Submission Summary:

What's been foundSeverity Level
Downloads/requests other files from Internet.
Modifies some system settings that may have negative impact on overall system security state.
Creates a startup registry entry.
Contains characteristics of an identified security risk.

 

Technical Details:

 

Possible Security Risk

Security RiskDescription
Adware.Agent.ZO Adware.Agent.ZO lowers some IE security settings and downloads RogueAntiSpyware without user's permission.

Threat CategoryDescription
A malicious backdoor trojan that runs in the background and allows remote access to the compromised system
A hacktool that could be used by attackers to break into a system

 

File System Modifications

#Filename(s)File SizeFile HashAlias
1 %System%\braviax.exe 11,264 bytes MD5: 0xE4A9B23CE5BF4F414D9C807E8CD78BF8
SHA-1: 0xC52E807E9D2C21E261D5B24C57661F083D97AC8E
Packed.Generic.233 [Symantec]
Generic Dropper.ke [McAfee]
Mal/Generic-A [Sophos]
2 %System%\dllcache\beep.sys
%System%\dllcache\figaro.sys
29,184 bytes MD5: 0x72F2B322821A968F6D62C4198434E317
SHA-1: 0xA9340797C830EADD9504EC82B7B1F824E1004B02
Hacktool.Rootkit [Symantec]
Backdoor.Win32.UltimateDefender.igv [Kaspersky Lab]
FakeAlert-C.dr [McAfee]
Mal/FakeAle-C [Sophos]
VirTool:WinNT/Xantvi.gen!A [Microsoft]
Backdoor.Win32.UltimateDefender [Ikarus]
3 [file and pathname of the sample #1] 50,176 bytes MD5: 0x8329E3F0549F76940AC4990C7383C5DB
SHA-1: 0x226F7E6DC2D96186F1C37117EE931DAFF43121A8
Packed.Generic.233 [Symantec]
Generic Dropper.ke [McAfee]
Mal/EncPk-IF [Sophos]

 

Memory Modifications

Process NameProcess FilenameMain Module Size
braviax.exe%System%\braviax.exe49,152 bytes
[filename of the sample #1][file and pathname of the sample #1]81,920 bytes

 

Registry Modifications

 

Other details

URL to be downloadedFilename for the downloaded bits
http://koliopewaqs.com/j1rb0Vh9iL7fMJ0I3G2li3CQ%System%\wisdstr.exe
http://kasonkertub.com/uB1Tt0gkK9/H7W0vtf3lTZ2pg3U%System%\wisdstr.exe
http://tahulavumbak.com/yow1K0tO9CQf7Ct0ZEf3u2G3x%System%\wisdstr.exe
http://afedovascevo.com/cG1cW0tTu9wE7E/0T3xZ2P3g%System%\wisdstr.exe
http://rdafervacex.com/BOa1Qug0Slv9uHs7F0Van3Dq2t3kjC%System%\wisdstr.exe
http://buhervadoska.com/O1CpH0Ka9XR7h0qKx3Xg2Pgv3dH%System%\wisdstr.exe
http://lionglervoa.com/jyU1J0Kx9VuN7VQ0q3sW2f3l%System%\wisdstr.exe
http://elxolionave.com/l/1pz0BBE9Z7Ol0jNy3oNj2R3MbZ%System%\wisdstr.exe
http://nuliborkawer.com/Zj1AnI0Nu9nFL7Fo0s/3UUb2VGN3Ba%System%\wisdstr.exe

 

 

Downloaded File Summary:

What's been foundSeverity Level
Downloads/requests other files from Internet.
Contains characteristics of an identified security risk.

 

Technical Details:

 

Possible Security Risk

Threat CategoryDescription
A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment

 

File System Modifications

#Filename(s)File SizeFile HashAlias
1 [file and pathname of the sample #1] 191,159 bytes MD5: 0x028E0AB8E9AF7D9D4B350BE552ED1AAD
SHA-1: 0xB9D9B70463098E39B1E843BB1B6B582C5DF9D3B7
Trojan.Win32.FraudPack.rcj [Kaspersky Lab]
FakeAlert-XPSecCenter [McAfee]
TrojanDownloader:Win32/FakeRean [Microsoft]
Trojan-Downloader.Win32.FakeRean [Ikarus]

 

Other details

URL to be downloadedFilename for the downloaded bits
http://uiskddcuiretog.com/files/pca21/(1).(t)%Temp%\tmpwr2
http://uiskddcuiretog.com/files/(AVE).(t)%Temp%\tmpwr3
http://uiskddcuiretog.com/files/(Add).(t)%Temp%\tmpwr4
http://uiskddcuiretog.com/files/pca21/(GUI).(t)%Temp%\tmpwr5
http://uiskddcuiretog.com/files/(SC).(t)%Temp%\tmpwr6
http://uiskddcuiretog.com/files/(Upd).(t)%Temp%\tmpwr7

 

 

Downloaded File Summary (Generation #2):

 

Technical Details:

 

File System Modifications

#Filename(s)File SizeFile Hash
1 [file and pathname of the sample #1] 580,212 bytes MD5: 0xA2FFDA303D57537F723444B67169BADD
SHA-1: 0x750C1A57FDEBDE5002F3640252445B2DA34A6A30
2 [file and pathname of the sample #2] 265,332 bytes MD5: 0xC4DA69DA4B6621A9A6BF32BAB9D447EF
SHA-1: 0x96E98629A19C0DBADBC1A808E032E46367829DF7
3 [file and pathname of the sample #3] 452,100 bytes MD5: 0xF2BAF71285FFB06EB36414CD3DAD6FA6
SHA-1: 0xEF106F40748A1115E166FA05C9843718878B4EDC
4 [file and pathname of the sample #4] 665,956 bytes MD5: 0x7DE2F0DC2D313FE1B875F35D97E442D0
SHA-1: 0x5622A01673E2DFB5167C57CA9AE6EA31FC469755
5 [file and pathname of the sample #5] 179,988 bytes MD5: 0xE1BE838E4A06D9F1EDFC0F06CC798555
SHA-1: 0x84BFF5A35EB963D6D00B2C7797CF473DFC2462F7
6 [file and pathname of the sample #6] 1,088,644 bytes MD5: 0xBAA86A04A5FBBAE76D09A8431E772D8B
SHA-1: 0x2B8904DF6AA39318622A813F5F4142322C537534

 

 

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.

Copyright © 2014 ThreatExpert. All rights reserved.