ThreatExpert Report: Troj/Magania-O, Backdoor:Win32/Farfli.K, Backdoor.Win32.Dedipros, Trojan.Gen..

Visit ThreatExpert web site

Close Report

Submission Summary:

Submission details:

Submission received: 17 August 2012, 01:39:04
Processing time: 7 min 38 sec
Submitted sample:

File MD5: 0x26B470992B2CEDE0B8CEB3F359E60735
File SHA-1: 0xF08630AC3AD1BF055456578BA042008AE059A8AE
Filesize: 112,128 bytes
Alias:

Troj/Magania-O [Sophos]
Backdoor:Win32/Farfli.K [Microsoft]
Backdoor.Win32.Dedipros [Ikarus]

Summary of the findings:

What's been found	Severity Level
Produces outbound traffic.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! The following threat category was identified:

Threat Category	Description
	A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%ProgramFiles%\Common Files\main.dll	104,573 bytes	MD5: 0x181A97644083EFF05D57DD25E854E359 SHA-1: 0x28DD40E87F120A135334DFEC45A4C0B43056F48A	Trojan.Gen [Symantec] Trojan-GameThief.Win32.Magania.evju [Kaspersky Lab] BackDoor-DVB [McAfee] Mal/Behav-010 [Sophos] Backdoor:Win32/Farfli.K [Microsoft] Backdoor.Win32.Zegost [Ikarus]
2	[file and pathname of the sample #1]	112,128 bytes	MD5: 0x26B470992B2CEDE0B8CEB3F359E60735 SHA-1: 0xF08630AC3AD1BF055456578BA042008AE059A8AE	Troj/Magania-O [Sophos] Backdoor:Win32/Farfli.K [Microsoft] Backdoor.Win32.Dedipros [Ikarus]

Note:

%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.

Memory Modifications

There was a new process created in the system:

Process Name	Process Filename	Main Module Size
[filename of the sample #1]	[file and pathname of the sample #1]	118,784 bytes

The following module was loaded into the address space of other process(es):

Module Name	Module Filename	Address Space Details
main.dll	%ProgramFiles%\common files\main.dll	Process name: svchost.exe Process filename: %System%\svchost.exe Address space: 0x5A0000 - 0x5BE000

Notes:

%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

There was a new service created in the system:

Service Name	Display Name	Status	Service Filename
mdmserver	Microsoft Device Managers	"Running"	%System%\svchost.exe -k netsvcs

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MediaResources\msvideo
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MDMSERVER
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MDMSERVER\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MDMSERVER\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mdmserver
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mdmserver\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mdmserver\Security
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mdmserver\Enum
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MediaResources\msvideo
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MDMSERVER
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MDMSERVER\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MDMSERVER\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mdmserver
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mdmserver\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mdmserver\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mdmserver\Enum

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MDMSERVER\0000\Control]

*NewlyCreated* = 0x00000000
ActiveService = "mdmserver"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MDMSERVER\0000]

Service = "mdmserver"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "Microsoft Device Managers"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MDMSERVER]

NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mdmserver\Enum]

0 = "Root\LEGACY_MDMSERVER\0000"
Count = 0x00000001
NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mdmserver\Security]

Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mdmserver\Parameters]

ServiceDll = "%ProgramFiles%\Common Files\main.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mdmserver]

Type = 0x00000120
Start = 0x00000002
ErrorControl = 0x00000001
ImagePath = "%System%\svchost.exe -k netsvcs"
DisplayName = "Microsoft Device Managers"
ObjectName = "LocalSystem"
Description = "Microsoft Device Managers..."
InstallModule = "[file and pathname of the sample #1]"
ConnectGroup = "??????"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MDMSERVER\0000\Control]

*NewlyCreated* = 0x00000000
ActiveService = "mdmserver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MDMSERVER\0000]

Service = "mdmserver"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "Microsoft Device Managers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MDMSERVER]

NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mdmserver\Enum]

0 = "Root\LEGACY_MDMSERVER\0000"
Count = 0x00000001
NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mdmserver\Security]

Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mdmserver\Parameters]

ServiceDll = "%ProgramFiles%\Common Files\main.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mdmserver]

Type = 0x00000120
Start = 0x00000002
ErrorControl = 0x00000001
ImagePath = "%System%\svchost.exe -k netsvcs"
DisplayName = "Microsoft Device Managers"
ObjectName = "LocalSystem"
Description = "Microsoft Device Managers..."
InstallModule = "[file and pathname of the sample #1]"
ConnectGroup = "??????"

The following Registry Values were modified:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]

netsvcs =

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ServiceCurrent]

(Default) =

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceCurrent]

(Default) =

Other details

The following Host Name was requested from a host database:

mxdoo.3322.org

There was registered attempt to establish connection with the remote host. The connection details are:

Remote Host	Port Number
mxdoo.3322.org	8888

Outbound traffic (potentially malicious)

There was an outbound traffic produced on port 8888:

00000000 | 4768 3073 7498 0100 0060 0200 0078 9C75 | Gh0st....`...x.u
00000010 | 51CF 4B02 5110 FEB6 52F3 C721 3A84 DDF6 | Q.K.Q...R..!:...
00000020 | 541E 3A2C C242 F78E 4525 1199 9928 A610 | T.:,.B..E%...(..
00000030 | 29F9 24A3 C382 7658 F050 A087 C043 0441 | ).$...vX.P...C.A
00000040 | 4B49 4144 8297 8E1D 248C 3CA4 F507 7448 | KIAD....$.<...tH
00000050 | 94A0 BF60 9BE7 EEC1 0407 3EE6 CDBC EF9B | ...`......>.....
00000060 | 3733 2FAE EBFA 3900 0B41 2078 1CC0 08F9 | 73/...9..A x....
00000070 | B558 FA70 371A 1357 23D1 3DD1 0B34 3C2E | .X.p7..W#.=..4<.
00000080 | 5C85 5414 9A0E 2C4E 9759 22A0 A222 185C | \.T...,N.Y"..".\
00000090 | AEB3 1226 4CFC 33D1 84C9 6B8F 0271 528D | ...&L.3...k..qR.
000000A0 | F751 5E9B 4097 EA75 A432 E335 3166 D485 | .Q^.@..u.2.51f..
000000B0 | 20A0 EA34 7459 720B FBC9 54E6 2096 5E8E |  ..4tYr...T. .^.
000000C0 | 2463 83CF 0C33 D17C 98D7 9364 AF84 90C6 | $c...3.|...d....
000000D0 | EA41 8DE5 675D 089F 3A20 D5BB 52E3 F2E5 | .A..g]..: ..R...
000000E0 | 81D3 125B 2ACE 7C1A E333 72E1 13E9 783F | ...[*.|..3r...x?
000000F0 | BA4E 7A1A 6CAE E5E0 AD01 E44B 841C F165 | .Nz.l......K...e
00000100 | BFC6 780C 335F A11C 20C3 6B2B 2A93 74FA | ..x.3_.. .k+*.t.
00000110 | B6CB BD38 BF22 E3A4 7747 BBDC 56E1 FE29 | ...8."..wG..V..)
00000120 | 28F3 C4A1 F5EB 9C7B 6B2D 2A1D 82A8 0590 | (......{k-*.....
00000130 | 377B FF15 B2C6 F07D 96D8 54A1 BFA3 574B | 7{.....}..T...WK
00000140 | 2194 822A 6AEC 9AE5 3634 C66B 1D91 BF5F | !..*j...64.k..._
00000150 | 377A F2D3 7FF1 FFA8 53FC C573 648F 1739 | 7z......S..sd..9
00000160 | 85FB 8CF3 58A9 0EEC 6A29 68F4 57B3 1495 | ....X...j)h.W...
00000170 | D48C 0B6E EAD3 47E7 1B9B 1D49 F298 2AB3 | ...n..G....I..*.
00000180 | 1DCA 7DF2 7909 61E2 3FDF D5DE AAAD 8FF6 | ..}.y.a.?.......
00000190 | B0FD FF01 B5A9 8646                     | .......F

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.