Skip to main content

Backdoor.Win32.Farfli_7cc14ad170


Worm:Win32/Xtrat.B!A (Microsoft), HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), Artemis!7CC14AD17069 (McAfee), Suspicious.Cloud.9 (Symantec), Trojan.MSIL.MultiPacked (Ikarus), Crypt4.CEBB (AVG), Win32:Malware-gen (Avast), TROJ_GEN.R00XC0DI715 (TrendMicro), Backdoor.Win32.Farfli.FD, Backdoor.Win32.Xtrat.FD, Trojan.Win32.IEDummy.FD, GenericAutorunWorm.YR, GenericInjector.YR (Lavasoft MAS)Behaviour: Trojan, Backdoor, Worm, Packed, WormAutorun, Malware

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 7cc14ad17069186ef668c47253509967

SHA1: e8e8e3ddf2e979ed60f367d71e79c2a407c86b63

SHA256: 236718d86b78013a4694114acbe12b7d52d59d15a66655d1cbc81b19e2bb5f86

SSDeep: 49152:O/ivCEPzFJu n1I2LZUuap/I1iPhGI7HVV6rDU83QWVLEMxW3uxGCu:O/ivHzFJryc 9m2r6XUMvVEuECu

Size: 3948032 bytes

File type: EXE

Platform: WIN32

Entropy: Not Packed

PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6

Company: no certificate found

Created at: 2015-09-02 15:25:53

Analyzed on: WindowsXP SP3 32-bit

Summary: Backdoor. Malware that enables a remote control of victim's machine.

Dynamic Analysis

Payload

Behaviour Description
WormAutorunA worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Backdoor's file once a user opens a drive's folder in Windows Explorer.


Process activity

The Backdoor creates the following process(es):

suLjyXabeeG6r3PMTNOF.exe:1480
%original file name%.exe:396

The Backdoor injects its code into the following process(es):

svchost.exe:544
iexplore.exe:1228

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process suLjyXabeeG6r3PMTNOF.exe:1480 makes changes in the file system.


The Backdoor deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\x.html (0 bytes)

The process %original file name%.exe:396 makes changes in the file system.


The Backdoor creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.new (10036 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.new (10036 bytes)
%WinDir%\suLjyXabeeG6r3PMTNOF.exe (33 bytes)

Registry activity

The process suLjyXabeeG6r3PMTNOF.exe:1480 makes changes in the system registry.


The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A0 C6 AB 3C 52 77 E1 AC D7 A7 55 61 E5 BD 0A 24"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\XtremeRAT]
"Mutex" = "--((Mutex))--"

The process %original file name%.exe:396 makes changes in the system registry.


The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D8 FB DE CA 32 26 DA 9F B6 90 B6 48 FC 53 D7 8C"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%WinDir%]
"suLjyXabeeG6r3PMTNOF.exe" = "suLjyXabeeG6r3PMTNOF"

The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Backdoor modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The Backdoor modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Dropped PE files

MD5 File path
f60755947f262f10fb4da99cb13dd94ac:\WINDOWS\InstallDir\Server.exe
f60755947f262f10fb4da99cb13dd94ac:\WINDOWS\suLjyXabeeG6r3PMTNOF.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Backdoor's file once a user opens a drive's folder in Windows Explorer.

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    suLjyXabeeG6r3PMTNOF.exe:1480
    %original file name%.exe:396

  2. Delete the original Backdoor file.
  3. Delete or disinfect the following files created/modified by the Backdoor:

    %WinDir%\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.new (10036 bytes)
    %WinDir%\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.new (10036 bytes)
    %WinDir%\suLjyXabeeG6r3PMTNOF.exe (33 bytes)

  4. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
  5. Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name:
Product Name:
Product Version: 0.0.0.0
Legal Copyright:
Legal Trademarks:
Original Filename: server.exe
Internal Name: server.exe
File Version: 0.0.0.0
File Description:
Comments:
Language: Language Neutral

Company Name: Product Name: Product Version: 0.0.0.0Legal Copyright: Legal Trademarks: Original Filename: server.exeInternal Name: server.exeFile Version: 0.0.0.0File Description: Comments: Language: Language Neutral

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text8192394589539459843.788134334361d5c02f597345b60e98dc547c7
.rsrc395673666410241.4786263f525e3b6792c692f08ee76bd0eb762
.reloc3964928125120.070639d152222fe347b1b0f9e0adf7f3008a4f

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Map

The Backdoor connects to the servers at the folowing location(s):

Strings from Dumps

svchost.exe_544:

.text

.text

`.data

`.data

.rsrc

.rsrc

ADVAPI32.dll

ADVAPI32.dll

KERNEL32.dll

KERNEL32.dll

NTDLL.DLL

NTDLL.DLL

RPCRT4.dll

RPCRT4.dll

NETAPI32.dll

NETAPI32.dll

ole32.dll

ole32.dll

ntdll.dll

ntdll.dll

RegCloseKey

RegCloseKey

RegOpenKeyExW

RegOpenKeyExW

GetProcessHeap

GetProcessHeap

NtOpenKey

NtOpenKey

svchost.pdb

svchost.pdb

\PIPE\

\PIPE\

Software\Microsoft\Windows NT\CurrentVersion\Svchost

Software\Microsoft\Windows NT\CurrentVersion\Svchost

\Registry\Machine\System\CurrentControlSet\Control\SecurePipeServers\

\Registry\Machine\System\CurrentControlSet\Control\SecurePipeServers\

5.1.2600.5512 (xpsp.080413-2111)

5.1.2600.5512 (xpsp.080413-2111)

svchost.exe

svchost.exe

Windows

Windows

Operating System

Operating System

5.1.2600.5512

5.1.2600.5512

svchost.exe_544_rwx_10000000_0004D000:

`.rsrc

`.rsrc

ServerKeyloggerU

ServerKeyloggerU

789:;

789:;

%SERVER%

%SERVER%

URLMON.DLL

URLMON.DLL

shell32.dll

shell32.dll

hXXp://

hXXp://

advapi32.dll

advapi32.dll

kernel32.dll

kernel32.dll

mpr.dll

mpr.dll

version.dll

version.dll

comctl32.dll

comctl32.dll

gdi32.dll

gdi32.dll

opengl32.dll

opengl32.dll

user32.dll

user32.dll

wintrust.dll

wintrust.dll

msimg32.dll

msimg32.dll

KWindows

KWindows

TServerKeylogger

TServerKeylogger

GetWindowsDirectoryW

GetWindowsDirectoryW

RegOpenKeyExW

RegOpenKeyExW

RegCreateKeyW

RegCreateKeyW

RegCloseKey

RegCloseKey

RegOpenKeyExA

RegOpenKeyExA

FindExecutableW

FindExecutableW

ShellExecuteW

ShellExecuteW

SHDeleteKeyW

SHDeleteKeyW

URLDownloadToCacheFileW

URLDownloadToCacheFileW

UnhookWindowsHookEx

UnhookWindowsHookEx

SetWindowsHookExW

SetWindowsHookExW

MapVirtualKeyW

MapVirtualKeyW

GetKeyboardLayout

GetKeyboardLayout

GetKeyState

GetKeyState

GetKeyboardType

GetKeyboardType

GetKeyboardState

GetKeyboardState

FtpPutFileW

FtpPutFileW

FtpSetCurrentDirectoryW

FtpSetCurrentDirectoryW

.idata

.idata

.rdata

.rdata

P.reloc

P.reloc

P.rsrc

P.rsrc

URLD}

URLD}

KERNEL32.DLL

KERNEL32.DLL

ntdll.dll

ntdll.dll

oleaut32.dll

oleaut32.dll

shlwapi.dll

shlwapi.dll

wininet.dll

wininet.dll

x.html

x.html

HKEY_CLASSES_ROOT

HKEY_CLASSES_ROOT

HKEY_CURRENT_USER

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_LOCAL_MACHINE

HKEY_USERS

HKEY_USERS

HKEY_CURRENT_CONFIG

HKEY_CURRENT_CONFIG

[Execute]

[Execute]

KeyDelBackspace

KeyDelBackspace

.html

.html

XtremeKeylogger

XtremeKeylogger

Software\Microsoft\Windows\CurrentVersion\Run

Software\Microsoft\Windows\CurrentVersion\Run

.functions

.functions

icon=shell32.dll,4

icon=shell32.dll,4

shellexecute=

shellexecute=

autorun.inf

autorun.inf

\Microsoft\Windows\

\Microsoft\Windows\

ÞFAULTBROWSER%

ÞFAULTBROWSER%

svchost.exe

svchost.exe

njratro.no-ip.biz

njratro.no-ip.biz

Server.exe

Server.exe

{5460C4DF-B266-909E-CB58-E32B79832EB2}

{5460C4DF-B266-909E-CB58-E32B79832EB2}

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

PTF.ftpserver.com

PTF.ftpserver.com

ftpuser

ftpuser

iexplore.exe_1228:

%?9-*09,*19}*09

%?9-*09,*19}*09

.text

.text

`.data

`.data

.rsrc

.rsrc

msvcrt.dll

msvcrt.dll

KERNEL32.dll

KERNEL32.dll

NTDLL.DLL

NTDLL.DLL

USER32.dll

USER32.dll

SHLWAPI.dll

SHLWAPI.dll

SHDOCVW.dll

SHDOCVW.dll

Software\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess

Software\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess

IE-X-X

IE-X-X

rsabase.dll

rsabase.dll

System\CurrentControlSet\Control\Windows

System\CurrentControlSet\Control\Windows

dw15 -x -s %u

dw15 -x -s %u

watson.microsoft.com

watson.microsoft.com

IEWatsonURL

IEWatsonURL

%s -h %u

%s -h %u

iedw.exe

iedw.exe

Iexplore.XPExceptionFilter

Iexplore.XPExceptionFilter

jscript.DLL

jscript.DLL

mshtml.dll

mshtml.dll

mlang.dll

mlang.dll

urlmon.dll

urlmon.dll

wininet.dll

wininet.dll

shdocvw.DLL

shdocvw.DLL

browseui.DLL

browseui.DLL

comctl32.DLL

comctl32.DLL

IEXPLORE.EXE

IEXPLORE.EXE

iexplore.pdb

iexplore.pdb

ADVAPI32.dll

ADVAPI32.dll

MsgWaitForMultipleObjects

MsgWaitForMultipleObjects

IExplorer.EXE

IExplorer.EXE

IIIIIB(II<.fg>

IIIIIB(II<.fg>

7?_____ZZSSH%

7?_____ZZSSH%

)z.UUUUUUUU

)z.UUUUUUUU

,....Qym

,....Qym

````2```

````2```

{.QLQIIIKGKGKGKGKGKG

{.QLQIIIKGKGKGKGKGKG

;33;33;0

;33;33;0

8888880

8888880

8887080

8887080

browseui.dll

browseui.dll

shdocvw.dll

shdocvw.dll

6.00.2900.5512 (xpsp.080413-2105)

6.00.2900.5512 (xpsp.080413-2105)

Windows

Windows

Operating System

Operating System

6.00.2900.5512

6.00.2900.5512

iexplore.exe_1228_rwx_10000000_0004D000:

`.rsrc

`.rsrc

ServerKeyloggerU

ServerKeyloggerU

789:;

789:;

%SERVER%

%SERVER%

URLMON.DLL

URLMON.DLL

shell32.dll

shell32.dll

hXXp://

hXXp://

advapi32.dll

advapi32.dll

kernel32.dll

kernel32.dll

mpr.dll

mpr.dll

version.dll

version.dll

comctl32.dll

comctl32.dll

gdi32.dll

gdi32.dll

opengl32.dll

opengl32.dll

user32.dll

user32.dll

wintrust.dll

wintrust.dll

msimg32.dll

msimg32.dll

KWindows

KWindows

TServerKeylogger

TServerKeylogger

GetWindowsDirectoryW

GetWindowsDirectoryW

RegOpenKeyExW

RegOpenKeyExW

RegCreateKeyW

RegCreateKeyW

RegCloseKey

RegCloseKey

RegOpenKeyExA

RegOpenKeyExA

FindExecutableW

FindExecutableW

ShellExecuteW

ShellExecuteW

SHDeleteKeyW

SHDeleteKeyW

URLDownloadToCacheFileW

URLDownloadToCacheFileW

UnhookWindowsHookEx

UnhookWindowsHookEx

SetWindowsHookExW

SetWindowsHookExW

MapVirtualKeyW

MapVirtualKeyW

GetKeyboardLayout

GetKeyboardLayout

GetKeyState

GetKeyState

GetKeyboardType

GetKeyboardType

GetKeyboardState

GetKeyboardState

FtpPutFileW

FtpPutFileW

FtpSetCurrentDirectoryW

FtpSetCurrentDirectoryW

.idata

.idata

.rdata

.rdata

P.reloc

P.reloc

P.rsrc

P.rsrc

URLD}

URLD}

KERNEL32.DLL

KERNEL32.DLL

ntdll.dll

ntdll.dll

oleaut32.dll

oleaut32.dll

shlwapi.dll

shlwapi.dll

wininet.dll

wininet.dll

x.html

x.html

HKEY_CLASSES_ROOT

HKEY_CLASSES_ROOT

HKEY_CURRENT_USER

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_LOCAL_MACHINE

HKEY_USERS

HKEY_USERS

HKEY_CURRENT_CONFIG

HKEY_CURRENT_CONFIG

[Execute]

[Execute]

KeyDelBackspace

KeyDelBackspace

.html

.html

XtremeKeylogger

XtremeKeylogger

Software\Microsoft\Windows\CurrentVersion\Run

Software\Microsoft\Windows\CurrentVersion\Run

.functions

.functions

icon=shell32.dll,4

icon=shell32.dll,4

shellexecute=

shellexecute=

autorun.inf

autorun.inf

\Microsoft\Windows\

\Microsoft\Windows\

ÞFAULTBROWSER%

ÞFAULTBROWSER%

svchost.exe

svchost.exe

njratro.no-ip.biz

njratro.no-ip.biz

Server.exe

Server.exe

{5460C4DF-B266-909E-CB58-E32B79832EB2}

{5460C4DF-B266-909E-CB58-E32B79832EB2}

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

PTF.ftpserver.com

PTF.ftpserver.com

ftpuser

ftpuser

%WinDir%\suLjyXabeeG6r3PMTNOF.exe

%WinDir%\suLjyXabeeG6r3PMTNOF.exe

%Program Files%\Internet Explorer\iexplore.exe

%Program Files%\Internet Explorer\iexplore.exe