MD5: 07d4c1b98e1a92c11c10817311b178e4
SHA1: fe72d7488f1bf8ad3ca0c1fbbdfe623c209b6fdd
SHA256: 2b24d927004d00c8c21046b1f3584a2e03268357e16425213d341f1418c78fc4
SSDeep: 6144:mLuvICadCpSc3vYlyV09Z8AUiXoxeksYePsuzflRQG:lwyxAs093lC/ekuzN2
Size: 327680 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company: no certificate found
Created at: 2014-06-01 08:28:31
Analyzed on: WindowsXP SP3 32-bit

Summary:

Backdoor. Malware that enables a remote control of victim's machine.

Payload

No specific payload has been found.

Process activity

The Backdoor creates the following process(es):

07d4c1b98e1a92c:420
%original file name%.exe:668

The Backdoor injects its code into the following process(es):

rundll32.exe:156
svchost.exe:2004
iexplore.exe:1560

File activity

The process 07d4c1b98e1a92c:420 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application DataMicrosoft\System\Services\18.exe (1425 bytes)
%System%\drivers\etc\hosts (421 bytes)

The process %original file name%.exe:668 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\sbaD.tmp (11010 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\BYQHfSQ.cfg (1 bytes)
%System%\2622.jpg.exe (4 bytes)
%WinDir%\systm32\win32.exe (1425 bytes)
%System%\2622.jpg (48 bytes)

The Backdoor deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\x.html (0 bytes)

Registry activity

The process 07d4c1b98e1a92c:420 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9D 93 C9 20 64 ED DF 36 AA 85 9B AF 2B F2 6F B5"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"18.exe" = "%Documents and Settings%\%current user%\Application DataMicrosoft\System\Services\18.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"18.exe" = "%Documents and Settings%\%current user%\Application DataMicrosoft\System\Services\18.exe"

The process rundll32.exe:156 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D9 B0 AC 9D 11 5F 39 87 4B 0F F7 A1 12 F3 28 53"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process %original file name%.exe:668 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A4 54 92 4F C6 C0 DE 65 80 C1 9C 8C A2 70 D0 E1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}]
"StubPath" = "%WinDir%\systm32\win32.exe restart"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"shimgvw.dll" = "Windows Picture and Fax Viewer"

[HKCU\Software\BYQHfSQ]
"InstalledServer" = "%WinDir%\systm32\win32.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\BYQHfSQ]
"ServerStarted" = "6/3/2014 6:42:04 AM"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"HKCU" = "%WinDir%\systm32\win32.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HKLM" = "%WinDir%\systm32\win32.exe"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

The Backdoor modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses.
The modified file is 421 bytes in size. The following strings are added to the hosts file listed below:

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: n0XGm
Product Name: k2K0Q
Product Version: 19.47.59.57
Legal Copyright: Xr8x6Q
Legal Trademarks: Tb1r9P0Yc
Original Filename: ghsav5ud.exe
Internal Name: ghsav5ud.exe
File Version: 19.47.59.57
File Description: o3MDx04Zeq
Comments: Kx04Xyc6L
Language: English (United States)

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Backdoor connects to the servers at the folowing location(s):

.text

`.data

.rsrc

ADVAPI32.dll

KERNEL32.dll

NTDLL.DLL

RPCRT4.dll

NETAPI32.dll

ole32.dll

ntdll.dll

RegCloseKey

RegOpenKeyExW

GetProcessHeap

NtOpenKey

svchost.pdb

\PIPE\

Software\Microsoft\Windows NT\CurrentVersion\Svchost

\Registry\Machine\System\CurrentControlSet\Control\SecurePipeServers\

5.1.2600.5512 (xpsp.080413-2111)

svchost.exe

Windows

Operating System

5.1.2600.5512

svchost.exe_2004_rwx_00C80000_0001F000:

.idata

.rdata

P.reloc

P.rsrc

P.xur

Portions Copyright (c) 1999,2003 Avenger by NhT

789:;<&'()* ,-./12345

user32.dll

urlmon.dll

wininet.dll

advapi32.dll

Shell32.dll

shell32.dll

shlwapi.dll

kernel32.dll

GetProcessHeap

oleaut32.dll

RegOpenKeyExW

RegCreateKeyExW

RegCreateKeyW

RegCloseKey

GetWindowsDirectoryW

UnhookWindowsHookEx

SetWindowsHookExW

MapVirtualKeyW

GetKeyboardLayout

GetKeyState

SHDeleteKeyW

FindExecutableW

ShellExecuteW

URLDownloadToFileW

DeleteUrlCacheEntryW

PSAPI.dll

ntdll.dll

GetKeyboardState

FtpPutFileW

FtpSetCurrentDirectoryW

4/4.565>5

55^516;6E6O6Y6

KWindows

UnitKeylogger

=zy%X

nBÞ

:U.Xf

Kernel32.dll

ADVAPI32.dll

RegOpenKeyExA

Software\Microsoft\Windows\CurrentVersion\Explorer

x.html

Software\Microsoft\Windows\CurrentVersion\Run

[Execute]

KeyDelBackspace

XtremeKeylogger

l.xtr

http://

.functions

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

ÞFAULTBROWSER%

\Microsoft\Windows\

svchost.exe

explorer.exe

pepe12.no-ip.biz

win32.exe

{5460C4DF-B266-909E-CB58-E32B79832EB2}

ftp.ftpserver.com

r FTP

ftpuser

Hftppass

%WinDir%\systm32\win32.exe

%WinDir%\systm32\

%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\BYQHfSQ.cfg

Software\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}

iexplore.exe_1560:

%?9-*09,*19}*09

.text

`.data

.rsrc

msvcrt.dll

KERNEL32.dll

NTDLL.DLL

USER32.dll

SHLWAPI.dll

SHDOCVW.dll

Software\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess

IE-X-X

rsabase.dll

System\CurrentControlSet\Control\Windows

dw15 -x -s %u

watson.microsoft.com

IEWatsonURL

%s -h %u

iedw.exe

Iexplore.XPExceptionFilter

jscript.DLL

mshtml.dll

mlang.dll

urlmon.dll

wininet.dll

shdocvw.DLL

browseui.DLL

comctl32.DLL

IEXPLORE.EXE

iexplore.pdb

ADVAPI32.dll

MsgWaitForMultipleObjects

IExplorer.EXE

IIIIIB(II<.Fg

7?_____ZZSSH%

)z.UUUUUUUU

,....Qym

````2```

{.QLQIIIKGKGKGKGKGKG

;33;33;0

8888880

8887080

browseui.dll

shdocvw.dll

6.00.2900.5512 (xpsp.080413-2105)

Windows

Operating System

6.00.2900.5512

iexplore.exe_1560_rwx_00C80000_0001F000:

.idata

.rdata

P.reloc

P.rsrc

P.xur

Portions Copyright (c) 1999,2003 Avenger by NhT

789:;<&'()* ,-./12345

user32.dll

urlmon.dll

wininet.dll

advapi32.dll

Shell32.dll

shell32.dll

shlwapi.dll

kernel32.dll

GetProcessHeap

oleaut32.dll

RegOpenKeyExW

RegCreateKeyExW

RegCreateKeyW

RegCloseKey

GetWindowsDirectoryW

UnhookWindowsHookEx

SetWindowsHookExW

MapVirtualKeyW

GetKeyboardLayout

GetKeyState

SHDeleteKeyW

FindExecutableW

ShellExecuteW

URLDownloadToFileW

DeleteUrlCacheEntryW

PSAPI.dll

ntdll.dll

GetKeyboardState

FtpPutFileW

FtpSetCurrentDirectoryW

4/4.565>5

55^516;6E6O6Y6

KWindows

UnitKeylogger

=zy%X

nBÞ

:U.Xf

Kernel32.dll

ADVAPI32.dll

RegOpenKeyExA

Software\Microsoft\Windows\CurrentVersion\Explorer

x.html

Software\Microsoft\Windows\CurrentVersion\Run

[Execute]

KeyDelBackspace

XtremeKeylogger

l.xtr

http://

.functions

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

ÞFAULTBROWSER%

\Microsoft\Windows\

svchost.exe

explorer.exe

pepe12.no-ip.biz

win32.exe

{5460C4DF-B266-909E-CB58-E32B79832EB2}

ftp.ftpserver.com

r FTP

ftpuser

Hftppass

%WinDir%\systm32\win32.exe

%WinDir%\systm32\

%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\BYQHfSQ.cfg

Software\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}

rundll32.exe_156:

.text

`.data

.rsrc

msvcrt.dll

KERNEL32.dll

NTDLL.DLL

GDI32.dll

USER32.dll

IMAGEHLP.dll

rundll32.pdb

.....eZXnnnnnnnnnnnn3

....eDXnnnnnnnnnnnn3

...eDXnnnnnnnnnnnn,

.eDXnnnnnnnnnnnn,

%Xnnnnnnnnnnnnnnn1

O3$dS7"%U9

.manifest

5.1.2600.5512 (xpsp.080413-2105)

RUNDLL.EXE

Windows

Operating System

5.1.2600.5512

YThere is not enough memory to run the file %s.

Please close other windows and try again.

9The file %s or one of its components could not be opened.

0The file %s or one of its components cannot run.

MThe file %s or one of its components requires a different version of Windows.

UThe file %s or one of its components cannot run in standard or enhanced mode Windows.3Another instance of the file %s is already running./An exception occurred while trying to run "%s"

Error in %s

Missing entry:%s

Error loading %s

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   07d4c1b98e1a92c:420
   %original file name%.exe:668
   

2. Delete the original Backdoor file.
   
3. Delete or disinfect the following files created/modified by the Backdoor:
   

   %Documents and Settings%\%current user%\Application DataMicrosoft\System\Services\18.exe (1425 bytes)
   %System%\drivers\etc\hosts (421 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\sbaD.tmp (11010 bytes)
   %Documents and Settings%\%current user%\Application Data\Microsoft\Windows\BYQHfSQ.cfg (1 bytes)
   %System%\2622.jpg.exe (4 bytes)
   %WinDir%\systm32\win32.exe (1425 bytes)
   

4. Delete the following value(s) in the autorun key (How to Work with System Registry):
   

   [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   "18.exe" = "%Documents and Settings%\%current user%\Application DataMicrosoft\System\Services\18.exe"
   
   [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   "18.exe" = "%Documents and Settings%\%current user%\Application DataMicrosoft\System\Services\18.exe"
   
   [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   "HKCU" = "%WinDir%\systm32\win32.exe"
   
   [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   "HKLM" = "%WinDir%\systm32\win32.exe"

5. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
   127.0.0.1 localhost
   
6. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.