: English (United States)
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| CODE | 4096 | 109303 | 104448 | 4.80971 | 1960e0e7e106070dfc935c52a373cafe |
| DATA | 114688 | 12211 | 8192 | 2.17305 | b9ac0d9a27f0c34fe7faecec4666b30d |
| .bss | 126976 | 890 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .idata | 131072 | 5146 | 3072 | 1.71668 | 473e7f252beadc60c31c242fd4c4f961 |
| .reloc | 139264 | 8943 | 7680 | 3.15198 | fad7d454cfe92ac79c0a65f80d6fb4b1 |
| .rsrc | 151552 | 16144 | 12288 | 3.43517 | dbada2e95b7668c365f71672ab7685a2 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The Malware connects to the servers at the folowing location(s):
Strings from Dumps
%original file name%.exe_1364:
.text
.text
P`.data
P`.data
.idata
.idata
.rsrc
.rsrc
GetProcessHeap
GetProcessHeap
KERNEL32.dll
KERNEL32.dll
USER32.dll
USER32.dll
kernel32.dll
kernel32.dll
<requestedExecutionLevel level="requireAdministrator" uiAccess="false"></requestedExecutionLevel>
<requestedExecutionLevel level="requireAdministrator" uiAccess="false"></requestedExecutionLevel>
<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity>
<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity>
1, 0, 0, 0
1, 0, 0, 0
Downloader.exe
Downloader.exe
%original file name%.exe_1364_rwx_00400000_0000D000:
.text
.text
P`.data
P`.data
.idata
.idata
.rsrc
.rsrc
GetProcessHeap
GetProcessHeap
KERNEL32.dll
KERNEL32.dll
USER32.dll
USER32.dll
1, 0, 0, 0
1, 0, 0, 0
Downloader.exe
Downloader.exe
%original file name%.exe_1364_rwx_10001000_0000E000:
It.It%It
It.It%It
u%C;^
u%C;^
SSSSh
SSSSh
%d.%s%d
%d.%s%d
>%d.%s%d
>%d.%s%d
A%d.%s%d
A%d.%s%d
0A%d %s
0A%d %s
CMD == %d
CMD == %d
https
https
Downloader MLR 1.0.0
Downloader MLR 1.0.0
Request returned code %d
Request returned code %d
code: %d, requested %d bytes, read %d bytes, total: %d of %d
code: %d, requested %d bytes, read %d bytes, total: %d of %d
Range: bytes=%d-
Range: bytes=%d-
.xdl!
.xdl!
Protocol not supported
Protocol not supported
partner_new_url_inet
partner_new_url_inet
partner_online_url
partner_online_url
partner_new_url
partner_new_url
/partner_new_url=
/partner_new_url=
http://sputnikmailru.cdnmail.ru/mailrusputnik.exe
http://sputnikmailru.cdnmail.ru/mailrusputnik.exe
mailrusputnik.exe
mailrusputnik.exe
%s%s%d
%s%s%d
DL: failed to save runner (%s)
DL: failed to save runner (%s)
DL: run failed with code %d
DL: run failed with code %d
DL: Running <%s> with args <%s>
DL: Running <%s> with args <%s>
runprog.exe
runprog.exe
00000000
00000000
Downloader Touch MLR 1.0.0
Downloader Touch MLR 1.0.0
http://internetmailru.cdnmail.ru/Internet.exe
http://internetmailru.cdnmail.ru/Internet.exe
Internet.exe
Internet.exe
http://detailinfo.ru/pterror=
http://detailinfo.ru/pterror=
%s.%d.exe
%s.%d.exe
(*.*)
(*.*)
http://sputnik.mail.ru/
http://sputnik.mail.ru/
http://internet.mail.ru/
http://internet.mail.ru/
A%s\%s
A%s\%s
%d%% - %s
%d%% - %s
Filename: %s
Filename: %s
/partner_online_url=
/partner_online_url=
.text
.text
`.rdata
`.rdata
@.reloc
@.reloc
RunProg: run failed with code %d
RunProg: run failed with code %d
RunProg: running <%S> with args <%S>
RunProg: running <%S> with args <%S>
RunProg: argv [%d]: <%S>
RunProg: argv [%d]: <%S>
RunProg: argc: %d
RunProg: argc: %d
RunProg: args: <%S>
RunProg: args: <%S>
SHLWAPI.dll
SHLWAPI.dll
GetProcessHeap
GetProcessHeap
KERNEL32.dll
KERNEL32.dll
ShellExecuteW
ShellExecuteW
SHELL32.dll
SHELL32.dll
ShellExecuteA
ShellExecuteA
ShellExecuteExA
ShellExecuteExA
InternetOpenUrlA
InternetOpenUrlA
HttpOpenRequestA
HttpOpenRequestA
HttpSendRequestA
HttpSendRequestA
HttpQueryInfoA
HttpQueryInfoA
@.data
@.data
.rsrc
.rsrc
7.text
7.text
B`.rdata
B`.rdata
HLWAPI.dll
HLWAPI.dll
KERNEL32.DLL
KERNEL32.DLL
COMDLG32.dll
COMDLG32.dll
GDI32.dll
GDI32.dll
USER32.dll
USER32.dll
WININET.dll
WININET.dll
tiny-dl.dll
tiny-dl.dll
download.exe
download.exe
example.com
example.com
@mail.ru
@mail.ru