Backdoor.Win32.Caphaw_QKKBAL_6ab1881ee2

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Backdoor creates the following process(es):

wscript.exe:1836
buzif.exe:1672
System:4
tmp.exe:320
%original file name%.exe:1076
.exe:1112

The Backdoor injects its code into the following process(es):No processes have been created.

File activity

The process System:4 makes changes in the file system.

The Backdoor creates and/or writes to the following file(s):

\Device\HarddiskVolume1\$Directory (552 bytes)

The process tmp.exe:320 makes changes in the file system.

The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\tmp17520219.bat (213 bytes)
%Documents and Settings%\%current user%\Application Data\Toqy\buzif.exe (141 bytes)

The process %original file name%.exe:1076 makes changes in the file system.

The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\mata2.bat (49 bytes)
%System%\drivers\etc\hosts (216 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\mata.bat (47 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ .exe (35 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\rundll32-.txt (2321 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\invs.vbs (78 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp.exe (141 bytes)

The Backdoor deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\mata2.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\mata.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\rundll32-.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\invs.vbs (0 bytes)

Registry activity

The process wscript.exe:1836 makes changes in the system registry.

The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "93 7B 94 29 A5 E4 33 07 91 27 F9 F0 DF 96 A8 CE"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"mata2.bat" = "mata2"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Backdoor modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Backdoor modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process buzif.exe:1672 makes changes in the system registry.

The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3E EB 80 D0 4E 78 0C 8D 65 A1 6B B7 B9 3E DA 08"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Ukyzs]
"Uteb" = "DE FC 0C 90 BA 55 AE C7 24 9A 3E D3 CB 6E 42 F4"

The process tmp.exe:320 makes changes in the system registry.

The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CC 7A 9D 65 F7 DE 4B 5F DF 6A 20 57 79 91 92 88"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Ukyzs]
"Uteb" = "DE FC 0C 90 BA 55 AE C7 24 9A 3E D3 CB 6E 42 F4"

The process %original file name%.exe:1076 makes changes in the system registry.

The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A5 00 07 B0 2B AC 54 3B D8 FC 0E 32 34 EE B4 2C"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"LangID" = "09 04"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Local Settings\Temp]
"tmp.exe" = "tmp"

[HKCU\Software\Microsoft\Ukyzs]
"Uteb" = "DE FC 0C 90 BA 55 AE C7 24 9A 3E D3 CB 6E 42 F4"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Local Settings\Temp]
"mata.bat" = "mata"

The Backdoor adds the reference to itself to be executed when a user logs on:

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "%Documents and Settings%\%current user%\Local Settings\Temp\file.exe"

The Backdoor modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Backdoor modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The Backdoor deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%System%]
"SHELL32.dll,-8964"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@shdoclc.dll,-880"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\D:]
"Procmon.exe"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%System%]
"SHELL32.dll,-9227"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"cmd.exe"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\D:]
"sandbox_svc.exe"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%System%]
"SHELL32.dll,-9217"
"SHELL32.dll,-9216"

The process .exe:1112 makes changes in the system registry.

The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E5 3E 65 8D 50 31 3A AC 84 29 6A 1F 6B 51 28 37"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

Dropped PE files

MD5	File path
9c84359b82628501947bbaf8ef4edc38	c:\Documents and Settings\"%CurrentUserName%"\Application Data\Toqy\buzif.exe
e0d21bee6dae44a7c6e1896d7a8c7463	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\ .exe

HOSTS file anomalies

The Backdoor modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses. The modified file is 216 bytes in size. The following strings are added to the hosts file listed below:

127.0.0.1	www.website.com
127.0.0.1	www.website.com
127.0.0.1	www.website.com
127.0.0.1	www.website.com
127.0.0.1	www.website.com
127.0.0.1	www.website.com
127.0.0.1	www.website.com
127.0.0.1	www.website.com

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):

   wscript.exe:1836
   buzif.exe:1672
   System:4
   tmp.exe:320
   %original file name%.exe:1076
   .exe:1112

2. Delete the original Backdoor file.
   
3. Delete or disinfect the following files created/modified by the Backdoor:

   \Device\HarddiskVolume1\$Directory (552 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\tmp17520219.bat (213 bytes)
   %Documents and Settings%\%current user%\Application Data\Toqy\buzif.exe (141 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\mata2.bat (49 bytes)
   %System%\drivers\etc\hosts (216 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\mata.bat (47 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\ .exe (35 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\rundll32-.txt (2321 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\invs.vbs (78 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\tmp.exe (141 bytes)

4. Remove the references to the Backdoor by modifying the following registry value(s) (How to Work with System Registry):

   [HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
   "Shell" = "%Documents and Settings%\%current user%\Local Settings\Temp\file.exe"

5. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts): 127.0.0.1 localhost
   
6. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name: sitauktrading
Product Name: sitauktrading
Product Version: 1.0.0.0
Legal Copyright: 4877328
Legal Trademarks: sitauktrading
Original Filename: force.exe
Internal Name: force.exe
File Version: 1.0
File Description: invoice
Comments: Þscription%
Language: Language Neutral

Company Name: sitauktradingProduct Name: sitauktradingProduct Version: 1.0.0.0Legal Copyright: 4877328Legal Trademarks: sitauktradingOriginal Filename: force.exeInternal Name: force.exeFile Version: 1.0 File Description: invoiceComments: Þscription%Language: Language Neutral

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.rsrc	8192	5336	5632	3.00761	39b818676c1d76546f5c92ea263c8844
.text	16384	422328	422400	5.25877	bb9744b9674dc4744b2e4a04da064d74
.reloc	442368	12	512	0.084755	707b6b5c76c568b412a254fa89d20621

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Map

The Backdoor connects to the servers at the folowing location(s):

Strings from Dumps