GenPack.Generic.Malware.Sdld.870A1045_019d8d27e0

Dynamic Analysis

Payload

Behaviour	Description
IRCBot	A bot can communicate with command and control servers via IRC channel.

Process activity

The GenPack creates the following process(es):No processes have been created.The GenPack injects its code into the following process(es):

%original file name%.exe:2748

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process %original file name%.exe:2748 makes changes in the file system.

The GenPack creates and/or writes to the following file(s):

C:\Windows\win32dc\FlatOut trainer.exe (673 bytes)
C:\Windows\win32dc\Silent Hill 4(fix).exe (673 bytes)
C:\Windows\win32dc\Half-Life 2(nocd).exe (10879 bytes)
C:\Windows\win32dc\DAoC_patch.exe (6639 bytes)
C:\Windows\win32dc\Half-Life 2_fix.exe (673 bytes)
C:\Windows\win32dc\UT2004_patch.exe (2533 bytes)
C:\Windows\win32dc\Silent Hill 4 nocd.exe (10879 bytes)
C:\Windows\win32dc\Sims 2(nocd).exe (673 bytes)
C:\Windows\win32dc\Silent Hill 4 serial.exe (673 bytes)
C:\Windows\win32dc\Doom 3(fix).exe (17935 bytes)

Registry activity

Dropped PE files

MD5	File path
20915eecb8e7859df3d14145764f2f90	c:\Windows\win32dc\DAoC_patch.exe
bece151f581c0fd95f79a93db9de8f02	c:\Windows\win32dc\Doom 3(fix).exe
dafad1cf86f100f5e9a9b408f79494e6	c:\Windows\win32dc\Half-Life 2(nocd).exe
822e502a6c6690b7eabc6a6b71a5a889	c:\Windows\win32dc\Silent Hill 4 nocd.exe
544369fd76f365153bf535061ab93891	c:\Windows\win32dc\UT2004_patch.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):No processes have been created.
2. Delete the original GenPack file.
   
3. Delete or disinfect the following files created/modified by the GenPack:

   C:\Windows\win32dc\FlatOut trainer.exe (673 bytes)
   C:\Windows\win32dc\Silent Hill 4(fix).exe (673 bytes)
   C:\Windows\win32dc\Half-Life 2(nocd).exe (10879 bytes)
   C:\Windows\win32dc\DAoC_patch.exe (6639 bytes)
   C:\Windows\win32dc\Half-Life 2_fix.exe (673 bytes)
   C:\Windows\win32dc\UT2004_patch.exe (2533 bytes)
   C:\Windows\win32dc\Silent Hill 4 nocd.exe (10879 bytes)
   C:\Windows\win32dc\Sims 2(nocd).exe (673 bytes)
   C:\Windows\win32dc\Silent Hill 4 serial.exe (673 bytes)
   C:\Windows\win32dc\Doom 3(fix).exe (17935 bytes)

4. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

No information is available.

No information is available.

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
UPX0	4096	57344	0	0	d41d8cd98f00b204e9800998ecf8427e
UPX1	61440	77824	76288	5.51903	1393f3858368755f7e7a25d69f7bde92
.rsrc	139264	4096	2048	2.63797	b5916a1f63e299e8c8a487a2ccfe581b

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Map

The GenPack connects to the servers at the folowing location(s):

Strings from Dumps

%original file name%.exe_2748:

`.rsrc

`.rsrc

PRIVMSG

PRIVMSG

JOIN

JOIN

login

login

PRIVMSG

PRIVMSG

:Fisier Executat

:Fisier Executat

(Director Windows:

(Director Windows:

(netbios_invalidpass:

(netbios_invalidpass:

File(%cur%\

File(%cur%\

File(%sys%\

File(%sys%\

rndnick

rndnick

NICK

NICK

join

join

%sys%\

%sys%\

%cur%\

%cur%\

%rnddir%\%rand%.exe

%rnddir%\%rand%.exe

system.ini

system.ini

explorer.exe

explorer.exe

.com "win2k" :

.com "win2k" :

DCPlusPlus.xml

DCPlusPlus.xml

dcplusplus.xml

dcplusplus.xml

%sys%

%sys%

%cur%

%cur%

\WINDOWS\Start Menu\Programs\Startup\

\WINDOWS\Start Menu\Programs\Startup\

netapi32.dll

netapi32.dll

%rnddir%\%rand%.com

%rnddir%\%rand%.com

us.undernet.org

us.undernet.org

KWindows

KWindows

&pWebServer

&pWebServer

GetWindowsDirectoryA

GetWindowsDirectoryA

RegOpenKeyExA

RegOpenKeyExA

RegCloseKey

RegCloseKey

ShellExecuteA

ShellExecuteA

URLDownloadToFileA

URLDownloadToFileA

GetKeyboardType

GetKeyboardType

.idata

.idata

.rdata

.rdata

P.reloc

P.reloc

P.rsrc

P.rsrc

&pWebServ

&pWebServ

O^nKey

O^nKey

URLY

URLY

\-%c)

\-%c)

w-8 %u"D

w-8 %u"D

KERNEL32.DLL

KERNEL32.DLL

advapi32.dll

advapi32.dll

mpr.dll

mpr.dll

oleaut32.dll

oleaut32.dll

shell32.dll

shell32.dll

URLMON.DLL

URLMON.DLL

user32.dll

user32.dll

wininet.dll

wininet.dll

wsock32.dll

wsock32.dll

%original file name%.exe_2748_rwx_00401000_00014000:

PRIVMSG

PRIVMSG

JOIN

JOIN

login

login

PRIVMSG

PRIVMSG

:Fisier Executat

:Fisier Executat

(Director Windows:

(Director Windows:

(netbios_invalidpass:

(netbios_invalidpass:

File(%cur%\

File(%cur%\

File(%sys%\

File(%sys%\

rndnick

rndnick

NICK

NICK

join

join

%sys%\

%sys%\

%cur%\

%cur%\

%rnddir%\%rand%.exe

%rnddir%\%rand%.exe

system.ini

system.ini

explorer.exe

explorer.exe

.com "win2k" :

.com "win2k" :

DCPlusPlus.xml

DCPlusPlus.xml

dcplusplus.xml

dcplusplus.xml

%sys%

%sys%

%cur%

%cur%

\WINDOWS\Start Menu\Programs\Startup\

\WINDOWS\Start Menu\Programs\Startup\

netapi32.dll

netapi32.dll

%rnddir%\%rand%.com

%rnddir%\%rand%.com

us.undernet.org

us.undernet.org

KWindows

KWindows

&pWebServer

&pWebServer

GetWindowsDirectoryA

GetWindowsDirectoryA

RegOpenKeyExA

RegOpenKeyExA

RegCloseKey

RegCloseKey

ShellExecuteA

ShellExecuteA

URLDownloadToFileA

URLDownloadToFileA

GetKeyboardType

GetKeyboardType

.idata

.idata

.rdata

.rdata

P.reloc

P.reloc

P.rsrc

P.rsrc

&pWebServ

&pWebServ

O^nKey

O^nKey

URLY

URLY