Dropped.Generic.Malware.Sdld.C425D330_c96ecac13a – Adaware

Trojan-Dropper.Win32.Sysn.cdcv (Kaspersky), Dropped:Generic.Malware.Sdld.C425D330 (B) (Emsisoft), Dropped:Generic.Malware.Sdld.C425D330 (AdAware), IRC-Worm.Win32.MyDoom.FD, GenericIRCBot.YR (Lavasoft MAS)Behaviour: Trojan-Dropper, Trojan, Worm, IRC-Worm, IRCBot, Malware

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: c96ecac13a6728b32e7fb84cf647fb7f

SHA1: 7b0d976b58e792d11eea74a7a8677779d2b278eb

SHA256: 91508c1f62bed51a01f2e5ea9ee462fe8aa779f02aa48bb39bb559b4b2b8ecea

SSDeep: 24576:/gFkg R9SDI5xJyyUACeB3gJxL9CC/XV/1VMvoDg3amvs8yZbqgW juec :IKgI9SGJpU8BQPL9CeVSoDgqmPyZbqgH

Size: 1300391 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: UPolyXv05_v6

Company: no certificate found

Created at: 1992-06-20 01:22:17

Analyzed on: Windows7 SP1 32-bit

Summary: Trojan-Dropper. Trojan program, intended for stealth installation of other malware into user's system.

Dynamic Analysis

Payload

Behaviour	Description
IRCBot	A bot can communicate with command and control servers via IRC channel.

Process activity

The Dropped creates the following process(es):

%original file name%.exe:1796

The Dropped injects its code into the following process(es):No processes have been created.

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process %original file name%.exe:1796 makes changes in the file system.

The Dropped creates and/or writes to the following file(s):

C:\Windows\win32dc\BattleField 1942(nocd).exe (8571 bytes)
C:\Windows\win32dc\Half-Life 2_codes.exe (34646 bytes)
C:\Windows\win32dc\Sims 2(serial).exe (7971 bytes)
C:\Windows\win32dc\Quake3_fix.exe (16109 bytes)
C:\Windows\win32dc\Half-Life 2 serial.exe (7971 bytes)
C:\Windows\win32dc\Sims 2_crack.exe (7971 bytes)
C:\Windows\win32dc\Counter-Strike codes.exe (7971 bytes)
C:\Windows\win32dc\Quake3 cheat.exe (18537 bytes)
C:\Windows\win32dc\DAoC fix.exe (18537 bytes)

Registry activity

Dropped PE files

MD5	File path
5058c538da58e76fc5d8b21b0f521a88	c:\Windows\win32dc\BattleField 1942(nocd).exe
e57820706fd12c70a82330ba8282bca0	c:\Windows\win32dc\DAoC fix.exe
52a42a40f8af9b81dadb6b390952a789	c:\Windows\win32dc\Half-Life 2_codes.exe
399ba5cb5b590c68ea3a778b9d0b429a	c:\Windows\win32dc\Quake3 cheat.exe
bd75cb9b57c637eaa02e54a0ad76c552	c:\Windows\win32dc\Quake3_fix.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:1796
Delete the original Dropped file.
Delete or disinfect the following files created/modified by the Dropped:
C:\Windows\win32dc\BattleField 1942(nocd).exe (8571 bytes)
C:\Windows\win32dc\Half-Life 2_codes.exe (34646 bytes)
C:\Windows\win32dc\Sims 2(serial).exe (7971 bytes)
C:\Windows\win32dc\Quake3_fix.exe (16109 bytes)
C:\Windows\win32dc\Half-Life 2 serial.exe (7971 bytes)
C:\Windows\win32dc\Sims 2_crack.exe (7971 bytes)
C:\Windows\win32dc\Counter-Strike codes.exe (7971 bytes)
C:\Windows\win32dc\Quake3 cheat.exe (18537 bytes)
C:\Windows\win32dc\DAoC fix.exe (18537 bytes)

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

No information is available.

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
CODE	4096	40592	40960	4.37354	4599c8e48266467f9472d9c0076da0aa
DATA	45056	416	512	2.59038	6723f313105be59e8f34015bac1ef0c6
BSS	49152	4493	0	0	d41d8cd98f00b204e9800998ecf8427e
.idata	57344	2332	2560	2.95832	1f3c6fef94d61a4d2beebca25d327785
.tls	61440	8	0	0	d41d8cd98f00b204e9800998ecf8427e
.rdata	65536	24	512	0.129329	bf98d008e3e41c32258f4ddad0423dfc
.reloc	69632	2396	2560	4.48773	c247e5d4f27055db8d87da84767714bb
.rsrc	73728	1536	1536	2.62048	b115dc78febf3048a6accb9f8efeb1de

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 2202
ef2d2eb0996329df1775d6f51f5b214a
0247ffacc242c9c894fbf4602d1119db
fc10bf789350f92a2f5096af493be71c
f07659644a1b94f44e5be40693fabb81
ec93b9532a23173ff8957cdcaea0e1ea
e3168e47048a685e966daf117d3e96bd
e1a24e76236bcb7700c9522a49418ecc
ca2083ba2967d3c6e5f09c4da25ed6ba
7af6cb79e4bbe96b65f7d9c826d14339
4cdaf8a89099a35e0404b4e77a15fc3c
204ca1d18e1203518972221742ac65f9
0e61c160a9616336d6af5dbea2e946d3
09447791ef9b704401683afb98e19154
081f26ed6e1bdd222664dc7c00b356c0
da8ede551b5e2b1786a88dd5ea783b96
fa718cee99caa7ded0db41592ebf7a67
e922a769fe7ad0e19e42c65b311ea6b3
ceb082fe53d615709efd38debee15f3a
c51bbf5ad597f0fc6b5772bfef556e76
8dbf9c23a207bf486a0d0892681728a6
8c186dcb8593e1c4dc469b2c2f2b4b74
896f1994684a01c251361617a5dd6cbe
76e344ea280f0036d4b180a5f1d7eef8
e20f21fadc5cfc7baba72a248b47a462
b68d59ebc3cb5470808294307d8c906e

Network Activity

URLs

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Map

The Dropped connects to the servers at the folowing location(s):

Strings from Dumps

%original file name%.exe_1796:

.idata

.rdata

P.reloc

P.rsrc

PRIVMSG

JOIN

PRIVMSG

:File Executed

(netbios_invalidpass:

File(%cur%\

File(%sys%\

rndnick

NICK

join

%sys%\

%cur%\

%rnddir%\%rand%.exe

system.ini

explorer.exe

.com "win2k" :

DCPlusPlus.xml

dcplusplus.xml

%sys%

%cur%

\WINDOWS\Start Menu\Programs\Startup\

netapi32.dll

%rnddir%\%rand%.com

irc.lcirc.net

kernel32.dll

user32.dll

GetKeyboardType

advapi32.dll

RegOpenKeyExA

RegCloseKey

oleaut32.dll

GetWindowsDirectoryA

mpr.dll

wsock32.dll

shell32.dll

ShellExecuteA

wininet.dll

URLMON.DLL

URLDownloadToFileA

KWindows

&pWebServer