Skip to main content

DDoSNitol_002a96d79a


Trojan.Win32.MicroFake.ba (Kaspersky), Trojan.Microfake.D (B) (Emsisoft), Trojan.Microfake.D (AdAware), DDoSNitol.YR (Lavasoft MAS)Behaviour: Trojan

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 002a96d79a1081c068c0457952add1e3

SHA1: fe0b84bab6cf593a5a0fee7b9b0c25517a26ac29

SHA256: 149045c16f8b8207f0ed7d4363b11a0f5b25d8c237f21da33fd41647b8406615

SSDeep: 1536:omRqx6nOp I5kmJKRWcc5yzvmgUtkAX/0n HHeX6WnHbcW:oBxeQ IMWvyzv9UF/QMHen7R

Size: 74752 bytes

File type: DLL

Platform: WIN32

Entropy: Not Packed

PEID: UPolyXv05_v6

Company: SummerSoft

Created at: 2010-06-08 12:59:36

Analyzed on: WindowsXP SP3 32-bit

Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

regsvr32.exe:232
hrl1.tmp:1096

The Trojan injects its code into the following process(es):

bohboq.exe:1276

File activity

The process regsvr32.exe:232 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\hrl1.tmp (67 bytes)

The process hrl1.tmp:1096 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%System%\bohboq.exe (601 bytes)

The process bohboq.exe:1276 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

C:\RCX2.tmp (15004 bytes)
%System%\hra33.dll (7 bytes)

The Trojan deletes the following file(s):

%System%\hra33.dll (0 bytes)

Registry activity

The process regsvr32.exe:232 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8E 61 C3 F7 EB B6 10 E2 F8 39 B9 70 7E DB C2 D7"

Dropped PE files

MD5 File path
909efa605371aadc67a15314155ed655c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\SOFTWARE.LOG
909efa605371aadc67a15314155ed655c:\WINDOWS\system32\bohboq.exe

HOSTS file anomalies

The Trojan modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses. The modified file is 734 bytes in size. The following strings are added to the hosts file listed below:

127.0.0.1www.Brenz.pl


Rootkit activity

The Trojan installs the following user-mode hooks in ntdll.dll:

NtQueryInformationProcess
ZwOpenFile
NtDeviceIoControlFile
NtCreateProcessEx
NtCreateProcess
NtCreateFile

Propagation

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    regsvr32.exe:232
    hrl1.tmp:1096

  3. Delete the original Trojan file.
  4. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temp\hrl1.tmp (67 bytes)
    %System%\bohboq.exe (601 bytes)
    C:\RCX2.tmp (15004 bytes)
    %System%\hra33.dll (7 bytes)

  5. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts): 127.0.0.1 localhost
  6. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  7. Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

No information is available.

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text4096286030723.84485c9b6b9fbded3d4764666702b145428d1
.rdata8192250525603.360566951ee1a0ff3a7f5a44727b4713506a3
.data1228867200d41d8cd98f00b204e9800998ecf8427e
.rsrc1638467220675844.87324969bb4178891bfac0b78243b2633cd75
.reloc860164945123.52939cfa8d04dd000bb30ab126902176ed40d

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL IP
ilo.brenz.pl148.81.111.111
huanghe110.3322.org221.130.179.36

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

regsvr32.exe_232:

.text

.text

`.data

`.data

.rsrc

.rsrc

msvcrt.dll

msvcrt.dll

ADVAPI32.dll

ADVAPI32.dll

KERNEL32.dll

KERNEL32.dll

NTDLL.DLL

NTDLL.DLL

USER32.dll

USER32.dll

ole32.dll

ole32.dll

regsvr32.pdb

regsvr32.pdb

_wcmdln

_wcmdln

RegCloseKey

RegCloseKey

RegOpenKeyExW

RegOpenKeyExW

Excessive # of DLL's on cmdline

Excessive # of DLL's on cmdline

5.1.2600.5512 (xpsp.080413-2105)

5.1.2600.5512 (xpsp.080413-2105)

REGSVR32.EXE

REGSVR32.EXE

Windows

Windows

Operating System

Operating System

5.1.2600.5512

5.1.2600.5512

Usage: regsvr32 [/u] [/s] [/n] [/i[:cmdline]] dllname

Usage: regsvr32 [/u] [/s] [/n] [/i[:cmdline]] dllname

Call DllInstall passing it an optional [cmdline]; when used with /u calls dll uninstall

Call DllInstall passing it an optional [cmdline]; when used with /u calls dll uninstall

Unrecognized flag: %1"Extra argument on command line: This command is only valid when an OLE Custom Control project is open.

Unrecognized flag: %1"Extra argument on command line: This command is only valid when an OLE Custom Control project is open.

LoadLibrary("%1") failed - ,%1 was loaded, but the %2 entry point was not found.

LoadLibrary("%1") failed - ,%1 was loaded, but the %2 entry point was not found.

%1 does not appear to be a .DLL or .OCX file.V%1 was loaded, but the %2 entry point was not found.

%1 does not appear to be a .DLL or .OCX file.V%1 was loaded, but the %2 entry point was not found.

OleUninitialize failed.["%1" is not an executable file and no registration

OleUninitialize failed.["%1" is not an executable file and no registration

bohboq.exe_1276:

.text

.text

`.rdata

`.rdata

@.data

@.data

.rsrc

.rsrc

USER32.dll

USER32.dll

ADVAPI32.dll

ADVAPI32.dll

SHELL32.dll

SHELL32.dll

WS2_32.dll

WS2_32.dll

WINMM.dll

WINMM.dll

GET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htm

GET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htm

RegCloseKey

RegCloseKey

RegOpenKeyExA

RegOpenKeyExA

RegOpenKeyA

RegOpenKeyA

ShellExecuteA

ShellExecuteA

MFC42.DLL

MFC42.DLL

MSVCRT.dll

MSVCRT.dll

_acmdln

_acmdln

WinExec

WinExec

KERNEL32.dll

KERNEL32.dll

huanghe110.3322.org:8443

huanghe110.3322.org:8443

10315491711031549171

10315491711031549171

%u.%u.%u.%u

%u.%u.%u.%u

hra%u.dll

hra%u.dll

iexplore.exe

iexplore.exe

stf%c%c%c%c%c.exe

stf%c%c%c%c%c.exe

PlusCtrl.dll

PlusCtrl.dll

kernel32.dll

kernel32.dll

SOFTWARE.LOG

SOFTWARE.LOG

%c%c%c%c%c%c.exe

%c%c%c%c%c%c.exe

%u MB

%u MB

%u MHz

%u MHz

Windows NT

Windows NT

Windows 7

Windows 7

Windows 2008

Windows 2008

Windows Vista

Windows Vista

Windows 2003

Windows 2003

Windows XP

Windows XP

Windows 2000

Windows 2000

SOFTWARE\Microsoft\Windows NT\CurrentVersion

SOFTWARE\Microsoft\Windows NT\CurrentVersion

\Program Files\Internet Explorer\iexplore.exe

\Program Files\Internet Explorer\iexplore.exe

#0%s!

#0%s!

%s/%s

%s/%s

GET %s HTTP/1.1

GET %s HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*

User-Agent:Mozilla/4.0 (compatible; MSIE %d.0; Windows NT %d.1; SV1)

User-Agent:Mozilla/4.0 (compatible; MSIE %d.0; Windows NT %d.1; SV1)

Host: %s:%d

Host: %s:%d

Host: %s

Host: %s

User-Agent:Mozilla/5.0 (X11; U; Linux i686; en-US; re:1.4.0) Gecko/20080808 Firefox/%d.0

User-Agent:Mozilla/5.0 (X11; U; Linux i686; en-US; re:1.4.0) Gecko/20080808 Firefox/%d.0

Referer: http://%s:80/http://%s

Referer: http://%s:80/http://%s

%s %s%s

%s %s%s

User-Agent:Mozilla/4.0 (compatible; MSIE %d.00; Windows NT %d.0; MyIE 3.01)

User-Agent:Mozilla/4.0 (compatible; MSIE %d.00; Windows NT %d.0; MyIE 3.01)

User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

%d.%d.%d.%d

%d.%d.%d.%d

192.168.1.244

192.168.1.244

@.reloc

@.reloc

SHLWAPI.dll

SHLWAPI.dll

lpk.dll

lpk.dll

YU.yS

YU.yS

:1-6}i|

:1-6}i|

oq].ba

oq].ba

.citp

.citp

cmd /c RD /s /q "%s"

cmd /c RD /s /q "%s"

"%s" a -r -ep1"%s" "%s" "%s\lpk.dll"

"%s" a -r -ep1"%s" "%s" "%s\lpk.dll"

"%s" x "%s" *.exe "%s\"

"%s" x "%s" *.exe "%s\"

cmd /c %s vb "%s" lpk.dll|find /i "lpk.dll"

cmd /c %s vb "%s" lpk.dll|find /i "lpk.dll"

rar.exe

rar.exe

1, 0, 0, 1

1, 0, 0, 1

server.EXE

server.EXE