Skip to main content

Backdoor.Win32.Turkojan_56e520e523


HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.MSIL.Injector.ea (v) (VIPRE), Trojan-Dropper.Small!IK (Emsisoft), Backdoor.Win32.Turkojan.FD, RATTurkojan.YR, GenericInjector.YR (Lavasoft MAS)Behaviour: Trojan-Dropper, Trojan, Backdoor

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 56e520e5238123988a686a6d8c95c5ad

SHA1: 8765947917c13a0da6150fa362ac2ae9f52f0759

SHA256: e95987cdd7e44cdac5cdb6a8c76428269bd4565e2d2c240cd80d26f3c3ea770b

SSDeep: 6144:JlRSny9iM4c4UpyIqhzzayF6KB qlpoWvexY04hki:xcLW hRiWEv

Size: 344064 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6

Company: SummerSoft

Created at: 2013-07-18 02:07:03

Summary: Backdoor. Malware that enables a remote control of victim's machine.

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Backdoor creates the following process(es):

56e520e5238123988a686a6d8c95c5ad.exe:1652
csc.exe:1648
cvtres.exe:892

The Backdoor injects its code into the following process(es):

56e520e5238123988a686a6d8c95c5ad.exe:428

File activity

The process 56e520e5238123988a686a6d8c95c5ad.exe:1652 makes changes in a file system.


The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\udfb0s-v.out (305 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\udfb0s-v.0.cs (196 bytes)
%Documents and Settings%\%current user%\Application Data\56e520e5238123988a686a6d8c95c5ad.exe (6 bytes)
%Documents and Settings%\%current user%\Application Data\Facebook Hack\Facebook Hack.exe (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\udfb0s-v.cmdline (238 bytes)

The Backdoor deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\udfb0s-v.0.cs (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\udfb0s-v.err (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\udfb0s-v.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\udfb0s-v.out (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\udfb0s-v.cmdline (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\udfb0s-v.dll (0 bytes)

The process csc.exe:1648 makes changes in a file system.


The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\CSC1.tmp (652 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\udfb0s-v.out (396 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\udfb0s-v.dll (3110 bytes)

The Backdoor deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\CSC1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RES2.tmp (0 bytes)

The process cvtres.exe:892 makes changes in a file system.


The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\RES2.tmp (2912 bytes)

Registry activity

The process 56e520e5238123988a686a6d8c95c5ad.exe:1652 makes changes in a system registry.


The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1D 5F CA C5 19 F4 29 D2 74 99 29 4F 66 EA 19 89"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Environment]
"SEE_MASK_NOZONECHECKS" = "1"

To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Facebook Hack" = "%Documents and Settings%\%current user%\Application Data\Facebook Hack\Facebook Hack.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Facebook Hack" = "%Documents and Settings%\%current user%\Application Data\Facebook Hack\Facebook Hack.exe"

The process 56e520e5238123988a686a6d8c95c5ad.exe:428 makes changes in a system registry.


The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FD 3B 51 B5 E7 1C 58 F7 5A 95 86 2D 32 5B 96 A6"

The process csc.exe:1648 makes changes in a system registry.


The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "80 2A 13 B1 04 34 66 EB 3A 74 5E BB A5 4D DC 22"

The process cvtres.exe:892 makes changes in a system registry.


The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C5 96 7E F6 CC F9 CF 01 22 4F 55 59 92 6B 76 BA"

Network activity (URLs)

No activity has been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    56e520e5238123988a686a6d8c95c5ad.exe:1652
    csc.exe:1648
    cvtres.exe:892

  2. Delete the original Backdoor file.
  3. Delete or disinfect the following files created/modified by the Backdoor:

    %Documents and Settings%\%current user%\Local Settings\Temp\udfb0s-v.out (305 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\udfb0s-v.0.cs (196 bytes)
    %Documents and Settings%\%current user%\Application Data\56e520e5238123988a686a6d8c95c5ad.exe (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Facebook Hack\Facebook Hack.exe (2105 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\udfb0s-v.cmdline (238 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\CSC1.tmp (652 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\udfb0s-v.dll (3110 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RES2.tmp (2912 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "Facebook Hack" = "%Documents and Settings%\%current user%\Application Data\Facebook Hack\Facebook Hack.exe"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Facebook Hack" = "%Documents and Settings%\%current user%\Application Data\Facebook Hack\Facebook Hack.exe"

  5. Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

Network Activity

Map

Strings from Dumps