Submission Summary:

| What's been found | Severity Level |
|---|---|
| Downloads/requests other files from the Internet. | |
| Creates a startup registry entry. | |
| Contains characteristics of an identified security risk. | |

Technical Details:

Possible Security Risk

| Threat Category | Description |
|---|---|
| | A malicious trojan horse or bot that may represent a security risk for the compromised system and/or its network environment |
| | A potentially unwanted adware program designed to deliver various advertisements to the users' systems |

File System Modifications

| # | Filename(s) | File Size | File Hash | Alias |
|---|---|---|---|---|
| 1 | %AppData%\cgdf.bat | 160 bytes | MD5: 0x90B06FDDC74E909DA545935B6A6CE9EA; SHA-1: 0x5AE4ADB50B7AF5583A5AAA1F5D6032F8C04525BD | (not available) |
| 2 | %AppData%\palladium.exe; %AppData%\z.exe | 573,952 bytes | MD5: 0x16DEF7D8087CD5FBF8F2F6E75AF8260E; SHA-1: 0xD1FE4A7144D1DF63F35B14373BB09B6DFF47893A | Adware.Lop [Symantec]; Trojan.Win32.FakeAV.zur [Kaspersky Lab]; FakeAlert-PJ [McAfee]; Mal/FakeAV-FX [Sophos]; Trojan.Win32.FakeAV [Ikarus] |
| 3 | %AppData%\uid_pal | 8 bytes | MD5: 0x5E44BB13EF09717F409AC6CC8F66F2B7; SHA-1: 0x9A2AACD270496DEAF812E5F84085AE589D4CA222 | (not available) |
| 4 | [file and pathname of the sample #1] | 821,248 bytes | MD5: 0x2FDF6FBF11D82DA9A9DCD427C35A900C; SHA-1: 0x083098B50F02B41D5216F558D911F6FCD652BE13 | Trojan.Gen [Symantec]; Trojan.Win32.Scar.djhc [Kaspersky Lab]; FakeAlert-PJ [McAfee]; Trojan-Dropper.Win32.FakePAV [Ikarus] |
| 5 | %Windir%\Tasks\At1.job | 396 bytes | MD5: 0xD77CE6CFBFA5C52E09638F3589A33CB5; SHA-1: 0x735EE734DE57FEB20A41B75B969EAF172DCE0CA5 | (not available) |
| 6 | %Windir%\Tasks\At10.job | 396 bytes | MD5: 0x48282454B2FA7609B0CFA6FCF23B7058; SHA-1: 0xFB8F4F06E49D2DC61F342F90DACB881826F2F47F | (not available) |
| 7 | %Windir%\Tasks\At11.job | 396 bytes | MD5: 0xE269A9D71FF286B44372930FF27DAE40; SHA-1: 0xCB7D7BAD7BE68BE9503FCC973AFEC9825685C2E9 | (not available) |
| 8 | %Windir%\Tasks\At12.job | 396 bytes | MD5: 0x96B7E556949FD57CB9477866EC320611; SHA-1: 0x02C16B23C8009554D99F6101E29FD7AA2923807C | (not available) |
| 9 | %Windir%\Tasks\At13.job | 396 bytes | MD5: 0x430C9E9C3719B13D8864EEED443D7B47; SHA-1: 0xF82982B669E13FE442F6F1A22BAFE3DB11CB21A1 | (not available) |
| 10 | %Windir%\Tasks\At14.job | 396 bytes | MD5: 0xB2FE86A3FE09D3F5AECD0FBF2BC6A24F; SHA-1: 0xC79A3371DD8B3AC7A48F63AF8B6F46F5134CAC92 | (not available) |
| 11 | %Windir%\Tasks\At15.job | 396 bytes | MD5: 0xE13EEED8A509F03FC9BF7AD9C5913E81; SHA-1: 0xD67E11ADCEB8EA8DF64A6496C1C94D93EF9D1643 | (not available) |
| 12 | %Windir%\Tasks\At16.job | 396 bytes | MD5: 0xD220BDF10CEE62AF8F019F5F4312F7A6; SHA-1: 0xF9A3AE40823D1F478D379D99CFA0B1A5C4FF8611 | (not available) |
| 13 | %Windir%\Tasks\At17.job | 396 bytes | MD5: 0x302BE7FBD3A6954BE9F6C39F9C29CEAE; SHA-1: 0xBD73869A3D0C026D455C41493C1F33D797C5AEAC | (not available) |
| 14 | %Windir%\Tasks\At18.job | 396 bytes | MD5: 0x442527C9FC49B6372FF67AEAA04E3A01; SHA-1: 0xF3CBCB67562D6E3E8910E6A8EEF9FD613CBE55F0 | (not available) |
| 15 | %Windir%\Tasks\At19.job | 396 bytes | MD5: 0x08DF336412B036A2B21F52D04C0BA99E; SHA-1: 0xCD93FA6141EC677F9CD9010FF033AA076C68B11C | (not available) |
| 16 | %Windir%\Tasks\At2.job | 396 bytes | MD5: 0x51322F5C484DF566CF77A1D3686E8A15; SHA-1: 0x85B782E57693FA3B26C2F64D558E8F5EFA82FCA1 | (not available) |
| 17 | %Windir%\Tasks\At20.job | 396 bytes | MD5: 0xC81EB46D621FD4E97E2E1FDD429D289F; SHA-1: 0x32E6E44214FAC2C04CFF94AA5D85B433C072F3DC | (not available) |
| 18 | %Windir%\Tasks\At21.job | 396 bytes | MD5: 0x2A6D5165AF9623CCDD963C59BB1336D5; SHA-1: 0xCAB9EFB811A3F465A831DD69ED523D448C05B64D | (not available) |
| 19 | %Windir%\Tasks\At22.job | 396 bytes | MD5: 0xBDB536D7888B599301C03F3558074F21; SHA-1: 0x446F436252AAD2B1F693F09308781E325AD75027 | (not available) |
| 20 | %Windir%\Tasks\At23.job | 396 bytes | MD5: 0x1528F9BDF4018D88EE2202579873E199; SHA-1: 0x8DE32DCAC8632F0DB980D6B621E666216CB86EEC | (not available) |
| 21 | %Windir%\Tasks\At24.job | 396 bytes | MD5: 0x5BC2604C9318D2974D423EFEA00361AB; SHA-1: 0x46CE724F90925B18EC55DBF637595CA970172D70 | (not available) |
| 22 | %Windir%\Tasks\At3.job | 396 bytes | MD5: 0x5FB65C6C6DBB8589A068333DED25DA47; SHA-1: 0xE1B4AB61FF55446837B6A6C06C71B67E03FA14AA | (not available) |
| 23 | %Windir%\Tasks\At4.job | 396 bytes | MD5: 0x05F579989200DE9A5ACDEAA3688AA222; SHA-1: 0x6E5303502090AF31E892803E421415B9BBF6682F | (not available) |
| 24 | %Windir%\Tasks\At5.job | 396 bytes | MD5: 0xEF8D4576A5B60A7229CACB6D6B55EF6A; SHA-1: 0x5910794A8468B5CDBDDFCDF96A16FE58AA37DDC4 | (not available) |
| 25 | %Windir%\Tasks\At6.job | 396 bytes | MD5: 0xFF9FB558EFFF5E46B033E27C01B3E508; SHA-1: 0x2816CCA758771F727E514D68E0C9B823A83FDD2D | (not available) |
| 26 | %Windir%\Tasks\At7.job | 396 bytes | MD5: 0xFD40B8E909E6CDB299549F45041FE401; SHA-1: 0xA0C68CE4D40ABAD8C3CA5C7AF7883C6DEDBEAD89 | (not available) |
| 27 | %Windir%\Tasks\At8.job | 396 bytes | MD5: 0xA48D525A0A706CC6450AFFC80FE25868; SHA-1: 0x03C37A78A956FA7CFC2001312166DA6CC2AB6C46 | (not available) |
| 28 | %Windir%\Tasks\At9.job | 396 bytes | MD5: 0x4DF253A430BB54795DDF9B40EFBE7A6B; SHA-1: 0x5C6CC3FA73A04DDDF30148C65D17AAB57DF6237C | (not available) |

Memory Modifications

| Process Name | Process Filename | Main Module Size |
|---|---|---|
| z.exe | %AppData%\z.exe | 4,378,624 bytes |
| palladium.exe | %AppData%\palladium.exe | 4,378,624 bytes |
| [filename of the sample #1] | [file and pathname of the sample #1] | 1,204,224 bytes |

Registry Modifications

Other details

Russian Federation

| Server Name | Server Port | Connect as User | Connection Password |
|---|---|---|---|
| rerererererere.com | 80 | (null) | (null) |

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

Copyright © 2018 ThreatExpert. All rights reserved.