Skip to main content

Backdoor.Win32.Napolar.vn_bc14507891


Backdoor.Win32.Napolar.vn (Kaspersky)Behaviour: Backdoor

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: bc14507891da9a9592edce81f6cd9311

SHA1: 84cd506cb055411f5a503950534e1b2c9bdf3987

SHA256: b57c89235d7c7f59f3fed8f26df30181d3c9db01affae55eb5de79c40ae77203

SSDeep: 3072:PAycG/885J4Mqpx srgvuCZdyhAFTmqwIdtOccwEjAWkj:TFq1xfcvdZkKhmkgV8

Size: 170856 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: UPolyXv05_v6, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171

Company: no certificate found

Created at: 2014-03-27 19:57:58

Analyzed on: WindowsXP SP3 32-bit

Summary: Backdoor. Malware that enables a remote control of victim's machine.

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Backdoor creates the following process(es):

{897da024-84c6-cb43-f92a-b6a6897da024}.exe:2596
{897da024-84c6-cb43-f92a-b6a6897da024}.exe:2504
%original file name%.exe:1248
%original file name%.exe:1724

The Backdoor injects its code into the following process(es):

Explorer.EXE:2080

File activity

The process %original file name%.exe:1248 makes changes in the file system.


The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Главное меню\Программы\Автозагрузка\{897da024-84c6-cb43-f92a-b6a6897da024}.exe (170856 bytes)

Registry activity

The process {897da024-84c6-cb43-f92a-b6a6897da024}.exe:2596 makes changes in the system registry.


The Backdoor creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Startup" = "%Documents and Settings%\%current user%\Главное меню\Программы\Автозагрузка"

The process {897da024-84c6-cb43-f92a-b6a6897da024}.exe:2504 makes changes in the system registry.


The Backdoor creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Startup" = "%Documents and Settings%\%current user%\Главное меню\Программы\Автозагрузка"

The process %original file name%.exe:1248 makes changes in the system registry.


The Backdoor creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Startup" = "%Documents and Settings%\%current user%\Главное меню\Программы\Автозагрузка"

The process %original file name%.exe:1724 makes changes in the system registry.


The Backdoor creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Startup" = "%Documents and Settings%\%current user%\Главное меню\Программы\Автозагрузка"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

The Backdoor installs the following user-mode hooks in WS2_32.dll:

send

The Backdoor installs the following user-mode hooks in ntdll.dll:

DbgUiRemoteBreakin
ZwSetValueKey
NtResumeThread
NtQueryDirectoryFile

Propagation

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    {897da024-84c6-cb43-f92a-b6a6897da024}.exe:2596
    {897da024-84c6-cb43-f92a-b6a6897da024}.exe:2504
    %original file name%.exe:1248
    %original file name%.exe:1724

  3. Delete the original Backdoor file.
  4. Delete or disinfect the following files created/modified by the Backdoor:

    %Documents and Settings%\%current user%\Главное меню\Программы\Автозагрузка\{897da024-84c6-cb43-f92a-b6a6897da024}.exe (170856 bytes)

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

No information is available.

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text40968533122883.45701d7710c14dc529bea7e63831e55260e7d
.rdata16384417781922.01813be4f4fd23cc1ffbc8eee143db178abb
.data2457675140960.372667758b24e4ffba4fa0d1a1988b2f20fa0c
.rsrc28672499781923.02847f73aa029f84e5f4474aa229864fdff66

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL IP
yghqlyz.com

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Map

Strings from Dumps

Explorer.EXE_2080_rwx_01EA0000_0001A000:

0%D$!

0%D$!

URLM

URLM

CHROME.Aq

CHROME.Aq

OPERA

OPERA

PORTUTIL

PORTUTIL

C:\plug

C:\plug

in.bine

in.bine

form-url

form-url

01234567

01234567

\\.\pipe

\\.\pipe

v=%d.%

v=%d.%

d&u=%s&c

d&u=%s&c

=%s&h

=%s&h

http://

http://

%s HTTP/

%s HTTP/

t: %s

t: %s

pad.exe

pad.exe

olPort 9

olPort 9

fig.me/

fig.me/

.bin@2b

.bin@2b

C:\sw8i.t!

C:\sw8i.t!

z.com_

z.com_

URLMON

URLMON

CHROME.DLL

CHROME.DLL

OPERA.DLL

OPERA.DLL

RAPPORTUTIL

RAPPORTUTIL

C:\plugin.bin

C:\plugin.bin

\tor.bin

\tor.bin

HTTP/1.1

HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Content-Type: application/x-www-form-urlencoded

GET /?lX HTTP/1.1

GET /?lX HTTP/1.1

HOST: %s

HOST: %s

User-Agent: %s

User-Agent: %s

POST / HTTP/1.1

POST / HTTP/1.1

Content-Length: %d

Content-Length: %d

\\.\pipe\npSolar

\\.\pipe\npSolar

v=%d.%d&u=%s&c=%s&s=%s&w=%d.%d.%d&b=%d

v=%d.%d&u=%s&c=%s&s=%s&w=%d.%d.%d&b=%d

lX.exe

lX.exe

p=%s&h=%s&u=%s&s=lX

p=%s&h=%s&u=%s&s=lX

.rdata

.rdata

.text

.text

https://

https://

%d.%d.%d.%d

%d.%d.%d.%d

127.0.0.1

127.0.0.1

POST %s HTTP/1.0

POST %s HTTP/1.0

Host: %s

Host: %s

\notepad.exe

\notepad.exe

ControlPort 9001

ControlPort 9001

SocksListenAddress 127.0.0.1

SocksListenAddress 127.0.0.1

SocksPort 9002

SocksPort 9002

http://ipv4.icanhazip.com

http://ipv4.icanhazip.com

http://myip.dnsomatic.com

http://myip.dnsomatic.com

http://api.exip.org?call=ip

http://api.exip.org?call=ip

http://ip.comax.fr

http://ip.comax.fr

http://ip1.dynupdate.no-ip.com

http://ip1.dynupdate.no-ip.com

http://ifconfig.me/ip

http://ifconfig.me/ip

application/x-www-form-urlencoded

application/x-www-form-urlencoded

\explorer.exe

\explorer.exe

set_url

set_url

C:\swi.txt

C:\swi.txt

yghqlyz.com

yghqlyz.com

{897da024-84c6-cb43-f92a-b6a6897da024}

{897da024-84c6-cb43-f92a-b6a6897da024}

elX.exe

elX.exe

Microsoft\Windows\CurrentVersion\Run

Microsoft\Windows\CurrentVersion\Run

Microsoft\Windows NT\CurrentVersion\Windows\run

Microsoft\Windows NT\CurrentVersion\Windows\run

Microsoft\Windows NT\CurrentVersion\Windows\load

Microsoft\Windows NT\CurrentVersion\Windows\load

Microsoft\Windows\CurrentVersion\Policies\Explorer\run

Microsoft\Windows\CurrentVersion\Policies\Explorer\run

Microsoft\Windows NT\CurrentVersion\Winlogon

Microsoft\Windows NT\CurrentVersion\Winlogon

e\notepad.exe

e\notepad.exe

n.bin

n.bin

e\explorer.exe

e\explorer.exe

%Documents and Settings%\%current user%\

%Documents and Settings%\%current user%\

\{897da024-84c6-cb43-f92a-b6a6897da024}.exe

\{897da024-84c6-cb43-f92a-b6a6897da024}.exe

%Documents and Settings%\%current user%\Application Data\tor.bin

%Documents and Settings%\%current user%\Application Data\tor.bin

%Documents and Settings%\%current user%\Application Data\torrc

%Documents and Settings%\%current user%\Application Data\torrc

%Documents and Settings%\%current user%\Application Data\{897da024-84c6-cb43-f92a-b6a6897da024}\

%Documents and Settings%\%current user%\Application Data\{897da024-84c6-cb43-f92a-b6a6897da024}\

%Documents and Settings%\%current user%\Application Data

%Documents and Settings%\%current user%\Application Data

Explorer.EXE_2080_rwx_02030000_00001000:

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Explorer.EXE_2080_rwx_02080000_00001000:

v=1.1&u=adm&c=MAS1&s={897da024-84c6-cb43-f92a-b6a6897da024}&w=2.5.1&b=32

v=1.1&u=adm&c=MAS1&s={897da024-84c6-cb43-f92a-b6a6897da024}&w=2.5.1&b=32