GenPack.Generic.Malware.SYdg.49851E96_0778d6b0c6

by malwarelabrobot on December 28th, 2014 in Malware Descriptions.

HEUR:Trojan.Win32.Generic (Kaspersky), GenPack:Generic.Malware.SYd!g.49851E96 (B) (Emsisoft), GenPack:Generic.Malware.SYd!g.49851E96 (AdAware), Trojan-Spy.Win32.Qukart.FD, BankerGeneric.YR (Lavasoft MAS)
Behaviour: Trojan-Spy, Banker, Trojan, Malware


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.



MD5: 0778d6b0c6f2050acb6eaf8fdbe57d12
SHA1: af58630b1d7296e1208d97fa47a786484985472e
SHA256: e056cd9afcf111bfab4157806a2dd1e3668542ca3e3b45c5015cea709d1678bb
SSDeep: 768:ZfYyzXvXNw2GgG/EtGs9JuPRMdXlowSEYJY5zxGZtt8H/iw08X/1H5:VHb/Nw7gWEtIadVBhmf5089
Size: 51712 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2024-04-18 22:06:08
Analyzed on: WindowsXPESX SP3 32-bit


Summary:

Trojan-Spy. Spy program intended for stealing user's confidential data.

Payload

No specific payload has been found.

Process activity

The GenPack creates the following process(es):

%original file name%.exe:2844

The GenPack injects its code into the following process(es):

Kjicmmcl.exe:2796

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process Kjicmmcl.exe:2796 makes changes in the file system.
The GenPack creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\ldpneonc.htm (221 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bkmmeqjl.htm (552 bytes)
%System%\surf.dat (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cjcgngof.htm (207 bytes)

The GenPack deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\ldpneonc.htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bkmmeqjl.htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cjcgngof.htm (0 bytes)

The process %original file name%.exe:2844 makes changes in the file system.
The GenPack creates and/or writes to the following file(s):

%System%\Ohpdhf32.dll (6 bytes)
%System%\Kjicmmcl.exe (102 bytes)

Registry activity

The process Kjicmmcl.exe:2796 makes changes in the system registry.
The GenPack creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4A 15 8E 82 C0 55 5E 25 DD 0A D1 63 87 53 F4 A5"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
"1601" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1601" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"1601" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1601" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = "0"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess]
"BrowseNewProcess" = "yes"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"1601" = "0"

The process %original file name%.exe:2844 makes changes in the system registry.
The GenPack creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1B 27 27 4F 4F 3A A5 76 47 0B 70 83 CC A2 30 C1"

[HKCR\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32]
"(Default)" = "%System%\Ohpdhf32.dll"
"ThreadingModel" = "Apartment"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"Web Event Logger" = "{79FEACFF-FFCE-815E-A900-316290B5B738}"

Dropped PE files

MD5 File path
3f17822b7526b58f1c18a4f5c62e7531 c:\WINDOWS\system32\Kjicmmcl.exe
5103118072cc7fd7c801e0747e9977e0 c:\WINDOWS\system32\Ohpdhf32.dll
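The persistence recorded above is a Shell Service Object: at shell start-up Explorer reads every value under ShellServiceObjectDelayLoad, instantiates each CLSID through COM and thereby loads the InProcServer32 DLL (here %System%\Ohpdhf32.dll, registered under the innocuous-looking name "Web Event Logger") into explorer.exe, with no Run key and no new process to notice. The PowerShell hunt below is an added example, not part of this report or of any Lavasoft tool. It enumerates the SSODL keys in both hives, resolves each CLSID through HKCU and HKLM Classes (HKCR is the merged view and the per-user hive takes precedence, so a CLSID registered there can shadow a legitimate machine-wide one), and flags entries whose DLL is missing, unsigned, or matches the CLSID or MD5 this report recorded. The two constants at the top come from this report; the function and variable names are the example's own.

```powershell
# Added example (not from the Lavasoft report): enumerate ShellServiceObjectDelayLoad
# entries and resolve each CLSID to the DLL that Explorer will load at logon.
# The CLSID and MD5 below are the ones this report recorded for Ohpdhf32.dll.
$KnownBadClsid = '{79FEACFF-FFCE-815E-A900-316290B5B738}'
$KnownBadMd5   = '5103118072CC7FD7C801E0747E9977E0'

$ssodlKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
)
# HKCR merges HKCU\Software\Classes over HKLM\Software\Classes; check the user hive first,
# because that is the one COM activation consults first.
$classRoots = @('HKCU:\Software\Classes\CLSID', 'HKLM:\SOFTWARE\Classes\CLSID')

function Resolve-SsodlEntry {
    param([string]$Name, [string]$Clsid)
    foreach ($root in $classRoots) {
        $inproc = Join-Path $root "$Clsid\InProcServer32"
        if (-not (Test-Path $inproc)) { continue }
        $raw    = (Get-ItemProperty -Path $inproc).'(default)'
        $path   = [Environment]::ExpandEnvironmentVariables([string]$raw)
        $exists = Test-Path -LiteralPath $path
        $sig    = if ($exists) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'n/a' }
        $md5    = if ($exists) { (Get-FileHash -LiteralPath $path -Algorithm MD5).Hash } else { 'n/a' }
        [pscustomobject]@{
            Entry      = $Name
            Clsid      = $Clsid
            ClassRoot  = $root
            Dll        = $path
            Exists     = $exists
            Signature  = $sig
            MD5        = $md5
            Suspicious = ($Clsid -ieq $KnownBadClsid) -or ($md5 -eq $KnownBadMd5) -or
                         (-not $exists) -or ($sig -ne 'Valid')
        }
        return   # first (highest-precedence) registration wins, as it does for COM
    }
    # CLSID listed in SSODL but registered nowhere: dangling, or registered out of band
    [pscustomobject]@{ Entry = $Name; Clsid = $Clsid; ClassRoot = '<none>'; Dll = '<unresolved>';
                       Exists = $false; Signature = 'n/a'; MD5 = 'n/a'; Suspicious = $true }
}

$results = foreach ($key in $ssodlKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath/... provider metadata
        Resolve-SsodlEntry -Name $p.Name -Clsid ([string]$p.Value)
    }
}
$results | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

On a clean machine the only entries are Microsoft-signed shell objects, so anything that is NotSigned, points at a file that no longer exists, or resolves through HKCU\Software\Classes deserves a look even when its CLSID and hash differ from this sample's.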

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 32428 32768 4.9306 f537d294ff3c5892eac246be2ddef3e2
.bss 36864 136112 0 0 d41d8cd98f00b204e9800998ecf8427e
.data 176128 12752 12800 4.18685 7d657d7d2cc8c83204ceb9c4e7c3e40d
.idata 192512 3748 4096 3.5204 708cff90e55fcc1f43ce49fc7ad6f7f4
.aciof 196608 4096 512 1.55733 5feef8bafc608bebf63c900b04113e75

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The following are strings recovered from the memory dump of Kjicmmcl.exe:2796. No network traffic was observed during the run, so the URLs below are embedded in the binary, not servers the sample was seen contacting. Read together, the strings show a form-grabbing banker: an HTML/JavaScript template for a fake login page (the <form ... method="POST">, <input type="edit" ...>, document.%s.submit() and setTimeout strings, consistent with the small Temp\*.htm files that Kjicmmcl.exe:2796 created and then deleted), the webmail and payment hosts it watches for (.yahoo.com, juno.com, .earthlink., signin.ebay., .paypal.com), WinInet cache enumeration (FindFirstUrlCacheEntryA, FindNextUrlCacheEntryA, DeleteUrlCacheEntry), and the ShellServiceObjectDelayLoad, CLSID and "Web Event Logger" names used for persistence. The Internet Settings\Zones\%u "1601" = "0" writes recorded under Registry activity correspond to the "Submit non-encrypted form data" action for zones 0 through 4 being set to allow without a prompt, which removes the warning Internet Explorer would otherwise show when the forged form is posted.

Kjicmmcl.exe_2796:

.text
.data
.idata
.aciof
%System%\dnkk.dll
%System%\surf.dat
%System%\kk32.dll
%System%\kk32.vxd
%System%
hXXp://crutop.nu/index.php
hXXp://crutop.ru/index.php
hXXp://mazafaka.ru/index.php
hXXp://color-bank.ru/index.php
hXXp://asechka.ru/index.php
hXXp://trojan.ru/index.php
hXXp://fuck.ru/index.php
hXXp://goldensand.ru/index.php
hXXp://filesearch.ru/index.php
hXXp://devx.nm.ru/index.php
hXXp://ros-neftbank.ru/index.php
hXXp://lovingod.host.sk/index.php
hXXp://VVV.redline.ru/index.php
hXXp://cvv.ru/index.php
hXXp://hackers.lv/index.php
hXXp://fethard.biz/index.php
hXXp://ldark.nm.ru/index.htm
hXXp://gaz-prom.ru/index.htm
hXXp://promo.ru/index.htm
hXXp://potleaf.chat.ru/index.htm
hXXp://kadet.ru/index.htm
hXXp://cvv.ru/index.htm
hXXp://crutop.nu/index.htm
hXXp://crutop.ru/index.htm
hXXp://mazafaka.ru/index.htm
hXXp://xware.cjb.net/index.htm
hXXp://konfiskat.org/index.htm
hXXp://parex-bank.ru/index.htm
hXXp://kidos-bank.ru/index.htm
hXXp://kavkaz.ru/index.htm
hXXp://fethard.biz/index.htm
CRYPTKEY
ntdll.dll
kernel32.dll
wsock32.dll
user32.dll
`.rdata
@.data
.reloc
.edata
%s\%s
WinExec
KERNEL32.DLL
CRTDLL.DLL
dll.dll
This KEWL STUFF was coded by V. V. PUPKIN, moderator of crutop.nu
Welcome to our forum, Adult Web Masters! hXXp://crutop.nu
AWM, welcome to CRUTOP.NU - HARDCORE/CONTENT/CHILD PORNO/LOLITAS/RAPE
REAL CASH, REAL BITCHEZ - CRUTOP.NU
%s-%s
%s %s
surf.dat
dnkk.dll
kk32.vxd
kk32.dll
%s\%s.exe
%s/Rtdx1%i.htm
%s\Rtdx1%i.dat
%s /C %s
\command.com
%s\command.pif
%s\cmd.exe
%s\cmd.pif
:u
of fraud on our website, we are undertaking a period review of our member accounts.
%ssetTimeout("x()",%u);
%sself.parent.location="%s";
%s<!-- %u -->
%s%u - Microsoft Internet Explorer
\Iexplore.exe
.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess
Software\Microsoft\Windows\CurrentVersion\Internet Settings
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u
%ssetTimeout("z()",%u);
%sdocument.%s.submit();
%s<input type="edit" value='%s' name='%s%u'><br>
%s<input type="edit" value='%s' name='%s'><br>
%s<form action="%s" method="POST" name="%s">
%s<title>%s%u</title>
%s<!-- %.2u -->
%s%c%c
Web Event Logger
Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
CLSID\%s\InProcServer32
%s\%s.dll
{79FEACFF-FFCE-815E-A900-316290B5B738}
TXT: '%s'
%s %X%c
%s FORM_%X
.yahoo.com
webmail.juno.com
my.juno.com/s/
.juno.com
.earthlink.
signin.ebay.
.paypal.com
DeleteUrlCacheEntry
FindFirstUrlCacheEntryA
FindNextUrlCacheEntryA
GetWindowsDirectoryA
RegCreateKeyExA
RegCloseKey
RegOpenKeyExA
ole32.DLL
OLEAUT32.DLL
WININET.DLL
USER32.DLL
GDI32.DLL
ADVAPI32.DLL
{9BA05972-F6A8-11CF-A442-00A0C90A8F39}


Remove it with Ad-Aware

  1. Download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:2844
    Kjicmmcl.exe:2796

  2. Delete the original GenPack file.
  3. Delete or disinfect the following files created/modified by the GenPack (the three Temp\*.htm files are the injected pages; the sample deleted them itself after use, so they may already be gone):

    %Documents and Settings%\%current user%\Local Settings\Temp\ldpneonc.htm (221 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\bkmmeqjl.htm (552 bytes)
    %System%\surf.dat (12 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\cjcgngof.htm (207 bytes)
    %System%\Ohpdhf32.dll (6 bytes)
    %System%\Kjicmmcl.exe (102 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry). The persistence this report actually records is a Shell Service Object that Explorer loads at every logon, not a Run entry:

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "Web Event Logger" = "{79FEACFF-FFCE-815E-A900-316290B5B738}"

    and the COM class it refers to:

    [HKCR\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32]
    "(Default)" = "%System%\Ohpdhf32.dll"

    Remove the ShellServiceObjectDelayLoad value before deleting Ohpdhf32.dll, and restart Explorer (or log off) first, since the DLL stays loaded inside explorer.exe until then. The HKCU\Software\Microsoft\Windows\CurrentVersion\Run "ctfmon.exe" entry listed in the original auto-generated instructions is a standard Windows text-services component and does not appear anywhere in the registry activity above; leave it in place.

  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
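The manual steps above as a single PowerShell script, added here as an example and not a Lavasoft tool. The file names, CLSID and registry paths are the ones this report records; the -Commit switch, the preview mode and the variable names are the example's own. Run it from an elevated prompt; without -Commit every destructive cmdlet runs with -WhatIf and only prints what it would do.

```powershell
# Added example (not from the Lavasoft report): scripted cleanup of the artefacts this
# report records for GenPack.Generic.Malware.SYdg.49851E96. Preview unless -Commit is given.
param([switch]$Commit)

$sys     = [Environment]::GetFolderPath('System')   # %System%, normally C:\Windows\system32
$clsid   = '{79FEACFF-FFCE-815E-A900-316290B5B738}'
$dropped = @("$sys\Kjicmmcl.exe", "$sys\Ohpdhf32.dll", "$sys\surf.dat")
$preview = @{ WhatIf = (-not $Commit) }              # splatted onto every destructive cmdlet

# 1. Stop the dropped executable. The sandbox ran the dropper as %original file name%.exe;
#    on a real host it carries whatever name the user downloaded it under, so kill that by hand.
Get-Process -Name Kjicmmcl -ErrorAction SilentlyContinue | Stop-Process -Force @preview

# 2. Remove the SSODL persistence value and the CLSID registration it points at. The report
#    shows them under HKLM and HKCR; HKCU is checked as well because HKCR is a merged view.
foreach ($hive in 'HKLM:', 'HKCU:') {
    $ssodl = "$hive\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"
    if (Test-Path $ssodl) {
        $entry = Get-ItemProperty -Path $ssodl
        foreach ($p in $entry.PSObject.Properties) {
            if ($p.Name -notlike 'PS*' -and (([string]$p.Value) -ieq $clsid)) {
                Remove-ItemProperty -Path $ssodl -Name $p.Name @preview
            }
        }
    }
    $classes = "$hive\Software\Classes\CLSID\$clsid"
    if (Test-Path $classes) { Remove-Item -Path $classes -Recurse @preview }
}

# 3. Delete the dropped files. Ohpdhf32.dll is loaded inside explorer.exe through SSODL, so
#    the delete fails with a sharing violation unless Explorer is stopped first.
if ($Commit) {
    Get-Process -Name explorer -ErrorAction SilentlyContinue | Stop-Process -Force
    Start-Sleep -Seconds 2
}
foreach ($f in $dropped) {
    if (Test-Path -LiteralPath $f) { Remove-Item -LiteralPath $f -Force @preview }
}
if ($Commit -and -not (Get-Process -Name explorer -ErrorAction SilentlyContinue)) {
    Start-Process explorer.exe
}

# 4. Not touched on purpose: HKCU\...\Run "ctfmon.exe" is a standard Windows text-services
#    component and this report shows no change to it. The Temp\*.htm pages were deleted by
#    the sample itself, so they are not listed above.
```

The Internet Settings\Zones\N "1601" values the sample changed are left alone too: the script has no record of what they were before infection, and resetting security-zone policy is a per-organisation decision better handled by group policy than by a cleanup script.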
