ThreatExpert Report: Trojan.Dropper, Packed.Win32.Krap.c, Downloader-ASH.gen.g, Mal/EncPk-GT..

Visit ThreatExpert web site

Close Report

Submission Summary:

Submission details:

Submission received: 13 August 2012, 09:02:35
Processing time: 7 min 42 sec
Submitted sample:

File MD5: 0x6591831CAF499A2E33A2950166F45C2F
File SHA-1: 0x270085BE6DAF8DCC50498A345BCD4A287FDB008D
Filesize: 86,392 bytes
Alias:

Trojan.Dropper [Symantec]
Packed.Win32.Krap.c [Kaspersky Lab]
Downloader-ASH.gen.g [McAfee]
Mal/EncPk-GT [Sophos]
Backdoor:Win32/Farfli.K [Microsoft]
Trojan.Win32.Hiloti [Ikarus]

Summary of the findings:

What's been found	Severity Level
Produces outbound traffic.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! The following threat categories were identified:

Threat Category	Description
	A keylogger program that can capture all user keystrokes (including confidential details such username, password, credit card number, etc.)
	A malicious backdoor trojan that runs in the background and allows remote access to the compromised system
	A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%System%\bits.dll	53,522 bytes	MD5: 0xDE6AAC383E414E361295EE7370BF63BD SHA-1: 0xD72F5E43C8548827E89B05F103741FE992F196FB	Backdoor.Trojan [Symantec] Trojan-Spy.Win32.Batton.aj [Kaspersky Lab] Backdoor:Win32/Zegost.Q [Microsoft] Trojan.Win32.Agent [Ikarus] packed with PE_Patch.RLPack [Kaspersky Lab]
2	[file and pathname of the sample #1]	86,392 bytes	MD5: 0x6591831CAF499A2E33A2950166F45C2F SHA-1: 0x270085BE6DAF8DCC50498A345BCD4A287FDB008D	Trojan.Dropper [Symantec] Packed.Win32.Krap.c [Kaspersky Lab] Downloader-ASH.gen.g [McAfee] Mal/EncPk-GT [Sophos] Backdoor:Win32/Farfli.K [Microsoft] Trojan.Win32.Hiloti [Ikarus]

Note:

%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

Memory Modifications

There was a new process created in the system:

Process Name	Process Filename	Main Module Size
[filename of the sample #1]	[file and pathname of the sample #1]	80,949 bytes

The following module was loaded into the address space of other process(es):

Module Name	Module Filename	Address Space Details
bits.dll	%System%\bits.dll	Process name: svchost.exe Process filename: %System%\svchost.exe Address space: 0xA90000 - 0xAC2E68

The following system service was modified:

Service Name	Display Name	New Status	Service Filename
BITS	Background Intelligent Transfer Service	"Running"	%System%\svchost.exe -k netsvcs

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MediaResources\msvideo
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MediaResources\msvideo
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services

The following Registry Values were modified:

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ServiceCurrent]

(Default) =

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceCurrent]

(Default) =

Other details

Analysis of the file resources indicate the following possible country of origin:

China

To mark the presence in the system, the following Mutex object was created:

+Pf8+P35rq6vvLGxsLC8/fAFqLGxsLCe

The following Host Names were requested from a host database:

192.5.5.241
jinjok001.3322.org

There was registered attempt to establish connection with the remote host. The connection details are:

Remote Host	Port Number
jinjok001.3322.org	3322

Outbound traffic (potentially malicious)

There was an outbound traffic produced on port 3322:

00000000 | 4768 3073 7482 0100 0048 0200 0078 9C4D | Gh0st....H...x.M
00000010 | 515D 2843 6118 7EBE F989 6345 A2A4 A529 | Q](Ca.~...cE...)
00000020 | 69A9 2D93 13B7 B81D 5676 31E3 8264 250D | i.-.....Vv1..d%.
00000030 | 93BF 8B53 6772 23A5 9656 2CD7 CAB9 7347 | ...Sgr#..V,...sG
00000040 | A15C 38B5 4B25 77BB 7423 A9C9 8DD4 E2F9 | .\8.K%w.t#......
00000050 | BEB3 B379 4F4F CFFB BDDF F3FE 7CEF 490A | ...yOO......|.I.
00000060 | 1D3E 0134 0020 21A0 011E F20C 96B1 891D | .>.4. !.........
00000070 | AC60 899E 1F51 2CD2 5BA5 3704 54B4 F167 | .`...Q,.[.7.T..g
00000080 | 0DC7 9317 E940 C246 13CF F96E 2BFD 4DF6 | .....@.F...n+.M.
00000090 | 1F69 D863 DDCB 59C6 63BA AA27 F58D 441B | .i.c..Y.c..'..D.
000000A0 | 21EF A49D C51C 6651 0519 97BA B73A 20C9 | !.....fQ.....: .
000000B0 | 2C1F 4655 6E81 2812 C14E 544D 2825 B046 | ,.FUn.(..NTM(%.F
000000C0 | 2A08 47F3 0A39 7B7D B3AB 91F5 3CF8 1425 | *.G..9{}....<..%
000000D0 | CE29 6795 731D 3A69 D89D B355 4F39 9F0C | .)g.s.:i...UO9..
000000E0 | B513 8FA2 56DF A39A 085C B700 26BD 09AC | ....V....\..&...
000000F0 | 2385 0D6C 634B 6D66 8AFB 48D1 73FB 64AB | #..lcKmf..H.s.d.
00000100 | 993A 7271 1B0F 6EAD A7B2 E965 AF81 FE8C | .:rq..n....e....
00000110 | 51E0 9E40 BEFA D0D4 CC37 511D 1D95 DDB8 | Q..@.....7Q.....
00000120 | D64A 4430 C6FA B485 B229 F3DD BBBB 84B3 | .JD0.....)......
00000130 | CFC8 AF8D AFFC 8111 E6BF 1841 0883 1584 | ...........A....
00000140 | A939 79C9 1AB7 E719 43BE E5C7 0B4C DF5B | .9y.....C....L.[
00000150 | 08F2 036C 947A 2D0C CFDB 103D 967A EB29 | ...l.z-....=.z.)
00000160 | D935 F7AE B65F A873 D110 18EF E3CC A17D | .5..._.s.......}
00000170 | E3FF 39C7 37C9 58EE 3D6B 74D1 FF03 5B09 | ..9.7.X.=kt...[.
00000180 | 6A19                                    | j.

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.