Skip to main content

Gen.Variant.Sinowal.1_9181c2e137


Gen:Variant.Sinowal.1 (BitDefender), Trojan.Win32.Fsysna.kzc (Kaspersky), Gen:Variant.Sinowal.1 (B) (Emsisoft), Artemis!9181C2E13726 (McAfee), Gen:Variant.Sinowal.1 (FSecure), Win32/Cryptor (AVG), Gen:Variant.Sinowal.1 (AdAware)Behaviour: Trojan

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 9181c2e137268c299775215e7ef1f025

SHA1: 4c81f21e831be8f6e5ceb6fb843f696d7f01e522

SHA256: 1a5581dcb6188f0239d3f3d11d4294c7abb555e3ff948caea50921ae3381a7a2

SSDeep: 49152:miCkE7zk7vUTDMTGGE/Qg9jpjz7rPR0lTTp2eu8 kP0GgbsS:WNErUTDRGaQg9jpjfKlTTEs ksk

Size: 2303488 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: UPolyXv05_v6

Company: no certificate found

Created at: 2010-12-23 13:51:26

Analyzed on: WindowsXP SP3 32-bit

Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

rundll32.exe:324
%original file name%.exe:1476
ctfmon.exe:536

The Trojan injects its code into the following process(es):No processes have been created.

File activity

The process %original file name%.exe:1476 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\bfg64\libblkmaker-0.1-0.dll (22016 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\bfg32\scrypt130511.cl (23825 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\bfg32\zlib1.dll (88576 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\bfg32\libjansson-4.dll (52736 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\bfg32\libcurl-4.dll (228352 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\bfg64\bfgminer-rpc.exe (20480 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\miderd\pthreadGC2.dll (99058 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\bfg32\bfgminer-rpc.exe (33280 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\bfg32\pdcurses.dll (102912 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\bfg32\backtrace.dll (1123328 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\taskhost.exe (55296 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\dll\hookdll.dll (42496 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\dll\hookdll64.dll (41984 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\bfg64\libblkmaker_jansson-0.1-0.dll (22016 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\bfg64\pthreadGC2.dll (87040 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\bfg64\libusb-1.0.dll (76800 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\bfg64\scrypt130511.cl (23825 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\miderd\minerd.exe (735709 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\bfg64\bfgminer.exe (1223680 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\bfg64\pdcurses.dll (92672 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\bfg64\zlib1.dll (98304 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\miderd\zlib1.dll (109568 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\bfg32\pthreadGC2.dll (45056 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\miderd\libcurl-4.dll (633352 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\bfg32\libblkmaker_jansson-0.1-0.dll (13824 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\bfg64\libjansson-4.dll (66048 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\bfg32\bfgminer.exe (846336 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\bfg32\libusb-1.0.dll (117760 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\bfg32\libblkmaker-0.1-0.dll (13824 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\bfg64\libcurl-4.dll (238080 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\bfg64\backtrace.dll (1123328 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\rundll32.exe (166912 bytes)

Registry activity

The process rundll32.exe:324 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1A 16 2C FB 4A 4B 1C B4 B5 8A 9C 01 91 22 0B 67"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Host Process" = "%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\rundll32.exe"

The process %original file name%.exe:1476 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A6 6D 69 C4 27 B2 F3 76 8D AC A9 EE F4 28 AA AB"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

The process ctfmon.exe:536 makes changes in the system registry.


The Trojan deletes the following value(s) in system registry:


The Trojan disables automatic startup of the application by deleting the following autorun value:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"

Network activity (URLs)

No activity has been detected.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    rundll32.exe:324
    %original file name%.exe:1476

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\bfg64\libblkmaker-0.1-0.dll (22016 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\bfg32\scrypt130511.cl (23825 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\bfg32\zlib1.dll (88576 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\bfg32\libjansson-4.dll (52736 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\bfg32\libcurl-4.dll (228352 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\bfg64\bfgminer-rpc.exe (20480 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\miderd\pthreadGC2.dll (99058 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\bfg32\bfgminer-rpc.exe (33280 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\bfg32\pdcurses.dll (102912 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\bfg32\backtrace.dll (1123328 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\taskhost.exe (55296 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\dll\hookdll.dll (42496 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\dll\hookdll64.dll (41984 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\bfg64\libblkmaker_jansson-0.1-0.dll (22016 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\bfg64\pthreadGC2.dll (87040 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\bfg64\libusb-1.0.dll (76800 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\bfg64\scrypt130511.cl (23825 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\miderd\minerd.exe (735709 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\bfg64\bfgminer.exe (1223680 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\bfg64\pdcurses.dll (92672 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\bfg64\zlib1.dll (98304 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\miderd\zlib1.dll (109568 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\bfg32\pthreadGC2.dll (45056 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\miderd\libcurl-4.dll (633352 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\bfg32\libblkmaker_jansson-0.1-0.dll (13824 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\bfg64\libjansson-4.dll (66048 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\bfg32\bfgminer.exe (846336 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\bfg32\libusb-1.0.dll (117760 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\bfg32\libblkmaker-0.1-0.dll (13824 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\bfg64\libcurl-4.dll (238080 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\bin\bfg64\backtrace.dll (1123328 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\rundll32.exe (166912 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "Windows Host Process" = "%Documents and Settings%\%current user%\Local Settings\Application Data\FlashContainer\rundll32.exe"

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

Network Activity

Map

Strings from Dumps