Examples of Troj/Enchanim-B include:
Example 1
File Information
- Size: 70K
- SHA-1: 1ce263a130dc9d0b0e7d4c4e8acd36965c353f52
- MD5: 47160c597dda3e9588c5cad8d4ef63cf
- CRC-32: d21bf563
- File type: Windows executable
- First seen: 2012-11-02
Runtime Analysis
Copies Itself To
- C:\WINDOWS\system32\WwYNcVN.exe
Modified Files
- C:\Documents and Settings\NetworkService\Local Settings\History (hidden and system attributes set)
- C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files (hidden and system attributes set)
Registry Keys Created
Each entry is listed as key : value name = data. Zone numbers are Internet Explorer security zones (0 My Computer, 1 Local intranet, 2 Trusted sites, 3 Internet, 4 Restricted sites); value 1409 is the Cross-Site Scripting Filter setting (0 enable, 3 disable), so the sample switches the XSS Filter off in every zone.
- HKCU\Software\Classes\CLSID\{601FB137-1FB1-B137-1FB1-01FB601FB137} : 6 = binary data that begins with an MZ header and the standard DOS stub text ("This program cannot be run in DOS mode"), i.e. a Windows executable image stored in the registry (bytes not reproduced here)
- HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections : DefaultConnectionSettings = binary data (WinINet connection-settings structure, first byte 0x3c; same layout as SavedLegacySettings under Registry Keys Modified; bytes not reproduced here)
- HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections : DefaultConnectionSettings = binary data (as above)
- HKCU_Classes\CLSID\{601FB137-1FB1-B137-1FB1-01FB601FB137} : 6 = the same executable image as above (HKCU\Software\Classes is backed by the per-user HKU\<SID>_Classes hive, so this is the same key reported under a second path)
- HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 : 1409 = 0x00000003 (XSS Filter disabled, Internet zone)
- HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 : 1409 = 0x00000003 (XSS Filter disabled, Local intranet)
- HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 : 1409 = 0x00000003 (XSS Filter disabled, Trusted sites)
- HKCU\Software\Microsoft\Internet Explorer\Recovery : ClearBrowsingHistoryOnExit = 0x00000000
- HKCU\Software\Microsoft\Internet Explorer\PhishingFilter : ShownServiceDownBalloon = 0x00000000
- HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 : 1409 = 0x00000003 (XSS Filter disabled, Restricted sites)
- HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings : WarnOnIntranet = 0x00000000
- HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 : 1409 = 0x00000003 (XSS Filter disabled, My Computer zone)
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run : WwYNcVN = C:\WINDOWS\system32\WwYNcVN.exe (persistence: the dropped copy is started at every logon of the infected user)
Registry Keys Modified
The HKLM\...\Cache\Paths entries and the entries under HKEY_USERS\.DEFAULT and HKEY_USERS\S-1-5-18 (the same LocalSystem hive, which Windows exposes under both names) are WinINet initialising its cache, history and connection settings for the LocalSystem profile (C:\WINDOWS\system32\config\systemprofile). Value 1609 is "Display mixed content" and 1406 is "Access data sources across domains" (0 enable, 1 prompt, 3 disable); Lockdown_Zones are the stricter per-zone settings Internet Explorer applies in Local Machine Zone Lockdown mode.
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3 : CachePath = C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Cache3
- HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 : 1609 = 0x00000000 (mixed content displayed without prompting, Local intranet)
- HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1 : 1406 = 0x00000000 (cross-domain data access enabled, Local intranet)
- HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4 : 1406 = 0x00000000 (cross-domain data access enabled, Restricted sites)
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4 : CachePath = C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Cache4
- HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections : SavedLegacySettings = 3c 00 00 00 04 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 b0 d8 b3 e9 37 b9 cd 01 01 00 00 00 ac 10 00 01 00 00 00 00 00 00 00 00
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths : Directory = C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5
- HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders : History = C:\WINDOWS\system32\config\systemprofile\Local Settings\History
- HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings : WarnOnPost = 00 00 00 00
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2 : CachePath = C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Cache2
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1 : CachePath = C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Cache1
- HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3 : 1406 = 0x00000000 (cross-domain data access enabled, Internet zone)
- HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections : SavedLegacySettings = 3c 00 00 00 04 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 b0 d8 b3 e9 37 b9 cd 01 01 00 00 00 ac 10 00 01 00 00 00 00 00 00 00 00
- HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 : 1609 = 0x00000000 (mixed content displayed without prompting, My Computer zone)
- HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders : History = C:\WINDOWS\system32\config\systemprofile\Local Settings\History
- HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 : 1609 = 0x00000000 (mixed content displayed without prompting, Restricted sites)
- HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 : 1609 = 0x00000000 (mixed content displayed without prompting, Trusted sites)
HTTP Requests
- http://188.40.132.6/dc/i.html
- http://188.40.132.6/f/i.html
- http://188.40.132.6/u/i.html
IP Connections
Example 2
File Information
- Size: 73K
- SHA-1: 59fc66a6c8e428273f57f35976b7510d74a92733
- MD5: 62d112385d3b64c4f88171a5735efbc0
- CRC-32: 2a6fe51b
- File type: Windows executable
- First seen: 2012-11-14
Runtime Analysis
Copies Itself To
- C:\WINDOWS\system32\WwYNcHl.exe
Registry Keys Created
Each entry is listed as key : value name = data; value 1409 is the Internet Explorer Cross-Site Scripting Filter setting (0 enable, 3 disable), set to disabled in every zone.
- HKCU\Software\Classes\CLSID\{601FB137-1FB1-B137-1FB1-01FB601FB137} : 6 = binary data that begins with an MZ header and the standard DOS stub text ("This program cannot be run in DOS mode"), i.e. a Windows executable image stored in the registry (bytes not reproduced here)
- HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 : 1409 = 0x00000003 (XSS Filter disabled, Internet zone)
- HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 : 1409 = 0x00000003 (XSS Filter disabled, Trusted sites)
- HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections : DefaultConnectionSettings = binary data (WinINet connection-settings structure, first byte 0x3c; same layout as SavedLegacySettings under Registry Keys Modified; bytes not reproduced here)
- HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 : 1409 = 0x00000003 (XSS Filter disabled, Local intranet)
- HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 : 1409 = 0x00000003 (XSS Filter disabled, My Computer zone)
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run : WwYNcHl = C:\WINDOWS\system32\WwYNcHl.exe (persistence: the dropped copy is started at every logon of the infected user)
- HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 : 1409 = 0x00000003 (XSS Filter disabled, Restricted sites)
- HKCU_Classes\CLSID\{601FB137-1FB1-B137-1FB1-01FB601FB137} : 6 = the same executable image as above (HKCU\Software\Classes is backed by the per-user HKU\<SID>_Classes hive, so this is the same key reported under a second path)
- HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings : WarnOnIntranet = 0x00000000
- HKCU\Software\Microsoft\Internet Explorer\PhishingFilter : ShownServiceDownBalloon = 0x00000000
- HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections : DefaultConnectionSettings = binary data (as above)
- HKCU\Software\Microsoft\Internet Explorer\Recovery : ClearBrowsingHistoryOnExit = 0x00000000
Registry Keys Modified
The HKLM\...\Cache\Paths entries and the entries under HKEY_USERS\.DEFAULT and HKEY_USERS\S-1-5-18 (the same LocalSystem hive under two names) are WinINet initialising its cache, history and connection settings for the LocalSystem profile. Value 1609 is "Display mixed content" and 1406 is "Access data sources across domains" (0 enable, 1 prompt, 3 disable).
- HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 : 1609 = 0x00000000 (mixed content displayed without prompting, Trusted sites)
- HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders : History = C:\WINDOWS\system32\config\systemprofile\Local Settings\History
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3 : CachePath = C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Cache3
- HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings : WarnOnPost = 00 00 00 00
- HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 : 1609 = 0x00000000 (mixed content displayed without prompting, Restricted sites)
- HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections : SavedLegacySettings = 3c 00 00 00 04 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 e0 57 0d 6b b8 c2 cd 01 01 00 00 00 ac 10 00 01 00 00 00 00 00 00 00 00
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2 : CachePath = C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Cache2
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1 : CachePath = C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Cache1
- HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4 : 1406 = 0x00000000 (cross-domain data access enabled, Restricted sites)
- HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3 : 1406 = 0x00000000 (cross-domain data access enabled, Internet zone)
- HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1 : 1406 = 0x00000000 (cross-domain data access enabled, Local intranet)
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths : Directory = C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4 : CachePath = C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Cache4
- HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders : History = C:\WINDOWS\system32\config\systemprofile\Local Settings\History
- HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 : 1609 = 0x00000000 (mixed content displayed without prompting, Local intranet)
- HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections : SavedLegacySettings = 3c 00 00 00 04 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 e0 57 0d 6b b8 c2 cd 01 01 00 00 00 ac 10 00 01 00 00 00 00 00 00 00 00
- HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 : 1609 = 0x00000000 (mixed content displayed without prompting, My Computer zone)
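Two of the binary values recorded in the Example 1 and Example 2 listings above can be decoded offline: the SavedLegacySettings blob that WinINet wrote under the LocalSystem hive, and the MZ data stored under the CLSID key. The following is an added example written for this page, not code from the original analysis or from the sample. It parses the connection-settings blob from the two hex strings copied verbatim from the listings, and shows the MZ/PE check one would run over registry value data when hunting for executables stashed in the registry. The layout of the connection-settings blob is not documented by Microsoft; the parser assumes the 32-byte tail carries a FILETIME at offset 8, and both decoded timestamps land on the samples' "First seen" dates, which supports that reading. The CLSID value's bytes are not reproduced on the page, so a constructed stand-in is used for the PE check.

```python
"""Decode registry artifacts from the Troj/Enchanim-B sandbox listings.

Added example for this page; not part of the original analysis.
"""
import struct
from datetime import datetime, timedelta, timezone

# WinINet PROXY_TYPE_* flag bits (INTERNET_PER_CONN_OPTION API).
PROXY_TYPES = {0x1: "DIRECT", 0x2: "PROXY", 0x4: "AUTO_PROXY_URL", 0x8: "AUTO_DETECT"}

# Hex copied verbatim from the SavedLegacySettings values in Example 1 and Example 2.
SAVED_LEGACY_EX1 = bytes.fromhex(
    "3c 00 00 00 04 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 "
    "04 00 00 00 00 00 00 00 b0 d8 b3 e9 37 b9 cd 01 01 00 00 00 ac 10 00 01 "
    "00 00 00 00 00 00 00 00")
SAVED_LEGACY_EX2 = bytes.fromhex(
    "3c 00 00 00 04 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 "
    "04 00 00 00 00 00 00 00 e0 57 0d 6b b8 c2 cd 01 01 00 00 00 ac 10 00 01 "
    "00 00 00 00 00 00 00 00")


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def parse_connection_settings(blob: bytes) -> dict:
    """Parse a DefaultConnectionSettings / SavedLegacySettings value.

    Header: version, change counter, PROXY_TYPE flags; then three
    length-prefixed strings (proxy server, bypass list, auto-config URL);
    then a 32-byte tail that is undocumented. Assumption: the tail holds a
    FILETIME at offset 8 (the time the settings were last written).
    """
    version, counter, flags = struct.unpack_from("<III", blob, 0)
    off = 12
    fields = []
    for _ in range(3):
        (n,) = struct.unpack_from("<I", blob, off)
        off += 4
        fields.append(blob[off:off + n].decode("ascii", "replace"))
        off += n
    tail = blob[off:]
    if len(tail) < 16:
        raise ValueError("connection-settings blob truncated")
    (ft,) = struct.unpack_from("<Q", tail, 8)  # assumed FILETIME position
    return {
        "version": version,          # 0x3C on XP-era WinINet; later releases use 0x46
        "change_counter": counter,   # incremented each time the settings are rewritten
        "proxy_types": [name for bit, name in PROXY_TYPES.items() if flags & bit],
        "proxy_server": fields[0],
        "proxy_bypass": fields[1],
        "autoconfig_url": fields[2],
        "last_changed": filetime_to_datetime(ft),
        "tail_hex": tail.hex(),      # undocumented fields kept raw for the analyst
    }


def looks_like_pe(data: bytes) -> bool:
    """True when data starts with a DOS header whose e_lfanew points at 'PE\\0\\0'.

    This is the check to apply to registry value data when looking for an
    executable image stored in the registry, as under CLSID\\{601FB137-...}\\6.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


# Constructed stand-in for the CLSID value (the real bytes are not on the page):
# a DOS header with e_lfanew = 0x80 and a PE signature at that offset, nothing else.
_fake = bytearray(0x100)
_fake[0:2] = b"MZ"
struct.pack_into("<I", _fake, 0x3C, 0x80)
_fake[0x80:0x84] = b"PE\x00\x00"
FAKE_PE_VALUE = bytes(_fake)


if __name__ == "__main__":
    for label, blob in (("Example 1", SAVED_LEGACY_EX1), ("Example 2", SAVED_LEGACY_EX2)):
        s = parse_connection_settings(blob)
        print(label, s["proxy_types"], s["last_changed"].isoformat(), s["tail_hex"])
    print("CLSID stand-in looks like a PE:", looks_like_pe(FAKE_PE_VALUE))
    print("connection blob looks like a PE:", looks_like_pe(SAVED_LEGACY_EX1))
```

Both blobs decode to flags 0x01 (PROXY_TYPE_DIRECT) with empty proxy, bypass and auto-config strings, i.e. WinINet was initialised under LocalSystem with no proxy configured, and the timestamps (2012-11-02 and 2012-11-14, UTC) date the sandbox runs. The bytes ac 10 00 01 in the tail read as 172.16.0.1 if taken big-endian, but that field is undocumented, so the parser reports the tail raw rather than guessing.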
HTTP Requests
- http://188.40.132.6/dc/i.html
- http://188.40.132.6/f/i.html
- http://188.40.132.6/u/i.html
IP Connections
Example 3
File Information
- Size: 59K
- SHA-1: 7c713cd99fb4fb8d48debf1510a794bbc7b779f4
- MD5: 46d0c371cb4081033b622372afdf3e6b
- CRC-32: 9ca55153
- File type: Windows executable
- First seen: 2012-12-07