MD5: 5f2cff16eae1d6b87c01c3f4db42269f
SHA1: 0246976adca5a2b9b78c0d256b3a5150b8861120
SHA256: 5e4f4ed5ac0705d12e0ac8e355996bd11fc8e531bcbe602cc12801d30b9cd45e
SSDeep: 384:zK7E/N/tX4ncfyL01scgYCOrXFQ/uH6vVgmAkO eVg:zK8P4wlI5SVQ/uCveVg
Size: 20992 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Blood White
Created at: 2010-11-06 05:06:34
Analyzed on: WindowsXPESX SP3 32-bit

Summary:

Backdoor. Malware that enables a remote control of victim's machine.

Payload

No specific payload has been found.

Process activity

The Backdoor creates the following process(es):

%original file name%.exe:1592
regedit.exe:452

The Backdoor injects its code into the following process(es):

svchost.exe:508

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:1592 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

C:\RCXB2.tmp (23552 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1844237615-1960408961-1801674531-1003\c5b88721db08c824db69d0bbc702beb8_75ed9567-aa58-4c8e-a8ea-3cad7c47ab03 (44 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\[email protected] (48 bytes)
C:\%original file name%.exe.tmp1 (373 bytes)

The Backdoor deletes the following file(s):

C:\%original file name%.exe.tmp1 (0 bytes)

Registry activity

The process %original file name%.exe:1592 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E1 90 2E D8 2E 7F 59 4C 29 EC C2 16 F3 39 37 75"

The process regedit.exe:452 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AE FC FB 1F 5E 8D 84 ED A2 BE 56 D8 FE 51 76 9C"

To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Netlogon" = "%Documents and Settings%\%current user%\Local Settings\Netlogon.exe"

Dropped PE files

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: Adobe Systems, Inc.
Product Name: Flash? Player Installer/Uninstaller
Product Version: 10,1,53,64
Legal Copyright: Copyright ? 1996-2010 Adobe, Inc.
Legal Trademarks: Adobe? Flash? Player
Original Filename: FlashUtil.exe
Internal Name: Adobe? Flash? Player Installer/Uninstaller 10.1
File Version: 10,1,53,64
File Description: Adobe? Flash? Player Installer/Uninstaller 10.1 r53
Comments:
Language: English (United Kingdom)

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 2
cb6f641748ece725b667597dd1a4a14c
cbaa311d0ebe07dba6b3cf3b9324f18b

URLs

URL	IP
hxxp://71.41.214.210/hggla.php?id=004495111D307928CC
yahoofacebook.345.pl	60.249.95.143

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /hggla.php?id=004495111D307928CC HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Host: 71.41.214.210

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 404 Not Found

Server: thttpd/2.19-MX Mar  4 2013

Content-type: text/html

Date: Mon, 13 Oct 2014 22:25:48 GMT

Last-modified: Mon, 13 Oct 2014 22:25:48 GMT

Accept-Ranges: bytes

Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN".  "h
ttp://VVV.w3.org/TR/html4/loose.dtd">.<html>.<head>.<
;meta http-equiv='X-UA-Compatible' content='IE=EmulateIE9' />.<m
eta http-equiv="Content-Type" content="text/html; charset=UTF-8">.&
lt;meta http-equiv="Content-Script-Type" content="text/javascript">
.<meta http-equiv="Content-Style-Type" content="text/css">.<m
eta name="publisher" content="MOBOTIX AG, Germany">.<meta name="
copyright" content="MOBOTIX AG, Germany">.<link rel="SHORTCUT IC
ON" href="/favicon.ico">.<link rel="apple-touch-icon" href="/app
le-touch-icon.png">.<meta name="author" content="Daniel Kabs, MO
BOTIX AG, Germany">.<link rel="owner" href="mailto:info@mobotix.
com">.<link rel="copyright" href="/about.html" title="Copyright"
>..<style type='text/css'>.body {.   font-family:Helvetica,Ar
ial,sans-serif;.   font-size:80%;.}.pre,textarea { font-family:monospa
ce; }..headtablesmall {  font-size:125%;  }..standard {} /* obsolete *
/..mxSubmitButton {.   width: 110px;.   margin:2px 0;.}..mxErrorMessag
e {.  color:red;.  background-color:yellow;.  font-weight:bold;.  padd
ing:5px;.}..mxFooterWarning {.  padding:5px;.  margin:0;.  background-
color:#DDDDDD;.  color:red;.  font-weight:bold;.}..mxFooterNote {.  pa
dding:5px;.  margin:0;.  background-color:#DDDDDD;.}..mxSubmitbuttonsR
ow {.  background-color:#DDDDDD;.  border-collapse:collapse;.}..mxSubm
itbuttonsRow td {.  padding:5px;.}..mxReadOnly {.  background:#eee
<<< skipped >>>

The Backdoor connects to the servers at the folowing location(s):

.text

`.rdata

@.data

SSh@C@

MFC42.DLL

MSVCRT.dll

_acmdln

WinExec

KERNEL32.dll

USER32.dll

ADVAPI32.dll

HttpQueryInfoA

InternetOpenUrlA

HttpSendRequestA

HttpOpenRequestA

WININET.dll

WS2_32.dll

iphlpapi.dll

SHLWAPI.dll

71.56.69.34

71.41.214.210

yahoofacebook.345.pl

regedit.exe /s

~dfds3.reg

Windows Registry Editor Version 5.00

"%s"="%s"

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

WinHttp

%s.tmp1

[email protected]

hXXp://%s:%d/%s.php?id=d%s&ext=%s

/%s.php?id=d%s&ext=%s

hXXp://%s:%d/%s.php?id=d%s

%c%c%c%c%c

/%s.php?id=d%s

%%temp%%\%u

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Content-Type: application/x-www-form-urlencoded

HTTP/1.1

X-X-X-X-X-X

01-01-01-01-01-01

%c%c%c%c%c%c.exe

svchost.exe_508_rwx_00400000_00005000:

.text

`.rdata

@.data

SSh@C@

MFC42.DLL

MSVCRT.dll

_acmdln

WinExec

KERNEL32.dll

USER32.dll

ADVAPI32.dll

HttpQueryInfoA

InternetOpenUrlA

HttpSendRequestA

HttpOpenRequestA

WININET.dll

WS2_32.dll

iphlpapi.dll

SHLWAPI.dll

71.56.69.34

71.41.214.210

yahoofacebook.345.pl

regedit.exe /s

~dfds3.reg

Windows Registry Editor Version 5.00

"%s"="%s"

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

WinHttp

%s.tmp1

[email protected]

hXXp://%s:%d/%s.php?id=d%s&ext=%s

/%s.php?id=d%s&ext=%s

hXXp://%s:%d/%s.php?id=d%s

%c%c%c%c%c

/%s.php?id=d%s

%%temp%%\%u

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Content-Type: application/x-www-form-urlencoded

HTTP/1.1

X-X-X-X-X-X

01-01-01-01-01-01

%c%c%c%c%c%c.exe

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   %original file name%.exe:1592
   regedit.exe:452
   

2. Delete the original Backdoor file.
   
3. Delete or disinfect the following files created/modified by the Backdoor:
   

   C:\RCXB2.tmp (23552 bytes)
   %Documents and Settings%\%current user%\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1844237615-1960408961-1801674531-1003\c5b88721db08c824db69d0bbc702beb8_75ed9567-aa58-4c8e-a8ea-3cad7c47ab03 (44 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\[email protected] (48 bytes)
   C:\%original file name%.exe.tmp1 (373 bytes)

4. Delete the following value(s) in the autorun key (How to Work with System Registry):
   

   [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   "Netlogon" = "%Documents and Settings%\%current user%\Local Settings\Netlogon.exe"

5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
6. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.