smss.exe

The executable smss.exe has been detected as malware by 2 of 68 anti-virus scanners (avast! and ESET NOD32; ESET classifies it as the click-fraud trojan MSIL/TrojanClicker.Agent.NOJ). It is a .NET assembly that borrows the name of the legitimate Windows Session Manager Subsystem, which only ever runs from C:\Windows\System32; this copy instead lives in a randomly named .tmp folder under the user's local temp directory. It persists by registering itself in the current user's Run key (HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run) under the value name ‘exexc10’, so it starts every time that user logs on. While running it connects over plain HTTP to 143.95.252.46 on port 80 (reverse DNS ip-143-95-252-46.iplocal). The other observed destinations are Google (1e100.net), GoDaddy, Amazon EC2 and Akamai hosts, which fits clicker behaviour but is shared infrastructure and not a usable indicator on its own.
Version:
5.3.4.13373413

MD5:
bf26a03eb8c65601ff7030fab4818892

SHA-1:
98392458fa5264fe6767603efea97b717fc64ed8

SHA-256:
d0e35d4762cc5dbb16678857f52f9ea6624d0a8fa6e70be061711db7c8262731

Scanner detections:
2 / 68

Status:
Malware

Analysis date:
12/26/2024 5:21:39 PM UTC

Scan engine:
avast!
Detection:
Win32:Malware-gen
Engine version:
160917-0

Scan engine:
ESET NOD32
Detection:
MSIL/TrojanClicker.Agent.NOJ trojan
Engine version:
6.3.12010.0

File size:
1.3 MB (1,401,856 bytes)

Product version:
5.3.4.13373413

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\smss.exe

File PE Metadata
Compilation timestamp:
10/19/2016 3:11:31 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
12288:xCeklgt25ffFyM38WQ1+3aiyvPqM7xN2gGFBuqAUHCY4T9jxjRA+Mkgffa:UlgtcXsM38WZ9miMTYjXr+HYfS

Entry address:
0xCB4EE

Entry point:
FF, 25, 00, 20, 40, 00, followed by zero padding for the remainder of the displayed bytes.
These six bytes disassemble to jmp dword ptr [0x00402000], the standard stub at the entry point of a 32-bit .NET executable: it jumps through the import table to mscoree!_CorExeMain, which then loads the CLR and the managed entry point. This is consistent with the .NET CLR dependency and compiler fields below.

Entropy:
6.5019

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
805.5 KB (824,832 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
exexc10

Command:
C:\users\{user}\appdata\local\temp\{random}.tmp\smss.exe


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to ip-143-95-252-46.iplocal  (143.95.252.46:80)

TCP (HTTP SSL):
Connects to tsa03s02-in-f2.1e100.net  (172.217.27.130:443)

TCP (HTTP):
Connects to tsa03s01-in-f3.1e100.net  (216.58.200.227:80)

TCP (HTTP SSL):
Connects to tsa01s08-in-f3.1e100.net  (216.58.200.35:443)

TCP (HTTP):
Connects to tsa01s07-in-f4.1e100.net  (172.217.24.4:80)

TCP (HTTP):
Connects to tsa01s07-in-f2.1e100.net  (172.217.24.2:80)

TCP (HTTP):
Connects to p3nlhg720c1720.shr.prod.phx3.secureserver.net  (184.168.159.1:80)

TCP (HTTP):
Connects to ec2-52-35-223-213.us-west-2.compute.amazonaws.com  (52.35.223.213:80)

TCP (HTTP SSL):
Connects to arn02s06-in-f163.1e100.net  (216.58.201.163:443)

TCP (HTTP):
Connects to a23-41-133-163.deploy.static.akamaitechnologies.com  (23.41.133.163:80)
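The following triage script is an added example, not part of the original listing or of any vendor tool. It turns the indicators above (the file hashes, the ‘exexc10’ Run value, the %TEMP%\{random}.tmp\smss.exe path pattern and the 143.95.252.46:80 destination) into checks over host records. The host records at the bottom are constructed for the demonstration; on a live Windows host you would feed it the output of Get-ItemProperty on the HKCU Run key, Get-FileHash, and Get-NetTCPConnection instead. The directory name f3a9c1.tmp and the user name alice are invented placeholders.

```python
"""Host-side triage for the smss.exe indicators in the listing above.

Added example (not part of the original page). The indicator values are the
ones the listing reports; every host record below is constructed for the
demonstration and stands in for what a live collection would return
(the HKCU Run key, file hashes, and current TCP connections).
"""
import re
from dataclasses import dataclass

# Indicators taken from the listing.
IOC_SHA256 = "d0e35d4762cc5dbb16678857f52f9ea6624d0a8fa6e70be061711db7c8262731"
IOC_MD5 = "bf26a03eb8c65601ff7030fab4818892"
IOC_RUN_VALUE = "exexc10"
IOC_C2 = ("143.95.252.46", 80)

# The genuine Session Manager Subsystem lives only here; any other smss.exe
# is a masquerade.
LEGIT_SMSS = r"c:\windows\system32\smss.exe"
# The listing's common path: %LOCALAPPDATA%\Temp\{random}.tmp\smss.exe
TEMP_TMPDIR_RE = re.compile(r"\\appdata\\local\\temp\\[^\\]+\.tmp\\", re.I)


@dataclass
class RunEntry:
    hive: str      # e.g. "HKCU"
    name: str      # value name under ...\CurrentVersion\Run
    command: str   # value data


@dataclass
class FileRecord:
    path: str
    sha256: str
    md5: str


@dataclass
class NetConn:
    image_path: str
    remote_ip: str
    remote_port: int


def image_from_command(command: str) -> str:
    """Extract the executable path from a Run value (quoted or bare, with args)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    # Bare path: arguments begin after the first ".exe" token.
    m = re.match(r"(.+?\.exe)(\s|$)", command, re.I)
    return m.group(1) if m else command.split(" ", 1)[0]


def check_run_entry(entry: RunEntry) -> list[str]:
    """Flag the three persistence traits the listing reports."""
    findings = []
    image = image_from_command(entry.command).lower()
    basename = image.rsplit("\\", 1)[-1]
    if entry.name.lower() == IOC_RUN_VALUE:
        findings.append(f"{entry.hive} Run value name matches IOC '{IOC_RUN_VALUE}'")
    if basename == "smss.exe" and image != LEGIT_SMSS:
        findings.append(f"smss.exe autorun from outside System32: {image}")
    if TEMP_TMPDIR_RE.search(image):
        findings.append(f"autorun image lives in a %TEMP%\\*.tmp directory: {image}")
    return findings


def check_file(rec: FileRecord) -> list[str]:
    """Match file hashes against the sample; SHA-256 is authoritative."""
    if rec.sha256.lower() == IOC_SHA256:
        return [f"SHA-256 matches the analysed sample: {rec.path}"]
    if rec.md5.lower() == IOC_MD5:
        # MD5 alone is collision-prone; treat as a lead, not proof.
        return [f"MD5 matches but SHA-256 differs, verify manually: {rec.path}"]
    return []


def check_conn(conn: NetConn) -> list[str]:
    """Only 143.95.252.46:80 is specific enough to act on; the 1e100.net,
    akamaitechnologies.com, amazonaws.com and secureserver.net hosts in the
    listing are shared provider infrastructure and are not used as IOCs."""
    if (conn.remote_ip, conn.remote_port) == IOC_C2:
        return [f"{conn.image_path} -> {conn.remote_ip}:{conn.remote_port} matches C2 IOC"]
    return []


def triage(run_entries, files, conns) -> dict[str, list[str]]:
    """Run every check and return findings keyed by category."""
    return {
        "persistence": [f for e in run_entries for f in check_run_entry(e)],
        "files": [f for r in files for f in check_file(r)],
        "network": [f for c in conns for f in check_conn(c)],
    }


# Constructed host records for the demonstration (user and temp dir invented).
SAMPLE_RUN = [
    RunEntry("HKCU", "OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    RunEntry("HKCU", "exexc10", r"C:\users\alice\appdata\local\temp\f3a9c1.tmp\smss.exe"),
]
SAMPLE_FILES = [
    FileRecord(r"C:\Windows\System32\smss.exe", "0" * 64, "0" * 32),  # placeholder hashes
    FileRecord(r"C:\users\alice\appdata\local\temp\f3a9c1.tmp\smss.exe", IOC_SHA256, IOC_MD5),
]
SAMPLE_CONNS = [
    NetConn(r"C:\users\alice\appdata\local\temp\f3a9c1.tmp\smss.exe", "143.95.252.46", 80),
    NetConn(r"C:\users\alice\appdata\local\temp\f3a9c1.tmp\smss.exe", "172.217.27.130", 443),
]

if __name__ == "__main__":
    for category, items in triage(SAMPLE_RUN, SAMPLE_FILES, SAMPLE_CONNS).items():
        print(f"[{category}]")
        for item in items:
            print("  -", item)
```

The path-based checks matter more than the hash: a repacked build changes every hash and the {random}.tmp folder name, but a user-writable smss.exe launched from a Run key is abnormal on any host, and that is the behaviour to alert on.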

Remove smss.exe - Powered by Reason Core Security