Skip to main content

Gen.Variant.Kazy.224568_a5a03819bb


Susp_Dropper (Kaspersky), Gen:Variant.Kazy.224722 (B) (Emsisoft), Gen:Variant.Kazy.224568 (AdAware), Backdoor.Win32.Simbot.FD, BackdoorSimbot.YR (Lavasoft MAS)Behaviour: Backdoor

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: a5a03819bb8ddd78b86a0079117cfc40

SHA1: 9cbbc8b231b62fba603fdcf454333e079891e483

SHA256: e108e49aa0de18ba1b583fa2b56f00287e1efa2a1dc72b60ce75da7d9c2d248f

SSDeep: 384:zIqi/i99pEcfyL01iceZ73hmkx7Lj0bThrSaZYLRap3W0NK9tBk0slmeg:zI9g9PlE7Rv5LUThf2Nk/K9Dslmeg

Size: 20992 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: UPolyXv05_v6

Company: Uyuld & co.

Created at: 2010-11-06 05:06:34

Analyzed on: WindowsXPESX SP3 32-bit

Summary: Backdoor. Malware that enables a remote control of victim's machine.

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Backdoor creates the following process(es):

%original file name%.exe:2712
regedit.exe:3060

The Backdoor injects its code into the following process(es):

svchost.exe:2756

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process %original file name%.exe:2712 makes changes in the file system.


The Backdoor creates and/or writes to the following file(s):

C:\RCXB2.tmp (23552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4$@2.dat (48 bytes)
C:\%original file name%.exe.tmp1 (373 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Crypto\RSA\S-1-5-21-796845957-1563985344-1801674531-1003\c5b88721db08c824db69d0bbc702beb8_f3a4e041-90c9-46df-a35a-850a694fae5b (44 bytes)

The Backdoor deletes the following file(s):

C:\%original file name%.exe.tmp1 (0 bytes)

Registry activity

The process %original file name%.exe:2712 makes changes in the system registry.


The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9D FA 1C 12 E2 C7 64 6E 43 F8 97 70 81 4A CB 04"

The process regedit.exe:3060 makes changes in the system registry.


The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "09 73 26 08 4C 97 ED 8D 14 55 3B C5 32 59 AD CE"

To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"RemoteAccess" = "%Documents and Settings%\%current user%\Local Settings\RemoteAccess.exe"

Dropped PE files

MD5 File path
7a9bf64fb473908de6f6cff2e8e7853cc:\Documents and Settings\"%CurrentUserName%"\Local Settings\RemoteAccess.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:2712
    regedit.exe:3060

  2. Delete the original Backdoor file.
  3. Delete or disinfect the following files created/modified by the Backdoor:

    C:\RCXB2.tmp (23552 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\4$@2.dat (48 bytes)
    C:\%original file name%.exe.tmp1 (373 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\Crypto\RSA\S-1-5-21-796845957-1563985344-1801674531-1003\c5b88721db08c824db69d0bbc702beb8_f3a4e041-90c9-46df-a35a-850a694fae5b (44 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "RemoteAccess" = "%Documents and Settings%\%current user%\Local Settings\RemoteAccess.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name: Adobe Systems, Inc.
Product Name: Flash? Player Installer/Uninstaller
Product Version: 10,1,53,64
Legal Copyright: Copyright ? 1996-2010 Adobe, Inc.
Legal Trademarks: Adobe? Flash? Player
Original Filename: FlashUtil.exe
Internal Name: Adobe? Flash? Player Installer/Uninstaller 10.1
File Version: 10,1,53,64
File Description: Adobe? Flash? Player Installer/Uninstaller 10.1 r53
Comments:
Language: Spanish (Spain, International Sort)

Company Name: Adobe Systems, Inc.Product Name: Flash? Player Installer/UninstallerProduct Version: 10,1,53,64Legal Copyright: Copyright ? 1996-2010 Adobe, Inc.Legal Trademarks: Adobe? Flash? PlayerOriginal Filename: FlashUtil.exeInternal Name: Adobe? Flash? Player Installer/Uninstaller 10.1File Version: 10,1,53,64File Description: Adobe? Flash? Player Installer/Uninstaller 10.1 r53Comments: Language: Spanish (Spain, International Sort)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text4096439246085.22196218121512f0e8a6f37c8110c6229ac3f
.rdata12288104515362.51569b09e1f7c28fc22c6f6859d92fabdae15
.data163849275122.539574bd92ec76dfb579497a8263cd411230a
.rsrc2048012996133125.42238d9b2c28983ad0a6abee5aaf006db5d9

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL IP
hxxp://www.gov.toh.info/wjacu.php?id=004413111D304CEG3G211.234.117.178

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /wjacu.php?id=004413111D304CEG3G HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Host: VVV.gov.toh.info

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 404 Not Found

Date: Sun, 16 Nov 2014 14:45:33 GMT

Server: Apache/2.2.15 (CentOS)

Content-Length: 289

Connection: close

Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>404 Not Found</title>.</head><body>.<h1>Not Found</h1>.<p>The requested URL /wjacu.php was not found on this server.</p>.<hr>.<address>Apache/2.2.15 (CentOS) Server at VVV.gov.toh.info Port 80</address>.</body></html>...

Map

The Backdoor connects to the servers at the folowing location(s):

Strings from Dumps

svchost.exe_2756:

.text

.text

`.rdata

`.rdata

@.data

@.data

SSh@C@

SSh@C@

MFC42.DLL

MFC42.DLL

MSVCRT.dll

MSVCRT.dll

_acmdln

_acmdln

WinExec

WinExec

KERNEL32.dll

KERNEL32.dll

USER32.dll

USER32.dll

ADVAPI32.dll

ADVAPI32.dll

HttpQueryInfoA

HttpQueryInfoA

InternetOpenUrlA

InternetOpenUrlA

HttpSendRequestA

HttpSendRequestA

HttpOpenRequestA

HttpOpenRequestA

WININET.dll

WININET.dll

WS2_32.dll

WS2_32.dll

iphlpapi.dll

iphlpapi.dll

SHLWAPI.dll

SHLWAPI.dll

VVV.gov.toh.info

VVV.gov.toh.info

200.115.173.102

200.115.173.102

200.115.138.136

200.115.138.136

regedit.exe /s

regedit.exe /s

~dfds3.reg

~dfds3.reg

Windows Registry Editor Version 5.00

Windows Registry Editor Version 5.00

"%s"="%s"

"%s"="%s"

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

WinHttp

WinHttp

%s.tmp1

%s.tmp1

4$@2.dat

4$@2.dat

hXXp://%s:%d/%s.php?id=d%s&ext=%s

hXXp://%s:%d/%s.php?id=d%s&ext=%s

/%s.php?id=d%s&ext=%s

/%s.php?id=d%s&ext=%s

hXXp://%s:%d/%s.php?id=d%s

hXXp://%s:%d/%s.php?id=d%s

%c%c%c%c%c

%c%c%c%c%c

/%s.php?id=d%s

/%s.php?id=d%s

%%temp%%\%u

%%temp%%\%u

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Content-Type: application/x-www-form-urlencoded

Content-Type: application/x-www-form-urlencoded

HTTP/1.1

HTTP/1.1

X-X-X-X-X-X

X-X-X-X-X-X

01-01-01-01-01-01

01-01-01-01-01-01

%c%c%c%c%c%c.exe

%c%c%c%c%c%c.exe

svchost.exe_2756_rwx_00400000_00005000:

.text

.text

`.rdata

`.rdata

@.data

@.data

SSh@C@

SSh@C@

MFC42.DLL

MFC42.DLL

MSVCRT.dll

MSVCRT.dll

_acmdln

_acmdln

WinExec

WinExec

KERNEL32.dll

KERNEL32.dll

USER32.dll

USER32.dll

ADVAPI32.dll

ADVAPI32.dll

HttpQueryInfoA

HttpQueryInfoA

InternetOpenUrlA

InternetOpenUrlA

HttpSendRequestA

HttpSendRequestA

HttpOpenRequestA

HttpOpenRequestA

WININET.dll

WININET.dll

WS2_32.dll

WS2_32.dll

iphlpapi.dll

iphlpapi.dll

SHLWAPI.dll

SHLWAPI.dll

VVV.gov.toh.info

VVV.gov.toh.info

200.115.173.102

200.115.173.102

200.115.138.136

200.115.138.136

regedit.exe /s

regedit.exe /s

~dfds3.reg

~dfds3.reg

Windows Registry Editor Version 5.00

Windows Registry Editor Version 5.00

"%s"="%s"

"%s"="%s"

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

WinHttp

WinHttp

%s.tmp1

%s.tmp1

4$@2.dat

4$@2.dat

hXXp://%s:%d/%s.php?id=d%s&ext=%s

hXXp://%s:%d/%s.php?id=d%s&ext=%s

/%s.php?id=d%s&ext=%s

/%s.php?id=d%s&ext=%s

hXXp://%s:%d/%s.php?id=d%s

hXXp://%s:%d/%s.php?id=d%s

%c%c%c%c%c

%c%c%c%c%c

/%s.php?id=d%s

/%s.php?id=d%s

%%temp%%\%u

%%temp%%\%u

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Content-Type: application/x-www-form-urlencoded

Content-Type: application/x-www-form-urlencoded

HTTP/1.1

HTTP/1.1

X-X-X-X-X-X

X-X-X-X-X-X

01-01-01-01-01-01

01-01-01-01-01-01

%c%c%c%c%c%c.exe

%c%c%c%c%c%c.exe