Trojan-Dropper.Win32.Dapato.eelp (Kaspersky), Gen:Variant.Kazy.416631 (AdAware), GenericInjector.YR, BackdoorCaphaw_QKKBAL.YR (Lavasoft MAS)
Behaviour: Trojan-Dropper, Trojan, Backdoor
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 10ad77f97d3530288996e18b40875e75
SHA1: 5f3e708e741df77347e05230003b6a5769a6bcc2
SHA256: 532828a0d3af9d410e9c5572e9fe5b0013032e6b3edd5017fa8b6f6802d20efa
SSDeep: 6144:1kthniZIxEchhDmCI62sVGjGhowtRf0Oi0 D tRDMyJfFx aijq6UgyXpt67:mt5EI3hBILjyrtJ0o GDDJWaRNX
Size: 360448 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Firseria s.l.
Created at: 2004-04-22 11:13:46
Analyzed on: WindowsXP SP3 32-bit
Summary: Backdoor. Malware that enables remote control of the victim's machine.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Backdoor creates the following process(es):
%original file name%.exe:864
The Backdoor injects its code into the following process(es):
mscorsvw.exe:1912
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:864 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\AbyoLops\IbwejPuben.dat (1639 bytes)
Registry activity
The process %original file name%.exe:864 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1F 2A 11 C5 33 B4 34 4F 96 35 D5 11 13 E9 F5 AA"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Classes\CLSID\{7BD47FDD-1028-4944-A268-024C76A61BA9}]
"#sd" = "63 3A 5C 31 30 61 64 37 37 66 39 37 64 33 35 33"
To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"IbwejPuben" = "regsvr32.exe %Documents and Settings%\All Users\Application Data\IbwejPuben\IbwejPuben.dat"
Dropped PE files
MD5 | File path |
---|---|
e300714bab0ec3642f59120d4db66f1f | c:\Documents and Settings\All Users\Application Data\IbwejPuben\IbwejPuben.dat |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
The Backdoor installs the following user-mode hooks in CRYPT32.dll:
PFXImportCertStore
The Backdoor installs the following user-mode hooks in ADVAPI32.dll:
CreateProcessAsUserA
CreateProcessAsUserW
The Backdoor installs the following user-mode hooks in kernel32.dll:
CreateProcessA
CreateProcessW
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:864
- Delete the original Backdoor file.
- Delete or disinfect the following files created/modified by the Backdoor:
%Documents and Settings%\%current user%\Local Settings\Temp\AbyoLops\IbwejPuben.dat (1639 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"IbwejPuben" = "regsvr32.exe %Documents and Settings%\All Users\Application Data\IbwejPuben\IbwejPuben.dat"
- Reboot the computer.
Static Analysis
VersionInfo
Company Name: Microsoft Corporation
Product Name: HD Player
Product Version: 5.2.3790.0
Legal Copyright: (c) Microsoft Corporation. All rights reserved.
Legal Trademarks:
Original Filename: kbdmon.dll
Internal Name: kbdmon (3.12)
File Version: 5.2.3790.0 (srv03_rtm.030324-2048)
File Description: Mongolian Keyboard Layout
Comments:
Language: Language Neutral
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 321584 | 323584 | 5.36723 | 3d0daf1c4b02dae847580cf440700164 |
.rdata | 327680 | 16502 | 20480 | 1.81687 | a1d2e1abc774cc9830a12a4915ef774a |
.data | 348160 | 5888 | 8192 | 1.98538 | 3fb3d4bb197010adee1fbe5588d5ee8c |
.rsrc | 356352 | 1008 | 4096 | 0.74881 | 2d7be2b3a359d482381c84bd1e8b3ff2 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The Backdoor connects to the servers at the following location(s):