Generic.Malware.SYd!g.93736C4C (BitDefender), Backdoor:Win32/Berbew.DR (Microsoft), Trojan-Proxy.Win32.Qukart.ez (Kaspersky), BehavesLike.Win32.Malware.ssc (mx-v) (VIPRE), BackDoor.HangUp.51712 (DrWeb), Generic.Malware.SYd!g.93736C4C (B) (Emsisoft), BackDoor-AXJ.gen (McAfee), Backdoor.Berbew.F (Symantec), Trojan-Spy.Win32.Qukart (Ikarus), Generic.Malware.SYd!g.93736C4C (FSecure), I-Worm/Nuwar.N (AVG), Win32:Malware-gen (Avast), BKDR_BERBEW.F (TrendMicro), Generic.Malware.SYd!g.93736C4C (AdAware), Trojan-Spy.Win32.Qukart.FD, BankerGeneric.YR (Lavasoft MAS)
Behaviour: Trojan-Proxy, Trojan-Spy, Banker, Trojan, Backdoor, Worm, Trojan-Proxy, Malware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 00366f22698cc90d5bf37e0a0bd44d80
SHA1: 5c2dadfb6d8b8da6f26d25287122e22446921cda
SHA256: fffe6b6d81584a84d7b5ca66cbe66eb1ea6172a58b851ff71d9ceecc5a684009
SSDeep: 768:dJw94CqsTDL2HUmygB4T7OYwOZ/WYXehloPOie/1H5K:Twg4OygMwe/WYXehiPK
Size: 51712 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: InstallShield Software Corporation
Created at: 2024-04-18 22:06:08
Analyzed on: WindowsXPESX SP3 32-bit
Summary: Trojan-Proxy. A trojan program that allows the user's system to be used as a remote proxy.
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
Trojan-Proxy | This program can launch a proxy server (SOCKS4) on a designated TCP port. |
Process activity
The Generic creates the following process(es):
%original file name%.exe:2436
The Generic injects its code into the following process(es):
Lnninpgf.exe:672
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process Lnninpgf.exe:672 makes changes in the file system.
The Generic creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nbeggddc.htm (194 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ehfcjnfh.htm (211 bytes)
%System%\surf.dat (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\eipjagbo.htm (500 bytes)
The Generic deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nbeggddc.htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ehfcjnfh.htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\eipjagbo.htm (0 bytes)
The process %original file name%.exe:2436 makes changes in the file system.
The Generic creates and/or writes to the following file(s):
%System%\Lnninpgf.exe (102 bytes)
%System%\Aedlblgl.dll (6 bytes)
Registry activity
The process Lnninpgf.exe:672 makes changes in the system registry.
The Generic creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DE 09 58 26 FA 3D FB CF 2A 5C 25 0B 80 90 DB B4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
"1601" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1601" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"1601" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1601" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = "0"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess]
"BrowseNewProcess" = "yes"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"1601" = "0"
The process %original file name%.exe:2436 makes changes in the system registry.
The Generic creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "26 30 28 DA 71 2A 72 0B 58 8F 68 0E CD E4 73 97"
[HKCR\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32]
"(Default)" = "%System%\Aedlblgl.dll"
"ThreadingModel" = "Apartment"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"Web Event Logger" = "{79FEACFF-FFCE-815E-A900-316290B5B738}"
Dropped PE files
MD5 | File path |
---|---|
1231269ea1b9e94671ce929228ce7de0 | c:\WINDOWS\system32\Aedlblgl.dll |
0b9055e478e65550ab1db0841ae449ff | c:\WINDOWS\system32\Lnninpgf.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:2436
- Delete the original Generic file.
- Delete or disinfect the following files created/modified by the Generic:
%Documents and Settings%\%current user%\Local Settings\Temp\nbeggddc.htm (194 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ehfcjnfh.htm (211 bytes)
%System%\surf.dat (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\eipjagbo.htm (500 bytes)
%System%\Lnninpgf.exe (102 bytes)
%System%\Aedlblgl.dll (6 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe" = "%System%\ctfmon.exe"
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 32428 | 32768 | 4.96815 | df701a8ce41b3d032dff8657f1be8442 |
.bss | 36864 | 136112 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.data | 176128 | 12752 | 12800 | 4.0622 | 4774f52d665e8ab8758e6145ee2e8380 |
.idata | 192512 | 3748 | 4096 | 3.5204 | 708cff90e55fcc1f43ce49fc7ad6f7f4 |
.aciof | 196608 | 4096 | 512 | 1.5773 | c4f94c5009850aad01001cc0a0fcc382 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 1
cda2b99376146f52a5152eaaa345de60
Network Activity
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The Generic connects to the servers at the following location(s):
Strings from Dumps
Lnninpgf.exe_672: