Backdoor.Win32.Napolar.vn (Kaspersky)
Behaviour: Backdoor
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: bc14507891da9a9592edce81f6cd9311
SHA1: 84cd506cb055411f5a503950534e1b2c9bdf3987
SHA256: b57c89235d7c7f59f3fed8f26df30181d3c9db01affae55eb5de79c40ae77203
SSDeep: 3072:PAycG/885J4Mqpx srgvuCZdyhAFTmqwIdtOccwEjAWkj:TFq1xfcvdZkKhmkgV8
Size: 170856 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171
Company: no certificate found
Created at: 2014-03-27 19:57:58
Analyzed on: WindowsXP SP3 32-bit
Summary: Backdoor. Malware that enables remote control of the victim's machine.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Backdoor creates the following process(es):
{897da024-84c6-cb43-f92a-b6a6897da024}.exe:2596
{897da024-84c6-cb43-f92a-b6a6897da024}.exe:2504
%original file name%.exe:1248
%original file name%.exe:1724
The Backdoor injects its code into the following process(es):
Explorer.EXE:2080
File activity
The process %original file name%.exe:1248 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Главное меню\Программы\Автозагрузка\{897da024-84c6-cb43-f92a-b6a6897da024}.exe (170856 bytes) (the Russian-localized Start Menu\Programs\Startup folder, i.e. a user-level persistence location)
Registry activity
The process {897da024-84c6-cb43-f92a-b6a6897da024}.exe:2596 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Startup" = "%Documents and Settings%\%current user%\Главное меню\Программы\Автозагрузка"
The process {897da024-84c6-cb43-f92a-b6a6897da024}.exe:2504 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Startup" = "%Documents and Settings%\%current user%\Главное меню\Программы\Автозагрузка"
The process %original file name%.exe:1248 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Startup" = "%Documents and Settings%\%current user%\Главное меню\Программы\Автозагрузка"
The process %original file name%.exe:1724 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Startup" = "%Documents and Settings%\%current user%\Главное меню\Программы\Автозагрузка"
Dropped PE files
There are no dropped PE files.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
The Backdoor installs the following user-mode hooks in WS2_32.dll:
send
The Backdoor installs the following user-mode hooks in ntdll.dll:
DbgUiRemoteBreakin
ZwSetValueKey
NtResumeThread
NtQueryDirectoryFile
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
{897da024-84c6-cb43-f92a-b6a6897da024}.exe:2596
{897da024-84c6-cb43-f92a-b6a6897da024}.exe:2504
%original file name%.exe:1248
%original file name%.exe:1724
- Delete the original Backdoor file.
- Delete or disinfect the following files created/modified by the Backdoor:
%Documents and Settings%\%current user%\Главное меню\Программы\Автозагрузка\{897da024-84c6-cb43-f92a-b6a6897da024}.exe (170856 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 8533 | 12288 | 3.45701 | d7710c14dc529bea7e63831e55260e7d |
.rdata | 16384 | 4177 | 8192 | 2.0181 | 3be4f4fd23cc1ffbc8eee143db178abb |
.data | 24576 | 751 | 4096 | 0.372667 | 758b24e4ffba4fa0d1a1988b2f20fa0c |
.rsrc | 28672 | 4997 | 8192 | 3.02847 | f73aa029f84e5f4474aa229864fdff66 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
yghqlyz.com |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
Strings from Dumps
Explorer.EXE_2080_rwx_01EA0000_0001A000:
0%D$!
URLM
CHROME.Aq
OPERA
PORTUTIL
C:\plug
in.bine
form-url
01234567
\\.\pipe
v=%d.%
d&u=%s&c
=%s&h
http://
%s HTTP/
t: %s
pad.exe
olPort 9
fig.me/
.bin@2b
C:\sw8i.t!
z.com_
URLMON
CHROME.DLL
OPERA.DLL
RAPPORTUTIL
C:\plugin.bin
\tor.bin
HTTP/1.1
Content-Type: application/x-www-form-urlencoded
GET /?lX HTTP/1.1
HOST: %s
User-Agent: %s
POST / HTTP/1.1
Content-Length: %d
\\.\pipe\npSolar
v=%d.%d&u=%s&c=%s&s=%s&w=%d.%d.%d&b=%d
lX.exe
p=%s&h=%s&u=%s&s=lX
.rdata
.text
https://
%d.%d.%d.%d
127.0.0.1
POST %s HTTP/1.0
Host: %s
\notepad.exe
ControlPort 9001
SocksListenAddress 127.0.0.1
SocksPort 9002
http://ipv4.icanhazip.com
http://myip.dnsomatic.com
http://api.exip.org?call=ip
http://ip.comax.fr
http://ip1.dynupdate.no-ip.com
http://ifconfig.me/ip
application/x-www-form-urlencoded
\explorer.exe
set_url
C:\swi.txt
yghqlyz.com
{897da024-84c6-cb43-f92a-b6a6897da024}
elX.exe
Microsoft\Windows\CurrentVersion\Run
Microsoft\Windows NT\CurrentVersion\Windows\run
Microsoft\Windows NT\CurrentVersion\Windows\load
Microsoft\Windows\CurrentVersion\Policies\Explorer\run
Microsoft\Windows NT\CurrentVersion\Winlogon
e\notepad.exe
n.bin
e\explorer.exe
%Documents and Settings%\%current user%\
\{897da024-84c6-cb43-f92a-b6a6897da024}.exe
%Documents and Settings%\%current user%\Application Data\tor.bin
%Documents and Settings%\%current user%\Application Data\torrc
%Documents and Settings%\%current user%\Application Data\{897da024-84c6-cb43-f92a-b6a6897da024}\
%Documents and Settings%\%current user%\Application Data
Explorer.EXE_2080_rwx_02030000_00001000:
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Explorer.EXE_2080_rwx_02080000_00001000:
v=1.1&u=adm&c=MAS1&s={897da024-84c6-cb43-f92a-b6a6897da024}&w=2.5.1&b=32