ThreatExpert Report: Trojan-Downloader.BAT.Agent.kr, Trojan-Downloader, Troj/Banloa-IP..

Visit ThreatExpert web site

Close Report

Submission Summary:

Submission details:

Submission received: 14 August 2012, 03:13:50
Processing time: 8 min 47 sec
Submitted sample:

File MD5: 0xA1D2A281980FDD75546557A9BA6DE0A6
File SHA-1: 0xFC787BEEE1F58300538724180C53863E66074D08
Filesize: 701,242 bytes
Alias:

Trojan-Downloader.BAT.Agent.kr [Kaspersky Lab]
Trojan-Downloader [Ikarus]

Summary of the findings:

What's been found	Severity Level
Downloads/requests other files from Internet.

Technical Details:

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%Temp%\2.tmp\jeovahjireh.bat %Temp%\B.tmp\jeovahjireh.bat	11,237 bytes	MD5: 0x7095AA116E1A3D0224A2BFCB1785C36E SHA-1: 0xB9A0F66520EE852F4D0E0A3D4AD56E70CFFD76AF	Trojan-Downloader.BAT.Agent.kr [Kaspersky Lab] Troj/Banloa-IP [Sophos]
2	%Temp%\certadm.dll	85,504 bytes	MD5: 0xAED39116FE12C5550975043DA1D1B244 SHA-1: 0xED8AA12A00E93C1A477F4EF69864948B4014A7FB	(not available)
3	%Temp%\certnew.cer	1,134 bytes	MD5: 0x2B742FEB1883EE5CB418B1CBAB145A7D SHA-1: 0xE52ACF59C89A37BD7601CC19E7E1076B813BF2A8	(not available)
4	%Temp%\certutil.exe	569,344 bytes	MD5: 0x711DB2EF10B6C2AB2080698AEC6C6D08 SHA-1: 0x5746C14FE1790A18B76CC9833F93BC72937ACA72	(not available)
5	%Temp%\givetome.exe	61,440 bytes	MD5: 0x6D2C398E03397C9D089EDC0F00AB3FCB SHA-1: 0x57D92E2F61DC613774DB1EF8E5088CA57F34C6C6	(not available)
6	%Temp%\jeovahjireh.exe	37,888 bytes	MD5: 0x0B2BF362548B244477D9FFB613AF54D4 SHA-1: 0x7F599290460BEC64324785E01602532D7EB5C793	Trojan-Downloader.BAT.Agent.kr [Kaspersky Lab] Trojan-Downloader [Ikarus] packed with UPX [Kaspersky Lab]
7	%Temp%\msavc.exe	125 bytes	MD5: 0x7C5F5A68051F6B0C0E9A2AD33C40D415 SHA-1: 0x120865765927A61AF83F02B83DC297EEDE61EC41	(not available)
8	%Temp%\%UserName%.dll	3 bytes	MD5: 0xDFDA6361A5637A57CBFFD42F1749EF5F SHA-1: 0x9356278188DD05B4D6B59FDE1520F21A88E926D1	(not available)
9	%Temp%\xhuahushbnnmf.dat.dat	519 bytes	MD5: 0x6A15E1505E8E25160F1A30FFCCAB6F53 SHA-1: 0x4A7BD58AB42A863F889BEF5186EE1B030837422A	(not available)
10	%Windir%\certutil.log	1,441 bytes	MD5: 0x5DB14959737C15EC7F191E06E35803A1 SHA-1: 0x2A7EB7211C9DD5AD9C163D5BD555B341779F34C1	(not available)
11	[file and pathname of the sample #1]	701,242 bytes	MD5: 0xA1D2A281980FDD75546557A9BA6DE0A6 SHA-1: 0xFC787BEEE1F58300538724180C53863E66074D08	Trojan-Downloader.BAT.Agent.kr [Kaspersky Lab] Trojan-Downloader [Ikarus]

Notes:

%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

The following directories were created:

%Temp%\B.tmp
%Temp%\2.tmp

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
jeovahjireh.exe	%Temp%\jeovahjireh.exe	106,496 bytes
givetome.exe	%Temp%\givetome.exe	65,536 bytes
certutil.exe	%Temp%\certutil.exe	585,728 bytes
[filename of the sample #1]	[file and pathname of the sample #1]	462,848 bytes

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\D76CA9BF52127E241D4FE620C92FE5CC6E5B8EEE
HKEY_CURRENT_USER\Software\WinRAR SFX

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\D76CA9BF52127E241D4FE620C92FE5CC6E5B8EEE]

Blob = 03 00 00 00 01 00 00 00 14 00 00 00 D7 6C A9 BF 52 12 7E 24 1D 4F E6 20 C9 2F E5 CC 6E 5B 8E EE 20 00 00 00 01 00 00 00 0F 03 00 00 30 82 03 0B 30 82 01 F3 A0 03 02 01 02 02 10 48 1B 0C AA 89 D6 85 B0 42 79 B0 03 E7 E7 79 5C 30 0D 06 09 2A 86 48 86 F

[HKEY_CURRENT_USER\Software\WinRAR SFX]

C%%DOCUME~1%%UserName%%LOCALS~1%Temp% = "%Temp%\"

Other details

To mark the presence in the system, the following Mutex object was created:

_SHuassist.mtx

The following Internet Connection was established:

Server Name	Server Port	Connect as User	Connection Password
216.17.106.2	80	(null)	(null)

The following GET request was made:

~comprapr/KLJAWEIUIJN92838921JAS.JIP

Downloaded File Summary:

Download details:

Download retrieved: 14 August 2012 03:22:37
Processing time: 8 min 31 sec
Downloaded sample:

File MD5: 0xB99A6FF84E4404488D789F5D56593735
File SHA-1: 0x830ACB906EA3998B4C9E9208FF9A2E646D4ABAB1
Filesize: 867,840 bytes
Alias:

Trojan-FakeAV.Win32.Agent.rpd [Kaspersky Lab]
Trojan.Win32.FakeAV [Ikarus]

Summary of the findings:

What's been found	Severity Level
Downloads/requests other files from Internet.

Technical Details:

File System Modifications

The following file was created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	[file and pathname of the sample #1]	867,840 bytes	MD5: 0xB99A6FF84E4404488D789F5D56593735 SHA-1: 0x830ACB906EA3998B4C9E9208FF9A2E646D4ABAB1	Trojan-FakeAV.Win32.Agent.rpd [Kaspersky Lab] Trojan.Win32.FakeAV [Ikarus]

The following directory was created:

%AppData%\Microsoft\%ComputerName%

Note:

%AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.

Memory Modifications

There was a new process created in the system:

Process Name	Process Filename	Main Module Size
[filename of the sample #1]	[file and pathname of the sample #1]	3,452,928 bytes

Other details

To mark the presence in the system, the following Mutex objects were created:

MutexNPA_UnitVersioning_156
NGV3R1Jipa

The following Host Names were requested from a host database:

192.5.5.241
www.snv1r1.net

There was registered attempt to establish connection with the remote host. The connection details are:

Remote Host	Port Number
50.23.106.84	80

The following HTTP URL was started reading:

http://50.23.106.84/DELIVERY/18404213.php

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.