DDoSNitol_002a96d79a

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

regsvr32.exe:232
hrl1.tmp:1096

The Trojan injects its code into the following process(es):

bohboq.exe:1276

File activity

The process regsvr32.exe:232 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\hrl1.tmp (67 bytes)

The process hrl1.tmp:1096 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%System%\bohboq.exe (601 bytes)

The process bohboq.exe:1276 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

C:\RCX2.tmp (15004 bytes)
%System%\hra33.dll (7 bytes)

The Trojan deletes the following file(s):

%System%\hra33.dll (0 bytes)

Registry activity

The process regsvr32.exe:232 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8E 61 C3 F7 EB B6 10 E2 F8 39 B9 70 7E DB C2 D7"

Dropped PE files

MD5	File path
909efa605371aadc67a15314155ed655	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\SOFTWARE.LOG
909efa605371aadc67a15314155ed655	c:\WINDOWS\system32\bohboq.exe

HOSTS file anomalies

The Trojan modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses. The modified file is 734 bytes in size. The following strings are added to the hosts file listed below:

127.0.0.1	www.Brenz.pl

Rootkit activity

The Trojan installs the following user-mode hooks in ntdll.dll:

NtQueryInformationProcess
ZwOpenFile
NtDeviceIoControlFile
NtCreateProcessEx
NtCreateProcess
NtCreateFile

Propagation

Removals

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Scan a system with an anti-rootkit tool.
   
2. Terminate malicious process(es) (How to End a Process With the Task Manager):

   regsvr32.exe:232
   hrl1.tmp:1096
   

3. Delete the original Trojan file.
   
4. Delete or disinfect the following files created/modified by the Trojan:

   %Documents and Settings%\%current user%\Local Settings\Temp\hrl1.tmp (67 bytes)
   %System%\bohboq.exe (601 bytes)
   C:\RCX2.tmp (15004 bytes)
   %System%\hra33.dll (7 bytes)

5. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts): 127.0.0.1 localhost
   
6. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
7. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

No information is available.

No information is available.

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	2860	3072	3.84485	c9b6b9fbded3d4764666702b145428d1
.rdata	8192	2505	2560	3.36056	6951ee1a0ff3a7f5a44727b4713506a3
.data	12288	672	0	0	d41d8cd98f00b204e9800998ecf8427e
.rsrc	16384	67220	67584	4.87324	969bb4178891bfac0b78243b2633cd75
.reloc	86016	494	512	3.52939	cfa8d04dd000bb30ab126902176ed40d

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL	IP
ilo.brenz.pl	148.81.111.111
huanghe110.3322.org	221.130.179.36

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

regsvr32.exe_232:

.text

.text

`.data

`.data

.rsrc

.rsrc

msvcrt.dll

msvcrt.dll

ADVAPI32.dll

ADVAPI32.dll

KERNEL32.dll

KERNEL32.dll

NTDLL.DLL

NTDLL.DLL

USER32.dll

USER32.dll

ole32.dll

ole32.dll

regsvr32.pdb

regsvr32.pdb

_wcmdln

_wcmdln

RegCloseKey

RegCloseKey

RegOpenKeyExW

RegOpenKeyExW

Excessive # of DLL's on cmdline

Excessive # of DLL's on cmdline

5.1.2600.5512 (xpsp.080413-2105)

5.1.2600.5512 (xpsp.080413-2105)

REGSVR32.EXE

REGSVR32.EXE

Windows

Windows

Operating System

Operating System

5.1.2600.5512

5.1.2600.5512

Usage: regsvr32 [/u] [/s] [/n] [/i[:cmdline]] dllname

Usage: regsvr32 [/u] [/s] [/n] [/i[:cmdline]] dllname

Call DllInstall passing it an optional [cmdline]; when used with /u calls dll uninstall

Call DllInstall passing it an optional [cmdline]; when used with /u calls dll uninstall

Unrecognized flag: %1"Extra argument on command line: This command is only valid when an OLE Custom Control project is open.

Unrecognized flag: %1"Extra argument on command line: This command is only valid when an OLE Custom Control project is open.

LoadLibrary("%1") failed - ,%1 was loaded, but the %2 entry point was not found.

LoadLibrary("%1") failed - ,%1 was loaded, but the %2 entry point was not found.

%1 does not appear to be a .DLL or .OCX file.V%1 was loaded, but the %2 entry point was not found.

%1 does not appear to be a .DLL or .OCX file.V%1 was loaded, but the %2 entry point was not found.

OleUninitialize failed.["%1" is not an executable file and no registration

OleUninitialize failed.["%1" is not an executable file and no registration

bohboq.exe_1276:

.text

.text

`.rdata

`.rdata

@.data

@.data

.rsrc

.rsrc

USER32.dll

USER32.dll

ADVAPI32.dll

ADVAPI32.dll

SHELL32.dll

SHELL32.dll

WS2_32.dll

WS2_32.dll

WINMM.dll

WINMM.dll

GET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htm

GET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htm

RegCloseKey

RegCloseKey

RegOpenKeyExA

RegOpenKeyExA

RegOpenKeyA

RegOpenKeyA

ShellExecuteA

ShellExecuteA

MFC42.DLL

MFC42.DLL

MSVCRT.dll

MSVCRT.dll

_acmdln

_acmdln

WinExec

WinExec

KERNEL32.dll

KERNEL32.dll

huanghe110.3322.org:8443

huanghe110.3322.org:8443

10315491711031549171

10315491711031549171

%u.%u.%u.%u

%u.%u.%u.%u

hra%u.dll

hra%u.dll

iexplore.exe

iexplore.exe

stf%c%c%c%c%c.exe

stf%c%c%c%c%c.exe

PlusCtrl.dll

PlusCtrl.dll

kernel32.dll

kernel32.dll

SOFTWARE.LOG

SOFTWARE.LOG

%c%c%c%c%c%c.exe

%c%c%c%c%c%c.exe

%u MB

%u MB

%u MHz

%u MHz

Windows NT

Windows NT

Windows 7

Windows 7

Windows 2008

Windows 2008

Windows Vista

Windows Vista

Windows 2003

Windows 2003

Windows XP

Windows XP

Windows 2000

Windows 2000

SOFTWARE\Microsoft\Windows NT\CurrentVersion

SOFTWARE\Microsoft\Windows NT\CurrentVersion

\Program Files\Internet Explorer\iexplore.exe

\Program Files\Internet Explorer\iexplore.exe

#0%s!

#0%s!

%s/%s

%s/%s

GET %s HTTP/1.1

GET %s HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*

User-Agent:Mozilla/4.0 (compatible; MSIE %d.0; Windows NT %d.1; SV1)

User-Agent:Mozilla/4.0 (compatible; MSIE %d.0; Windows NT %d.1; SV1)

Host: %s:%d

Host: %s:%d

Host: %s

Host: %s

User-Agent:Mozilla/5.0 (X11; U; Linux i686; en-US; re:1.4.0) Gecko/20080808 Firefox/%d.0

User-Agent:Mozilla/5.0 (X11; U; Linux i686; en-US; re:1.4.0) Gecko/20080808 Firefox/%d.0

Referer: http://%s:80/http://%s

Referer: http://%s:80/http://%s

%s %s%s

%s %s%s

User-Agent:Mozilla/4.0 (compatible; MSIE %d.00; Windows NT %d.0; MyIE 3.01)

User-Agent:Mozilla/4.0 (compatible; MSIE %d.00; Windows NT %d.0; MyIE 3.01)

User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

%d.%d.%d.%d

%d.%d.%d.%d

192.168.1.244

192.168.1.244

@.reloc

@.reloc

SHLWAPI.dll

SHLWAPI.dll

lpk.dll

lpk.dll

YU.yS

YU.yS

:1-6}i|

:1-6}i|

oq].ba

oq].ba

.citp

.citp

cmd /c RD /s /q "%s"

cmd /c RD /s /q "%s"

"%s" a -r -ep1"%s" "%s" "%s\lpk.dll"

"%s" a -r -ep1"%s" "%s" "%s\lpk.dll"

"%s" x "%s" *.exe "%s\"

"%s" x "%s" *.exe "%s\"

cmd /c %s vb "%s" lpk.dll|find /i "lpk.dll"

cmd /c %s vb "%s" lpk.dll|find /i "lpk.dll"

rar.exe

rar.exe

1, 0, 0, 1

1, 0, 0, 1

server.EXE

server.EXE