Analysis Report:
##############
File: 1.exe
Size: 1033728
MD5: 19AB525B9AF6CBB40F428115E8148522
Virus Found: Trojan.Dropper (Symantec), Win32/Heur (AVG), TR/Crypt.FKM.Gen (AntiVir), Mal/EncPk-EE (Sophos)
On the VirusTotal website, only 20 out of 40 AV detected it (details).
Summary:
=======
The Trojan will modify the PCIDump service, add several .sys files such as acpiec.sys into your C:\Windows\system32 folder. It will also copy itself and add a autorun.inf to C:\. It will also copy phpi.dll into C:\Windows folder.
It changes the Hosts file and try to connect to www.cvbasefwdase.cn via HTTP to download other files. Likely to be trying to download more malicious payload.
Techincal Details:
################
Registry keys added:
==============
HKLM\SOFTWARE\Microsoft\ESENT\Process\ipconfig
HKLM\SOFTWARE\Microsoft\ESENT\Process\ipconfig\DEBUG
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_PCIDUMP
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_PCIDUMP\0000
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_PCIDUMP\0000\Control
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_UPDATEDATA
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_UPDATEDATA\0000
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_UPDATEDATA\0000\Control
HKLM\SYSTEM\ControlSet001\Services\pcidump
HKLM\SYSTEM\ControlSet001\Services\pcidump\Security
HKLM\SYSTEM\ControlSet001\Services\pcidump\Enum
HKLM\SYSTEM\ControlSet001\Services\UPDATEDATA
HKLM\SYSTEM\ControlSet001\Services\UPDATEDATA\Security
HKLM\SYSTEM\ControlSet001\Services\UPDATEDATA\Enum
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCIDUMP
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCIDUMP\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCIDUMP\0000\Control
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_UPDATEDATA
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_UPDATEDATA\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_UPDATEDATA\0000\Control
HKLM\SYSTEM\CurrentControlSet\Services\pcidump
HKLM\SYSTEM\CurrentControlSet\Services\pcidump\Security
HKLM\SYSTEM\CurrentControlSet\Services\pcidump\Enum
HKLM\SYSTEM\CurrentControlSet\Services\UPDATEDATA
HKLM\SYSTEM\CurrentControlSet\Services\UPDATEDATA\Security
HKLM\SYSTEM\CurrentControlSet\Services\UPDATEDATA\Enum
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell
Registry keys deleted:
==============
HKLM\SYSTEM\ControlSet001\Services\PCIDump
HKLM\SYSTEM\CurrentControlSet\Services\PCIDump
Registry values added:
===============
HKLM\SOFTWARE\Microsoft\ESENT\Process\ipconfig\DEBUG\Trace Level: ""
HKLM\SYSTEM\ControlSet001\Control\Session Manager\PendingFileRenameOperations: 5C 3F 3F 5C 63 3A 5C 77 69 6E 64 6F 77 73 5C 73 79 73 74 65 6D 33 32 5C 64 72 69 76 65 72 73 5C 4F 4C 44 35 2E 74 6D 70 00 00 00
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_PCIDUMP\0000\Control\*NewlyCreated*: 0x00000000
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_PCIDUMP\0000\Control\ActiveService: "pcidump"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_PCIDUMP\0000\Service: "pcidump"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_PCIDUMP\0000\Legacy: 0x00000001
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_PCIDUMP\0000\ConfigFlags: 0x00000000
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_PCIDUMP\0000\Class: "LegacyDriver"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_PCIDUMP\0000\ClassGUID: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_PCIDUMP\0000\DeviceDesc: "pcidump"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_PCIDUMP\NextInstance: 0x00000001
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_UPDATEDATA\0000\Control\*NewlyCreated*: 0x00000000
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_UPDATEDATA\0000\Control\ActiveService: "UPDATEDATA"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_UPDATEDATA\0000\Service: "UPDATEDATA"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_UPDATEDATA\0000\Legacy: 0x00000001
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_UPDATEDATA\0000\ConfigFlags: 0x00000000
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_UPDATEDATA\0000\Class: "LegacyDriver"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_UPDATEDATA\0000\ClassGUID: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_UPDATEDATA\0000\DeviceDesc: "UPDATEDATA"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_UPDATEDATA\NextInstance: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\kmixer\Enum\0: "SW\{b7eafdc0-a680-11d0-96d8-00aa0051e51d}\{9B365890-165F-11D0-A195-0020AFD156E4}"
HKLM\SYSTEM\ControlSet001\Services\pcidump\Enum\0: "Root\LEGACY_PCIDUMP\0000"
HKLM\SYSTEM\ControlSet001\Services\pcidump\Enum\Count: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\pcidump\Enum\NextInstance: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\pcidump\Security\Security: 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00
HKLM\SYSTEM\ControlSet001\Services\pcidump\Type: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\pcidump\Start: 0x00000003
HKLM\SYSTEM\ControlSet001\Services\pcidump\ErrorControl: 0x00000000
HKLM\SYSTEM\ControlSet001\Services\pcidump\ImagePath: "System32\DRIVERS\pcidump.sys"
HKLM\SYSTEM\ControlSet001\Services\pcidump\DisplayName: "pcidump"
HKLM\SYSTEM\ControlSet001\Services\UPDATEDATA\Enum\0: "Root\LEGACY_UPDATEDATA\0000"
HKLM\SYSTEM\ControlSet001\Services\UPDATEDATA\Enum\Count: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\UPDATEDATA\Enum\NextInstance: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\UPDATEDATA\Security\Security: 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00
HKLM\SYSTEM\ControlSet001\Services\UPDATEDATA\Type: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\UPDATEDATA\Start: 0x00000003
HKLM\SYSTEM\ControlSet001\Services\UPDATEDATA\ErrorControl: 0x00000000
HKLM\SYSTEM\ControlSet001\Services\UPDATEDATA\ImagePath: "\??\C:\WINDOWS\system32\drivers\acpiec.sys"
HKLM\SYSTEM\ControlSet001\Services\UPDATEDATA\DisplayName: "UPDATEDATA"
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations: 5C 3F 3F 5C 63 3A 5C 77 69 6E 64 6F 77 73 5C 73 79 73 74 65 6D 33 32 5C 64 72 69 76 65 72 73 5C 4F 4C 44 35 2E 74 6D 70 00 00 00
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCIDUMP\0000\Control\*NewlyCreated*: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCIDUMP\0000\Control\ActiveService: "pcidump"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCIDUMP\0000\Service: "pcidump"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCIDUMP\0000\Legacy: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCIDUMP\0000\ConfigFlags: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCIDUMP\0000\Class: "LegacyDriver"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCIDUMP\0000\ClassGUID: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCIDUMP\0000\DeviceDesc: "pcidump"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCIDUMP\NextInstance: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_UPDATEDATA\0000\Control\*NewlyCreated*: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_UPDATEDATA\0000\Control\ActiveService: "UPDATEDATA"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_UPDATEDATA\0000\Service: "UPDATEDATA"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_UPDATEDATA\0000\Legacy: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_UPDATEDATA\0000\ConfigFlags: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_UPDATEDATA\0000\Class: "LegacyDriver"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_UPDATEDATA\0000\ClassGUID: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_UPDATEDATA\0000\DeviceDesc: "UPDATEDATA"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_UPDATEDATA\NextInstance: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\kmixer\Enum\0: "SW\{b7eafdc0-a680-11d0-96d8-00aa0051e51d}\{9B365890-165F-11D0-A195-0020AFD156E4}"
HKLM\SYSTEM\CurrentControlSet\Services\pcidump\Enum\0: "Root\LEGACY_PCIDUMP\0000"
HKLM\SYSTEM\CurrentControlSet\Services\pcidump\Enum\Count: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\pcidump\Enum\NextInstance: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\pcidump\Security\Security: 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00
HKLM\SYSTEM\CurrentControlSet\Services\pcidump\Type: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\pcidump\Start: 0x00000003
HKLM\SYSTEM\CurrentControlSet\Services\pcidump\ErrorControl: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Services\pcidump\ImagePath: "System32\DRIVERS\pcidump.sys"
HKLM\SYSTEM\CurrentControlSet\Services\pcidump\DisplayName: "pcidump"
HKLM\SYSTEM\CurrentControlSet\Services\UPDATEDATA\Enum\0: "Root\LEGACY_UPDATEDATA\0000"
HKLM\SYSTEM\CurrentControlSet\Services\UPDATEDATA\Enum\Count: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\UPDATEDATA\Enum\NextInstance: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\UPDATEDATA\Security\Security: 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00
HKLM\SYSTEM\CurrentControlSet\Services\UPDATEDATA\Type: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\UPDATEDATA\Start: 0x00000003
HKLM\SYSTEM\CurrentControlSet\Services\UPDATEDATA\ErrorControl: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Services\UPDATEDATA\ImagePath: "\??\C:\WINDOWS\system32\drivers\acpiec.sys"
HKLM\SYSTEM\CurrentControlSet\Services\UPDATEDATA\DisplayName: "UPDATEDATA"
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\Bjare\Qrfxgbc\1.rkr: 09 00 00 00 06 00 00 00 F0 8C 78 3B 88 E9 C9 01
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\FolderType: "MyDocuments"
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\@shell32.dll,-12691: "My Recent Documents"
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Documents and Settings\Owner\Desktop\1.exe: "Microsoft ???????"
Registry values deleted:
================
HKLM\SYSTEM\ControlSet001\Services\PCIDump\ErrorControl: 0x00000000
HKLM\SYSTEM\ControlSet001\Services\PCIDump\Group: "PCI Configuration"
HKLM\SYSTEM\ControlSet001\Services\PCIDump\Start: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\PCIDump\Tag: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\PCIDump\Type: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\PCIDump\ErrorControl: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Services\PCIDump\Group: "PCI Configuration"
HKLM\SYSTEM\CurrentControlSet\Services\PCIDump\Start: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\PCIDump\Tag: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\PCIDump\Type: 0x00000001
Registry values modified:
=================
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed: C9 5A 15 C4 25 28 78 C3 EA 94 2F FD E9 49 6F 86 00 EA EC 29 33 E7 A4 37 AE D9 53 A6 3F 7C 0F 9B 7C B4 0C C8 B7 B8 C6 6C 07 CD 75 47 55 88 CC E0 E4 31 36 49 C8 36 EC C6 A7 CD 6C 87 BB 2A 41 42 B9 55 42 B9 53 0C FE 7F 17 BA 4B E4 32 E0 33 4D
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed: 72 0B C5 74 CD 96 F6 DF 3D 2D 96 32 0A 0B CE ED 24 AA AA E6 4B 52 CE B7 C5 99 30 82 1D 4B 31 65 A0 C0 4F 8B B2 E5 FE 0B BE EF A8 61 B8 FD 4B 5C C6 59 F8 9B 2E E8 7C B8 AF 3C EE 3E 34 74 23 78 5D DC 0E E7 05 99 3D D5 4B A3 48 5B 66 6C 8E 38
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesProcessed: 0x00000006
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesProcessed: 0x00000014
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesSuccessful: 0x00000002
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesSuccessful: 0x0000000A
HKLM\SYSTEM\ControlSet001\Services\Eventlog\Application\ESENT\EventMessageFile: "c:\windows\system32\ESENT.dll"
HKLM\SYSTEM\ControlSet001\Services\Eventlog\Application\ESENT\EventMessageFile: "C:\WINDOWS\system32\ESENT.dll"
HKLM\SYSTEM\ControlSet001\Services\Eventlog\Application\ESENT\CategoryMessageFile: "c:\windows\system32\ESENT.dll"
HKLM\SYSTEM\ControlSet001\Services\Eventlog\Application\ESENT\CategoryMessageFile: "C:\WINDOWS\system32\ESENT.dll"
HKLM\SYSTEM\ControlSet001\Services\kmixer\Enum\Count: 0x00000000
HKLM\SYSTEM\ControlSet001\Services\kmixer\Enum\Count: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\kmixer\Enum\NextInstance: 0x00000000
HKLM\SYSTEM\ControlSet001\Services\kmixer\Enum\NextInstance: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application\ESENT\EventMessageFile: "c:\windows\system32\ESENT.dll"
HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application\ESENT\EventMessageFile: "C:\WINDOWS\system32\ESENT.dll"
HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application\ESENT\CategoryMessageFile: "c:\windows\system32\ESENT.dll"
HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application\ESENT\CategoryMessageFile: "C:\WINDOWS\system32\ESENT.dll"
HKLM\SYSTEM\CurrentControlSet\Services\kmixer\Enum\Count: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Services\kmixer\Enum\Count: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\kmixer\Enum\NextInstance: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Services\kmixer\Enum\NextInstance: 0x00000001
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_HVFPHG: 09 00 00 00 61 00 00 00 A0 22 D9 17 88 E9 C9 01
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_HVFPHG: 09 00 00 00 62 00 00 00 20 EB 67 3B 88 E9 C9 01
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU: 09 00 00 00 9E 00 00 00 40 D7 FC 17 88 E9 C9 01
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU: 09 00 00 00 9F 00 00 00 F0 8C 78 3B 88 E9 C9 01
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings: 46 00 00 00 31 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 B0 A8 11 EE B6 52 C9 01 01 00 00 00 C0 A8 EC 80 00 00 00 00 00 00 00 00 00 00 00 00
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings: 46 00 00 00 32 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 B0 A8 11 EE B6 52 C9 01 01 00 00 00 C0 A8 EC 80 00 00 00 00 00 00 00 00 00 00 00 00
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\MRUListEx: 00 00 00 00 01 00 00 00 03 00 00 00 07 00 00 00 05 00 00 00 06 00 00 00 04 00 00 00 02 00 00 00 FF FF FF FF
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\MRUListEx: 05 00 00 00 00 00 00 00 01 00 00 00 03 00 00 00 07 00 00 00 06 00 00 00 04 00 00 00 02 00 00 00 FF FF FF FF
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Sysinternals\Process Explorer\Windowplacement: 2C 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 FF FF FF FF FF FF FF FF CE 00 00 00 24 00 00 00 26 03 00 00 18 02 00 00
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Sysinternals\Process Explorer\Windowplacement: 2C 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 FF FF FF FF FF FF FF FF E6 00 00 00 37 00 00 00 3E 03 00 00 2B 02 00 00
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Sysinternals\Process Explorer\SymbolWarningShown: 0x00000000
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Sysinternals\Process Explorer\SymbolWarningShown: 0x00000001
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Sysinternals\Process Explorer\DefaultProcPropPage: 0x00000000
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Sysinternals\Process Explorer\DefaultProcPropPage: 0x00000006
Files added:
========
C:\WINDOWS\system32\CatRoot2\tmp.edb
C:\WINDOWS\system32\dllcache\acpiec.sys
C:\WINDOWS\system32\drivers\OLD5.tmp
C:\WINDOWS\system32\drivers\pcidump.sys
C:\WINDOWS\system32\func.dll
C:\WINDOWS\LastGood\system32\drivers\acpiec.sys
C:\WINDOWS\phpi.dll
C:\1.exe
C:\autorun.inf
Files modified:
==========
C:\Documents and Settings\Owner\Cookies\index.dat
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat
C:\Documents and Settings\Owner\ntuser.dat.LOG
C:\WINDOWS\Prefetch\CMD.EXE-087B4001.pf
C:\WINDOWS\setupapi.log
C:\WINDOWS\system32\CatRoot2\edb.chk
C:\WINDOWS\system32\CatRoot2\edb.log
C:\WINDOWS\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb
C:\WINDOWS\system32\config\default.LOG
C:\WINDOWS\system32\config\software.LOG
C:\WINDOWS\system32\config\system.LOG
C:\WINDOWS\system32\drivers\acpiec.sys
C:\WINDOWS\system32\drivers\etc\hosts
Folder added:
=========
C:\WINDOWS\LastGood
C:\WINDOWS\LastGood\system32
C:\WINDOWS\LastGood\system32\drivers
Other behaviours:
============
>System connecting to www.cvbasefwdase.cn:80
The following HTTP request found:
Get /new.txt HTTP/1.1
Accept: */*
UA-CPU: x86
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Host: www.cvbasefwdase.cn
Connection: Keep-Alive
>System listening on UDP as va9sdhun23.cn:1030
>Running "rundll32.exe" as a process
>Change the hosts file with the following entries:
127.0.0.1 v.onondown.com.cn
127.0.0.2 ymsdasdw1.cn
127.0.0.3 h96b.info
127.0.0.0 fuck.zttwp.cn
127.0.0.0 www.hackerbf.cn
127.0.0.0 geekbyfeng.cn
127.0.0.0 121.14.101.68
127.0.0.0 ppp.etimes888.com
127.0.0.0 www.bypk.com
127.0.0.0 CSC3-2004-crl.verisign.com
127.0.0.1 va9sdhun23.cn
127.0.0.0 udp.hjob123.com
127.0.0.2 bnasnd83nd.cn
127.0.0.0 www.gamehacker.com.cn
127.0.0.0 gamehacker.com.cn
127.0.0.3 adlaji.cn
127.0.0.1 858656.com
127.1.1.1 bnasnd83nd.cn
127.0.0.1 my123.com
127.0.0.0 user1.12-27.net
127.0.0.1 8749.com
127.0.0.0 fengent.cn
127.0.0.1 4199.com
127.0.0.1 user1.16-22.net
127.0.0.1 7379.com
127.0.0.1 2be37c5f.3f6e2cc5f0b.com
127.0.0.1 7255.com
127.0.0.1 user1.23-12.net
127.0.0.1 3448.com
127.0.0.1 www.guccia.net
127.0.0.1 7939.com
127.0.0.1 a.o1o1o1.nEt
127.0.0.1 8009.com
127.0.0.1 user1.12-73.cn
127.0.0.1 piaoxue.com
127.0.0.1 3n8nlasd.cn
127.0.0.1 kzdh.com
127.0.0.0 www.sony888.cn
127.0.0.1 about.blank.la
127.0.0.0 user1.asp-33.cn
127.0.0.1 6781.com
127.0.0.0 www.netkwek.cn
127.0.0.1 7322.com
127.0.0.0 ymsdkad6.cn
127.0.0.1 localhost
127.0.0.0 www.lkwueir.cn
127.0.0.1 06.jacai.com
127.0.1.1 user1.23-17.net
127.0.0.1 1.jopenkk.com
127.0.0.0 upa.luzhiai.net
127.0.0.1 1.jopenqc.com
127.0.0.0 www.guccia.net
127.0.0.1 1.joppnqq.com
127.0.0.0 4m9mnlmi.cn
127.0.0.1 1.xqhgm.com
127.0.0.0 mm119mkssd.cn
127.0.0.1 100.332233.com
127.0.0.0 61.128.171.115:8080
127.0.0.1 121.11.90.79
127.0.0.0 www.1119111.com
127.0.0.1 121565.net
127.0.0.0 win.nihao69.cn
127.0.0.1 125.90.88.38
127.0.0.1 16888.6to23.com
127.0.0.1 2.joppnqq.com
127.0.0.0 puc.lianxiac.net
127.0.0.1 204.177.92.68
127.0.0.0 pud.lianxiac.net
127.0.0.1 210.74.145.236
127.0.0.0 210.76.0.133
127.0.0.1 219.129.239.220
127.0.0.0 61.166.32.2
127.0.0.1 219.153.40.221
127.0.0.0 218.92.186.27
127.0.0.1 219.153.46.27
127.0.0.0 www.fsfsfag.cn
127.0.0.1 219.153.52.123
127.0.0.0 ovo.ovovov.cn
127.0.0.1 221.195.42.71
127.0.0.0 dw.com.com
127.0.0.1 222.73.218.115
127.0.0.1 203.110.168.233:80
127.0.0.1 3.joppnqq.com
127.0.0.1 203.110.168.221:80
127.0.0.1 363xx.com
127.0.0.1 www1.ip10086.com.cm
127.0.0.1 4199.com
127.0.0.1 blog.ip10086.com.cn
127.0.0.1 43242.com
127.0.0.1 www.ccji68.cn
127.0.0.1 5.xqhgm.com
127.0.0.0 t.myblank.cn
127.0.0.1 520.mm5208.com
127.0.0.0 x.myblank.cn
127.0.0.1 59.34.131.54
127.0.0.1 210.51.45.5
127.0.0.1 59.34.198.228
127.0.0.1 www.ew1q.cn
127.0.0.1 59.34.198.88
127.0.0.1 59.34.198.97
127.0.0.1 60.190.114.101
127.0.0.1 60.190.218.34
127.0.0.0 qq-xing.com.cn
127.0.0.1 60.191.124.252
127.0.0.1 61.145.117.212
127.0.0.1 61.157.109.222
127.0.0.1 75.126.3.216
127.0.0.1 75.126.3.217
127.0.0.1 75.126.3.218
127.0.0.0 59.125.231.177:17777
127.0.0.1 75.126.3.220
127.0.0.1 75.126.3.221
127.0.0.1 75.126.3.222
127.0.0.1 772630.com
127.0.0.1 832823.cn
127.0.0.1 8749.com
127.0.0.1 888.jopenqc.com
127.0.0.1 89382.cn
127.0.0.1 8v8.biz
127.0.0.1 97725.com
127.0.0.1 9gg.biz
127.0.0.1 www.9000music.com
127.0.0.1 test.591jx.com
127.0.0.1 a.topxxxx.cn
127.0.0.1 picon.chinaren.com
127.0.0.1 www.5566.net
127.0.0.1 p.qqkx.com
127.0.0.1 news.netandtv.com
127.0.0.1 z.neter888.cn
127.0.0.1 b.myblank.cn
127.0.0.1 wvw.wokutu.com
127.0.0.1 unionch.qyule.com
127.0.0.1 www.qyule.com
127.0.0.1 it.itjc.cn
127.0.0.1 www.linkwww.com
127.0.0.1 vod.kaicn.com
127.0.0.1 www.tx8688.com
127.0.0.1 b.neter888.cn
127.0.0.1 promote.huanqiu.com
127.0.0.1 www.huanqiu.com
127.0.0.1 www.haokanla.com
127.0.0.1 play.unionsky.cn
127.0.0.1 www.52v.com
127.0.0.1 www.gghka.cn
127.0.0.1 icon.ajiang.net
127.0.0.1 new.ete.cn
127.0.0.1 www.stiae.cn
127.0.0.1 o.neter888.cn
127.0.0.1 comm.jinti.com
127.0.0.1 www.google-analytics.com
127.0.0.1 hz.mmstat.com
127.0.0.1 www.game175.cn
127.0.0.1 x.neter888.cn
127.0.0.1 z.neter888.cn
127.0.0.1 p.etimes888.com
127.0.0.1 hx.etimes888.com
127.0.0.1 abc.qqkx.com
127.0.0.1 dm.popdm.cn
127.0.0.1 www.yl9999.com
127.0.0.1 www.dajiadoushe.cn
127.0.0.1 v.onondown.com.cn
127.0.0.1 www.interoo.net
127.0.0.1 bally1.bally-bally.net
127.0.0.1 www.bao5605509.cn
127.0.0.1 www.rty456.cn
127.0.0.1 www.werqwer.cn
127.0.0.1 1.360-1.cn
127.0.0.1 user1.23-16.net
127.0.0.1 www.guccia.net
127.0.0.1 www.interoo.net
127.0.0.1 upa.netsool.net
127.0.0.1 js.users.51.la
127.0.0.1 vip2.51.la
127.0.0.1 web.51.la
127.0.0.1 qq.gong2008.com
127.0.0.1 2008tl.copyip.com
127.0.0.1 tla.laozihuolaile.cn
127.0.0.1 www.tx6868.cn
127.0.0.1 p001.tiloaiai.com
127.0.0.1 s1.tl8tl.com
127.0.0.1 s1.gong2008.com
127.0.0.1 4b3ce56f9g.3f6e2cc5f0b.com
127.0.0.1 2be37c5f.3f6e2cc5f0b.com
interesting there. what method did you use to determine the registry added/modified/deleted?
ReplyDeleteThere are many malware analysis tools that can monitor registry changes. You can email me to discuss more on malware analysis.
ReplyDeleteThis is the excellent report i have never seen. Liked it.:)
ReplyDelete