Dropped.Generic.Malware.Sdld.C425D330_283712ab64

Dynamic Analysis

Payload

Behaviour	Description
IRCBot	A bot can communicate with command and control servers via IRC channel.

Process activity

The Dropped creates the following process(es):

%original file name%.exe:1976

The Dropped injects its code into the following process(es):No processes have been created.

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process %original file name%.exe:1976 makes changes in the file system.

The Dropped creates and/or writes to the following file(s):

C:\Windows\win32dc\BattleField 1942 patch.exe (8591 bytes)
C:\Windows\win32dc\Half-Life 2 crack.exe (8591 bytes)
C:\Windows\win32dc\Silent Hill 4_fix.exe (7433 bytes)
C:\Windows\win32dc\Silent Hill 4 cdfix.exe (9603 bytes)
C:\Windows\win32dc\Half-Life 2 nocd.exe (9603 bytes)
C:\Windows\win32dc\Quake3_crack.exe (9093 bytes)
C:\Windows\win32dc\Silent Hill 4 crack.exe (9603 bytes)
C:\Windows\win32dc\Sims 2(cheat).exe (8591 bytes)
C:\Windows\win32dc\UT2004 serial.exe (9093 bytes)
C:\Windows\win32dc\Half-Life 2 trainer.exe (7433 bytes)

Registry activity

Dropped PE files

MD5	File path
cfa3e4a99acd9836023aed009e505ce8	c:\Windows\win32dc\BattleField 1942 patch.exe
362da471a1660077f9011e3058776594	c:\Windows\win32dc\Half-Life 2 crack.exe
1d5952c559933dc0c5ed8cabb62287e4	c:\Windows\win32dc\Half-Life 2 nocd.exe
3df14699575013febc7fe1c19c00fa91	c:\Windows\win32dc\Quake3_crack.exe
958b01d5fe9caf6082a12778e679a42c	c:\Windows\win32dc\Silent Hill 4 cdfix.exe
46301a01b161629129f514ad5f4d6532	c:\Windows\win32dc\Silent Hill 4 crack.exe
b65264e248b9c4fa8992e59507d1e386	c:\Windows\win32dc\Sims 2(cheat).exe
a6a1e8ad87505af3a2e828597e3982c3	c:\Windows\win32dc\UT2004 serial.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):

   %original file name%.exe:1976

2. Delete the original Dropped file.
   
3. Delete or disinfect the following files created/modified by the Dropped:

   C:\Windows\win32dc\BattleField 1942 patch.exe (8591 bytes)
   C:\Windows\win32dc\Half-Life 2 crack.exe (8591 bytes)
   C:\Windows\win32dc\Silent Hill 4_fix.exe (7433 bytes)
   C:\Windows\win32dc\Silent Hill 4 cdfix.exe (9603 bytes)
   C:\Windows\win32dc\Half-Life 2 nocd.exe (9603 bytes)
   C:\Windows\win32dc\Quake3_crack.exe (9093 bytes)
   C:\Windows\win32dc\Silent Hill 4 crack.exe (9603 bytes)
   C:\Windows\win32dc\Sims 2(cheat).exe (8591 bytes)
   C:\Windows\win32dc\UT2004 serial.exe (9093 bytes)
   C:\Windows\win32dc\Half-Life 2 trainer.exe (7433 bytes)

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

No information is available.

No information is available.

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
CODE	4096	40592	40960	4.37354	4599c8e48266467f9472d9c0076da0aa
DATA	45056	416	512	2.59038	6723f313105be59e8f34015bac1ef0c6
BSS	49152	4493	0	0	d41d8cd98f00b204e9800998ecf8427e
.idata	57344	2332	2560	2.95832	1f3c6fef94d61a4d2beebca25d327785
.tls	61440	8	0	0	d41d8cd98f00b204e9800998ecf8427e
.rdata	65536	24	512	0.129329	bf98d008e3e41c32258f4ddad0423dfc
.reloc	69632	2396	2560	4.48773	c247e5d4f27055db8d87da84767714bb
.rsrc	73728	1536	1536	2.62048	b115dc78febf3048a6accb9f8efeb1de

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 1059
ef2d2eb0996329df1775d6f51f5b214a
2221f945d2e24419e44d4846342f64ca
21467b3588fd0d7188d2a42ad6f3408b
1d17cf218087e0d263ab73c11c3a3dbc
1c38212889e33cbd55a7e8623a010ec4
1b430c1b6c16532b13f7b0af3830548d
1ad45a8782f083d456b0da8544a519a0
1ab01c65855fde6f4400ad8519129b28
1860e83395b0ade6d9f556ae3590d256
1603428574fd5f4e1b880386fec4e637
0fae6304116dcfca2affe3098d9ee5f0
0ed0b5dbd2129e95ad5cecdfd95d3de9
0e59db4faa433b60312aace8ae8e2450
0b4a57a82fe3b65506a0142243e31de1
0ca97d80f818716c0eac3d8ded1b5597
0ac45d8bf355bc68f72fa1a4d5d11597
0a8b55f2228e223ce41658373ca26864
09e5835b700046bd4765257197a5c672
064890490994c9ca5139a52535cd7e84
0768988ddf8fd355a96b5f89fcdfb8aa
0421992f4b14b87a80bd41514eed76b9
03d7facd70b419076541a17a95d7dad5
021b894f14f878bc2034b6bb26eff84c
f8659db37cc2721adf444731bd7e37a6
f7d75ec459b9a924b4f67c4833af6dc6
f1a403a990e9d920f4ac7307373b0e0a

Network Activity

URLs

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Map

The Dropped connects to the servers at the folowing location(s):

Strings from Dumps

%original file name%.exe_1976:

.idata

.idata

.rdata

.rdata

P.reloc

P.reloc

P.rsrc

P.rsrc

PRIVMSG

PRIVMSG

JOIN

JOIN

login

login

PRIVMSG

PRIVMSG

:File Executed

:File Executed

(netbios_invalidpass:

(netbios_invalidpass:

File(%cur%\

File(%cur%\

File(%sys%\

File(%sys%\

rndnick

rndnick

NICK

NICK

join

join

%sys%\

%sys%\

%cur%\

%cur%\

%rnddir%\%rand%.exe

%rnddir%\%rand%.exe

system.ini

system.ini

explorer.exe

explorer.exe

.com "win2k" :

.com "win2k" :

DCPlusPlus.xml

DCPlusPlus.xml

dcplusplus.xml

dcplusplus.xml

%sys%

%sys%

%cur%

%cur%

\WINDOWS\Start Menu\Programs\Startup\

\WINDOWS\Start Menu\Programs\Startup\

netapi32.dll

netapi32.dll

%rnddir%\%rand%.com

%rnddir%\%rand%.com

irc.lcirc.net

irc.lcirc.net

kernel32.dll

kernel32.dll

user32.dll

user32.dll

GetKeyboardType

GetKeyboardType

advapi32.dll

advapi32.dll

RegOpenKeyExA

RegOpenKeyExA

RegCloseKey

RegCloseKey

oleaut32.dll

oleaut32.dll

GetWindowsDirectoryA

GetWindowsDirectoryA

mpr.dll

mpr.dll

wsock32.dll

wsock32.dll

shell32.dll

shell32.dll

ShellExecuteA

ShellExecuteA

wininet.dll

wininet.dll

URLMON.DLL

URLMON.DLL

URLDownloadToFileA

URLDownloadToFileA

KWindows

KWindows

&pWebServer

&pWebServer