Backdoor.Win32.Caphaw_QKKBAL_6ab1881ee2

by malwarelabrobot on June 15th, 2014 in Malware Descriptions.

HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Variant.Barys.12511 (B) (Emsisoft), Gen:Variant.Barys.12511 (AdAware), GenericInjector.YR, BackdoorCaphaw_QKKBAL.YR, TrojanPSWZbot.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan, Backdoor


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 6ab1881ee292b0b12e1535be828a25c1
SHA1: 4f505866d4c6e180890643843ce51a3c61f13f98
SHA256: 16583b809479500942c987e2235870ee018dc835bc341aff3f5bdcd8630c6150
SSDeep: 12288:AwSIoMjoYps9KLZX0iIWb6Oan20w3EUXcgHaea L:BOMjBpsUXhe320W5Xqea
Size: 429056 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Applications Install
Created at: 2014-06-05 10:56:49
Analyzed on: WindowsXP SP3 32-bit


Summary:

Backdoor: malware that enables remote control of the victim's machine.

Payload

No specific payload has been found.

Process activity

The Backdoor creates the following process(es):

wscript.exe:1836
buzif.exe:1672
System:4
tmp.exe:320
%original file name%.exe:1076
.exe:1112

The Backdoor injects its code into the following process(es):
No processes have been created.

File activity

The process System:4 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

\Device\HarddiskVolume1\$Directory (552 bytes)

The process tmp.exe:320 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\tmp17520219.bat (213 bytes)
%Documents and Settings%\%current user%\Application Data\Toqy\buzif.exe (141 bytes)

The process %original file name%.exe:1076 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\mata2.bat (49 bytes)
%System%\drivers\etc\hosts (216 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\mata.bat (47 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ .exe (35 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\rundll32-.txt (2321 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\invs.vbs (78 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp.exe (141 bytes)

The Backdoor deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\mata2.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\mata.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\rundll32-.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\invs.vbs (0 bytes)

Registry activity

The process wscript.exe:1836 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "93 7B 94 29 A5 E4 33 07 91 27 F9 F0 DF 96 A8 CE"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"mata2.bat" = "mata2"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Backdoor modifies IE security-zone settings to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Backdoor modifies IE security-zone settings to map all local hosts whose names contain no dots, and which are not assigned to any zone, to the Intranet Zone:

"UNCAsIntranet" = "1"

The Backdoor modifies IE security-zone settings to map all hosts that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process buzif.exe:1672 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3E EB 80 D0 4E 78 0C 8D 65 A1 6B B7 B9 3E DA 08"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Ukyzs]
"Uteb" = "DE FC 0C 90 BA 55 AE C7 24 9A 3E D3 CB 6E 42 F4"

The process tmp.exe:320 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CC 7A 9D 65 F7 DE 4B 5F DF 6A 20 57 79 91 92 88"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Ukyzs]
"Uteb" = "DE FC 0C 90 BA 55 AE C7 24 9A 3E D3 CB 6E 42 F4"

The process %original file name%.exe:1076 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A5 00 07 B0 2B AC 54 3B D8 FC 0E 32 34 EE B4 2C"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"LangID" = "09 04"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Local Settings\Temp]
"tmp.exe" = "tmp"

[HKCU\Software\Microsoft\Ukyzs]
"Uteb" = "DE FC 0C 90 BA 55 AE C7 24 9A 3E D3 CB 6E 42 F4"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Local Settings\Temp]
"mata.bat" = "mata"

The Backdoor adds a reference to itself so that it is executed when a user logs on:

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "%Documents and Settings%\%current user%\Local Settings\Temp\file.exe"

The Backdoor modifies IE security-zone settings to map all hosts that bypass the proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Backdoor modifies IE security-zone settings to map all local hosts whose names contain no dots, and which are not assigned to any zone, to the Intranet Zone:

"UNCAsIntranet" = "1"

The Backdoor modifies IE security-zone settings to map all URLs to the Intranet Zone:

"IntranetName" = "1"

The Backdoor deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%System%]
"SHELL32.dll,-8964"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@shdoclc.dll,-880"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\D:]
"Procmon.exe"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%System%]
"SHELL32.dll,-9227"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"cmd.exe"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\D:]
"sandbox_svc.exe"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%System%]
"SHELL32.dll,-9217"
"SHELL32.dll,-9216"

The process .exe:1112 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E5 3E 65 8D 50 31 3A AC 84 29 6A 1F 6B 51 28 37"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

Dropped PE files

MD5 File path
9c84359b82628501947bbaf8ef4edc38 c:\Documents and Settings\"%CurrentUserName%"\Application Data\Toqy\buzif.exe
e0d21bee6dae44a7c6e1896d7a8c7463 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\ .exe

HOSTS file anomalies

The Backdoor modifies the "%System%\drivers\etc\hosts" file, which is used to map host names to IP addresses before any DNS lookup is made.
The modified file is 216 bytes in size. The following entries are added to the hosts file:

127.0.0.1 www.website.com
127.0.0.1 www.website.com
127.0.0.1 www.website.com
127.0.0.1 www.website.com
127.0.0.1 www.website.com
127.0.0.1 www.website.com
127.0.0.1 www.website.com
127.0.0.1 www.website.com


Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: sitauktrading
Product Name: sitauktrading
Product Version: 1.0.0.0
Legal Copyright: 4877328
Legal Trademarks: sitauktrading
Original Filename: force.exe
Internal Name: force.exe
File Version: 1.0
File Description: invoice
Comments: Þscription%
Language: Language Neutral

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.rsrc 8192 5336 5632 3.00761 39b818676c1d76546f5c92ea263c8844
.text 16384 422328 422400 5.25877 bb9744b9674dc4744b2e4a04da064d74
.reloc 442368 12 512 0.084755 707b6b5c76c568b412a254fa89d20621

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Backdoor connects to the servers at the following location(s):

Strings from Dumps were not found.


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    wscript.exe:1836
    buzif.exe:1672
    System:4
    tmp.exe:320
    %original file name%.exe:1076
    .exe:1112

  2. Delete the original Backdoor file.
  3. Delete or disinfect the following files created/modified by the Backdoor:

    \Device\HarddiskVolume1\$Directory (552 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\tmp17520219.bat (213 bytes)
    %Documents and Settings%\%current user%\Application Data\Toqy\buzif.exe (141 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\mata2.bat (49 bytes)
    %System%\drivers\etc\hosts (216 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\mata.bat (47 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ .exe (35 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\rundll32-.txt (2321 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\invs.vbs (78 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\tmp.exe (141 bytes)

  4. Remove the references to the Backdoor by modifying the following registry value(s) (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "Shell" = "%Documents and Settings%\%current user%\Local Settings\Temp\file.exe"

  5. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
    127.0.0.1 localhost
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.