Gen.Variant.Graftor.31202_bebdf0a16f
Susp_Dropper (Kaspersky), Gen:Variant.Graftor.31202 (B) (Emsisoft), Gen:Variant.Graftor.31202 (AdAware)
Behaviour: Malware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
| Requires JavaScript enabled! |
|---|
MD5: bebdf0a16fd6142cad8f675330798186
SHA1: 53babc3a8aa374929bc23937c55958f5ef5cf398
SHA256: cf44668e2a2468a335212c5c448605b5479cbe34951dde67d689aff9cf2704d6
SSDeep: 1536: C/zbuaQGdyQuB4K2iuxF0X/DSc90DfhPO7U7Mn3iXc/Du5N: KcdiKK2ikY/DS60jhPOW2iXc/q5N
Size: 97011 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171, UPolyXv05_v6
Company: no certificate found
Created at: 2017-10-01 15:17:12
Analyzed on: Windows7 SP1 32-bit
Summary:
Malware. Malware, short for malicious software, is any software used to disrupt computer operation, gather sensitive information, or gain access to private computer systems.
Payload
No specific payload has been found.
Process activity
The Malware creates the following process(es):
%original file name%.exe:2624
rundll32.exe:3148
The Malware injects its code into the following process(es):
No processes have been created.
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:2624 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\1317740_res.tmp (689 bytes)
The process rundll32.exe:3148 makes changes in the file system.
The Malware deletes the following file(s):
C:\%original file name%.exe (0 bytes)
Registry activity
The process %original file name%.exe:2624 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:
[HKLM\System\CurrentControlSet\services\awdad4545a.Net CLR]
"Load_Path" = "c:\%original file name%.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
"netsvcs" = "AeLookupSvc, CertPropSvc, SCPolicySvc, lanmanserver, gpsvc, IKEEXT, AudioSrv, FastUserSwitchingCompatibility, Ias, Irmon, Nla, Ntmssvc, NWCWorkstation, Nwsapagent, Rasauto, Rasman, Remoteaccess, SENS, Sharedaccess, SRService, Tapisrv, Wmi, WmdmPmSp, TermService, wuauserv, BITS, ShellHWDetection, LogonHours, PCAudit, helpsvc, uploadmgr, iphlpsvc, seclogon, AppInfo, msiscsi, MMCSS, wercplsupport, EapHost, ProfSvc, schedule, hkmsvc, SessionEnv, winmgmt, browser, Themes, BDESVC, AppMgmt, awdad4545a.Net CLR"
[HKLM\System\CurrentControlSet\services\awdad4545a.Net CLR\Parameters]
"ServiceDll" = "C:\Windows\System32\Server.dll"
"seRVicemAIN" = "UCC"
[HKLM\System\CurrentControlSet\services\awdad4545a.Net CLR]
"Description" = "Microft .NET and Windows XP COM Integration with SOAP"
"ConnectGroup" = "3306"
The process rundll32.exe:3148 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:
[HKLM\System\CurrentControlSet\services\awdad4545a.Net CLR]
"Type" = "288"
The Malware deletes the following value(s) in system registry:
[HKLM\System\CurrentControlSet\services\awdad4545a.Net CLR]
"Load_Path"
Dropped PE files
| MD5 | File path |
|---|---|
| 587046e88eb64d4ad157802dc726568d | c:\Windows\System32\Server.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 5626 | 5632 | 4.22822 | a2fcea555366a03d2da16d7cec58f0a8 |
| .rsrc | 12288 | 89696 | 90112 | 4.38005 | b426070271037450db4c37f06b86c411 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
No activity has been detected.
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Web Traffic was not found.
The Malware connects to the servers at the folowing location(s):
.text
`.data
.rsrc
@.reloc
msvcrt.dll
API-MS-Win-Core-ProcessThreads-L1-1-0.dll
KERNEL32.dll
NTDLL.DLL
API-MS-Win-Security-Base-L1-1-0.dll
API-MS-WIN-Service-Core-L1-1-0.dll
API-MS-WIN-Service-winsvc-L1-1-0.dll
RPCRT4.dll
ole32.dll
ntdll.dll
_amsg_exit
RegCloseKey
RegOpenKeyExW
GetProcessHeap
svchost.pdb
version="5.1.0.0"
name="Microsoft.Windows.Services.SvcHost"
<description>Host Process for Windows Services</description>
<requestedExecutionLevel
Software\Microsoft\Windows NT\CurrentVersion\Svchost
Software\Microsoft\Windows NT\CurrentVersion\MgdSvchost
\PIPE\
Host Process for Windows Services
6.1.7600.16385 (win7_rtm.090713-1255)
svchost.exe
Windows
Operating System
6.1.7600.16385
rundll32.exe_3148:
.text
`.data
.rsrc
@.reloc
KERNEL32.dll
USER32.dll
msvcrt.dll
imagehlp.dll
ntdll.dll
?.ulf
.ue9]
ole32.dll
_amsg_exit
_wcmdln
rundll32.pdb
name="Microsoft.Windows.Shell.rundll32"
version="5.1.0.0"
<requestedExecutionLevel level="asInvoker" uiAccess="false"/>
name="Microsoft.Windows.Shell.rundll32"
version="5.1.0.0"
.....eZXnnnnnnnnnnnn3
....eDXnnnnnnnnnnnn3
...eDXnnnnnnnnnnnn,
.eDXnnnnnnnnnnnn,
%Xnnnnnnnnnnnnnnn1
O3$dS7"%U9
.manifest
{00000000-0000-0000-0000-000000000000}\\?\Volume
\\?\UNC\
rundll32.exe
Windows host process (Rundll32)
6.1.7600.16385 (win7_rtm.090713-1255)
RUNDLL32.EXE
Windows
Operating System
6.1.7600.16385
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:2624
rundll32.exe:3148 - Delete the original Malware file.
- Delete or disinfect the following files created/modified by the Malware:
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\1317740_res.tmp (689 bytes)
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
