Packed.Win32.Themida_18942b54e5

by malwarelabrobot on August 21st, 2013 in Malware Descriptions.

Trojan.Win32.Agent.xmxp (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), Win32.SuspectCrc!IK (Emsisoft), Packed.Win32.Themida.FD, PackedThemida.YR, GenericInjector.YR, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan, Packed


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary
Technical Details
Removal Recommendations

MD5: 18942b54e5f52b0a66640fb6002b4f11
SHA1: 9f0cddfcfd113b92c67745a71565c71c0313c96e
SHA256: 52eaf0194364bcde59e64ebcffecbb5adb19d57a7587156fcdec1a5e885211a6
SSDeep: 6144:z9Pu3lPFuPAAGAEKPO/IVrohSucqkXRK/ZxDrWMxWpLi:gVPFinHVrohSHXIxxDSMYp
Size: 364544 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company: no certificate found
Created at: 2013-04-08 04:20:06


Summary:

Packed. A packed file can be a compressed and/or encrypted in a manner that prevents matching the memory image of that file and the actual file on disk. Sometimes used for copy protection, packers are often used to make Spyware less easy to analyze/detect.

Payload

No specific payload has been found.

Process activity

The Packed creates the following process(es):

ctfmon.exe:252

The Packed injects its code into the following process(es):

18942b54e5f52b0a66640fb6002b4f11.exe:3356
winbluetooth.exe:3696

File activity

The process 18942b54e5f52b0a66640fb6002b4f11.exe:3356 makes changes in a file system.
The Packed creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\Windows Host\winbluetooth.exe (34911 bytes)

The process winbluetooth.exe:3696 makes changes in a file system.
The Packed creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\Windows Host\phatk.ptx (206 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\Windows Host\btc-evergreen.il (84 bytes)
%Documents and Settings%\%current user%\Application Data\Windows Host\coineng.dll (1857 bytes)
%Documents and Settings%\%current user%\Application Data\Windows Host\coinutil.dll (29 bytes)
%Documents and Settings%\%current user%\Application Data\Windows Host\usft_ext.dll (6311 bytes)
%Documents and Settings%\%current user%\Application Data\Windows Host\phatk.cl (9 bytes)
%Documents and Settings%\%current user%\Application Data\Windows Host\miner.dll (1621 bytes)
%Documents and Settings%\%current user%\Application Data\Windows Host\btc.il (151 bytes)

Registry activity

The process 18942b54e5f52b0a66640fb6002b4f11.exe:3356 makes changes in a system registry.
The Packed creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "94 A6 87 1A 33 F3 C7 D2 5D 49 22 7E 15 6E CE 13"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Application Data\Windows Host]
"winbluetooth.exe" = "Bluetooth Media Player Controller"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

To automatically run itself each time Windows is booted, the Packed adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Startup" = "%Documents and Settings%\%current user%\Application Data\Windows Host\Winver.exe"

The Packed modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Packed modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Packed modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The process winbluetooth.exe:3696 makes changes in a system registry.
The Packed creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "61 9C 86 E5 66 1E A6 71 3E B1 4A 24 BC FC E0 E4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process ctfmon.exe:252 makes changes in a system registry.
The Packed deletes the following value(s) in system registry:
The Packed disables automatic startup of the application by deleting the following autorun value:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"

Network activity (URLs)

URL IP
hxxp://sourceforge.mirror.iweb.ca/project/themine/Windows Compiled/coin-minerstandard.exe (ET POLICY PE EXE or DLL Windows file download , Malicious)
hxxp://downloads.sourceforge.net/project/themine/Windows Compiled/coin-minerstandard.exe?download&failedmirror=iweb.dl.sourceforge.net 216.34.181.59
hxxp://softlayer-dal.dl.sourceforge.net/project/themine/Windows Compiled/coin-minerstandard.exe 67.228.157.232
eu-stratum.btcguild.com 95.211.223.14
iweb.dl.sourceforge.net 70.38.0.134


Rootkit activity

No anomalies have been detected.

Propagation


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate the original Packed's process (How to End a Process With the Task Manager).
  2. Delete the original Packed file.
  3. Delete or disinfect the following files created/modified by the Packed:

    %Documents and Settings%\%current user%\Application Data\Windows Host\winbluetooth.exe (34911 bytes)
    %Documents and Settings%\%current user%\Application Data\Windows Host\phatk.ptx (206 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Application Data\Windows Host\btc-evergreen.il (84 bytes)
    %Documents and Settings%\%current user%\Application Data\Windows Host\coineng.dll (1857 bytes)
    %Documents and Settings%\%current user%\Application Data\Windows Host\coinutil.dll (29 bytes)
    %Documents and Settings%\%current user%\Application Data\Windows Host\usft_ext.dll (6311 bytes)
    %Documents and Settings%\%current user%\Application Data\Windows Host\phatk.cl (9 bytes)
    %Documents and Settings%\%current user%\Application Data\Windows Host\miner.dll (1621 bytes)
    %Documents and Settings%\%current user%\Application Data\Windows Host\btc.il (151 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "Startup" = "%Documents and Settings%\%current user%\Application Data\Windows Host\Winver.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.