Skip to main content

Backdoor.Win32.Kelihos_94416b0904


Trojan.Win32.Badur.fzji (Kaspersky), Trojan.Win32.Kryptik.mwe (v) (VIPRE), Backdoor.Win32.Kelihos.FD, mzpefinder_pcap_file.YR, GenericInjector.YR (Lavasoft MAS)Behaviour: Trojan, Backdoor

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 94416b090436f967d3d6fbbc9aa181fc

SHA1: 417717e35b8f1bf48ca9124236c71c68a87ecd56

SHA256: a463072e07f132a50c84c0065378798daefd3d48c03389d852d509757973c50c

SSDeep: 384:2U8xB9ZowPHtlBc7OskDUBPDgd4crNWxNrq4nZ r:2NEWH0X2UALgxN7ngr

Size: 27665 bytes

File type: EXE

Platform: WIN32

Entropy: Not Packed

PEID: UPolyXv05_v6

Company: no certificate found

Created at: 2013-08-20 01:44:55

Analyzed on: WindowsXP SP3 32-bit

Summary: Backdoor. Malware that enables a remote control of victim's machine.

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Backdoor creates the following process(es):

Reader_sl.exe:1064
wuauclt.exe:344
ntvdm.exe:1864
%original file name%.exe:376
jusched.exe:1056

The Backdoor injects its code into the following process(es):

temp241124419.exe:1764

File activity

The process wuauclt.exe:344 makes changes in the file system.


The Backdoor creates and/or writes to the following file(s):

%WinDir%\SoftwareDistribution\DataStore\Logs\edb.chk (100 bytes)
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.log (3576 bytes)
%WinDir%\SoftwareDistribution\DataStore\DataStore.edb (100 bytes)

The Backdoor deletes the following file(s):

%WinDir%\SoftwareDistribution\DataStore\Logs\tmp.edb (0 bytes)

The process temp241124419.exe:1764 makes changes in the file system.


The Backdoor deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\tmp.exe (0 bytes)

The process ntvdm.exe:1864 makes changes in the file system.


The Backdoor creates and/or writes to the following file(s):

%Program Files%\Java\jre6\lib (12 bytes)
%Program Files%\Java\jre6\lib\ext (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wireshark.txt (995 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\test.pml (2321 bytes)
%Documents and Settings%\%current user% (4 bytes)
%WinDir%\Temp\scs1.tmp (33880 bytes)
%WinDir%\Temp\Perflib_Perfdata_7b0.dat (4 bytes)
%Program Files%\Java\jre6\lib\fonts (4 bytes)
%Program Files%\Java\jre6\lib\zi (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp (4 bytes)
%Program Files%\Wireshark (96 bytes)
%Program Files%\Java\jre6\lib\security (4 bytes)
%WinDir% (672 bytes)
C:\$Directory (16 bytes)
%Documents and Settings%\%current user%\Local Settings (4 bytes)
%WinDir%\Temp\scs2.tmp (10145 bytes)
%System% (1920 bytes)

The Backdoor deletes the following file(s):

%WinDir%\Temp\scs1.tmp (0 bytes)
%WinDir%\Temp\scs2.tmp (0 bytes)

The process %original file name%.exe:376 makes changes in the file system.


The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\temp3371987840.exe (3913 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\temp241124419.exe (3913 bytes)

The process jusched.exe:1056 makes changes in the file system.


The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\jusched.log (347 bytes)

Registry activity

The process Reader_sl.exe:1064 makes changes in the system registry.


The Backdoor creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process temp241124419.exe:1764 makes changes in the system registry.


The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "38 F4 96 56 5D 04 36 EA F6 57 06 7E 09 7A 22 37"

[HKCU\Software\Microsoft\Notepad]
"sizeCompletedValid" = "DOb5Qg/Mxblvz16dTB/G1rGyYWuQUigK8mfETlefaElK5ALW zd8L1i5a/VnkNf Qg=="

[HKCU\Software\Sysinternals\Process Monitor]
"UrlEnabledUse" = "80"

[HKLM\System\CurrentControlSet\Services\nm\Parameters]
"EnableStationQueries" = "1"
"ComputerName" = "XP8"

[HKCU\Software\Microsoft\Notepad]
"infoPlayedCurrent" = "00 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"DBSavedUse" = "A2 49 4D F3 D9 1E 9F 88 01 01 08 6A 00 03 CD 04"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Sysinternals\Process Monitor]
"FlagsModifiedValid" = "00 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Notepad]
"styleModifiedPrev" = "80"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"PlatformCompressedValid" = "00 00 00 00 00 00 00 00"
"PersistentLocalizedName" = "24 80 F9 7F 7A 40 0A 61 B2 E7 08 0A EB CE 61 00"

[HKCU\Software\Sysinternals\Process Monitor]
"DefaultCompressedRecord" = "24 80 F9 7F 73 66 3D 27 15 38 BB D0 37 8E 6B 97"

[HKCU\Software\Microsoft\Notepad]
"activeModifiedTheme" = "24 80 F9 7F 87 72 16 11 F5 99 E8 77 63 61 FF 30"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"RecordEnabledCheck" = "80"

[HKCU\Software\Sysinternals\Process Monitor]
"RecordModifiedMax" = "DOb5Qg/Mxblvz16dTB/G1rGyYWuQUigK8mfETlefaElK5ALW zd8L1i5a/VnkNf Qg=="

[HKLM\System\CurrentControlSet\Services\nm\Parameters]
"UserName" = "%CurrentUserName%"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"LineLoadedQuick" = "DOb5Qg/Mxblvz16dTB/G1rGyYWuQUigK8mfETlefaElK5ALW zd8L1i5a/VnkNf Qg=="

To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NetworkUpdater" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\temp241124419.exe"

The process %original file name%.exe:376 makes changes in the system registry.


The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "60 1E B0 43 D8 0F D3 00 B0 22 F7 86 2E 38 64 BF"

Network activity (URLs)

URL IP
hxxp://37.49.225.226/mod1/yanicha.exe (Malicious)
hxxp://122.255.203.213/mod2/yanicha.exe (Malicious)


HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    wuauclt.exe:344
    ntvdm.exe:1864
    %original file name%.exe:376

  2. Delete the original Backdoor file.
  3. Delete or disinfect the following files created/modified by the Backdoor:

    %WinDir%\SoftwareDistribution\DataStore\Logs\edb.chk (100 bytes)
    %WinDir%\SoftwareDistribution\DataStore\Logs\edb.log (3576 bytes)
    %WinDir%\SoftwareDistribution\DataStore\DataStore.edb (100 bytes)
    %Program Files%\Java\jre6\lib (12 bytes)
    %Program Files%\Java\jre6\lib\ext (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\wireshark.txt (995 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\test.pml (2321 bytes)
    %WinDir%\Temp\scs1.tmp (33880 bytes)
    %WinDir%\Temp\Perflib_Perfdata_7b0.dat (4 bytes)
    %Program Files%\Java\jre6\lib\fonts (4 bytes)
    %Program Files%\Java\jre6\lib\zi (4 bytes)
    %Program Files%\Wireshark (96 bytes)
    %Program Files%\Java\jre6\lib\security (4 bytes)
    C:\$Directory (16 bytes)
    %WinDir%\Temp\scs2.tmp (10145 bytes)
    %System% (1920 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\temp3371987840.exe (3913 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\temp241124419.exe (3913 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jusched.log (347 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NetworkUpdater" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\temp241124419.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

Network Activity

Map

Strings from Dumps