Skip to main content

Gen.Variant.Kazy.290327_c4d41795cf


Trojan.Win32.Inject.azgw (Kaspersky), Gen:Variant.Kazy.290327 (B) (Emsisoft), Gen:Variant.Kazy.290327 (AdAware), Backdoor.Win32.Simbot.FD, BackdoorSimbot.YR (Lavasoft MAS)Behaviour: Trojan, Backdoor

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: c4d41795cffacdb28f94841acd622f3d

SHA1: aef379ce87004d05e659d93ed40c4bf4750a33df

SHA256: 1463e55b21896721f7d8f3b0dc0e19be7378e21e259347a5a188a9f03646b60c

SSDeep: 384:F xsgz9JdoacWIrVZjucXY4gpxX8PgxSwT3LvJYjIKGShkPHiQy7kQ81 Hv:F8Kt3IbPYpsIHHGjIKzhkPiQwk76

Size: 27136 bytes

File type: EXE

Platform: WIN32

Entropy: Not Packed

PEID: UPolyXv05_v6

Company: no certificate found

Created at: 2010-12-29 09:37:00

Analyzed on: WindowsXPESX SP3 32-bit

Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

mscorsvw.exe:172
regedit.exe:448
%original file name%.exe:1820

The Trojan injects its code into the following process(es):

svchost.exe:1564

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process %original file name%.exe:1820 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\4$@2.dat (48 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1844237615-1960408961-1801674531-1003\c5b88721db08c824db69d0bbc702beb8_75ed9567-aa58-4c8e-a8ea-3cad7c47ab03 (44 bytes)
C:\%original file name%.exe.tmp1 (1257 bytes)

Registry activity

The process mscorsvw.exe:172 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\State]
"AccumulatedWaitIdleTime" = "1260000"

The process regedit.exe:448 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E8 55 D2 C0 CB 3F 00 2B 57 36 33 4B C1 A2 BE 34"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"HTTPFilter" = "%Documents and Settings%\%current user%\Local Settings\HTTPFilter.exe"

The process %original file name%.exe:1820 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D2 C2 E0 05 E4 E6 99 CE DF F6 02 93 EA 36 1E D5"

Dropped PE files

MD5 File path
2d08a3c658bfc1f897559986a7fab6d0c:\Documents and Settings\"%CurrentUserName%"\Local Settings\HTTPFilter.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    mscorsvw.exe:172
    regedit.exe:448
    %original file name%.exe:1820

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temp\4$@2.dat (48 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1844237615-1960408961-1801674531-1003\c5b88721db08c824db69d0bbc702beb8_75ed9567-aa58-4c8e-a8ea-3cad7c47ab03 (44 bytes)
    C:\%original file name%.exe.tmp1 (1257 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "HTTPFilter" = "%Documents and Settings%\%current user%\Local Settings\HTTPFilter.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name: Adobe Systems, Inc.
Product Name: Flash? Player Installer/Uninstaller
Product Version: 10,1,53,64
Legal Copyright: Copyright ? 1996-2010 Adobe, Inc.
Legal Trademarks: Adobe? Flash? Player
Original Filename: FlashUtil.exe
Internal Name: Adobe? Flash? Player Installer/Uninstaller 10.1
File Version: 10,1,53,64
File Description: Adobe? Flash? Player Installer/Uninstaller 10.1 r53
Comments:
Language: Russian (Russia)

Company Name: Adobe Systems, Inc.Product Name: Flash? Player Installer/UninstallerProduct Version: 10,1,53,64Legal Copyright: Copyright ? 1996-2010 Adobe, Inc.Legal Trademarks: Adobe? Flash? PlayerOriginal Filename: FlashUtil.exeInternal Name: Adobe? Flash? Player Installer/Uninstaller 10.1File Version: 10,1,53,64File Description: Adobe? Flash? Player Installer/Uninstaller 10.1 r53Comments: Language: Russian (Russia)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text409622760230405.090663c50840d5a7e3774c5fabf12d639fa2d
.rdata2867299610243.17402d214cdade079311d21d114ce97e26661
.data327689315122.4689185159569691104599b319eba94ccff51
.rsrc36864113615361.84173b5ed7b029bc65184d8f3a398fb854e6d

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:


Total found: 1
52d0b6b72726ce96dffc3fe96ee61137

Network Activity

URLs

URL IP
hxxp://www.gov.toh.info/kkgdv.php?id=018720111D306EDCD1211.234.117.178

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /kkgdv.php?id=018720111D306EDCD1 HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Host: VVV.gov.toh.info

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 404 Not Found

Date: Thu, 18 Dec 2014 00:15:28 GMT

Server: Apache/2.2.15 (CentOS)

Content-Length: 289

Connection: close

Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>404 Not Found</title>.</head><body>.<h1>Not Found</h1>.<p>The requested URL /kkgdv.php was not found on this server.</p>.<hr>.<address>Apache/2.2.15 (CentOS) Server at VVV.gov.toh.info Port 80</address>.</body></html>...

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

svchost.exe_1564:

.text

.text

`.rdata

`.rdata

@.data

@.data

SSh@C@

SSh@C@

MFC42.DLL

MFC42.DLL

MSVCRT.dll

MSVCRT.dll

_acmdln

_acmdln

WinExec

WinExec

KERNEL32.dll

KERNEL32.dll

USER32.dll

USER32.dll

ADVAPI32.dll

ADVAPI32.dll

HttpQueryInfoA

HttpQueryInfoA

InternetOpenUrlA

InternetOpenUrlA

HttpSendRequestA

HttpSendRequestA

HttpOpenRequestA

HttpOpenRequestA

WININET.dll

WININET.dll

WS2_32.dll

WS2_32.dll

iphlpapi.dll

iphlpapi.dll

SHLWAPI.dll

SHLWAPI.dll

VVV.gov.toh.info

VVV.gov.toh.info

200.115.173.102

200.115.173.102

regedit.exe /s

regedit.exe /s

~dfds3.reg

~dfds3.reg

Windows Registry Editor Version 5.00

Windows Registry Editor Version 5.00

"%s"="%s"

"%s"="%s"

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

WinHttp

WinHttp

%s.tmp1

%s.tmp1

4$@2.dat

4$@2.dat

hXXp://%s:%d/%s.php?id=d%s&ext=%s

hXXp://%s:%d/%s.php?id=d%s&ext=%s

/%s.php?id=d%s&ext=%s

/%s.php?id=d%s&ext=%s

hXXp://%s:%d/%s.php?id=d%s

hXXp://%s:%d/%s.php?id=d%s

%c%c%c%c%c

%c%c%c%c%c

/%s.php?id=d%s

/%s.php?id=d%s

%%temp%%\%u

%%temp%%\%u

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Content-Type: application/x-www-form-urlencoded

Content-Type: application/x-www-form-urlencoded

HTTP/1.1

HTTP/1.1

X-X-X-X-X-X

X-X-X-X-X-X

01-01-01-01-01-01

01-01-01-01-01-01

%c%c%c%c%c%c.exe

%c%c%c%c%c%c.exe

svchost.exe_1564_rwx_00400000_00005000:

.text

.text

`.rdata

`.rdata

@.data

@.data

SSh@C@

SSh@C@

MFC42.DLL

MFC42.DLL

MSVCRT.dll

MSVCRT.dll

_acmdln

_acmdln

WinExec

WinExec

KERNEL32.dll

KERNEL32.dll

USER32.dll

USER32.dll

ADVAPI32.dll

ADVAPI32.dll

HttpQueryInfoA

HttpQueryInfoA

InternetOpenUrlA

InternetOpenUrlA

HttpSendRequestA

HttpSendRequestA

HttpOpenRequestA

HttpOpenRequestA

WININET.dll

WININET.dll

WS2_32.dll

WS2_32.dll

iphlpapi.dll

iphlpapi.dll

SHLWAPI.dll

SHLWAPI.dll

VVV.gov.toh.info

VVV.gov.toh.info

200.115.173.102

200.115.173.102

regedit.exe /s

regedit.exe /s

~dfds3.reg

~dfds3.reg

Windows Registry Editor Version 5.00

Windows Registry Editor Version 5.00

"%s"="%s"

"%s"="%s"

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

WinHttp

WinHttp

%s.tmp1

%s.tmp1

4$@2.dat

4$@2.dat

hXXp://%s:%d/%s.php?id=d%s&ext=%s

hXXp://%s:%d/%s.php?id=d%s&ext=%s

/%s.php?id=d%s&ext=%s

/%s.php?id=d%s&ext=%s

hXXp://%s:%d/%s.php?id=d%s

hXXp://%s:%d/%s.php?id=d%s

%c%c%c%c%c

%c%c%c%c%c

/%s.php?id=d%s

/%s.php?id=d%s

%%temp%%\%u

%%temp%%\%u

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Content-Type: application/x-www-form-urlencoded

Content-Type: application/x-www-form-urlencoded

HTTP/1.1

HTTP/1.1

X-X-X-X-X-X

X-X-X-X-X-X

01-01-01-01-01-01

01-01-01-01-01-01

%c%c%c%c%c%c.exe

%c%c%c%c%c%c.exe