Susp_Dropper (Kaspersky), Gen:Variant.Kazy.224722 (B) (Emsisoft), Gen:Variant.Kazy.224568 (AdAware), Backdoor.Win32.Simbot.FD, BackdoorSimbot.YR (Lavasoft MAS)Behaviour: Backdoor
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: a5a03819bb8ddd78b86a0079117cfc40
SHA1: 9cbbc8b231b62fba603fdcf454333e079891e483
SHA256: e108e49aa0de18ba1b583fa2b56f00287e1efa2a1dc72b60ce75da7d9c2d248f
SSDeep: 384:zIqi/i99pEcfyL01iceZ73hmkx7Lj0bThrSaZYLRap3W0NK9tBk0slmeg:zI9g9PlE7Rv5LUThf2Nk/K9Dslmeg
Size: 20992 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Uyuld & co.
Created at: 2010-11-06 05:06:34
Analyzed on: WindowsXPESX SP3 32-bit
Summary: Backdoor. Malware that enables a remote control of victim's machine.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Backdoor creates the following process(es):
%original file name%.exe:2712
regedit.exe:3060
The Backdoor injects its code into the following process(es):
svchost.exe:2756
Mutexes
The following mutexes were created/opened:No objects were found.
File activity
The process %original file name%.exe:2712 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
C:\RCXB2.tmp (23552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4$@2.dat (48 bytes)
C:\%original file name%.exe.tmp1 (373 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Crypto\RSA\S-1-5-21-796845957-1563985344-1801674531-1003\c5b88721db08c824db69d0bbc702beb8_f3a4e041-90c9-46df-a35a-850a694fae5b (44 bytes)
The Backdoor deletes the following file(s):
C:\%original file name%.exe.tmp1 (0 bytes)
Registry activity
The process %original file name%.exe:2712 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9D FA 1C 12 E2 C7 64 6E 43 F8 97 70 81 4A CB 04"
The process regedit.exe:3060 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "09 73 26 08 4C 97 ED 8D 14 55 3B C5 32 59 AD CE"
To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"RemoteAccess" = "%Documents and Settings%\%current user%\Local Settings\RemoteAccess.exe"
Dropped PE files
MD5 | File path |
---|---|
7a9bf64fb473908de6f6cff2e8e7853c | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\RemoteAccess.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:2712
regedit.exe:3060 - Delete the original Backdoor file.
- Delete or disinfect the following files created/modified by the Backdoor:
C:\RCXB2.tmp (23552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4$@2.dat (48 bytes)
C:\%original file name%.exe.tmp1 (373 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Crypto\RSA\S-1-5-21-796845957-1563985344-1801674531-1003\c5b88721db08c824db69d0bbc702beb8_f3a4e041-90c9-46df-a35a-850a694fae5b (44 bytes) - Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"RemoteAccess" = "%Documents and Settings%\%current user%\Local Settings\RemoteAccess.exe" - Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name: Adobe Systems, Inc.
Product Name: Flash? Player Installer/Uninstaller
Product Version: 10,1,53,64
Legal Copyright: Copyright ? 1996-2010 Adobe, Inc.
Legal Trademarks: Adobe? Flash? Player
Original Filename: FlashUtil.exe
Internal Name: Adobe? Flash? Player Installer/Uninstaller 10.1
File Version: 10,1,53,64
File Description: Adobe? Flash? Player Installer/Uninstaller 10.1 r53
Comments:
Language: Spanish (Spain, International Sort)
Company Name: Adobe Systems, Inc.Product Name: Flash? Player Installer/UninstallerProduct Version: 10,1,53,64Legal Copyright: Copyright ? 1996-2010 Adobe, Inc.Legal Trademarks: Adobe? Flash? PlayerOriginal Filename: FlashUtil.exeInternal Name: Adobe? Flash? Player Installer/Uninstaller 10.1File Version: 10,1,53,64File Description: Adobe? Flash? Player Installer/Uninstaller 10.1 r53Comments: Language: Spanish (Spain, International Sort)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 4392 | 4608 | 5.22196 | 218121512f0e8a6f37c8110c6229ac3f |
.rdata | 12288 | 1045 | 1536 | 2.51569 | b09e1f7c28fc22c6f6859d92fabdae15 |
.data | 16384 | 927 | 512 | 2.53957 | 4bd92ec76dfb579497a8263cd411230a |
.rsrc | 20480 | 12996 | 13312 | 5.4223 | 8d9b2c28983ad0a6abee5aaf006db5d9 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://www.gov.toh.info/wjacu.php?id=004413111D304CEG3G | 211.234.117.178 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /wjacu.php?id=004413111D304CEG3G HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: VVV.gov.toh.info
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 404 Not Found
Date: Sun, 16 Nov 2014 14:45:33 GMT
Server: Apache/2.2.15 (CentOS)
Content-Length: 289
Connection: close
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>404 Not Found</title>.</head><body>.<h1>Not Found</h1>.<p>The requested URL /wjacu.php was not found on this server.</p>.<hr>.<address>Apache/2.2.15 (CentOS) Server at VVV.gov.toh.info Port 80</address>.</body></html>...
Map
The Backdoor connects to the servers at the folowing location(s):
Strings from Dumps
svchost.exe_2756:
.text
.text
`.rdata
`.rdata
@.data
@.data
SSh@C@
SSh@C@
MFC42.DLL
MFC42.DLL
MSVCRT.dll
MSVCRT.dll
_acmdln
_acmdln
WinExec
WinExec
KERNEL32.dll
KERNEL32.dll
USER32.dll
USER32.dll
ADVAPI32.dll
ADVAPI32.dll
HttpQueryInfoA
HttpQueryInfoA
InternetOpenUrlA
InternetOpenUrlA
HttpSendRequestA
HttpSendRequestA
HttpOpenRequestA
HttpOpenRequestA
WININET.dll
WININET.dll
WS2_32.dll
WS2_32.dll
iphlpapi.dll
iphlpapi.dll
SHLWAPI.dll
SHLWAPI.dll
VVV.gov.toh.info
VVV.gov.toh.info
200.115.173.102
200.115.173.102
200.115.138.136
200.115.138.136
regedit.exe /s
regedit.exe /s
~dfds3.reg
~dfds3.reg
Windows Registry Editor Version 5.00
Windows Registry Editor Version 5.00
"%s"="%s"
"%s"="%s"
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WinHttp
WinHttp
%s.tmp1
%s.tmp1
4$@2.dat
4$@2.dat
hXXp://%s:%d/%s.php?id=d%s&ext=%s
hXXp://%s:%d/%s.php?id=d%s&ext=%s
/%s.php?id=d%s&ext=%s
/%s.php?id=d%s&ext=%s
hXXp://%s:%d/%s.php?id=d%s
hXXp://%s:%d/%s.php?id=d%s
%c%c%c%c%c
%c%c%c%c%c
/%s.php?id=d%s
/%s.php?id=d%s
%%temp%%\%u
%%temp%%\%u
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Content-Type: application/x-www-form-urlencoded
Content-Type: application/x-www-form-urlencoded
HTTP/1.1
HTTP/1.1
X-X-X-X-X-X
X-X-X-X-X-X
01-01-01-01-01-01
01-01-01-01-01-01
%c%c%c%c%c%c.exe
%c%c%c%c%c%c.exe
svchost.exe_2756_rwx_00400000_00005000:
.text
.text
`.rdata
`.rdata
@.data
@.data
SSh@C@
SSh@C@
MFC42.DLL
MFC42.DLL
MSVCRT.dll
MSVCRT.dll
_acmdln
_acmdln
WinExec
WinExec
KERNEL32.dll
KERNEL32.dll
USER32.dll
USER32.dll
ADVAPI32.dll
ADVAPI32.dll
HttpQueryInfoA
HttpQueryInfoA
InternetOpenUrlA
InternetOpenUrlA
HttpSendRequestA
HttpSendRequestA
HttpOpenRequestA
HttpOpenRequestA
WININET.dll
WININET.dll
WS2_32.dll
WS2_32.dll
iphlpapi.dll
iphlpapi.dll
SHLWAPI.dll
SHLWAPI.dll
VVV.gov.toh.info
VVV.gov.toh.info
200.115.173.102
200.115.173.102
200.115.138.136
200.115.138.136
regedit.exe /s
regedit.exe /s
~dfds3.reg
~dfds3.reg
Windows Registry Editor Version 5.00
Windows Registry Editor Version 5.00
"%s"="%s"
"%s"="%s"
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WinHttp
WinHttp
%s.tmp1
%s.tmp1
4$@2.dat
4$@2.dat
hXXp://%s:%d/%s.php?id=d%s&ext=%s
hXXp://%s:%d/%s.php?id=d%s&ext=%s
/%s.php?id=d%s&ext=%s
/%s.php?id=d%s&ext=%s
hXXp://%s:%d/%s.php?id=d%s
hXXp://%s:%d/%s.php?id=d%s
%c%c%c%c%c
%c%c%c%c%c
/%s.php?id=d%s
/%s.php?id=d%s
%%temp%%\%u
%%temp%%\%u
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Content-Type: application/x-www-form-urlencoded
Content-Type: application/x-www-form-urlencoded
HTTP/1.1
HTTP/1.1
X-X-X-X-X-X
X-X-X-X-X-X
01-01-01-01-01-01
01-01-01-01-01-01
%c%c%c%c%c%c.exe
%c%c%c%c%c%c.exe