ThreatExpert Report: Mal/Emogen-P, Trojan.Win32.Spy, Suspicious.MH690

Visit ThreatExpert web site

Close Report

Submission Summary:

Submission details:

Submission received: 7 September 2012, 09:51:46
Processing time: 8 min 39 sec
Submitted sample:

File MD5: 0xAACE33FEE201DB0DC7ECEB784FF33048
File SHA-1: 0x48142A035689A84CC804E589A9E1A0C4FFC6E4D8
Filesize: 141,312 bytes
Alias:

Mal/Emogen-P [Sophos]
Trojan.Win32.Spy [Ikarus]

Technical Details:

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%System%\fsrewy.bat	108 bytes	MD5: 0x67FC3FCA5DB3AAFA5EF64E2D034F584E SHA-1: 0x572E62F1F2331C3BCBA7ECA8B442E088C3F455C7	(not available)
2	[file and pathname of the sample #1]	141,312 bytes	MD5: 0xAACE33FEE201DB0DC7ECEB784FF33048 SHA-1: 0x48142A035689A84CC804E589A9E1A0C4FFC6E4D8	Mal/Emogen-P [Sophos] Trojan.Win32.Spy [Ikarus]

Note:

%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

The following directory was created:

%System%\soft

Memory Modifications

There was a new process created in the system:

Process Name	Process Filename	Main Module Size
[filename of the sample #1]	[file and pathname of the sample #1]	163,840 bytes

Registry Modifications

The following Registry Keys were created:

HKEY_CURRENT_USER\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}
HKEY_CURRENT_USER\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell
HKEY_CURRENT_USER\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage
HKEY_CURRENT_USER\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command]

(Default) = ""%ProgramFiles%\Internet Explorer\iexplore.exe" http://www.2345.com/?13654"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command]

(Default) = ""%ProgramFiles%\Internet Explorer\iexplore.exe" http://www.2345.com/?13654"

The following Registry Value was deleted:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command]

(Default) = ""%ProgramFiles%\Internet Explorer\iexplore.exe""

The following Registry Value was modified:

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]

Start Page =

Other details

Analysis of the file resources indicate the following possible country of origin:

China

To mark the presence in the system, the following Mutex objects were created:

gheifsrewymhjka
_!SHMSFTHISTORY!_

The following Host Name was requested from a host database:

192.5.5.241

There was registered attempt to establish connection with the remote host. The connection details are:

Remote Host	Port Number
192.5.5.241	1033

The following Internet Connection was established:

Server Name	Server Port	Connect as User	Connection Password
www.2345.com	80	(null)	(null)

The following GET requests were made:

?13654
index.jpg

The following Internet downloads were started (the retrieved bits are saved into the local file):

URL to be downloaded	Filename for the downloaded bits
http://down3.xzskycn.com/down/GGSafe_tjywmax(52).exe	%System%\soft\GGSafe_tjywmax(52).exe
http://download.2345.cn/silence/2345Explorer_233302_silence.exe	%System%\soft\2345Explorer_233301_silence.exe
http://download.haozip.com/uniondown/haozip_silence.205508.exe	%System%\soft\haozip_silence.205508.exe
http://dl.9365.info/dls/ccdmore.exe	%System%\ccdmore.exe

Downloaded File Summary:

Download details:

Download retrieved: 7 September 2012 10:00:26
Processing time: 9 min 57 sec
Downloaded sample #1:

File MD5: 0xEADD3E66D9D78AD8984B47D55CB2A0C5
File SHA-1: 0x6DCCDD2965DCF42851101815995CF3F467106C32
Filesize: 157,776 bytes
Alias & packer info:

Suspicious.MH690 [Symantec]
packed with: UPX [Kaspersky Lab]

Downloaded sample #2:

File MD5: 0x9662577168F887BD2ECBDDCE71A34486
File SHA-1: 0x1E9CECD9D30CF69C42105C0B7C15E70EDC0A4C51
Filesize: 5,105,304 bytes

Downloaded sample #3:

File MD5: 0x7AD85CB25AB8F00F0E306FF8F511BF73
File SHA-1: 0x0730807A1765713641EEBD4F332AFC10D69297B4
Filesize: 3,897,846 bytes

Technical Details:

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	[file and pathname of the sample #1]	157,776 bytes	MD5: 0xEADD3E66D9D78AD8984B47D55CB2A0C5 SHA-1: 0x6DCCDD2965DCF42851101815995CF3F467106C32	Suspicious.MH690 [Symantec] packed with UPX [Kaspersky Lab]
2	[file and pathname of the sample #2]	5,105,304 bytes	MD5: 0x9662577168F887BD2ECBDDCE71A34486 SHA-1: 0x1E9CECD9D30CF69C42105C0B7C15E70EDC0A4C51	(not available)
3	[file and pathname of the sample #3]	3,897,846 bytes	MD5: 0x7AD85CB25AB8F00F0E306FF8F511BF73 SHA-1: 0x0730807A1765713641EEBD4F332AFC10D69297B4	(not available)

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
[filename of the sample #1]	[file and pathname of the sample #1]	651,264 bytes
[filename of the sample #2]	[file and pathname of the sample #2]	397,312 bytes
[filename of the sample #3]	[file and pathname of the sample #3]	573,440 bytes

Other details

Analysis of the file resources indicate the following possible country of origin:

China

To mark the presence in the system, the following Mutex objects were created:

The following Host Names were requested from a host database:

bbs.ggsafe.com
wt.ggsafe.com

The data identified by the following URL was then requested from the remote web server:

http://bbs.ggsafe.com/download/ggsetup.php?checkmalicious=0&version=????9

Downloaded Files Summary (Generation #2):

Download details:

Download retrieved: 7 September 2012 10:10:23
Processing time: 14 min 40 sec
Downloaded sample:

File MD5: 0x454B79E045D561382030C47E0F5F58D0
File SHA-1: 0x58BC0803D6D5253A6949B023AA4D553582F67582
Filesize: 8,980,776 bytes

Technical Details:

The new window was created, as shown below:

NOTICE: The content shown in the above window is captured automatically and is not controlled or endorsed by ThreatExpert.
Please contact us on this link should any material be offensive or inappropriate and we will ensure any such content is blocked from future viewers of the report.

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%CommonAppData%\GGSafe\FileCloudCache.db %ProgramFiles%\Youan\GGSafe\Config\coopsoft.ini %ProgramFiles%\Youan\GGSafe\Config\ProtectNews.ini %ProgramFiles%\Youan\GGSafe\Config\RemoveProtect.ini %ProgramFiles%\Youan\GGSafe\Config\restart.ini %ProgramFiles%\Youan\GGSafe\Config\TrustSoft.ini %ProgramFiles%\Youan\GGSafe\Config\vernews.ini %ProgramFiles%\Youan\GGSafe\Config\webgametip.ini	0 bytes	MD5: 0xD41D8CD98F00B204E9800998ECF8427E SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709	(not available)
2	%CommonAppData%\GGSafe\Temp\tmp5.tmp	1,616,896 bytes	MD5: 0x96866559CB8A662375491413DE4A59EC SHA-1: 0xA82E7066FFEB5086F9E3431F164B152E0ABF2F15	(not available)
3	%CommonAppData%\GGSafe\Temp\tmp6.tmp	5,729,280 bytes	MD5: 0xE146DDF40421CDF10165CD6F4FCF3213 SHA-1: 0x952CC3227315F85FD96EA98A831481D901CC245D	(not available)
4	%CommonDesktopDir%\???.lnk	764 bytes	MD5: 0xB0508B2F5A7DEBB8C17B83435332057F SHA-1: 0x07F2138C5E99E259F2FCB639FB527468199969AC	(not available)
5	%CommonPrograms%\???????????\???.lnk	792 bytes	MD5: 0xC749F01C67EBF5F5697D6EAC9088A8E7 SHA-1: 0x266B9891CA623FA3143D5ECF8544D3D39CB38022	(not available)
6	%CommonPrograms%\???????????\??????.lnk	762 bytes	MD5: 0xF203D17CE8FBBAD0F4E77EAAEB362443 SHA-1: 0x4E6A8EEE118D59D8B22B78232849572BD6B0A3F0	(not available)
7	%CommonPrograms%\???????????\??????.lnk	750 bytes	MD5: 0x379E73C2FD5775970E2072491AE65454 SHA-1: 0x587A1A269B8DC51B292830684EB553D3FDBE7CB0	(not available)
8	%CommonStartMenu%\???.lnk	738 bytes	MD5: 0xFE9F070402EEC997051C5EF87C3EC224 SHA-1: 0x3A9344098AFF7ED69020B03412E4C337BA873600	(not available)
9	%Temp%\etilqs_OqEGZi6nIxb7y6m	1,028 bytes	MD5: 0x7B6101A189728203FD330D532AD67788 SHA-1: 0xCBB08A6F6B9398DC032E174F25D4917F91B35B6C	(not available)
10	%Temp%\etilqs_vg4qDzsnxdJh4SK	512 bytes	MD5: 0x1668578417743A40C31C45B6162CADCD SHA-1: 0x15C1B5F7390B9E2CD99B812563BC4D0E4BE35F71	(not available)
11	%ProgramFiles%\Youan\GGSafe\Config\cloud.ini	211 bytes	MD5: 0x9D3D3D59568D131F5267366DF004424A SHA-1: 0x200591BCB0B8CB4896C49D2F3CCD5ACCE8847A56	(not available)
12	%ProgramFiles%\Youan\GGSafe\Config\GameWall.ini	288 bytes	MD5: 0x8635A1B8C6D9A1FC463AA3E07005D010 SHA-1: 0xE2E233EBA2A025FD3F798949C607424308821722	(not available)
13	%ProgramFiles%\Youan\GGSafe\Config\GGError.txt	588 bytes	MD5: 0x5496B3F59A0FB799B23F303E04EE3B63 SHA-1: 0x4CAB416826EF12E01ACA56687CC53F6BE8B32757	(not available)
14	%ProgramFiles%\Youan\GGSafe\Config\updateinfo.ini	265 bytes	MD5: 0x6CADCA7E0AA00607E61A7C39F4788534 SHA-1: 0x920DB2E2E3C6C42865771DC1D2D4F6C4A8273297	(not available)
15	%ProgramFiles%\Youan\GGSafe\Config\webconfig.ini	937 bytes	MD5: 0x558F11014112AA22B8399FE52730B0FD SHA-1: 0xC550FC20AFFDB14B4086AC56311F7E2F84197916	(not available)
16	%ProgramFiles%\Youan\GGSafe\Config\wenhou.ini	989 bytes	MD5: 0x8DD4FE296D389C4AD0077574926C363B SHA-1: 0x3660B713765E229C4F89CFC3A7F966D9CAF186AC	(not available)
17	%ProgramFiles%\Youan\GGSafe\config.ini	176 bytes	MD5: 0xA698D048336BF66AE05DC91DEFAD2D70 SHA-1: 0xD67D7A2C618F852496F947014C5425840FAC35D6	(not available)
18	%ProgramFiles%\Youan\GGSafe\Data\banklist.db	13,312 bytes	MD5: 0x5205F8B1338FBB7D79E5E61985045338 SHA-1: 0xBB556C6EA2CF27A715BDA252FA5A27D63E671CBF	(not available)
19	%ProgramFiles%\Youan\GGSafe\Data\FileHash.db	807,230 bytes	MD5: 0xD30463E08E88802E2E61779A56131ED3 SHA-1: 0xD35819C759924E152138DABBAC7BB4302F30E057	(not available)
20	%ProgramFiles%\Youan\GGSafe\Data\funcstatistic.db	3,072 bytes	MD5: 0xA705F0CB3F1E359982301173AD893893 SHA-1: 0xD7192DA375AE437BBF0FB52DCE5E2F6E75FFFBD8	(not available)
21	%ProgramFiles%\Youan\GGSafe\Data\GGProSoft.db	117,760 bytes	MD5: 0xEE3DE8724C7096B04174FFB75ECAE703 SHA-1: 0xC57A512D167DCED4023F2A52297413211C9A245B	(not available)
22	%ProgramFiles%\Youan\GGSafe\Data\GGSafeSoft.db	7,168 bytes	MD5: 0xA5D2CA063FBB4FE12EDC360A7A91420C SHA-1: 0x2DE16FC191808A6D2C3A1245AC7430D0ABB76F10	(not available)
23	%ProgramFiles%\Youan\GGSafe\Data\GWTrustUrl.db	10,240 bytes	MD5: 0x58F66AE1A29778A75F0A0FED69B2B809 SHA-1: 0xAE480DDAE771943A5CD37EAA28A088AAC6AC2271	(not available)
24	%ProgramFiles%\Youan\GGSafe\Data\MalWeb.db	8,192 bytes	MD5: 0xA86EB64CD19026B61A798BBC5FADF2A1 SHA-1: 0xB631AEB176667591FB116C53CF333C486238C21E	(not available)
25	%ProgramFiles%\Youan\GGSafe\Data\minicloud.db	2,048 bytes	MD5: 0x2C5ACB4536D824005D11D88EEDE568E9 SHA-1: 0x7848A90C9D5CE29E5FCD6CA2E6D7D418755F4943	(not available)
26	%ProgramFiles%\Youan\GGSafe\Data\ProtectHistory.db	2,048 bytes	MD5: 0xF080604DE5DAA9E65291163B338A2622 SHA-1: 0x37CAB2B0BD5FA49DD0222C46BCE2E1FEBA5814B6	(not available)
27	%ProgramFiles%\Youan\GGSafe\Data\softver.db	71,680 bytes	MD5: 0x01037FA2E32CBD60BC1060B9AEEC27C9 SHA-1: 0x9F07079E32C443D7B1296A6477DFB31F7F813537	(not available)
28	%ProgramFiles%\Youan\GGSafe\Data\version.db	2,048 bytes	MD5: 0x6BC9E96FA62E5C755CDA71660FB0A350 SHA-1: 0xBE0AA28A53C169769CE18CD6101B634008525041	(not available)
29	%ProgramFiles%\Youan\GGSafe\DriverRule.bin	280 bytes	MD5: 0x4363015D1452AB2CC6874570DA8C4139 SHA-1: 0x360EE4313080456365D313B8AA7409CCA41D67F8	packed with Com100 [Kaspersky Lab]
30	%ProgramFiles%\Youan\GGSafe\FileRule.bin	1,140 bytes	MD5: 0x792A89DD793C8E3ECF7AB64431C2B93F SHA-1: 0x35C51A0109B22FA77C20B6A65385AC3D3CD30229	(not available)
31	%ProgramFiles%\Youan\GGSafe\GameWall.dll	1,055,880 bytes	MD5: 0xB532D25785C3A934A8F3486657766766 SHA-1: 0xD312DA0EDD764B900C0ACF6CDA73F69BAC167201	(not available)
32	%ProgramFiles%\Youan\GGSafe\GG.dat	890,797 bytes	MD5: 0x9D5E7E0EDE45600E07F22B716F73902F SHA-1: 0x13AA0AC9ACF0CA28208FFE0699E1D745D5335573	(not available)
33	%ProgramFiles%\Youan\GGSafe\GGLoader.dll	89,224 bytes	MD5: 0x205A054206DE3FEBE3FC8C183DF194CE SHA-1: 0xF9B68DA4E53C582C96E27C1545AEDC69756B208A	packed with UPX [Kaspersky Lab]
34	%ProgramFiles%\Youan\GGSafe\GGMIN.dat	154,622 bytes	MD5: 0xA6758B354B2847BFE55B41BAF6F39409 SHA-1: 0x1761EF0CF3B9F44C7DAD6ECE3A7957D23407379F	(not available)
35	%ProgramFiles%\Youan\GGSafe\GGSafe.exe	41,096 bytes	MD5: 0x8F785EE9C477C00109B829F0A1AF14DA SHA-1: 0xDB454B09DCA0424D382594E8688578CEF9E0FF26	(not available)
36	%ProgramFiles%\Youan\GGSafe\GGSafe.GG0	1,651,409 bytes	MD5: 0xE39F7E71E36AD1BA8AD274ECE57A327A SHA-1: 0xA37078023FB1FE1744FAA8855F2FDB726738B9B0	(not available)
37	%ProgramFiles%\Youan\GGSafe\GGSafe.sys	975,312 bytes	MD5: 0x421C7432DB43F60F8D00713E2BE82A0E SHA-1: 0xFBB60F172A92B68866CCA4D346D094B70DB6D644	(not available)
38	%ProgramFiles%\Youan\GGSafe\GGSafe64.sys	242,408 bytes	MD5: 0x528CA1DA31240BB71639B8F827FE89EA SHA-1: 0x723E1EEC8C7F3FB2E2620861B11857D7C0AE77C9	(not available)
39	%ProgramFiles%\Youan\GGSafe\GGSafeMon.dll	736,848 bytes	MD5: 0x42B7823BE40BFF509C411F156CAE95E8 SHA-1: 0xD347E57637FC0A4978E3117638580DE10113C261	(not available)
40	%ProgramFiles%\Youan\GGSafe\GGService.exe	33,928 bytes	MD5: 0xF9916261A9FCE558CDCDBC28111190BE SHA-1: 0x8EDF8742149D915F8D7E0D0F27342F04C1975DD2	(not available)
41	%ProgramFiles%\Youan\GGSafe\GGTray.exe	72,784 bytes	MD5: 0x47220A0F740CE46434FABDDF62F20CB7 SHA-1: 0xCEEA5E4C42E656CDA66CBB2A167E320217BFD0AF	packed with UPX [Kaspersky Lab]
42	%ProgramFiles%\Youan\GGSafe\GGUpdateDll.dll	187,984 bytes	MD5: 0x1D01DE31B93AE03ABE5CBF6900FFE700 SHA-1: 0xCBD115CCFB059AEC458D2421E791095A600A7E72	packed with UPX [Kaspersky Lab]
43	%ProgramFiles%\Youan\GGSafe\Image\authorize.bmp	2,104 bytes	MD5: 0x6DA82C4485872E6C9FE98DEA2FED7114 SHA-1: 0x401C0D4B831DD048E1AA2FB309F3C42A35182D4D	(not available)
44	%ProgramFiles%\Youan\GGSafe\Image\e-onlinedata.bmp	2,104 bytes	MD5: 0x6185D5110364F0FC7D5C03B30A7665E3 SHA-1: 0xD26EF9A1C1FB2797FB20033655C12342C3CE5123	(not available)
45	%ProgramFiles%\Youan\GGSafe\Image\electronictransfer.bmp	2,104 bytes	MD5: 0x0B5225BDC58BFF1752E3C9259516D394 SHA-1: 0xFB8C154C0D08E188762425135807ABD8A7D10216	(not available)
46	%ProgramFiles%\Youan\GGSafe\Image\GGNewsDlg.bmp	132,656 bytes	MD5: 0xA58C6B1EAD08B34DBDEE9798904BE967 SHA-1: 0x38ED1FC730D8E7706882F1D17D8453ED9FCCBDF2	(not available)
47	%ProgramFiles%\Youan\GGSafe\Image\GGNews_DOWN.bmp	1,616 bytes	MD5: 0x315005A8C6F15B2B54C81A0F07E40C9E SHA-1: 0x905507CD35BC9506AC8C0CEBB4A5FC15852CD531	(not available)
48	%ProgramFiles%\Youan\GGSafe\Image\GGNews_Hove.bmp	1,616 bytes	MD5: 0x3F806CA87C6D3BDC006F2DA1FC0438CB SHA-1: 0x499FF154059060EA786D11B5D3015E07EE0C4132	(not available)
49	%ProgramFiles%\Youan\GGSafe\Image\GGNews_Normal.bmp	1,616 bytes	MD5: 0xF190A557DD93FF04D532F8E28063516F SHA-1: 0x772F3A30810D4ACA780C3EC30C737C3E9259B088	(not available)
50	%ProgramFiles%\Youan\GGSafe\Image\ipay.bmp	2,104 bytes	MD5: 0xA3ECA6A638F3282354AA89431A0DB983 SHA-1: 0x9B2A45B580F72A59CA8EBF1C4CF430B96345CE48	(not available)
51	%ProgramFiles%\Youan\GGSafe\Image\NewDlgNormal.bmp	248 bytes	MD5: 0x9284F0957ABB42CE6283CC8265B69227 SHA-1: 0xD5D3C6B6CD281F4E32FC18915FED402378A6E975	(not available)
52	%ProgramFiles%\Youan\GGSafe\Image\NewDlgOver.bmp	248 bytes	MD5: 0x5E9517486EB458A6E87F686A07451ADF SHA-1: 0x98037FDE4C020616355791B483B2A92CA4810382	(not available)
53	%ProgramFiles%\Youan\GGSafe\Image\RBS WorldPay.bmp	2,104 bytes	MD5: 0x297E46ECAD1B28349FC4E56A8F964285 SHA-1: 0x01F15D77E1AC3D86C266C4C1C7AA3B7B12B5F1B1	(not available)
54	%ProgramFiles%\Youan\GGSafe\Image\TrustCommerce.bmp	2,104 bytes	MD5: 0xD3076656499BF6A13457AFFFAD40CBCE SHA-1: 0x7C6B4F529F3FC70B045B28A0DDA6B6AA5C37EDD8	(not available)
55	%ProgramFiles%\Youan\GGSafe\Image\????????.bmp	2,104 bytes	MD5: 0x6620EBFD36C5A8A8704ECF77F6678F95 SHA-1: 0x041DE1D366190D94567D6D04937421624DB1106E	(not available)
56	%ProgramFiles%\Youan\GGSafe\Image\????.bmp	2,104 bytes	MD5: 0xF7CD4A5D5F7BA2CD6C8D3D45782E23E3 SHA-1: 0x094398A84A15F5F56882DCB93C4736C47B28F52F	(not available)
57	%ProgramFiles%\Youan\GGSafe\Image\??????.bmp	2,104 bytes	MD5: 0x4A59263EC8C4E9D6F58C53C990E5A348 SHA-1: 0xC1782F01D108FC34F578F2F46747FC65C7FAE3D7	(not available)
58	%ProgramFiles%\Youan\GGSafe\Image\?????????.bmp	2,104 bytes	MD5: 0x89A98CE1D5AAD0239904CC1BDB684DC0 SHA-1: 0x0BF26F4D86C8128778B913B779F297A20156AAA1	(not available)
59	%ProgramFiles%\Youan\GGSafe\Image\????????????.bmp	2,104 bytes	MD5: 0x5810D0F06E480745C2EABC9102147355 SHA-1: 0x2288008C0C510BB5C9AFC9BF3460B8440EC54EB3	(not available)
60	%ProgramFiles%\Youan\GGSafe\Image\????????.bmp	2,104 bytes	MD5: 0x4E6856A9875B882F7A426A941FFCE7B2 SHA-1: 0x1D7625DF1420C7E591DBE6F0D12FDF0A46E78D85	(not available)
61	%ProgramFiles%\Youan\GGSafe\Image\???????????.bmp	2,104 bytes	MD5: 0x375F4BCECD677BE5725BC30502228FBB SHA-1: 0x32B40BAB808FFEB89D839EFE4CA39159AF26F3FC	(not available)
62	%ProgramFiles%\Youan\GGSafe\Image\????????.bmp	2,104 bytes	MD5: 0x44A36534A3024A95BEB0464E9BCB78EF SHA-1: 0xDD7A9C6D27805E98247BE3B8211F9A75634E7558	(not available)
63	%ProgramFiles%\Youan\GGSafe\Image\???????.bmp	2,104 bytes	MD5: 0x2ADC0672A7E059D2093D35223F98B0C7 SHA-1: 0xA782DD758AD528FA4C270F1B42D039031B9B4FCA	(not available)
64	%ProgramFiles%\Youan\GGSafe\Image\?????????.bmp	2,104 bytes	MD5: 0xD5DB363C6DB7A5B324E5291EFB4DCA60 SHA-1: 0xF6BA2664C5261215C3423FAE6B9E6BC128493517	(not available)
65	%ProgramFiles%\Youan\GGSafe\Image\????????.bmp	2,104 bytes	MD5: 0x1FAF0274DE556F8EB18CA6F6CA9ABC80 SHA-1: 0x86162AF6F971AB71B2E4532CF39A13E72AED27BA	(not available)
66	%ProgramFiles%\Youan\GGSafe\Image\????????.bmp	2,104 bytes	MD5: 0x013CDEF34E567D1431357D04BD225F03 SHA-1: 0x1BD99259AC27072CB185003505E1B990E3CC6311	(not available)
67	%ProgramFiles%\Youan\GGSafe\Image\????????.bmp	2,104 bytes	MD5: 0x9B7E8236184955078A3C0AB045549F5E SHA-1: 0x245293A0ED3AC430114789390B3359663BF453B6	(not available)
68	%ProgramFiles%\Youan\GGSafe\Image\???????.bmp	2,104 bytes	MD5: 0x7A454BD7FB165F8432C6B30161B68EE7 SHA-1: 0xDB831400EA5DEE35129346B59731B23101FD58B7	(not available)
69	%ProgramFiles%\Youan\GGSafe\Image\??????.bmp	4,152 bytes	MD5: 0xE95C2316B6F1303F6DDCAC9CFDE1DDF9 SHA-1: 0x27F24681FA22533B64ED9AF15EF6A0D3653A6B5C	(not available)
70	%ProgramFiles%\Youan\GGSafe\Image\???Ã´???????.bmp	2,104 bytes	MD5: 0x7045B3264F3C81B3298D1371E7CFE8E3 SHA-1: 0x3CC739841E21DF63259A059CD23E7546F5F87527	(not available)
71	%ProgramFiles%\Youan\GGSafe\Image\????????.bmp	2,104 bytes	MD5: 0x3A1C8C1F2B6A166E720D74CE9ADF3D57 SHA-1: 0x31B8B4AD0E783D7E69A037DD32FCEB812593719B	(not available)
72	%ProgramFiles%\Youan\GGSafe\Image\????????.bmp	2,104 bytes	MD5: 0x8609B054510ACD50C4DDBA73E3785438 SHA-1: 0xDFA68300447FF9488AF70BDCF40CCA0A84560782	(not available)
73	%ProgramFiles%\Youan\GGSafe\Image\???????.bmp	2,104 bytes	MD5: 0xD8936294E4C84CB985E4B66B64E8E641 SHA-1: 0x041E9C50431D1D0EFE493B6B1B905A92861B486D	(not available)
74	%ProgramFiles%\Youan\GGSafe\Image\???.bmp	2,104 bytes	MD5: 0x4D056BF44B8C0E21246B09FA2A212B18 SHA-1: 0x4144E916205BC10116D4248A0ABCDF4EE29C61CA	(not available)
75	%ProgramFiles%\Youan\GGSafe\Image\????.bmp %ProgramFiles%\Youan\GGSafe\Image\??????.bmp	2,104 bytes	MD5: 0x551DAF1BB74DAC49EA6F7B2AF8EF80CB SHA-1: 0x9C5072F3CA735F944E6F960A15BEEA696ABF9DCF	(not available)
76	%ProgramFiles%\Youan\GGSafe\Image\????????.bmp	2,104 bytes	MD5: 0xE686E8A34959492160589E432C97F443 SHA-1: 0x77C6BBAEE0703EBEF4D9967DB0D3707D25B2159A	(not available)
77	%ProgramFiles%\Youan\GGSafe\Image\????????.bmp	2,104 bytes	MD5: 0xFE5F2A3C0336A6D4971C5F849BB38FB0 SHA-1: 0x8087E025AE90489AD8F892059560924AFAF51B8D	(not available)
78	%ProgramFiles%\Youan\GGSafe\Image\????????.bmp	2,104 bytes	MD5: 0x067B5556E8A4ED6AEE4A13F9F5E1C15E SHA-1: 0xFA0CCB3692573B7B4F6925D6B3B72409159453E4	(not available)
79	%ProgramFiles%\Youan\GGSafe\Image\??????.bmp	2,104 bytes	MD5: 0x0B6C8F955DB2BD8D195BEACB2051A5D3 SHA-1: 0x8C28440F9B0721B21A376C795181941DB1F255FD	(not available)
80	%ProgramFiles%\Youan\GGSafe\Image\??????.bmp	2,104 bytes	MD5: 0xECACA0C02C50EEA0C41F12FC916C653A SHA-1: 0x24E737F4D5A132D56DA788FF2E887A0289C04F05	(not available)
81	%ProgramFiles%\Youan\GGSafe\Image\???????.bmp	2,104 bytes	MD5: 0x2BCA71BFCE0417F7F0B405E41F681FD6 SHA-1: 0xFCB25F9FEBB59FBB13BED50D307293E96989C02E	(not available)
82	%ProgramFiles%\Youan\GGSafe\Image\???????.bmp	2,104 bytes	MD5: 0xF823A27B6603CD231104008160DC3A49 SHA-1: 0xDBB4DC5C785A2986BC772AE3FF5FAE9B0065B903	(not available)
83	%ProgramFiles%\Youan\GGSafe\Image\???????.bmp	2,104 bytes	MD5: 0xF95746A62EF312AB55545AF040D30ACC SHA-1: 0x0E92CBAF9FB8E51B49A7CD6B269A1BB9303D5441	(not available)
84	%ProgramFiles%\Youan\GGSafe\Image\??????????.bmp	2,104 bytes	MD5: 0xAD320C6AF4BA3B0AE8BB9EFD02AB4E67 SHA-1: 0xF18D66C9A6A6F106CE87A2BD2E0C5BCFB7D8BF5B	(not available)
85	%ProgramFiles%\Youan\GGSafe\Image\??????.bmp	2,104 bytes	MD5: 0x5F388450A20D96A6B9D7C897A7DED36F SHA-1: 0xA6ADA4346ADBB1DA10214316D34D435212549CFA	(not available)
86	%ProgramFiles%\Youan\GGSafe\Image\???.bmp	2,104 bytes	MD5: 0x8A29D47DFB215F7F44B7CEE7209E35AA SHA-1: 0x4C023AB6CE78C5C56F1FEA59D938636B43F43D97	(not available)
87	%ProgramFiles%\Youan\GGSafe\Image\???.bmp	2,104 bytes	MD5: 0xD0A68FBF852DE5605698BA375C4D5AA9 SHA-1: 0x6D11D520BE913E6C7A7666516E9BD8DE865F5A6C	(not available)
88	%ProgramFiles%\Youan\GGSafe\Image\????????.bmp	2,104 bytes	MD5: 0xB98B7421363A4F2CD20E4098B1ADA94D SHA-1: 0x2DE8CDF9579F951AC9E6C6F74AD6B636762EAF20	(not available)
89	%ProgramFiles%\Youan\GGSafe\Image\???????.bmp	2,104 bytes	MD5: 0x550FFD8E35C3893DC59C0BE9AB47521B SHA-1: 0x5976881123808CE19BFF00295C957A5B538B59AB	(not available)
90	%ProgramFiles%\Youan\GGSafe\Image\???????????.bmp	2,104 bytes	MD5: 0xF88781976A80D66159D32F8616BEC213 SHA-1: 0x93CDAA8C51FE3481D85E485092D52A59BE687B46	(not available)
91	%ProgramFiles%\Youan\GGSafe\Image\???????.bmp	2,104 bytes	MD5: 0x7EE9C1C346AB5C97C8DEB150FC294755 SHA-1: 0xCDC10CB4DBD82150EE2EB1A6E2F82CEFAD36E375	(not available)
92	%ProgramFiles%\Youan\GGSafe\Image\???????.bmp	2,104 bytes	MD5: 0x0F6E2A4732F1D995A6F92C8B9A94C856 SHA-1: 0xCA6C3315BB8BB4024A07B0C0706A7AC80A7BA30D	(not available)
93	%ProgramFiles%\Youan\GGSafe\Image\??????.bmp	2,104 bytes	MD5: 0x90931A6405576DC9F8929E828E83D360 SHA-1: 0xE748A43105CCEDAB7A5CE6B54CEC8327376926DA	(not available)
94	%ProgramFiles%\Youan\GGSafe\Image\????????.bmp	2,104 bytes	MD5: 0x6A70A9CE28AF8B94E763C844068E51D8 SHA-1: 0x12B7AE4D59DFC55B447D244E02A6719196A363B1	(not available)
95	%ProgramFiles%\Youan\GGSafe\Image\????????.bmp	2,104 bytes	MD5: 0x7D0907AC7DD624F6E9D5C9D3360EA8E9 SHA-1: 0xF714ACA8260B81719817FE49ABEFEB36041567D7	(not available)
96	%ProgramFiles%\Youan\GGSafe\Image\????????.bmp	2,104 bytes	MD5: 0x43E32243A917C6D6227B7E0261CB7C1C SHA-1: 0x5A8D9103F944C58572885D3CBC37C91F87833844	(not available)
97	%ProgramFiles%\Youan\GGSafe\Image\???@??.bmp	2,104 bytes	MD5: 0x17A528A374A67E352987F4CEADEC0043 SHA-1: 0xE457BBF26779BB6185321F3922A5B14669D5976B	(not available)
98	%ProgramFiles%\Youan\GGSafe\Image\?????.bmp	2,104 bytes	MD5: 0x9685A5F4E4AEB4C9B3C391EF4B41004B SHA-1: 0xB8153CD5DC24F8EE3F38F3120E483743531D27D7	(not available)
99	%ProgramFiles%\Youan\GGSafe\Image\???????.bmp	2,104 bytes	MD5: 0x058579E0DCA7B8C3294EA6801EE40C4F SHA-1: 0xD747C1A99DABBF6F0C9811FCB939B76223ED9B6B	(not available)
100	%ProgramFiles%\Youan\GGSafe\Image\???????????????.bmp	2,104 bytes	MD5: 0x5ABAE2D68441475BB3A3B416074EF7DC SHA-1: 0x3E44CC37D7EAA6FBCBDE15D4E1EB26214C6E02D6	(not available)

Notes:

%CommonAppData% is a variable that refers to the file system directory containing application data for all users. A typical path is C:\Documents and Settings\All Users\Application Data.
%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.
%CommonDesktopDir% is a variable that refers to the file system directory that contains files and folders that appear on the desktop for all users. A typical path is C:\Documents and Settings\All Users\Desktop (Windows NT/2000/XP).
%CommonPrograms% is a variable that refers to the file system directory that contains the directories for the common program groups that appear on the Start menu for all users. A typical path is C:\Documents and Settings\All Users\Start Menu\Programs (Windows NT/2000/XP).
%CommonStartMenu% is a variable that refers to the file system directory that contains the programs and folders that appear on the Start menu for all users. A typical path is C:\Documents and Settings\All Users\Start Menu (Windows NT/2000/XP).
%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).

The following directories were created:

%CommonAppData%\GGSafe
%CommonAppData%\GGSafe\Temp
%CommonPrograms%\???????????
%ProgramFiles%\Youan
%ProgramFiles%\Youan\GGSafe
%ProgramFiles%\Youan\GGSafe\Backup
%ProgramFiles%\Youan\GGSafe\Config
%ProgramFiles%\Youan\GGSafe\Data
%ProgramFiles%\Youan\GGSafe\Image
%ProgramFiles%\Youan\GGSafe\Skin
%ProgramFiles%\Youan\GGSafe\Temp
%ProgramFiles%\Youan\GGSafe\Tools
%ProgramFiles%\Youan\GGSafe\UserData

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
ggservice.exe	%ProgramFiles%\youan\ggsafe\ggservice.exe	2,076,672 bytes
ggsafe.exe	%ProgramFiles%\youan\ggsafe\ggsafe.exe	19,132,416 bytes
ggtray.exe	%ProgramFiles%\youan\ggsafe\ggtray.exe	155,648 bytes
[filename of the sample #1]	[file and pathname of the sample #1]	81,920 bytes
[filename of the sample #1 without extension].tmp	%Temp%\is-UELI1.tmp\[filename of the sample #1 without extension].tmp	831,488 bytes

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\???????????_is1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\???????_is1
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_GGSAFE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_GGSAFE\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_GGSERVICE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_GGSERVICE\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\GGSafe
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\GGSafe\Security
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\GGService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\GGService\Security
HKEY_CURRENT_USER\Software\Microsoft\Multimedia\DrawDib

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

GGSafe = ""%ProgramFiles%\Youan\GGSafe\GGSafe.exe" /run0"

so that GGSafe.exe runs every time Windows starts

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\???????????_is1]

Inno Setup: Setup Version = "5.4.1.e2 (a)"
Inno Setup: App Path = "%ProgramFiles%\Youan\GGSafe"
InstallLocation = "%ProgramFiles%\Youan\GGSafe\"
Inno Setup: Icon Group = "???????????"
Inno Setup: User = "%UserName%"
Inno Setup: Selected Tasks = "desktopicon,quicklaunchicon,startmenu"
Inno Setup: Deselected Tasks = ""
Inno Setup: Language = "cn"
DisplayName = "??????????? V2.4.2"
DisplayIcon = "%ProgramFiles%\Youan\GGSafe\GGSafe.exe"
UninstallString = ""%ProgramFiles%\Youan\GGSafe\unins000.exe""
UninstallDataFile = "%ProgramFiles%\Youan\GGSafe\unins000.dat"
QuietUninstallString = ""%ProgramFiles%\Youan\GGSafe\unins000.exe" /SILENT"
DisplayVersion = "2.4.2.1403"
Publisher = "??????????"
NoModify = 0x00000001
NoRepair = 0x00000001
InstallDate = "20120907"
MajorVersion = 0x00000002
MinorVersion = 0x00000004

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_GGSAFE\0000]

Service = "GGSafe"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "GGSafe"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_GGSAFE]

NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_GGSERVICE\0000]

Service = "GGService"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "GGService"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_GGSERVICE]

NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\GGSafe\Security]

Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\GGSafe]

Type = 0x00000001
Start = 0x00000001
ErrorControl = 0x00000000
ImagePath = "\??\%ProgramFiles%\Youan\GGSafe\GGSafe.sys"
DisplayName = "GGSafe"
CrashTimes = 0x00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\GGService\Security]

Security = 01 00 14 80 A4 00 00 00 B0 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 74 00 05 00 00 00 00 00 14 00 70 01 00 00 01 01 00 00 00 00 00 01 00 00 00 00 00 00 14 00 FD 01 02 0

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\GGService]

Type = 0x00000110
Start = 0x00000002
ErrorControl = 0x00000001
ImagePath = "%ProgramFiles%\Youan\GGSafe\GGService.exe"
DisplayName = "GGService"
DependOnService = "RPCSS"
DependOnGroup = 00
ObjectName = "LocalSystem"
Description = "?????????????????,???????"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]

Enable Browser Extensions = "yes"

[HKEY_CURRENT_USER\Software\Microsoft\Multimedia\DrawDib]

vga.drv 640x480x32(BGR 0) = "31,31,31,31"

Other details

Analysis of the file resources indicate the following possible country of origin:

China

To mark the presence in the system, the following Mutex objects were created:

__PDH_PLA_MUTEX__
GG_MUTEXDefault20100421
oleacc-msaa-loaded
GG_MUTEX1347037200
.NET CLR Data_Perf_Library_Lock_PID_e0
.NET CLR Networking_Perf_Library_Lock_PID_e0
.NET Data Provider for Oracle_Perf_Library_Lock_PID_e0
.NET Data Provider for SqlServer_Perf_Library_Lock_PID_e0
.NETFramework_Perf_Library_Lock_PID_e0
ASP.NET_Perf_Library_Lock_PID_e0
ASP.NET_2.0.50727_Perf_Library_Lock_PID_e0
aspnet_state_Perf_Library_Lock_PID_e0
ContentFilter_Perf_Library_Lock_PID_e0
ContentIndex_Perf_Library_Lock_PID_e0
ISAPISearch_Perf_Library_Lock_PID_e0
PerfDisk_Perf_Library_Lock_PID_e0
PerfNet_Perf_Library_Lock_PID_e0
PerfOS_Perf_Library_Lock_PID_e0
PerfProc_Perf_Library_Lock_PID_e0
PSched_Perf_Library_Lock_PID_e0
RemoteAccess_Perf_Library_Lock_PID_e0
RSVP_Perf_Library_Lock_PID_e0
Spooler_Perf_Library_Lock_PID_e0
TapiSrv_Perf_Library_Lock_PID_e0
Tcpip_Perf_Library_Lock_PID_e0
TermService_Perf_Library_Lock_PID_e0
WmiApRpl_Perf_Library_Lock_PID_e0

The following Host Names were requested from a host database:

info.ggsafe.com
dx.ggsafe.com
safe6.ztgame.com

There were registered attempts to establish connection with the remote hosts. The connection details are:

Remote Host	Port Number
180.96.5.22	80
125.39.177.3	80
180.96.5.13	80
60.28.123.98	80
192.168.74.55	80
192.168.132.197	80
172.17.112.30	80
180.96.5.17	80

The following HTTP URLs were started reading:

http://bbs.ggsafe.com/thread-130494-1-1.html"
http://www.160.com/news/newsinfo_125_updrvofficialnews.html"
http://www.ggsafe.com/qa/"
http://bbs.ggsafe.com/thread-41236-1-1.html"
http://bbs.ggsafe.com/thread-85846-1-2.html"
http://bbs.ggsafe.com/thread-93843-1-1.html"
http://bbs.ggsafe.com/thread-98566-1-1.html"
http://www.ggsafe.com/products/lpk.shtml"

The data identified by the following URL was then requested from the remote web server:

http://dx.ggsafe.com/download/vernews.php

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.