ThreatExpert Report: Troj/Spy-XR, Trojan-Downloader.Win32.PowerPointer

Visit ThreatExpert web site

Close Report

Submission Summary:

Submission details:

Submission received: 23 December 2011, 05:27:40
Processing time: 8 min 31 sec
Submitted sample:

File MD5: 0xB8AE7608B6E85B8B435AE3561A4D400D
File SHA-1: 0x542B24F1DA13F0B1D647F3865B09E026BF00D4EF
Filesize: 116,856 bytes
Alias: Troj/Spy-XR [Sophos]

Technical Details:

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%Temp%\ATxBtCuy.exe	110,592 bytes	MD5: 0x02295642397EDC2087FC296C684FDCB9 SHA-1: 0x3536BC0A17C0A2552E74E6583CCE5BA14F87F6F4	Troj/Spy-XR [Sophos]
2	%Temp%\Exploit.class	1,377 bytes	MD5: 0xD6ED5E378FC74164AC903C05098BD920 SHA-1: 0xAB7CEE7E39E3929C899271ED8E898DDAA6BB9015	(not available)
3	%Temp%\META-INF\MANIFEST.MF	91 bytes	MD5: 0x3384ACBCA76830A4835E53C856EDE437 SHA-1: 0xCC5F34EEF6710214D33D4C08E8036B41375B7A80	(not available)
4	%Temp%\metasploit\Payload.class	8,803 bytes	MD5: 0xEEB9BA7FB4F752E1249E696B638D4732 SHA-1: 0x579BC6B6A8D9F99D98EB465E92A4B27893CEA406	(not available)
5	%Temp%\metasploit.dat	34 bytes	MD5: 0xC394C759B64DCC8CBEA0C5812999B2AC SHA-1: 0xA2A8D80A861E7043CF8733C00B5888150D5BC45A	(not available)
6	%Windir%\ime\wmimachine2.dll	77,824 bytes	MD5: 0xEFF6859F28B1C215CC08608C2E4EB91C SHA-1: 0xE0DF6443CEBCEA0B2A45335A81C40FDBD5371B6F	Troj/Spy-XR [Sophos] Trojan-Downloader.Win32.PowerPointer [Ikarus]
7	[file and pathname of the sample #1]	116,856 bytes	MD5: 0xB8AE7608B6E85B8B435AE3561A4D400D SHA-1: 0x542B24F1DA13F0B1D647F3865B09E026BF00D4EF	Troj/Spy-XR [Sophos]

Notes:

%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

The following directories were created:

%Temp%\META-INF
%Temp%\metasploit

Memory Modifications

The following module was loaded into the address space of other process(es):

Module Name	Module Filename	Address Space Details
wmimachine2.dll	%Windir%\ime\wmimachine2.dll	Process name: svchost.exe Process filename: %System%\svchost.exe Address space: 0x10000000 - 0x10013000

Notes:

%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

There was a new service created in the system:

Service Name	Display Name	Status	Service Filename
6to4	.NET Runtime Optimization Service v2.086521.BackUp_X86	"Running"	%System%\svchost.exe -k netsvcs

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_6TO4
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_6TO4\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_6TO4\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\6to4
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\6to4\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\6to4\Security
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\6to4\Enum
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_6TO4
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_6TO4\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_6TO4\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4\Enum

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_6TO4\0000\Control]

*NewlyCreated* = 0x00000000
ActiveService = "6to4"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_6TO4\0000]

Service = "6to4"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = ".NET Runtime Optimization Service v2.086521.BackUp_X86"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_6TO4]

NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\6to4\Enum]

0 = "Root\LEGACY_6TO4\0000"
Count = 0x00000001
NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\6to4\Security]

Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\6to4\Parameters]

ServiceDll = "%Windir%\ime\wmimachine2.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\6to4]

Type = 0x00000020
Start = 0x00000002
ErrorControl = 0x00000001
ImagePath = "%System%\svchost.exe -k netsvcs"
DisplayName = ".NET Runtime Optimization Service v2.086521.BackUp_X86"
ObjectName = "LocalSystem"
Description = "Microsoft .NET Framework NGEN"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_6TO4\0000\Control]

*NewlyCreated* = 0x00000000
ActiveService = "6to4"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_6TO4\0000]

Service = "6to4"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = ".NET Runtime Optimization Service v2.086521.BackUp_X86"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_6TO4]

NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4\Enum]

0 = "Root\LEGACY_6TO4\0000"
Count = 0x00000001
NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4\Security]

Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4\Parameters]

ServiceDll = "%Windir%\ime\wmimachine2.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4]

Type = 0x00000020
Start = 0x00000002
ErrorControl = 0x00000001
ImagePath = "%System%\svchost.exe -k netsvcs"
DisplayName = ".NET Runtime Optimization Service v2.086521.BackUp_X86"
ObjectName = "LocalSystem"
Description = "Microsoft .NET Framework NGEN"

Other details

Analysis of the file resources indicate the following possible country of origin:

China

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.