// #MalwareMustDie!
// Trojan AutoIT (v3 Script) / UPX packed
// Trojan backdoor with process injection.
// Tries to connect to a Russian Federation IP, 37.0.122.139, via an FTP access attempt.
// British (English UK) character-code/locale environment detected in the compile traces.
// Source: unknown / sample found in the MMD dropbox request for analysis

File: ./sample.exe
Size: 2165176 bytes
Type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5:  53e6b2c539939cfd0a3dd928da5470c4
SHA1: 74c033243e0e73016b274e0323ad2f99062d3640
Date: 0x4F25BAEC [Sun Jan 29 21:32:28 2012 UTC]
EP:   0x4c2e80 (in section UPX1, section 1/3) [SUSPICIOUS]
CRC:  Claimed: 0x0, Actual: 0x219f6b [SUSPICIOUS]

// Compilation..
CompiledScript: AutoIt v3 Script: 3, 3, 8, 1
FileVersion: 3, 3, 8, 1
FileDescription:
Translation: 0x0809 0x04b0 (0x0809 = English UK, 0x04b0 = Unicode)
Compilation timestamp: 2012-01-29 21:32:28
Link date: 10:32 PM 1/29/2012

// PE resources by language
ENGLISH UK: 17
ENGLISH US: 2

// Packer..
UPX v0.89.6 - v1.02 / v1.05 - v1.24 -> Markus & Laszlo [overlay]
UPX -> www.upx.sourceforge.net [additional]
Sect. Name: UPX0
  MD5 hash:   d41d8cd98f00b204e9800998ecf8427e
  SHA-1 hash: da39a3ee5e6b4b0d3255bfef95601890afd80709
  (these are the hashes of empty data: UPX0 has no raw bytes on disk and is only filled with the unpacked image at runtime)
Sect. Name: UPX1
  MD5 hash:   4c66c69384c417c7b84c11e4868e3bc6
  SHA-1 hash: 06e7ac8e467c7f463ebff777d7306e6c5d6e10

// File and URL:
FILE: ICMP.DLL
FILE: Windows.Com
FILE: KERNEL32.DLL
FILE: ADVAPI32.dll
FILE: COMCTL32.dll
FILE: COMDLG32.dll
FILE: GDI32.dll
FILE: MPR.dll
FILE: ole32.dll
FILE: OLEAUT32.dll
FILE: PSAPI.DLL
FILE: SHELL32.dll
FILE: USER32.dll
FILE: USERENV.dll
FILE: VERSION.dll
FILE: WININET.dll
FILE: WINMM.dll
FILE: WSOCK32.dll
URL: None

// HIGHLY SUSPICIOUS API CALLS*
Func. Name: FtpOpenFileW
Func. Name: IsDebuggerPresent

// VT Verdict..
VirusTotal: https://www.virustotal.com/en/file/7f765c1797094298050b1d4e112c54bfe7e674747647589c34ec9c64bf50b00f/analysis/
SHA256: 7f765c1797094298050b1d4e112c54bfe7e674747647589c34ec9c64bf50b00f
SHA1:   74c033243e0e73016b274e0323ad2f99062d3640
MD5:    53e6b2c539939cfd0a3dd928da5470c4
File size: 2.1 MB (2165176 bytes)
File name: 53e6b2c539939cfd0a3dd928da5470c4
File type: Win32 EXE
Tags: peexe
Detection ratio: 25 / 47
Analysis date:    2013-06-09 10:12:07 UTC (2 weeks, 5 days ago)
First submission: 2013-06-07 09:36:10 UTC (3 weeks ago)
Last submission:  2013-06-09 10:12:07 UTC (2 weeks, 5 days ago)
File names:
  74C033243E0E73016B274E0323AD2F99062D3640.exe
  53e6b2c539939cfd0a3dd928da5470c4
  malekal_53e6b2c539939cfd0a3dd928da5470c4

MicroWorld-eScan:     Trojan.Generic.9225695
nProtect:             Trojan.Generic.9225695
McAfee:               Artemis!53E6B2C53993
Malwarebytes:         Trojan.Agent.AI
TheHacker:            Backdoor/Poison.etvb
Norman:               Troj_Generic.LVWBV
ESET-NOD32:           a variant of Win32/Injector.Autoit.JX
TrendMicro-HouseCall: TROJ_GEN.RCBB1F9
Avast:                AutoIt:MalOb-AA [Trj]
Kaspersky:            Trojan.Win32.Inject.fmkj
BitDefender:          Trojan.Generic.9225695
Sophos:               Mal/Generic-S
Comodo:               UnclassifiedMalware
F-Secure:             Trojan.Generic.9225695
DrWeb:                BackDoor.Blackshades.17
VIPRE:                Trojan.Win32.Generic.pak!cobra
AntiVir:              TR/Inject.fmkj.4
McAfee-GW-Edition:    Artemis!53E6B2C53993
Emsisoft:             Trojan.Generic.9225695 (B)
GData:                Trojan.Generic.9225695
Commtouch:            W32/GenBl.53E6B2C5!Olympus
Ikarus:               Trojan-PWS.Win32.Skyper
Fortinet:             W32/Inject.FMKJ!tr
AVG:                  Generic8_c.AGMN
Panda:                Trj/CI.A

// Injection
Process: PID: 0x2b0  Image Name: lsass.exe

// registry:
HKEY_CURRENT_USER\Control Panel\Mouse
HKEY_CURRENT_USER\Software\AutoIt v3\AutoIt
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{20D04FE0-3AEA-1069-A2D8-08002B30309D}
HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{475c7950-e3d2-11e0-8d7a-806d6172696f}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{475c7952-e3d2-11e0-8d7a-806d6172696f}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{475c7952-e3d2-11e0-8d7a-806d6172696f}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{475c7950-e3d2-11e0-8d7a-806d6172696f}\
HKEY_CLASSES_ROOT\Drive\shellex\FolderExtensions
HKEY_CLASSES_ROOT\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}
HKEY_CLASSES_ROOT\Directory
HKEY_CLASSES_ROOT\Directory\CurVer
HKEY_CLASSES_ROOT\Directory\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HKEY_CLASSES_ROOT\Directory\\ShellEx\IconHandler
HKEY_CLASSES_ROOT\Directory\\Clsid
HKEY_CLASSES_ROOT\Folder
HKEY_CLASSES_ROOT\Folder\Clsid
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.
HKEY_CLASSES_ROOT\.
HKEY_CLASSES_ROOT\SystemFileAssociations\.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\IMM
HKEY_CURRENT_USER\SOFTWARE\Microsoft\CTF
HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\SystemShared

// secondary mount point drive detected..
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a1094da8-30a0-11dd-817b-806d6172696f}\
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a1094daa-30a0-11dd-817b-806d6172696f}\

// files:
// drives...
IDE#CdRomVBOX_CD-ROM_____________________________1.0_____#42562d3231303037333036372020202020202020#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
MountPointManager
STORAGE#Volume#1&30a96598&0&Signature32B832B7Offset7E00Length27F4DB200#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

// noted...
C:\WINDOWS\system32\msctfime.ime

// here come the "floods.."
// mutex
CTF.TimListCache.FMPDefaultS-1-5-21-1547161642-507921405-839522115-1004MUTEX.DefaultS-1-5-21-1547161642-507921405-839522115-1004
ShimCacheMutex
(both are standard Windows mutexes, the CTF text-services cache and the application-compatibility shim cache; neither is specific to this sample)

// Networking
Attempt (FAILED) to connect to host IP 37.0.122.139 via an FTP connection.

ASN    | Prefix        | ASName  | CN                 | Domain         | ISP of the IP address
198310 | 37.0.120.0/21 | PALLADA | Russian Federation | PW-SERVICE.COM | PALLADA WEB SERVICE LLC

--- #MalwareMustDie!