Backdoor.Win32.Simbot_d53eaa886b

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Backdoor creates the following process(es):

%original file name%.exe:1144
regedit.exe:1604

The Backdoor injects its code into the following process(es):

svchost.exe:1236

File activity

The process %original file name%.exe:1144 makes changes in the file system.

The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1844237615-1960408961-1801674531-1003\c5b88721db08c824db69d0bbc702beb8_75ed9567-aa58-4c8e-a8ea-3cad7c47ab03 (44 bytes)
C:\RCX1.tmp (23552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4$@2.dat (48 bytes)
C:\%original file name%.exe.tmp1 (373 bytes)

The Backdoor deletes the following file(s):

C:\%original file name%.exe.tmp1 (0 bytes)

Registry activity

The process %original file name%.exe:1144 makes changes in the system registry.

The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "98 6F 64 8B 32 EF 89 4F FC C2 2A AD 65 C7 0A 54"

The process regedit.exe:1604 makes changes in the system registry.

The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D0 44 61 7E 0C 3F 96 6E B4 C1 36 42 85 DC 7E AE"

To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Wmi" = "%Documents and Settings%\%current user%\Local Settings\Wmi.exe"

Dropped PE files

MD5	File path
377886248e4c2678b7f33bf423b9aae8	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Wmi.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):

   %original file name%.exe:1144
   regedit.exe:1604
   

2. Delete the original Backdoor file.
   
3. Delete or disinfect the following files created/modified by the Backdoor:

   %Documents and Settings%\%current user%\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1844237615-1960408961-1801674531-1003\c5b88721db08c824db69d0bbc702beb8_75ed9567-aa58-4c8e-a8ea-3cad7c47ab03 (44 bytes)
   C:\RCX1.tmp (23552 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\4$@2.dat (48 bytes)
   C:\%original file name%.exe.tmp1 (373 bytes)

4. Delete the following value(s) in the autorun key (How to Work with System Registry):

   [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   "Wmi" = "%Documents and Settings%\%current user%\Local Settings\Wmi.exe"

5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
6. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name: Adobe Systems, Inc.
Product Name: Flash? Player Installer/Uninstaller
Product Version: 10,1,53,64
Legal Copyright: Copyright ? 1996-2010 Adobe, Inc.
Legal Trademarks: Adobe? Flash? Player
Original Filename: FlashUtil.exe
Internal Name: Adobe? Flash? Player Installer/Uninstaller 10.1
File Version: 10,1,53,64
File Description: Adobe? Flash? Player Installer/Uninstaller 10.1 r53
Comments:
Language: English (United States)

Company Name: Adobe Systems, Inc.Product Name: Flash? Player Installer/UninstallerProduct Version: 10,1,53,64Legal Copyright: Copyright ? 1996-2010 Adobe, Inc.Legal Trademarks: Adobe? Flash? PlayerOriginal Filename: FlashUtil.exeInternal Name: Adobe? Flash? Player Installer/Uninstaller 10.1File Version: 10,1,53,64File Description: Adobe? Flash? Player Installer/Uninstaller 10.1 r53Comments: Language: English (United States)

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	4392	4608	5.22707	9cc40aa30283d3abef7062dd7d0b6edb
.rdata	12288	1045	1536	2.51569	b09e1f7c28fc22c6f6859d92fabdae15
.data	16384	927	512	2.52675	b6f8e6aec2eeab060a4a4bbf08b7eb30
.rsrc	20480	12996	13312	5.4257	5fcf5950b62e1469f10a3916122e0e79

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 3
a74e26cae3dc4b39e6ea164f242940a5
be9988bc6789b1a398706a53184460c2
b56d8d9128be1bd449ed83b0587b8061

Network Activity

URLs

URL	IP
hxxp://71.41.214.210/bkgxm.php?id=015847111D309F33E9

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /bkgxm.php?id=015847111D309F33E9 HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Host: 71.41.214.210

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 404 Not Found

Server: thttpd/2.19-MX Mar 4 2013

Content-type: text/html

Date: Sun, 15 Jun 2014 20:40:17 GMT

Last-modified: Sun, 15 Jun 2014 20:40:17 GMT

Accept-Ranges: bytes

Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN". "http://VVV.w3.org/TR/html4/loose.dtd">.<html>.<head>.<meta http-equiv='X-UA-Compatible' content='IE=EmulateIE9' />.<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.<meta http-equiv="Content-Script-Type" content="text/javascript">.<meta http-equiv="Content-Style-Type" content="text/css">.<meta name="publisher" content="MOBOTIX AG, Germany">.<meta name="copyright" content="MOBOTIX AG, Germany">.<link rel="SHORTCUT ICON" href="/favicon.ico">.<link rel="apple-touch-icon" href="/apple-touch-icon.png">.<meta name="author" content="Daniel Kabs, MOBOTIX AG, Germany">.<link rel="owner" href="mailto:info@mobotix.com">.<link rel="copyright" href="/about.html" title="Copyright">..<style type='text/css'>.body {. font-family:Helvetica,Arial,sans-serif;. font-size:80%;.}.pre,textarea { font-family:monospace; }..headtablesmall { font-size:125%; }..standard {} /* obsolete */..mxSubmitButton {. width: 110px;. margin:2px 0;.}..mxErrorMessage {. color:red;. background-color:yellow;. font-weight:bold;. padding:5px;.}..mxFooterWarning {. padding:5px;. margin:0;. background-color:#DDDDDD;. color:red;. font-weight:bold;.}..mxFooterNote {. padding:5px;. margin:0;. background-color:#DDDDDD;.}..mxSubmitbuttonsRow {. background-color:#DDDDDD;. border-collapse:collapse;.}..mxSubmitbuttonsRow td {. padding:5px;.}..mxReadOnly {. background:#eee

<<

<<< skipped >>>

Map

The Backdoor connects to the servers at the folowing location(s):

Strings from Dumps

svchost.exe_1236:

.text

.text

`.rdata

`.rdata

@.data

@.data

SSh@C@

SSh@C@

MFC42.DLL

MFC42.DLL

MSVCRT.dll

MSVCRT.dll

_acmdln

_acmdln

WinExec

WinExec

KERNEL32.dll

KERNEL32.dll

USER32.dll

USER32.dll

ADVAPI32.dll

ADVAPI32.dll

HttpQueryInfoA

HttpQueryInfoA

InternetOpenUrlA

InternetOpenUrlA

HttpSendRequestA

HttpSendRequestA

HttpOpenRequestA

HttpOpenRequestA

WININET.dll

WININET.dll

WS2_32.dll

WS2_32.dll

iphlpapi.dll

iphlpapi.dll

SHLWAPI.dll

SHLWAPI.dll

71.56.69.34

71.56.69.34

71.41.214.210

71.41.214.210

yahoofacebook.345.pl

yahoofacebook.345.pl

regedit.exe /s

regedit.exe /s

~dfds3.reg

~dfds3.reg

Windows Registry Editor Version 5.00

Windows Registry Editor Version 5.00

"%s"="%s"

"%s"="%s"

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

WinHttp

WinHttp

%s.tmp1

%s.tmp1

4$@2.dat

4$@2.dat

http://%s:%d/%s.php?id=d%s&ext=%s

http://%s:%d/%s.php?id=d%s&ext=%s

/%s.php?id=d%s&ext=%s

/%s.php?id=d%s&ext=%s

http://%s:%d/%s.php?id=d%s

http://%s:%d/%s.php?id=d%s

%c%c%c%c%c

%c%c%c%c%c

/%s.php?id=d%s

/%s.php?id=d%s

%%temp%%\%u

%%temp%%\%u

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Content-Type: application/x-www-form-urlencoded

Content-Type: application/x-www-form-urlencoded

HTTP/1.1

HTTP/1.1