Susp_Dropper (Kaspersky), Gen:Variant.Strictor.39554 (AdAware), Backdoor.Win32.PcClient.FD (Lavasoft MAS)
Behaviour: Backdoor
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: e5685fd3718e1faafc50b7faaea4eeab
SHA1: 1eafe9fc8abd866aaaa758230a04f9a87457ecc2
SHA256: 01f8fedaf08ec5257c2a291d0bbbab707ee7481926742d501c5edc81d695c8dc
SSDeep: 12288:tUomEFRu3xEPEd7BVAX24rT6Gd8qYvwoMebKgSw:rmOMSPEdT4e28s/e2gR
Size: 574031 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2014-06-10 20:11:07
Analyzed on: WindowsXP SP3 32-bit
Summary: Backdoor. Malware that enables remote control of the victim's machine.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Backdoor creates the following process(es):
%original file name%.exe:996
taskkill.exe:1776
taskkill.exe:256
taskkill.exe:1356
fapcf.exe:1580
FAPCF MODZ.exe:1044
FAPCFPACK.EXE:1664
netsh.exe:916
RunDll32.exe:548
RunDll32.exe:780
ERU79Y1MnVyg2PhYu39T.EXE:1104
mscorsvw.exe:172
The Backdoor injects its code into the following process(es):
Google Chrome.exe:2016
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:996 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
C:\fapcf\FAPCF MODZ.exe (4545 bytes)
C:\fapcf\fapcf.exe (65 bytes)
The Backdoor deletes the following file(s):
C:\fapcf\__tmp_rar_sfx_access_check_1365265 (0 bytes)
The process fapcf.exe:1580 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\Google Chrome.exe (65 bytes)
The process Google Chrome.exe:2016 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Start Menu\Programs\Startup\3fc95aa47218f21ec0000f752e6e36bd.exe (65 bytes)
The process FAPCF MODZ.exe:1044 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%WinDir%\FAPCF\FAPCFPACK.EXE (282 bytes)
The Backdoor deletes the following file(s):
%WinDir%\FAPCF\__tmp_rar_sfx_access_check_1366218 (0 bytes)
The process FAPCFPACK.EXE:1664 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
C:\RCXB4.tmp (122264 bytes)
%WinDir%\FAPCF\FAPCF.DAT (99 bytes)
%WinDir%\FAPCF\go1.bat (80 bytes)
%WinDir%\FAPCF\x2p6g4T5go9Uh9MzRW42.DB (149 bytes)
%WinDir%\FAPCF\4BYlqxnHUDDBuml3Fsnd.DB (117 bytes)
%WinDir%\FAPCF\BR4YkZ5XAVm7kbpMhRYq.DB (6378 bytes)
%WinDir%\FAPCF\ERU79Y1MnVyg2PhYu39T.EXE (5442 bytes)
The Backdoor deletes the following file(s):
%WinDir%\FAPCF\BR4YkZ5XAVm7kbpMhRYq.DB (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\~DFB8D4.tmp (0 bytes)
%WinDir%\FAPCF\4BYlqxnHUDDBuml3Fsnd.DB (0 bytes)
%WinDir%\FAPCF\x2p6g4T5go9Uh9MzRW42.DB (0 bytes)
The process ERU79Y1MnVyg2PhYu39T.EXE:1104 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W47XWGVM\desktop.ini (67 bytes)
%System%\drivers\etc\hosts.ics (482 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Z6D9M5LH\32916[1].htm (1190 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WO4KQ4VK\ajax-loader[1].gif (4001 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WO4KQ4VK\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WO4KQ4VK\FAPCF[1].HTML (695 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W47XWGVM\592[1].png (322 bytes)
%System%\drivers\etc\hosts (482 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Z6D9M5LH\18216[1].htm (1190 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\8TQFS5Y7\anti[1].php (480 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Z6D9M5LH\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\8TQFS5Y7\desktop.ini (67 bytes)
%Documents and Settings%\All Users\Desktop\FAPCF ONE.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\8TQFS5Y7\990x90[1] (11045 bytes)
Registry activity
The process %original file name%.exe:996 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "57 A6 79 06 B4 54 DF F9 31 B1 A9 C2 C1 51 6C 7B"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\fapcf]
"fapcf.exe" = "fapcf"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\WinRAR SFX]
"C%úpcf" = "C:\fapcf"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\fapcf]
"FAPCF MODZ.exe" = "FAPCF MODZ"
The Backdoor modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Backdoor modifies IE security zone settings so that all local web nodes with no dots that are not assigned to any zone are mapped to the Intranet Zone:
"UNCAsIntranet" = "1"
The Backdoor modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
The process taskkill.exe:1776 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AB 5E 70 69 AD 27 C3 79 76 B5 C7 18 1C DE 08 0B"
The process taskkill.exe:256 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6C 7A 6A 92 E6 5F B8 CB FB A8 99 C8 F6 66 71 B4"
The process taskkill.exe:1356 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A6 1D 30 8A 08 5E 6A CE 52 7F D6 1A 31 39 3A 24"
The process fapcf.exe:1580 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9E 69 0E 6F C5 8B 34 64 1A AC FA 9B 21 FA BB CD"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU]
"di" = "!"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Local Settings\Temp]
"google chrome.exe" = "Google Chrome"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Backdoor modifies IE security zone settings so that all local web nodes with no dots that are not assigned to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Backdoor modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:
"IntranetName" = "1"
The Backdoor modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
The process Google Chrome.exe:2016 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "39 EE A0 1D 2B DD 3F 74 41 66 5C C8 BC 5F 57 EF"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
[HKCU]
"di" = "!"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\3fc95aa47218f21ec0000f752e6e36bd]
"[kl]" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Environment]
"SEE_MASK_NOZONECHECKS" = "1"
To run itself automatically each time Windows boots, the Backdoor adds the following reference to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"3fc95aa47218f21ec0000f752e6e36bd" = "%Documents and Settings%\%current user%\Local Settings\Temp\Google Chrome.exe .."
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"3fc95aa47218f21ec0000f752e6e36bd" = "%Documents and Settings%\%current user%\Local Settings\Temp\Google Chrome.exe .."
The process FAPCF MODZ.exe:1044 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A5 B1 0F 8D 1A E3 8B 8E F6 1F 69 91 91 86 A3 2D"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%WinDir%\FAPCF]
"FAPCFPACK.EXE" = "FAPCFPACK"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"taskkill.exe" = "Kill Process"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Backdoor modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Backdoor modifies IE security zone settings so that all local web nodes with no dots that are not assigned to any zone are mapped to the Intranet Zone:
"UNCAsIntranet" = "1"
The Backdoor modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:
"IntranetName" = "1"
The process FAPCFPACK.EXE:1664 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "01 62 1C 27 48 14 AC 05 60 35 A1 0D 0C C2 46 80"
The process netsh.exe:916 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"BitNames" = " NAP_TRACE_BASE NAP_TRACE_NETSH"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"Guid" = "710adbf0-ce88-40b4-a50d-231ada6593f0"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"Guid" = "b0278a28-76f1-4e15-b1df-14b209a12613"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3E 27 D0 DD CF 04 31 37 8B 72 D6 EC 3F A9 F0 DC"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"
Adds a rule to the Windows firewall which allows any network activity for the dropped file:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Documents and Settings%\%current user%\Local Settings\Temp]
"google chrome.exe" = "%Documents and Settings%\%current user%\Local Settings\Temp\Google Chrome.exe:*:Enabled:Google Chrome.exe"
The process RunDll32.exe:548 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "76 19 80 F7 C1 B7 92 D4 ED 81 E2 DF 75 B0 13 95"
The process RunDll32.exe:780 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "52 70 7B AD C3 97 82 98 DC E7 35 B3 2F 4C B3 D1"
The process ERU79Y1MnVyg2PhYu39T.EXE:1104 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1406799985"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"NetHood" = "%Documents and Settings%\%current user%\NetHood"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 13 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp3res.dll,-20001" = "Diagnose Connection Problems..."
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Templates" = "%Documents and Settings%\%current user%\Templates"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "ERU79Y1MnVyg2PhYu39T.EXE"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"SendTo" = "%Documents and Settings%\%current user%\SendTo"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Startup" = "%Documents and Settings%\All Users\Start Menu\Programs\Startup"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"PrintHood" = "%Documents and Settings%\%current user%\PrintHood"
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Fonts" = "%WinDir%\Fonts"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "82 BE B0 12 25 2F 93 32 FE 74 0C 1E 63 7D 02 F9"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Recent" = "%Documents and Settings%\%current user%\Recent"
"Favorites" = "%Documents and Settings%\%current user%\Favorites"
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Backdoor modifies IE security zone settings so that all local web nodes with no dots that are not assigned to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Backdoor modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Backdoor modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
The Backdoor deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process mscorsvw.exe:172 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\State]
"AccumulatedWaitIdleTime" = "1260000"
Dropped PE files
MD5 | File path |
---|---|
c91416399bd6196c37585de5ffe0b736 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\Google Chrome.exe |
9524aebf94a0839f5505729052244f1d | c:\WINDOWS\FAPCF\ERU79Y1MnVyg2PhYu39T.EXE |
5c303d26e748f4813e289145b1d84fb6 | c:\fapcf\FAPCF MODZ.exe |
c91416399bd6196c37585de5ffe0b736 | c:\fapcf\fapcf.exe |
HOSTS file anomalies
The Backdoor modifies the "%System%\drivers\etc\hosts" file, which is used to map host names to IP addresses. The modified file is 480 bytes in size. The following entries are added to the hosts file:
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:996
taskkill.exe:1776
taskkill.exe:256
taskkill.exe:1356
fapcf.exe:1580
FAPCF MODZ.exe:1044
FAPCFPACK.EXE:1664
netsh.exe:916
RunDll32.exe:548
RunDll32.exe:780
ERU79Y1MnVyg2PhYu39T.EXE:1104
mscorsvw.exe:172
- Delete the original Backdoor file.
- Delete or disinfect the following files created/modified by the Backdoor:
C:\fapcf\FAPCF MODZ.exe (4545 bytes)
C:\fapcf\fapcf.exe (65 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Google Chrome.exe (65 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Startup\3fc95aa47218f21ec0000f752e6e36bd.exe (65 bytes)
%WinDir%\FAPCF\FAPCFPACK.EXE (282 bytes)
C:\RCXB4.tmp (122264 bytes)
%WinDir%\FAPCF\FAPCF.DAT (99 bytes)
%WinDir%\FAPCF\go1.bat (80 bytes)
%WinDir%\FAPCF\x2p6g4T5go9Uh9MzRW42.DB (149 bytes)
%WinDir%\FAPCF\4BYlqxnHUDDBuml3Fsnd.DB (117 bytes)
%WinDir%\FAPCF\BR4YkZ5XAVm7kbpMhRYq.DB (6378 bytes)
%WinDir%\FAPCF\ERU79Y1MnVyg2PhYu39T.EXE (5442 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W47XWGVM\desktop.ini (67 bytes)
%System%\drivers\etc\hosts.ics (482 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Z6D9M5LH\32916[1].htm (1190 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WO4KQ4VK\ajax-loader[1].gif (4001 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WO4KQ4VK\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WO4KQ4VK\FAPCF[1].HTML (695 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W47XWGVM\592[1].png (322 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Z6D9M5LH\18216[1].htm (1190 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\8TQFS5Y7\anti[1].php (480 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Z6D9M5LH\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\8TQFS5Y7\desktop.ini (67 bytes)
%Documents and Settings%\All Users\Desktop\FAPCF ONE.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\8TQFS5Y7\990x90[1] (11045 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"3fc95aa47218f21ec0000f752e6e36bd" = "%Documents and Settings%\%current user%\Local Settings\Temp\Google Chrome.exe .."
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"3fc95aa47218f21ec0000f752e6e36bd" = "%Documents and Settings%\%current user%\Local Settings\Temp\Google Chrome.exe .."
- Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
127.0.0.1 localhost
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 165203 | 165376 | 4.66056 | 0d2680623ee21ef164d1e5badd4a9069 |
.rdata | 172032 | 20307 | 20480 | 3.70992 | 68d6f01f72380c61070d86b06775b053 |
.data | 192512 | 137468 | 5632 | 2.40524 | 599cdae4e964b67335324e67538c2a9c |
.rsrc | 331776 | 16796 | 16896 | 3.64547 | 10f378023b040627626fc351e12db0c0 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /system/ads/10423/banners/990x90 HTTP/1.1
Accept: */*
Referer: hXXp://ad.a-ads.com/32916?size=990x90
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: static.a-ads.com
Connection: Keep-Alive

HTTP/1.1 200 OK
Server: nginx/1.6.0
Date: Fri, 08 Aug 2014 13:41:48 GMT
Content-Type: application/octet-stream
Content-Length: 55761
Last-Modified: Tue, 27 May 2014 21:33:35 GMT
Connection: keep-alive
ETag: "538504af-d9d1"
<<< skipped >>>
GET /small/05/592.png HTTP/1.1
Accept: */*
Referer: hXXp://cfpro00007.googlecode.com/svn/trunk/FAPCF.HTML
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Connection: Keep-Alive
Host: widgets.amung.us

HTTP/1.1 200 OK
Server: nginx/1.2.4
Date: Fri, 08 Aug 2014 13:41:48 GMT
Content-Type: image/png
Content-Length: 322
Last-Modified: Sun, 13 Jun 2010 09:48:29 GMT
Connection: keep-alive
Expires: Sun, 07 Sep 2014 13:41:48 GMT
Cache-Control: max-age=2592000
Accept-Ranges: bytes
GET / HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: fapcf001.ddns.net
Connection: Keep-Alive

HTTP/1.1 302 Found
Date: Fri, 08 Aug 2014 13:41:47 GMT
Server: Apache
Location: hXXp://cfpro00007.googlecode.com/svn/trunk/FAPCF.HTML
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
GET / HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: antiweb.zapto.org
Connection: Keep-Alive

HTTP/1.1 302 Found
Date: Fri, 08 Aug 2014 13:41:45 GMT
Server: Apache
Location: hXXp://cfpro00007.googlecode.com/svn/trunk/anti.php
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
GET /32916?size=990x90 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*
Referer: hXXp://cfpro00007.googlecode.com/svn/trunk/FAPCF.HTML
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: ad.a-ads.com
Connection: Keep-Alive

HTTP/1.1 200 OK
Content-Type: text/html;charset=utf-8
Content-Length: 5253
Connection: keep-alive
Status: 200 OK
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Powered-By: Phusion Passenger 4.0.44
Date: Fri, 08 Aug 2014 13:41:48 GMT
<<< skipped >>>
GET /18216?size=990x90 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*
Referer: hXXp://cfpro00007.googlecode.com/svn/trunk/FAPCF.HTML
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: ad.a-ads.com
Connection: Keep-Alive

HTTP/1.1 200 OK
Content-Type: text/html;charset=utf-8
Content-Length: 5355
Connection: keep-alive
Status: 200 OK
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Powered-By: Phusion Passenger 4.0.44
Date: Fri, 08 Aug 2014 13:41:48 GMT
<<< skipped >>>
GET /swidget/fapcfone.png HTTP/1.1
Accept: */*
Referer: hXXp://cfpro00007.googlecode.com/svn/trunk/FAPCF.HTML
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: whos.amung.us
Connection: Keep-Alive

HTTP/1.1 303 See Other
Date: Fri, 08 Aug 2014 13:41:48 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Location: hXXp://widgets.amung.us/small/05/592.png
Set-Cookie: uid=CgH9H1Pk05zAAn97e7QcAg==; expires=Thu, 31-Dec-37 23:55:55 GMT; domain=atta; path=/
GET /svn/trunk/anti.php HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Connection: Keep-Alive
Host: cfpro00007.googlecode.com

HTTP/1.1 200 OK
Date: Fri, 08 Aug 2014 13:41:45 GMT
Server: Apache
Last-Modified: Tue, 05 Aug 2014 15:55:58 GMT
ETag: "2//trunk/anti.php"
Accept-Ranges: bytes
Expires: Fri, 08 Aug 2014 13:44:45 GMT
Content-Length: 480
Content-Type: text/plain
Cache-Control: public, max-age=180
Age: 0
Alternate-Protocol: 80:quic

GET /svn/trunk/FAPCF.HTML HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cfpro00007.googlecode.com
Connection: Keep-Alive

HTTP/1.1 200 OK
Date: Fri, 08 Aug 2014 13:41:47 GMT
Server: Apache
Last-Modified: Thu, 07 Aug 2014 09:47:19 GMT
ETag: "7//trunk/FAPCF.HTML"
Accept-Ranges: bytes
Expires: Fri, 08 Aug 2014 13:44:47 GMT
Content-Length: 1885
Content-Type: text/plain
Cache-Control: public, max-age=180
Age: 0
<<< skipped >>>
Map
The Backdoor connects to the servers at the following location(s):
Strings from Dumps
RunDll32.exe_548:
.text
`.data
.rsrc
msvcrt.dll
KERNEL32.dll
NTDLL.DLL
GDI32.dll
USER32.dll
IMAGEHLP.dll
rundll32.pdb
.....eZXnnnnnnnnnnnn3
....eDXnnnnnnnnnnnn3
...eDXnnnnnnnnnnnn,
.eDXnnnnnnnnnnnn,
%Xnnnnnnnnnnnnnnn1
O3$dS7"%U9
.manifest
5.1.2600.5512 (xpsp.080413-2105)
RUNDLL.EXE
Windows
Operating System
5.1.2600.5512
YThere is not enough memory to run the file %s.
Please close other windows and try again.
9The file %s or one of its components could not be opened.
0The file %s or one of its components cannot run.
MThe file %s or one of its components requires a different version of Windows.
UThe file %s or one of its components cannot run in standard or enhanced mode Windows.
3Another instance of the file %s is already running.
/An exception occurred while trying to run "%s"
Error in %s
Missing entry:%s
Error loading %s
RunDll32.exe_780:
.text
`.data
.rsrc
msvcrt.dll
KERNEL32.dll
NTDLL.DLL
GDI32.dll
USER32.dll
IMAGEHLP.dll
rundll32.pdb
.....eZXnnnnnnnnnnnn3
....eDXnnnnnnnnnnnn3
...eDXnnnnnnnnnnnn,
.eDXnnnnnnnnnnnn,
%Xnnnnnnnnnnnnnnn1
O3$dS7"%U9
.manifest
5.1.2600.5512 (xpsp.080413-2105)
RUNDLL.EXE
Windows
Operating System
5.1.2600.5512
YThere is not enough memory to run the file %s.
Please close other windows and try again.
9The file %s or one of its components could not be opened.
0The file %s or one of its components cannot run.
MThe file %s or one of its components requires a different version of Windows.
UThe file %s or one of its components cannot run in standard or enhanced mode Windows.
3Another instance of the file %s is already running.
/An exception occurred while trying to run "%s"
Error in %s
Missing entry:%s
Error loading %s