Susp_Dropper (Kaspersky), Gen:Variant.Kazy.224722 (B) (Emsisoft), Gen:Variant.Kazy.224568 (AdAware), Backdoor.Win32.Simbot.FD, BackdoorSimbot.YR (Lavasoft MAS)
Behaviour: Backdoor
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 5f2cff16eae1d6b87c01c3f4db42269f
SHA1: 0246976adca5a2b9b78c0d256b3a5150b8861120
SHA256: 5e4f4ed5ac0705d12e0ac8e355996bd11fc8e531bcbe602cc12801d30b9cd45e
SSDeep: 384:zK7E/N/tX4ncfyL01scgYCOrXFQ/uH6vVgmAkO eVg:zK8P4wlI5SVQ/uCveVg
Size: 20992 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Blood White
Created at: 2010-11-06 05:06:34
Analyzed on: WindowsXPESX SP3 32-bit
Summary: Backdoor. Malware that enables remote control of the victim's machine.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Backdoor creates the following process(es):
%original file name%.exe:1592
regedit.exe:452
The Backdoor injects its code into the following process(es):
svchost.exe:508
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:1592 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
C:\RCXB2.tmp (23552 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1844237615-1960408961-1801674531-1003\c5b88721db08c824db69d0bbc702beb8_75ed9567-aa58-4c8e-a8ea-3cad7c47ab03 (44 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4$@2.dat (48 bytes)
C:\%original file name%.exe.tmp1 (373 bytes)
The Backdoor deletes the following file(s):
C:\%original file name%.exe.tmp1 (0 bytes)
Registry activity
The process %original file name%.exe:1592 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E1 90 2E D8 2E 7F 59 4C 29 EC C2 16 F3 39 37 75"
The process regedit.exe:452 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AE FC FB 1F 5E 8D 84 ED A2 BE 56 D8 FE 51 76 9C"
To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Netlogon" = "%Documents and Settings%\%current user%\Local Settings\Netlogon.exe"
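The strings recovered from the injected svchost.exe image (regedit.exe /s, ~dfds3.reg, Windows Registry Editor Version 5.00, the "%s"="%s" template and the HKCU Run key path) are consistent with the autorun value above being set by writing a .reg file and importing it silently with regedit.exe rather than through the registry API, which also fits regedit.exe:452 appearing among the created processes. Note that "Netlogon" is the name of a genuine Windows service, whose binary lives under System32, not in a user's Local Settings folder. The following script is an added example, not part of the Lavasoft report: it parses a Regedit 5.00 export and flags Run-key values that start a binary from a user-writable path or reuse a Windows component name. The sample .reg text is constructed from the strings on this page (the username and the benign OneDrive control entry are made up), and the path fragments and masquerade name list are the author's assumptions, not something the report states.

```python
"""Audit a Regedit 5.00 export for autorun values that look like profile-dir persistence."""
import re

# Constructed sample, modelled on the strings in the dump ("Windows Registry
# Editor Version 5.00", the "%s"="%s" value template and the HKCU Run key) and
# on the "Netlogon" value from the registry activity section. The OneDrive
# entry is a benign control added for contrast; the username is made up.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Netlogon"="C:\\Documents and Settings\\user\\Local Settings\\Netlogon.exe"
"OneDrive"="C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe /background"
'''

# Keys compared case-insensitively (registry key names are not case-sensitive).
AUTORUN_KEYS = {
    r"HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN",
    r"HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE",
}

# Path fragments a user can write to without admin rights (assumed list); a
# legitimate Windows component does not start from here.
USER_WRITABLE = ("\\local settings\\", "\\temp\\", "\\application data\\",
                 "\\appdata\\", "\\users\\public\\")

# Genuine Windows component names that malware reuses (assumed list); the real
# Netlogon service binary lives under System32, not in a user profile.
MASQUERADE_NAMES = {"netlogon", "svchost", "lsass", "csrss", "winlogon",
                    "services", "explorer"}

_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    # Undo .reg escaping (backslash-backslash, backslash-quote) in one pass.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Return {key: {name: value}} for the REG_SZ values in a Regedit 5.00 export.

    hex: and dword: values are ignored; autorun entries are strings.
    """
    if not text.lstrip().startswith("Windows Registry Editor Version 5.00"):
        raise ValueError("not a Regedit 5.00 export")
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def audit_autoruns(text):
    """Return (key, name, value, reasons) for each autorun value worth a look."""
    findings = []
    for key, values in parse_reg(text).items():
        if key.upper() not in AUTORUN_KEYS:
            continue
        for name, value in values.items():
            low, reasons = value.lower(), []
            if any(frag in low for frag in USER_WRITABLE):
                reasons.append("binary launched from a user-writable path")
            if name.lower() in MASQUERADE_NAMES:
                reasons.append("value name mimics a Windows component")
            if reasons:
                findings.append((key, name, value, reasons))
    return findings


if __name__ == "__main__":
    for key, name, value, reasons in audit_autoruns(SAMPLE_REG):
        print(f"[{key}] {name} = {value}\n    " + "; ".join(reasons))
```

On a live host the same audit can be run against the output of `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg`; the check is deliberately about where the binary lives and what it calls itself, not about the specific hash, so it still fires if the dropper is rebuilt.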
Dropped PE files
MD5 | File path |
---|---|
0d95cd931e3c5ea5189bd62e5046a06c | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Netlogon.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:1592
regedit.exe:452
- Delete the original Backdoor file.
- Delete or disinfect the following files created/modified by the Backdoor:
C:\RCXB2.tmp (23552 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1844237615-1960408961-1801674531-1003\c5b88721db08c824db69d0bbc702beb8_75ed9567-aa58-4c8e-a8ea-3cad7c47ab03 (44 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4$@2.dat (48 bytes)
C:\%original file name%.exe.tmp1 (373 bytes)
%Documents and Settings%\%current user%\Local Settings\Netlogon.exe (the dropped copy listed under Dropped PE files; this is the file the autorun value points to)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Netlogon" = "%Documents and Settings%\%current user%\Local Settings\Netlogon.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name: Adobe Systems, Inc.
Product Name: Flash® Player Installer/Uninstaller
Product Version: 10,1,53,64
Legal Copyright: Copyright © 1996-2010 Adobe, Inc.
Legal Trademarks: Adobe® Flash® Player
Original Filename: FlashUtil.exe
Internal Name: Adobe® Flash® Player Installer/Uninstaller 10.1
File Version: 10,1,53,64
File Description: Adobe® Flash® Player Installer/Uninstaller 10.1 r53
Comments:
Language: English (United Kingdom)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 4392 | 4608 | 5.22695 | bf48a645ffb85332520181c052d19e41 |
.rdata | 12288 | 1045 | 1536 | 2.51569 | b09e1f7c28fc22c6f6859d92fabdae15 |
.data | 16384 | 927 | 512 | 2.52989 | 156b9f597adf1f082cf0a831730382cc |
.rsrc | 20480 | 12996 | 13312 | 5.42436 | f916dec20651b1f32659a1a7d5f0da1d |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 2
cb6f641748ece725b667597dd1a4a14c
cbaa311d0ebe07dba6b3cf3b9324f18b
Network Activity
URLs
URL | IP |
---|---|
hxxp://71.41.214.210/hggla.php?id=004495111D307928CC | |
yahoofacebook.345.pl | 60.249.95.143 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /hggla.php?id=004495111D307928CC HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 71.41.214.210
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 404 Not Found
Server: thttpd/2.19-MX Mar 4 2013
Content-type: text/html
Date: Mon, 13 Oct 2014 22:25:48 GMT
Last-modified: Mon, 13 Oct 2014 22:25:48 GMT
Accept-Ranges: bytes
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN". "http://VVV.w3.org/TR/html4/loose.dtd">.<html>.<head>.<meta http-equiv='X-UA-Compatible' content='IE=EmulateIE9' />.<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.<meta http-equiv="Content-Script-Type" content="text/javascript">.<meta http-equiv="Content-Style-Type" content="text/css">.<meta name="publisher" content="MOBOTIX AG, Germany">.<meta name="copyright" content="MOBOTIX AG, Germany">.<link rel="SHORTCUT ICON" href="/favicon.ico">.<link rel="apple-touch-icon" href="/apple-touch-icon.png">.<meta name="author" content="Daniel Kabs, MOBOTIX AG, Germany">.<link rel="owner" href="mailto:info@mobotix.com">.<link rel="copyright" href="/about.html" title="Copyright">..<style type='text/css'>.body {. font-family:Helvetica,Arial,sans-serif;. font-size:80%;.}.pre,textarea { font-family:monospace; }..headtablesmall { font-size:125%; }..standard {} /* obsolete */..mxSubmitButton {. width: 110px;. margin:2px 0;.}..mxErrorMessage {. color:red;. background-color:yellow;. font-weight:bold;. padding:5px;.}..mxFooterWarning {. padding:5px;. margin:0;. background-color:#DDDDDD;. color:red;. font-weight:bold;.}..mxFooterNote {. padding:5px;. margin:0;. background-color:#DDDDDD;.}..mxSubmitbuttonsRow {. background-color:#DDDDDD;. border-collapse:collapse;.}..mxSubmitbuttonsRow td {. padding:5px;.}..mxReadOnly {. background:#eee
<<< skipped >>>
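The captured GET, together with the format strings in the process dumps (hXXp://%s:%d/%s.php?id=d%s and the &ext=%s variant, the hard-coded Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) user agent, and the hosts 71.41.214.210, 71.56.69.34 and yahoofacebook.345.pl), gives enough to look for this beacon in proxy logs. Two details matter for detection: the observed request carried no "d" before the id even though the template has one, and the C2 IP answered 404 from an unrelated thttpd server at analysis time, so a rule must not depend on a successful response. The script below is an added example, not part of the Lavasoft report: it scores each request on known host, URL shape and user agent, and extracts the id so hits from different hosts can be tied to the same victim. The tab-separated log lines are constructed (line 1 reproduces the captured request; 203.0.113.7 and the client addresses are made up), and the scoring levels are the author's choice.

```python
"""Flag proxy log lines matching this backdoor's HTTP beacon pattern."""
import re
from urllib.parse import urlsplit

# Hosts and UA come from the report; the log lines are constructed
# (tab-separated: time, client, method, url, user-agent, status).
# Line 1 reproduces the captured GET; line 2 uses the &ext= variant from the
# format strings; line 3 is benign; line 4 has the URL shape and UA but an
# unlisted host (203.0.113.7 is documentation space), to show a weaker hit.
SAMPLE_LOG = "\n".join([
    "2014-10-13T22:25:48Z\t10.0.0.15\tGET\thttp://71.41.214.210/hggla.php?id=004495111D307928CC\tMozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\t404",
    "2014-10-13T22:26:02Z\t10.0.0.15\tGET\thttp://yahoofacebook.345.pl:8080/abcde.php?id=d004495111D307928CC&ext=exe\tMozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\t200",
    "2014-10-13T22:27:10Z\t10.0.0.22\tGET\thttp://www.example.com/index.php?id=42\tMozilla/5.0 (Windows NT 6.1; rv:32.0) Gecko/20100101 Firefox/32.0\t200",
    "2014-10-13T22:28:31Z\t10.0.0.22\tPOST\thttp://203.0.113.7/login.php?id=d1a2b3c4d5e6f7a8b9\tMozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\t200",
])

KNOWN_C2 = {"71.41.214.210", "71.56.69.34", "yahoofacebook.345.pl"}
BEACON_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

# From the dump's format strings hXXp://%s:%d/%s.php?id=d%s[&ext=%s]. The
# captured request carried no "d" before the id, so the prefix is optional;
# the observed id was 18 hex digits, so anything shorter than 8 is ignored.
BEACON_RE = re.compile(
    r"^/(?P<script>[a-z0-9]{1,16})\.php\?id=d?(?P<id>[0-9a-f]{8,})(?:&ext=(?P<ext>[a-z0-9]+))?$",
    re.IGNORECASE,
)


def classify(url, user_agent):
    """Return a dict describing the hit, or None if the request does not fit."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    target = parts.path + ("?" + parts.query if parts.query else "")
    m = BEACON_RE.match(target)
    reasons = []
    if host in KNOWN_C2:
        reasons.append("known C2 host")
    if m:
        reasons.append("beacon URL shape")
    if user_agent == BEACON_UA:
        reasons.append("hard-coded legacy UA")
    # Known host is the strong signal; shape plus UA is medium; shape alone is
    # low (any old PHP site can take ?id=<hex>). The UA alone is not a hit.
    if "known C2 host" in reasons:
        level = "high"
    elif m and user_agent == BEACON_UA:
        level = "medium"
    elif m:
        level = "low"
    else:
        return None
    return {"host": host, "level": level, "reasons": reasons,
            "script": m.group("script") if m else None,
            "id": m.group("id") if m else None,
            "ext": m.group("ext") if m else None}


def scan_log(text):
    """Run classify() over each log line; keep client and time for pivoting."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, ua, status = line.split("\t")
        hit = classify(url, ua)
        if hit:
            hit.update(ts=ts, client=client, method=method, status=int(status))
            alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f"{a['ts']} {a['client']} -> {a['host']} [{a['level']}] id={a['id']} "
              + ", ".join(a["reasons"]))
```

In the sample the same id shows up against both listed hosts from the same client, which is the pivot an analyst wants: the id identifies the infected machine to the operator, so every request carrying it belongs to one infection regardless of which C2 host answered, or whether it answered at all.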
Map
The Backdoor connects to the servers at the following location(s):
Strings from Dumps
svchost.exe_508:
.text
`.rdata
@.data
SSh@C@
MFC42.DLL
MSVCRT.dll
_acmdln
WinExec
KERNEL32.dll
USER32.dll
ADVAPI32.dll
HttpQueryInfoA
InternetOpenUrlA
HttpSendRequestA
HttpOpenRequestA
WININET.dll
WS2_32.dll
iphlpapi.dll
SHLWAPI.dll
71.56.69.34
71.41.214.210
yahoofacebook.345.pl
regedit.exe /s
~dfds3.reg
Windows Registry Editor Version 5.00
"%s"="%s"
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WinHttp
%s.tmp1
4$@2.dat
hXXp://%s:%d/%s.php?id=d%s&ext=%s
/%s.php?id=d%s&ext=%s
hXXp://%s:%d/%s.php?id=d%s
%c%c%c%c%c
/%s.php?id=d%s
%%temp%%\%u
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Content-Type: application/x-www-form-urlencoded
HTTP/1.1
X-X-X-X-X-X
01-01-01-01-01-01
%c%c%c%c%c%c.exe
svchost.exe_508_rwx_00400000_00005000:
.text
`.rdata
@.data
SSh@C@
MFC42.DLL
MSVCRT.dll
_acmdln
WinExec
KERNEL32.dll
USER32.dll
ADVAPI32.dll
HttpQueryInfoA
InternetOpenUrlA
HttpSendRequestA
HttpOpenRequestA
WININET.dll
WS2_32.dll
iphlpapi.dll
SHLWAPI.dll
71.56.69.34
71.41.214.210
yahoofacebook.345.pl
regedit.exe /s
~dfds3.reg
Windows Registry Editor Version 5.00
"%s"="%s"
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WinHttp
%s.tmp1
4$@2.dat
hXXp://%s:%d/%s.php?id=d%s&ext=%s
/%s.php?id=d%s&ext=%s
hXXp://%s:%d/%s.php?id=d%s
%c%c%c%c%c
/%s.php?id=d%s
%%temp%%\%u
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Content-Type: application/x-www-form-urlencoded
HTTP/1.1
X-X-X-X-X-X
01-01-01-01-01-01
%c%c%c%c%c%c.exe