Skip to main content

Gen.Variant.Kazy.290327_70660f396d


Gen:Variant.Kazy.290327 (BitDefender), Backdoor:Win32/Simbot.gen (Microsoft), Trojan.Win32.Inject.azgw (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), Trojan.DownLoader6.7800 (DrWeb), Gen:Variant.Kazy.290327 (B) (Emsisoft), BackDoor-EYG (McAfee), Trojan Horse (Symantec), Trojan.Win32.Inject (Ikarus), Gen:Variant.Kazy.290327 (FSecure), Generic_r.EAU (AVG), Win32:Taidoor-D [Trj] (Avast), TROJ_KRYPTK.SMS (TrendMicro), Gen:Variant.Kazy.290327 (AdAware), Backdoor.Win32.Simbot.FD, BackdoorSimbot.YR (Lavasoft MAS)Behaviour: Trojan, Backdoor

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 70660f396dc500df2cab297e88ced844

SHA1: 46cf369b078e4ba6bf37d4581a2384af2546613b

SHA256: 0f576151dd81d4389636213e7f2593adbd40e46d29441ac6b84c2917e22f202d

SSDeep: 384:FPFB47j1GH/WOcj/GacWyVybRsw9y/k63Mz ELQHlDT9Bn CGjIQy7kQ81qHv:FPFRA/X3ysdR4/kDtLWDgxIQwk7u

Size: 27136 bytes

File type: EXE

Platform: WIN32

Entropy: Not Packed

PEID: UPolyXv05_v6

Company: no certificate found

Created at: 2010-12-29 09:37:00

Analyzed on: WindowsXPESX SP3 32-bit

Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:860
regedit.exe:192

The Trojan injects its code into the following process(es):

svchost.exe:1912

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process %original file name%.exe:860 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1844237615-1960408961-1801674531-1003\c5b88721db08c824db69d0bbc702beb8_75ed9567-aa58-4c8e-a8ea-3cad7c47ab03 (44 bytes)
C:\%original file name%.exe.tmp1 (1257 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4$@2.dat (48 bytes)

Registry activity

The process %original file name%.exe:860 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5B FA 5A 38 AA D1 CD 46 BA 8E A2 20 7C 4B 83 9D"

The process regedit.exe:192 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "18 82 61 10 92 83 63 29 8F B1 77 10 C2 59 A1 03"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"NetDDEdsdm" = "%Documents and Settings%\%current user%\Local Settings\NetDDEdsdm.exe"

Dropped PE files

MD5 File path
ed8ff4779a69f09af19ebe35e829e89cc:\Documents and Settings\"%CurrentUserName%"\Local Settings\NetDDEdsdm.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:860
    regedit.exe:192

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1844237615-1960408961-1801674531-1003\c5b88721db08c824db69d0bbc702beb8_75ed9567-aa58-4c8e-a8ea-3cad7c47ab03 (44 bytes)
    C:\%original file name%.exe.tmp1 (1257 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\4$@2.dat (48 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "NetDDEdsdm" = "%Documents and Settings%\%current user%\Local Settings\NetDDEdsdm.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name: Adobe Systems, Inc.
Product Name: Flash? Player Installer/Uninstaller
Product Version: 10,1,53,64
Legal Copyright: Copyright ? 1996-2010 Adobe, Inc.
Legal Trademarks: Adobe? Flash? Player
Original Filename: FlashUtil.exe
Internal Name: Adobe? Flash? Player Installer/Uninstaller 10.1
File Version: 10,1,53,64
File Description: Adobe? Flash? Player Installer/Uninstaller 10.1 r53
Comments:
Language: Language Neutral

Company Name: Adobe Systems, Inc.Product Name: Flash? Player Installer/UninstallerProduct Version: 10,1,53,64Legal Copyright: Copyright ? 1996-2010 Adobe, Inc.Legal Trademarks: Adobe? Flash? PlayerOriginal Filename: FlashUtil.exeInternal Name: Adobe? Flash? Player Installer/Uninstaller 10.1File Version: 10,1,53,64File Description: Adobe? Flash? Player Installer/Uninstaller 10.1 r53Comments: Language: Language Neutral

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text409622760230405.0913308da0878ceed0ed52f1ca739991dab7
.rdata2867299610243.17402d214cdade079311d21d114ce97e26661
.data327689315122.468916a1a4e26e899812a0991c26df36abb11
.rsrc36864113615361.84173b5ed7b029bc65184d8f3a398fb854e6d

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:


Total found: 5
0259ceb5059c50e42b40e716762afacc
51efb275229d9f3cee6be6c9cd96909c
4d13d3b974553aa6cfa3bfa6117d0a79
2281c3ccbd6c759193f51fbe17deda94
2ae5f6ec60e42477a9a05f0a19357993

Network Activity

URLs

URL IP
hxxp://www.gov.toh.info/jilyh.php?id=031648111D30FD8GD6211.234.117.178

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /jilyh.php?id=031648111D30FD8GD6 HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Host: VVV.gov.toh.info

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 404 Not Found

Date: Fri, 26 Dec 2014 10:59:29 GMT

Server: Apache/2.2.15 (CentOS)

Content-Length: 289

Connection: close

Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>404 Not Found</title>.</head><body>.<h1>Not Found</h1>.<p>The requested URL /jilyh.php was not found on this server.</p>.<hr>.<address>Apache/2.2.15 (CentOS) Server at VVV.gov.toh.info Port 80</address>.</body></html>...

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

svchost.exe_1912:

.text

.text

`.rdata

`.rdata

@.data

@.data

SSh@C@

SSh@C@

MFC42.DLL

MFC42.DLL

MSVCRT.dll

MSVCRT.dll

_acmdln

_acmdln

WinExec

WinExec

KERNEL32.dll

KERNEL32.dll

USER32.dll

USER32.dll

ADVAPI32.dll

ADVAPI32.dll

HttpQueryInfoA

HttpQueryInfoA

InternetOpenUrlA

InternetOpenUrlA

HttpSendRequestA

HttpSendRequestA

HttpOpenRequestA

HttpOpenRequestA

WININET.dll

WININET.dll

WS2_32.dll

WS2_32.dll

iphlpapi.dll

iphlpapi.dll

SHLWAPI.dll

SHLWAPI.dll

VVV.gov.toh.info

VVV.gov.toh.info

200.115.173.102

200.115.173.102

regedit.exe /s

regedit.exe /s

~dfds3.reg

~dfds3.reg

Windows Registry Editor Version 5.00

Windows Registry Editor Version 5.00

"%s"="%s"

"%s"="%s"

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

WinHttp

WinHttp

%s.tmp1

%s.tmp1

4$@2.dat

4$@2.dat

hXXp://%s:%d/%s.php?id=d%s&ext=%s

hXXp://%s:%d/%s.php?id=d%s&ext=%s

/%s.php?id=d%s&ext=%s

/%s.php?id=d%s&ext=%s

hXXp://%s:%d/%s.php?id=d%s

hXXp://%s:%d/%s.php?id=d%s

%c%c%c%c%c

%c%c%c%c%c

/%s.php?id=d%s

/%s.php?id=d%s

%%temp%%\%u

%%temp%%\%u

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Content-Type: application/x-www-form-urlencoded

Content-Type: application/x-www-form-urlencoded

HTTP/1.1

HTTP/1.1

X-X-X-X-X-X

X-X-X-X-X-X

01-01-01-01-01-01

01-01-01-01-01-01

%c%c%c%c%c%c.exe

%c%c%c%c%c%c.exe

svchost.exe_1912_rwx_00400000_00005000:

.text

.text

`.rdata

`.rdata

@.data

@.data

SSh@C@

SSh@C@

MFC42.DLL

MFC42.DLL

MSVCRT.dll

MSVCRT.dll

_acmdln

_acmdln

WinExec

WinExec

KERNEL32.dll

KERNEL32.dll

USER32.dll

USER32.dll

ADVAPI32.dll

ADVAPI32.dll

HttpQueryInfoA

HttpQueryInfoA

InternetOpenUrlA

InternetOpenUrlA

HttpSendRequestA

HttpSendRequestA

HttpOpenRequestA

HttpOpenRequestA

WININET.dll

WININET.dll

WS2_32.dll

WS2_32.dll

iphlpapi.dll

iphlpapi.dll

SHLWAPI.dll

SHLWAPI.dll

VVV.gov.toh.info

VVV.gov.toh.info

200.115.173.102

200.115.173.102

regedit.exe /s

regedit.exe /s

~dfds3.reg

~dfds3.reg

Windows Registry Editor Version 5.00

Windows Registry Editor Version 5.00

"%s"="%s"

"%s"="%s"

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

WinHttp

WinHttp

%s.tmp1

%s.tmp1

4$@2.dat

4$@2.dat

hXXp://%s:%d/%s.php?id=d%s&ext=%s

hXXp://%s:%d/%s.php?id=d%s&ext=%s

/%s.php?id=d%s&ext=%s

/%s.php?id=d%s&ext=%s

hXXp://%s:%d/%s.php?id=d%s

hXXp://%s:%d/%s.php?id=d%s

%c%c%c%c%c

%c%c%c%c%c

/%s.php?id=d%s

/%s.php?id=d%s

%%temp%%\%u

%%temp%%\%u

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Content-Type: application/x-www-form-urlencoded

Content-Type: application/x-www-form-urlencoded

HTTP/1.1

HTTP/1.1

X-X-X-X-X-X

X-X-X-X-X-X

01-01-01-01-01-01

01-01-01-01-01-01

%c%c%c%c%c%c.exe

%c%c%c%c%c%c.exe