----------------------------------------------------------------------------------------------------
Twitter: @c_APT_ure
Blog:    http://c-apt-ure.blogspot.com/
Email:   toms.security.stuff [at] gmail.com

Main Ponmocup research page:
- http://www9.dyndns-server.com:8080/pub/botnet-links.html

** NEW **  history of Ponmocup botnet domains (added: 2012-02-20)
- history by domain/IP and by the date each was seen accessed

----------------------------------------------------------------------------------------------------

Why is this malware known under so many different names (Ponmocup, Pirminay, Kryptik, Swisyn, Vundo etc.)?
Why aren't the AV companies connecting the dots?

Using one common indicator, the existence or creation of the registry value
HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\6
and/or
HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\6
(a small REG_BINARY value, not a key; its length varies between samples),
I've been finding analysis reports for this same malware from different AV vendors and online malware analysis sites.

Another indicator is a pseudo-random registry key directly under
HKLM\SOFTWARE\[pseudo-random-key]
(usually mirrored under HKCU\SOFTWARE\[pseudo-random-key]), holding a single binary value with a likewise random name.
The key name seems to be consistent amongst systems sharing a certain trait (maybe the same company, domain or similar).
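The three indicators above, written out as a small checker. This is an added example, not code from the original page or from any vendor report: it parses single-line registry-change listings of the kind the McAfee and ssdsandbox reports quoted further down use (HIVE\path\name = data, or name: data as in the greatis report), and flags a sample when the Internet Settings\6 value, a policies\Explorer\Run autostart and a pseudo-random SOFTWARE key with a binary value are all present. The allowlist of legitimate SOFTWARE subkeys, the name-shape check, the "binary or mirrored in both hives" rule for the random key and the "all three present" verdict are my own assumptions; the sample lines are constructed and only reuse key, value and file names that appear in the reports on this page.

```python
"""Flag the Ponmocup registry indicator pattern in sandbox-report lines.

Added example (not from the original page). Parses 'HIVE\\path\\name = data'
lines as produced by McAfee / ssdsandbox style reports and checks for:
  1. ...\CurrentVersion\Internet Settings\6 written in HKCU and/or HKLM
  2. an autostart value under ...\policies\Explorer\Run
  3. a pseudo-random key directly under SOFTWARE holding a binary blob
Thresholds and allowlist below are assumptions, not vendor-stated facts.
"""
import re

HIVE = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU",
        "HKLM": "HKLM", "HKCU": "HKCU"}
HIVE_RE = re.compile(r"^(HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER|HKLM|HKCU)\\(.*)$")
INET_SETTINGS = ["SOFTWARE", "MICROSOFT", "WINDOWS", "CURRENTVERSION", "INTERNET SETTINGS"]
POLICIES_RUN = INET_SETTINGS[:4] + ["POLICIES", "EXPLORER", "RUN"]
# Subkeys that legitimately sit directly under SOFTWARE (assumed, illustrative list).
KNOWN_SOFTWARE_SUBKEYS = {"MICROSOFT", "CLASSES", "POLICIES", "WOW6432NODE", "ODBC", "CLIENTS"}
# Shape of the random key names seen in the reports (XFFNHFHAM, UOSBEU, qrjaslop, ...).
NAME_RE = re.compile(r"^[A-Za-z0-9]{4,12}$")
# "[binary data]", "[REG_BINARY, size: N bytes]" or a hex dump like "7B DA FD ..."
BINARY_RE = re.compile(r"\[binary data\]|REG_BINARY|^(?:[0-9A-Fa-f]{2}\s+){3,}")


def parse_line(line):
    """Split 'HIVE\\a\\b\\name = data' (or 'name: data') into (hive, [a, b, name], data)."""
    m = HIVE_RE.match(line.strip())
    if not m:
        return None                      # not a registry line (file, network, ...)
    rest = m.group(2)
    for sep in (" = ", ": "):
        if sep in rest:
            path, value = rest.split(sep, 1)
            break
    else:
        path, value = rest, ""           # a created key with no data
    comps = [c for c in path.strip().split("\\") if c]
    return HIVE[m.group(1)], comps, value.strip()


def assess(lines):
    """Return the indicators found plus 'match' (True when all three are present)."""
    inet6, run_entries, candidates = set(), [], {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        hive, comps, value = parsed
        up = [c.upper() for c in comps]
        if up[:5] == INET_SETTINGS and len(up) == 6 and up[5] == "6":
            inet6.add(hive)
        elif up[:7] == POLICIES_RUN and len(up) == 8 and value:
            run_entries.append((hive, comps[7], value))
        elif (2 <= len(up) <= 3 and up[0] == "SOFTWARE"
              and up[1] not in KNOWN_SOFTWARE_SUBKEYS and NAME_RE.match(comps[1])):
            c = candidates.setdefault(up[1], {"hives": set(), "binary": False})
            c["hives"].add(hive)
            if value and BINARY_RE.search(value):
                c["binary"] = True
    # A vendor key under SOFTWARE is ordinary; the same random key mirrored in
    # both hives, or one whose content is an opaque blob, is what stands out.
    random_keys = {k: sorted(v["hives"]) for k, v in candidates.items()
                   if len(v["hives"]) == 2 or v["binary"]}
    return {"inet6_hives": sorted(inet6), "run_entries": run_entries,
            "random_keys": random_keys,
            "match": bool(inet6 and run_entries and random_keys)}


# Constructed samples: names reused from the McAfee and ssdsandbox reports below.
MCAFEE_STYLE = r"""
HKEY_CURRENT_USER\SOFTWARE\XFFNHFHAM\
HKEY_LOCAL_MACHINE\SOFTWARE\XFFNHFHAM\
HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\6 = 25489158
HKEY_CURRENT_USER\SOFTWARE\XFFNHFHAM\DFO = [binary data]
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\6 = 25489158
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN\UHOH = %WINDIR%\SYSTEM32\l3codeca5.exe
HKEY_LOCAL_MACHINE\SOFTWARE\XFFNHFHAM\DFO = [binary data]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\CONTROL\SESSION MANAGER\PENDINGFILERENAMEOPERATIONS = \??\%TEMP%\1374189.malware
"""
SSDSANDBOX_STYLE = r"""
HKEY_CURRENT_USER\Software\UOSBEU\VTBGL = [REG_BINARY, size: 50176 bytes]
HKEY_LOCAL_MACHINE\SOFTWARE\UOSBEU\VTBGL = [REG_BINARY, size: 50176 bytes]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\mmghpdlnx = %SystemRoot%\system32\c_12566.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\6 = [REG_BINARY, size: 9 bytes]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\6 = [REG_BINARY, size: 9 bytes]
"""
# Ordinary installer noise (constructed): vendor key, plain Run entry, proxy setting.
BENIGN = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater = C:\Program Files\Vendor\upd.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Vendor\Setting = 1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.txt = txtfile
"""

if __name__ == "__main__":
    for name, report in (("mcafee", MCAFEE_STYLE), ("ssdsandbox", SSDSANDBOX_STYLE), ("benign", BENIGN)):
        print(name, assess(report.splitlines()))
```

Both malicious samples come back with match=True and the benign listing with match=False, because its vendor key lives in one hive only and holds a plain value. Feed it the registry section of any of the reports below to pull out the (random key, Run value name, dropped exe) triple, which is the tuple worth searching on when correlating reports across vendors.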

Here are some Google search queries to find more analysis reports:

site:xml.ssdsandbox.net "SOFTWARE\UOSBEU"       (4'220 hits)
site:mcafee.com "SOFTWARE\XFFNHFHAM"            (3'480 hits)
site:threatexpert.com "SOFTWARE\qrjaslop"       (227 hits)
site:sophos.com "SOFTWARE\zpppmcegc2"           (59 hits)
site:trendmicro.com "SOFTWARE\GHUZPSK"          (24 hits)
site:greatis.com "SOFTWARE\qbyyjp"              (6 hits)

Some AV reports don't list the SOFTWARE registry key, but do include the well-known initial C&C request:
site:securelist.com "gehut4.cn/update/utu.dat"  (354 hits)
site:camas.comodo.com imagehut4.cn              (28 hits)

Over time I found some other great sources of online analysis reports, e.g.
https://web.gsirt.com/TAZERWEB/tazer-MalwareReport-URL-ByHTTPHOST.php?urlhttphost=imagehut4.cn


Below are a number of sample reports from different AV vendors or online malware analysis sites:


----------------------------------------------------------------------------------------------------
http://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=842343#none

Virus Profile: Downloader-CEW.ag!C1B67ED00629
Date Discovered: 	17/02/2012
Date Added: 	17/02/2012
Origin: 	Unknown
Length: 	327123
Type: 	Trojan
Subtype: 	Downloader

File Properties	Property Values
McAfee Detection	Downloader-CEW.ag
Length	327123 bytes
MD5	c1b67ed00629e9c71016d92e8f93aa5e
SHA1	ce9c085c7cd5bc2cf95690723f1c73f888be8bf1

Other Common Detection Aliases

Company Names	Detection Names
avast	Win32:Malware-gen
avira	TR/Crypt.XPACK.Gen3
Microsoft	TrojanDownloader:Win32/Renos.KC
Symantec	Trojan.Gen
Sophos	Troj/Virtum-Gen
Trend Micro	TROJ_DLOADR.SMWQ
vba32	SScope.Trojan.Pirminay.chc

The following files were analyzed:
1374189.malware

The following files have been added to the system:
    %WINDIR%\SYSTEM32\l3codeca5.exe

The following files have been changed:
    %WINDIR%\SYSTEM32\drivers\etc\hosts

The following files were temporarily written to disk then later removed:
    %TEMP%\~unins7359.bat

The following registry elements have been created:
    HKEY_CURRENT_USER\SOFTWARE\XFFNHFHAM\
    HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN\
    HKEY_LOCAL_MACHINE\SOFTWARE\XFFNHFHAM\

The following registry elements have been changed:
    HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\6 = 25489158
    HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\9 = [binary data]
    HKEY_CURRENT_USER\SOFTWARE\XFFNHFHAM\DFO = [binary data]
    HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\6 = 25489158
    HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\9 = [binary data]
    HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN\UHOH = %WINDIR%\SYSTEM32\l3codeca5.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\XFFNHFHAM\DFO = [binary data]
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\CONTROL\SESSION MANAGER\PENDINGFILERENAMEOPERATIONS = \??\%TEMP%\1374189.malware
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\SERVICES\EVENTLOG\APPLICATION\ESENT\CATEGORYCOUNT = 16
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\SERVICES\EVENTLOG\APPLICATION\ESENT\CATEGORYMESSAGEFILE = %WINDIR%\SYSTEM32\ESENT.dll
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\SERVICES\EVENTLOG\APPLICATION\ESENT\EVENTMESSAGEFILE = %WINDIR%\SYSTEM32\ESENT.dll
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\SERVICES\EVENTLOG\APPLICATION\ESENT\TYPESSUPPORTED = 7

The applications attempted the following network connection(s):
    95.168.177.**:80

----------------------------------------------------------------------------------------------------
http://vil.nai.com/vil/content/v_789033.htm

Generic.tfr!bi!B9B8857D1D66
Type            Trojan
Discovery Date  01/31/2012
Length          360448
    
The following files were analyzed:
0866d69dd4f4df3f4e52dcb0675a18b3000c0f95

The following files have been added to the system:
    %WINDIR%\SYSTEM32\oddbse324.exe

The following files were temporarily written to disk then later removed:
    %TEMP%\~unins1399.bat

The following registry elements have been created:
    HKEY_CURRENT_USER\SOFTWARE\XFFNHFHAM\
    HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN\
    HKEY_LOCAL_MACHINE\SOFTWARE\XFFNHFHAM\

The following registry elements have been changed:
    HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN\ERROR DLG DISPLAYED ON EVERY ERROR = no
    HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN\WINDOW_PLACEMENT = [binary data]
    HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET EXPLORER\TOOLBAR\LOCKED = 1
    HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\6 = [binary data]
    HKEY_CURRENT_USER\SOFTWARE\XFFNHFHAM\DFO = [binary data]
    HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\6 = [binary data]
    HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN\EIDPQ = %WINDIR%\SYSTEM32\oddbse324.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\XFFNHFHAM\DFO = [binary data]
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\CONTROL\SESSION MANAGER\PENDINGFILERENAMEOPERATIONS = \??\%TEMP%\0866d69dd4f4df3f4e52dcb0675a18b3000c0f95

The applications attempted the following network connection(s):
    94.23.19.*:80
    94.23.203.***:80
    188.165.33.*:80
    77.79.11.**:80
    188.165.219.**:80
    hxxp://ads.alpha00001.com/cgi-bin/advert/*****
    87.98.135.***:80

----------------------------------------------------------------------------------------------------
http://home.mcafee.com/virusinfo/virusprofile.aspx?key=754063

Virus Profile: Generic.dx!bcmp!B6677BC448A9
Date Discovered: 	06/01/2012
Date Added: 	06/01/2012
Origin: 	Unknown
Length: 	302592
Type: 	Trojan

File Properties	Property Values
McAfee Detection	Generic.dx!bcmp
Length	302592 bytes
MD5	b6677bc448a93e0bf40e5200181c8f4b
SHA1	faf4e49944d64f5bba764d13bce63615b572d93c

Other Common Detection Aliases
Company Names	Detection Names
EMSI Software	Trojan.Win32.Webprefix!IK
avast	Win32:Rootkit-gen
AVG (GriSoft)	Agent3.BBVF (Trojan horse)
avira	Rkit/Agent.302592
BitDefender	Trojan.Generic.KDV.499810
Dr.Web	Trojan.PWS.Panda.1616
eSafe (Alladin)	Trojan/Worm
FortiNet	W32/Kryptik.YEW
Eset	Win32/Kryptik.YEW trojan (variant)
norman	W32/Suspicious_Gen2.UPBCE
panda	Generic Trojan
rising	[Suspicious]
Sophos	Mal/Generic-L
V-Buster	Trojan.Kryptik!YAY8MUYiqyc (trojan)

The following files were analyzed:
google_mf626_driver.exe

The following files have been added to the system:
    %WINDIR%\SYSTEM32\MSRTEDITC.exe

The following files were temporarily written to disk then later removed:
    %TEMP%\~unins5231.bat
    %TEMP%\TarA.tmp
    %TEMP%\Cab9.tmp

The following registry elements have been created:
    HKEY_CURRENT_USER\SOFTWARE\XFFNHFHAM\
    HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN\
    HKEY_LOCAL_MACHINE\SOFTWARE\XFFNHFHAM\

The following registry elements have been changed:
    HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN\WINDOW_PLACEMENT = [binary data]
    HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET EXPLORER\TOOLBAR\LOCKED = 1
    HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\6 = 328397060
    HKEY_CURRENT_USER\SOFTWARE\XFFNHFHAM\DFO = [binary data]
    HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\6 = 328397060
    HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN\WVYZ = %WINDIR%\SYSTEM32\MSRTEDITC.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\XFFNHFHAM\DFO = [binary data]
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\CONTROL\SESSION MANAGER\PENDINGFILERENAMEOPERATIONS = \??\%TEMP%\google_mf626_driver.exe

The applications attempted the following network connection(s):
    46.246.119.***:80
    217.19.51.***:80
    96.17.15.**:80
    188.165.239.**:80
    hxxp://ads.alpha00001.com/cgi-bin/advert/*****
    173.194.33.**:443

----------------------------------------------------------------------------------------------------
http://home.mcafee.com/virusinfo/virusprofile.aspx?key=604411#none

Virus Profile: Kryp.b!B18F52D5A4B2
Date Discovered: 	28/09/2011
Date Added: 	28/09/2011
Origin: 	Unknown
Length: 	294341
Type: 	Trojan

File Properties	Property Values
McAfee Detection	Kryp.b
Length	294341 bytes
MD5	b18f52d5a4b206a5569277dc0120fa6b
SHA1	25d3077b56d900d81afb7a5cd7a4fb74e70ff2a0

Other Common Detection Aliases
Company Names	Detection Names
EMSI Software	Trojan.Pirminay!IK
avast	Win32:MalOb-EI
avira	TR/Pirminay.bhf
Kaspersky	Trojan.Win32.Pirminay.dao
BitDefender	Backdoor.Generic.542938
clamav	Trojan.Agent-183385
Dr.Web	Trojan.MulDrop1.59103
FortiNet	PossibleThreat
Microsoft	TrojanDownloader:Win32/Renos.KC
Symantec	Trojan.Gen
Eset	Win32/TrojanDownloader.Agent.PXO trojan
norman	W32/Suspicious_Gen2.HZTOS
panda	Trj/Agent.OLO
Sophos	Mal/Ponmocup-A
Trend Micro	TROJ_GEN.R21CRBQ
vba32	SScope.Trojan.Pirminay.chc

The following files were analyzed:
25d3077b56d900d81afb7a5cd7a4fb74e70ff2a0

The following files have been added to the system:
    %WINDIR%\SYSTEM32\faultrep4.exe

The following files have been changed:
    %WINDIR%\SYSTEM32\drivers\etc\hosts

The following files were temporarily written to disk then later removed:
    %TEMP%\~unins9171.bat

The following registry elements have been created:
    HKEY_CURRENT_USER\SOFTWARE\XFFNHFHAM\
    HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN\
    HKEY_LOCAL_MACHINE\SOFTWARE\XFFNHFHAM\

The following registry elements have been changed:
    HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\6 = [binary data]
    HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\9 = [binary data]
    HKEY_CURRENT_USER\SOFTWARE\XFFNHFHAM\DFO = [binary data]
    HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\6 = [binary data]
    HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\9 = [binary data]
    HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN\EWUNBM = %WINDIR%\SYSTEM32\faultrep4.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\XFFNHFHAM\DFO = [binary data]
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\CONTROL\SESSION MANAGER\PENDINGFILERENAMEOPERATIONS = \??\%TEMP%\25d3077b56d900d81afb7a5cd7a4fb74e70ff2a0
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\SERVICES\EVENTLOG\APPLICATION\ESENT\CATEGORYCOUNT = 16
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\SERVICES\EVENTLOG\APPLICATION\ESENT\CATEGORYMESSAGEFILE = %WINDIR%\SYSTEM32\ESENT.dll
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\SERVICES\EVENTLOG\APPLICATION\ESENT\EVENTMESSAGEFILE = %WINDIR%\SYSTEM32\ESENT.dll
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\SERVICES\EVENTLOG\APPLICATION\ESENT\TYPESSUPPORTED = 7

The applications attempted the following network connection(s):
    87.255.51.***:80

----------------------------------------------------------------------------------------------------
http://xml.ssdsandbox.net/view/442d546ef43b47b8449bb620ebe44011

Submission Details
Date 	11/2/2011 12:03:35 PM
File Name 	C:\88086637.exe

Registry
C:\DOCUME~1\Dave\LOCALS~1\Temp\4sd1.tmp 	
Changes (5)
HKEY_CURRENT_USER\Software\UOSBEU\VTBGL = [REG_BINARY, size: 50176 bytes]
HKEY_LOCAL_MACHINE\SOFTWARE\UOSBEU\VTBGL = [REG_BINARY, size: 50176 bytes]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\mmghpdlnx = %SystemRoot%\system32\c_12566.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\6 = [REG_BINARY, size: 9 bytes]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\6 = [REG_BINARY, size: 9 bytes]

Winsock
C:\88086637.exe 	
Outgoing connection to remote server: 31.214.169.45 TCP port 8000

C:\DOCUME~1\Dave\LOCALS~1\Temp\4sd1.tmp 	
DNS Lookup
Host Name 	IP Address
82.192.79.174 	82.192.79.174

Download URLs
http://82.192.79.174/searchProductResult.jsp
Outgoing connection to remote server: 82.192.79.174 TCP port 80

----------------------------------------------------------------------------------------------------
http://xml.ssdsandbox.net/view/70766ed692dee7f09ec0bbd3055ed1f1

Submission Details
Date 	10/31/2011 2:51:22 AM
File Name 	C:\87984877.exe

Virusscan
C:\87984877.exe 	NOD32: a variant of Win32/Kryptik.UOE
F-Prot: W32/SmallTrojan.AA2.gen!Eldorado
Symantec: Suspicious.Cloud.5
Avast: Win32:Tindow [Trj]
Kaspersky: Trojan.Win32.Menti.ioce
BitDefender: Gen:Trojan.Heur.FU.aiW@aO2Nk0k
SUPERAntiSpyware: Trojan.Agent/Gen-MultiDrop
DrWeb: Trojan.DownLoad2.22099
AntiVir: TR/Crypt.XPACK.Gen
GData: Gen:Trojan.Heur.FU.aiW@aO2Nk0k
Commtouch: W32/SmallTrojan.AA2.gen!Eldorado
AVG: Generic25.AUTX
Panda: Suspicious File


C:\DOCUME~1\Dave\LOCALS~1\Temp\asd1.tmp
Filesystem Chronological order (31)

Create/Open File: \Device\Tcp
Create/Open File: \Device\Ip
Create/Open File: \Device\Ip
Open File: \\.\Ip
Find File: %SystemRoot%\system32
Find File: C:\System Volume Information
Open File: C:\DOCUME~1\Dave\LOCALS~1\Temp\asd1.tmp:Zone.Identifier
Find File: C:\DOCUME~1\Dave\LOCALS~1\Temp\asd1.tmp
Find File: %SystemRoot%\system32\drivers\*.*
Create/Open File: \Device\Tcp6
Create/Open File: \Device\Ip6
Create/Open File: \Device\Ip6
Open File: \\.\Ip6
Create/Open File: \Device\NetBT_Tcpip_{FB0F1ED3-098A-4B84-AFFD-7C0419EE0934}
Find File: C:\*.*
Create/Open File: \Device\RasAcd
Open File: \\.\Ip6
Open File: \\.\PIPE\lsarpc
Find File: %SystemRoot%\system32\*.*
Get File Attributes: %SystemRoot%\system32\wbcacheo.exe Flags: (SECURITY_ANONYMOUS)
Create File: %SystemRoot%\system32\wbcacheo.exe
Set File Attributes: %SystemRoot%\system32\wbcacheo.exe Flags: (FILE_ATTRIBUTE_ARCHIVE FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_READONLY FILE_ATTRIBUTE_SYSTEM SECURITY_ANONYMOUS)
Open File: %SystemRoot%\AppPatch\sysmain.sdb
Open File: %SystemRoot%\AppPatch\systest.sdb
Open File: \Device\NamedPipe\ShimViewer
Open File: %SystemRoot%\system32\
Find File: %SystemRoot%\system32\wbcacheo.exe
Create File: C:\DOCUME~1\Dave\LOCALS~1\Temp\~unins62.bat
Set File Attributes: C:\DOCUME~1\Dave\LOCALS~1\Temp\asd1.tmp Flags: (FILE_ATTRIBUTE_ARCHIVE SECURITY_ANONYMOUS)
Move File: C:\DOCUME~1\Dave\LOCALS~1\Temp\asd1.tmp to
Find File: %SystemRoot%\system32\cmd.exe


Registry Changes (5)
HKEY_CURRENT_USER\Software\UOSBEU\VTBGL = [REG_BINARY, size: 49664 bytes]
HKEY_LOCAL_MACHINE\SOFTWARE\UOSBEU\VTBGL = [REG_BINARY, size: 49664 bytes]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\Xqpeteed = %SystemRoot%\system32\wbcacheo.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\6 = [REG_BINARY, size: 8 bytes]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\6 = [REG_BINARY, size: 8 bytes]


Winsock
C:\87984877.exe 	
Outgoing connection to remote server: 31.214.169.45 TCP port 8000

C:\DOCUME~1\Dave\LOCALS~1\Temp\asd1.tmp 	

DNS Lookup
Host Name 	IP Address
82.192.79.174 	82.192.79.174

Download URLs
http://82.192.79.174/searchProductResult.jsp
Outgoing connection to remote server: 82.192.79.174 TCP port 80

----------------------------------------------------------------------------------------------------
http://xml.ssdsandbox.net/view/0f5482dc490eb6d565f35a8dcfc9e406

Submission Details
Date 	10/13/2011 12:27:15 PM
File Name 	C:\87389383.exe

Virusscan
%SystemRoot%\system32\ipconfig.exe /flushdns
eSafe: Win32.Banker

%SystemRoot%\system32\cmd.exe /c C:\DOCUME~1\Dave\LOCALS~1\Temp\~unins3171.bat C:\87389383.exe 	
eSafe: Win32.Corrupt.Ag
McAfee-GW-Edition: Heuristic.BehavesLike.Win32.Suspicious.H

Registry
C:\87389383.exe 	
Changes (25)
[removed]
HKEY_CURRENT_USER\Software\UOSBEU\VTBGL = [REG_BINARY, size: 69632 bytes]
HKEY_LOCAL_MACHINE\SOFTWARE\UOSBEU\VTBGL = [REG_BINARY, size: 69632 bytes]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\Eadnvf = %SystemRoot%\system32\w32tmy.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\6 = [REG_BINARY, size: 6 bytes]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\6 = [REG_BINARY, size: 6 bytes]


Winsock
C:\87389383.exe 	

Download URLs
http://95.211.130.162/html/license_43EC92[removed].html
Outgoing connection to remote server: 95.211.130.162 TCP port 80

%SystemRoot%\system32\w32tmy.exe 	
DNS Lookup
Host Name 	IP Address
imagehut4.cn 	

----------------------------------------------------------------------------------------------------
http://camas.comodo.com/cgi-bin/submit?file=10b9f967fa5ec816432e44ff2a03eedb1cec0b3f9b89385e7d49c1b40bd8a873&iframe=

File Info
Name	Value
Size	2214400
MD5	b012d088637b26c6b9ff8fadeff700f2
SHA1	93d69f7b8195204d8c3b778fe8a40b714ae5c262
SHA256	10b9f967fa5ec816432e44ff2a03eedb1cec0b3f9b89385e7d49c1b40bd8a873

DNS Queries
DNS Query Text
skymediaportal.com IN A +
012webpages.com IN A +
contactfriendly.com IN A +
imagehut4.cn IN A +

HTTP Queries
skymediaportal.com GET /logo.png?v67=41&tq=gL5HtzyMv5rJsxG1J4Xo2rCyDvEpwr7UxUrEgPiWW1cg HTTP/1.0
012webpages.com GET /christian13.jpg?v18=71&tq=gKZEt[removed] HTTP/1.0
contactfriendly.com GET /html/license_43EC9[removed].html HTTP/1.1
contactfriendly.com GET /html/license_43EC9[removed].html HTTP/1.1
imagehut4.cn GET /update/utu.dat HTTP/1.1

Verdict
Auto Analysis Verdict
Suspicious+

Description
Suspicious Actions Detected
Copies self to other locations
Creates autorun records
Creates files in program files directory
Creates files in windows system directory
Hides files from user
Injects code into other processes

----------------------------------------------------------------------------------------------------
http://greatis.com/blog/how-to-remove-malware/wzcsvcp-exe.htm

wzcsvcp.exe – trojan Pirminay
June 6, 2011 by NightWatcher
Filed under: Malware  

The file wzcsvcp.exe is identified as a Trojan program that is used for stealing bank information and users' passwords.

Malware Analysis of “wzcsvcp.exe”
Executed: C:\sand-box\Xkz.exe
Removed: wzcsvcp.exe. Full path: C:\WINDOWS\system32\wzcsvcp.exe

How to quickly detect malware presence?

Registry: HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\mhdfyyuopr
Value: “C:\WINDOWS\system32\wzcsvcp.exe”

Files:
C:\WINDOWS\system32\wzcsvcp.exe
—————————————————————————————————————————-
Classification:
Antivirus 	Version 	Last Update 	Result
F-Secure 	9.0.16440.0 	2011.05.28 	Trojan.Generic.KDV.234550
Kaspersky 	9.0.0.837 	2011.05.28 	Trojan.Win32.Pirminay.hrz
Microsoft 	1.6903 	2011.05.28 	-
NOD32 	6159 	2011.05.28 	a variant of Win32/Injector.FXK
—————————————————————————————————————————-

MD5 f7ece4f2b64096e1bea95d1452a2de0e
SHA1 91123d2be21720f964071e85e493bd58229a00bb
SHA256 3f115637e694615b3ba83d363f4a89a33c58ad8b68803e2419f203fe9a7a8b56

———————————-
Keys added:4
———————————-
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
HKLM\Software\qbyyjp
HKCU\Software\qbyyjp

———————————-
Values added:5
———————————-
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\6: 96 ED 95 C5 26 4A 60 28 22 83
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\mhdfyyuopr: “C:\WINDOWS\system32\wzcsvcp.exe”
HKLM\Software\qbyyjp\VAYJQFODW: 7B DA FD /.../ B1 68 DD
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\6: 96 ED 95 C5 26 4A 60 28 22 83
HKCU\Software\qbyyjp\VAYJQFODW: 7B DA FD /.../ B1 68 DD

———————————-
Files added:1
———————————-
C:\WINDOWS\system32\wzcsvcp.exe

----------------------------------------------------------------------------------------------------
http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Mdrop-DXG/detailed-analysis.aspx

Troj/Mdrop-DXG
Category: 	Viruses and Spyware 	
Type: 	Trojan 	
Protection available since:	25 Jan 2012 17:07:43 (GMT)
Last Updated:	25 Jan 2012 17:07:43 (GMT)

File Information

Size                361K
SHA-1               112c20a84b5173183d06ff35398930a68c130083
MD5                 678b6606994aaa01aaed9c769b9f6530
CRC-32              23ee73af
File type           application/x-ms-dos-executable
First seen          2012-01-25

Registry Keys Created
HKLM\SOFTWARE\zpppmcegc
    GY
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    6
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
    6
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
    envvfewu            C:\WINDOWS\system32\ati3duagh.exe

Processes Created
    c:\windows\system32\ati3duagh.exe
    c:\windows\system32\cmd.exe

HTTP Requests
    http://7.93.186.240/adj/Category.aspx
    http://ads.alpha00001.com/cgi-bin/advert/getads

IP Connections
    7.93.186.240:80

DNS Requests
    ads.alpha00001.com
    somethingclosely.com

----------------------------------------------------------------------------------------------------
http://about-threats.trendmicro.com/Malware.aspx?language=us&name=TSPY_PIRMINAY.A

TSPY_PIRMINAY.A
Malware type: Spyware

Overview
This spyware is capable of collecting information from the infected system and checking if the currently logged user has administrator rights.

Technical Details
File size: 302,446 bytes
File type: EXE
Memory resident: Yes
Initial samples received date: 18 Apr 2011
Payload: Modifies HOSTS file

Autostart Technique
This spyware adds the following registry entries to enable its automatic execution at every system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
{random registry name} = "%System%\{random file name}.exe"

Other System Modifications
This spyware adds the following registry keys as part of its installation routine:
HKEY_CURRENT_USER\Software\GHUZPSK

HOSTS File Modification
This spyware modifies the affected system's HOSTS file to prevent a user from accessing the following websites:
    127.0.0.1 thepiratebay.org
    127.0.0.1 www.thepiratebay.org
    127.0.0.1 mininova.org
    127.0.0.1 www.mininova.org
    127.0.0.1 forum.mininova.org
    127.0.0.1 blog.mininova.org
    127.0.0.1 suprbay.org
    127.0.0.1 www.suprbay.org

Stolen Information
This spyware sends the gathered information via HTTP POST to the following URL:
http://{BLOCKED}c.net/html/license_43EC92[removed].html 

----------------------------------------------------------------------------------------------------
http://www.threatexpert.com/report.aspx?md5=335f2fdaaa82c5e079aa40a6c233b7b5

    Submission details:
        Submission received: 2 February 2012, 01:37:35
        Processing time: 8 min 3 sec
        Submitted sample:
            File MD5: 0x335F2FDAAA82C5E079AA40A6C233B7B5
            File SHA-1: 0x33B69923DDFCB66BCF9807FC906D8B0C73FC696B
            Filesize: 303,104 bytes

    Summary of the findings:

What's been found	Severity Level
Downloads/requests other files from Internet.	
Creates a startup registry entry.

File System Modifications

    The following file was created in the system:

#	Filename(s)	File Size	File Hash
1 	%System%\watchdog7.exe 	0 bytes 	MD5: 0xD41D8CD98F00B204E9800998ECF8427E
SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709

Registry Modifications

    The following Registry Keys were created:
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
        HKEY_LOCAL_MACHINE\SOFTWARE\qrjaslop
        HKEY_CURRENT_USER\Software\qrjaslop

    The newly created Registry Values are:
        [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings]
            6 = 5A 39 4B 80 31 3D 3C 91 C4
        [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
            Lznvcpcci = "%System%\watchdog7.exe"

        so that watchdog7.exe runs every time Windows starts
        [HKEY_LOCAL_MACHINE\SOFTWARE\qrjaslop]
            URF = 2C 60 D0 7C E6 F2 8F F2 7A 53 21 CB 91 1A A7 6A AC D5 15 38 46 F1 63 5B 10 37 F5 46 DA 36 06 94 2F 8F 7C C1 10 1E AF 18 10 BA 30 55 91 E9 96 31 43 C4 6A 5F 81 39 3E 8C AE D3 DE C4 1E 38 A1 70 C0 BD 0C 06 4F 94 11 3E 12 8D E3 3A 06 3F 78 38 47 4B 87 E
        [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
            6 = 5A 39 4B 80 31 3D 3C 91 C4
        [HKEY_CURRENT_USER\Software\qrjaslop]
            URF = 2C 60 D0 7C E6 F2 8F F2 7A 53 21 CB 91 1A A7 6A AC D5 15 38 46 F1 63 5B 10 37 F5 46 DA 36 06 94 2F 8F 7C C1 10 1E AF 18 10 BA 30 55 91 E9 96 31 43 C4 6A 5F 81 39 3E 8C AE D3 DE C4 1E 38 A1 70 C0 BD 0C 06 4F 94 11 3E 12 8D E3 3A 06 3F 78 38 47 4B 87 E


Other details

    There were registered attempts to establish connection with the remote hosts. The connection details are:

Remote Host	Port Number
188.165.231.87	80
188.165.236.39	80
77.79.11.29	80
87.98.135.156	80
87.98.138.127	80
91.121.87.206	80
94.23.19.9	80

    The data identified by the following URLs was then requested from the remote web server:
        http://ads.regiedepub.com/cgi-bin/advert/getads?x_dp_id=1076
        http://ads.regiedepub.com/cgi-bin/advert/settags.cgi?x_format=js&i_cid=385565721&x_dp_id=28&x_pub_id=7568&x_tag_id=adomos_emailing_v2&xloop=1&c4aid=410069244F184F219AB2C29EDC8918CA
        http://ads.eorezo.com/cgi-bin/advert/settags.cgi?x_format=js&i_cid=385565721&x_dp_id=28&x_pub_id=7568&x_tag_id=adomos_emailing_v2
        http://77.79.11.29/rd/article/search_product.htm
        http://su600.com/publicite/com/zone.php?zone=25824&rnd=1328168379
        http://su600.com/a/adjs2.php?zoneid=25824
        http://su600.com/r.php?dest=http%3A%2F%2Fads.regiedepub.com%2Fcgi-bin%2Fadvert%2Fgetads%3Fx_dp_id%3D1076
        http://su600.com/publicite/com/zone.php?zone=25824&rnd=1328168338
        http://l.advertstream.com/a/adclick.php?n_clic=258248970385945775&cpme=EIFLNfEz_y4nx8soEXv66PQ&bannerid=1&zoneid=25824&log=no&dest=http%3A%2F%2Fsu600.com%2Fr.php%3Fdest%3Dhttp%253A%252F%252Fads.regiedepub.com%252Fcgi-bin%252Fadvert%252Fgetads%253Fx_dp_id%253D1076
        http://l.advertstream.com/a/adclick.php?n_clic=258241292971490&cpme=N7ulwXg4ZD-WkcxqTebFFwk&bannerid=1&zoneid=25824&log=no&dest=http%3A%2F%2Fsu600.com%2Fr.php%3Fdest%3Dhttp%253A%252F%252Fads.regiedepub.com%252Fcgi-bin%252Fadvert%252Fgetads%253Fx_dp_id%253D1076
        http://scache.regiedepub.com/html/partners/adomos/site-under_protection-familiale-et-gain-fiscal.htm
        http://scache.regiedepub.com/html/partners/adomos/protection-familiale-et-gain-fiscal/emailing_v2_006.css
[removed]
        http://scache.regiedepub.com/html/partners/adomos/protection-familiale-et-gain-fiscal/images/buttons.png
        http://ads.alpha00001.com/cgi-bin/advert/getads?did=1077
        http://ads.alpha00001.com/cgi-bin/advert/getads?x_dp_id=43&frame=false&pdid=1077&ppid=8112

----------------------------------------------------------------------------------------------------
http://www.eset.eu/virus/win32-ponmocup-aa-trojan-jorik-pirminay-akh-milicenso-a?lng=en

Threat Encyclopaedia
Win32/Ponmocup.AA

Aliases:	Trojan.Win32.Jorik.Pirminay.akh (Kaspersky), Trojan.Milicenso (Symantec), TrojanDownloader:Win32/Ponmocup.A (Microsoft) 
Type of infiltration:	Trojan  
Size:	262144 B 

Short description
Win32/Ponmocup.AA is a trojan which tries to download other malware from the Internet.

Installation
When executed, the trojan creates one of the following files:
    %system%\%random1%.exe
    %programfiles%\%existingfolder%\%random1%.exe
    %temp%\%random1%.exe
    %system%\%random1%.dll
    %programfiles%\%existingfolder%\%random1%.dll
    %temp%\%random1%.dll

The file is then executed.

The trojan may set the following Registry entries:
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
    "%random2%" = "%malwarepath%"
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "%random2%" = "%malwarepath%"
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
    "%random2%" = "%malwarepath%"

A string with variable content is used instead of %random1-3%.

This causes the trojan to be executed on every system start.

The trojan schedules a task that causes the following file to be executed repeatedly:
    "%system%\rundll32.exe "%malwarepath%", %random3%"

After the installation is complete, the trojan deletes the original executable file.
Information stealing
The trojan collects various information related to the operating system.

The trojan attempts to send gathered information to a remote machine.
Other information
The trojan keeps various information in the following Registry keys:
    [HKEY_LOCAL_MACHINE\Software\%random4%]
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia]
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Multimedia]
    [HKEY_LOCAL_MACHINE\System\CurrentControlSet]
    [HKEY_CURRENT_USER\System\CurrentControlSet]

A string with variable content is used instead of %random4%.

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of (4) URLs. The HTTP protocol is used.

It may perform the following actions:
    download files from a remote computer and/or the Internet
    run executable files
    create a scheduled task that repeatedly executes the malicious file
    disable System Restore
    send gathered information

The trojan hooks the following Windows APIs:
    NtQueryInformationProcess (ntdll.dll)

----------------------------------------------------------------------------------------------------
http://threatcenter.crdf.fr/?More&ID=48598&D=CRDF.Malware-Generic.92057514299

Display information about the threat
Threat name: 	CRDF.Trojan.Downloader-Generic.92057514299
File size: 	244 kB (249 344 Bytes)
MD5 Signature: 	6e4f168b202bcae89ab6c5d60638b2a0
SHA1 Signature: 	35c28d7a106d4dbcccf5932b5d7828a766dd39f5
SHA256 Signature: 	cc2006b3dfe7e14152d8acba89d4ad899b57807960168e3c72609b8b12594abc
Threat Status: 	Threat confirmed
Date added: 	Friday 23 September 2011 at 01:01:33


Report detection of virus (VirusTotal)
nProtect 	Nothing FOUND
CAT-QuickHeal 	Nothing FOUND
McAfee 	Generic Downloader.x!gcg
K7AntiVirus 	Trojan
TheHacker 	Nothing FOUND
VirusBuster 	Nothing FOUND
NOD32 	Win32/TrojanDownloader.Agent.PXO
F-Prot 	Nothing FOUND
Symantec 	Trojan.Milicenso
Norman 	W32/Obfuscated.L
ByteHero 	Trojan.Win32.Heur.Gen
TrendMicro-HouseCall 	TROJ_GEN.F70C3IM
Avast 	Win32:Pirminay-DE [Trj]
eSafe 	Nothing FOUND
ClamAV 	Nothing FOUND
Kaspersky 	Trojan.Win32.Jorik.Pirminay.ol
BitDefender 	Trojan.Generic.KD.361527
SUPERAntiSpyware 	Nothing FOUND
Emsisoft 	Trojan-Downloader.Win32.Ponmocup!IK
Comodo 	UnclassifiedMalware
F-Secure 	Trojan.Generic.KD.361527
DrWeb 	Trojan.DownLoader4.60908
VIPRE 	Trojan.Win32.Generic!BT
AntiVir 	TR/Jorik.Pirminay.ol
TrendMicro 	Nothing FOUND
McAfee-GW-Edition 	Generic Downloader.x!gcg
Sophos 	Nothing FOUND
eTrust-Vet 	Nothing FOUND
Jiangmin 	Trojan/Generic.knvv
Antiy-AVL 	Nothing FOUND
Microsoft 	TrojanDownloader:Win32/Ponmocup.A
ViRobot 	Nothing FOUND
Prevx 	Nothing FOUND
GData 	Trojan.Generic.KD.361527
Commtouch 	Nothing FOUND
AhnLab-V3 	Trojan/Win32.Jorik
PCTools 	Trojan.Milicenso
Rising 	Nothing FOUND
Ikarus 	Trojan-Downloader.Win32.Ponmocup
Fortinet 	Nothing FOUND
AVG 	Generic24.CNWY
Panda 	Trj/CI.A
Avast5 	Win32:Pirminay-DE [Trj]
CRDF Anti Malware 	CRDF.Trojan.Downloader-Generic.92057514299


Sandbox report (Comodo SandBox)

* File Info
	NAME
	VALUE

	Size
	249344

	MD5
	6e4f168b202bcae89ab6c5d60638b2a0

	SHA1
	35c28d7a106d4dbcccf5932b5d7828a766dd39f5

	SHA256
	cc2006b3dfe7e14152d8acba89d4ad899b57807960168e3c72609b8b12594abc


* Values Created (NAME / TYPE / SIZE / VALUE)
	CU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\6	REG_BINARY	5	?
	LM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\6	REG_BINARY	5	?
	LM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\MWGBC	REG_SZ	64	"C:\WINDOWS\system32\kbdpl1X.exe"
	LM\System\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations	REG_MULTI_SZ	50	"\??\C:\TEST\sample.exe"

* Files Changed
	C:\WINDOWS\system32\drivers\etc\hosts
	734/1003
	2007.07.27 12:00:00.000/2009.01.09 10:54:27.203
	2007.07.27 12:00:00.000/2007.07.27 12:00:00.000
	2008.08.08 09:14:46.187/2008.08.08 09:14:46.187
	0x20/0x20

* DNS Queries
	DNS QUERY TEXT
	middlechrist.com IN A +
	imagehut4.cn IN A +

* HTTP Queries
	HTTP QUERY TEXT
	middlechrist.com GET /html/license_43EC92[removed]CA82.html HTTP/1.1
	middlechrist.com GET /html/license_43EC92[removed]8785F8.html HTTP/1.1
	imagehut4.cn GET /update/utu.dat HTTP/1.1

* Verdict
	AUTO ANALYSIS VERDICT
	Suspicious++

* Description
	SUSPICIOUS ACTIONS DETECTED
	Copies self to other locations
	Creates files in windows system directory
	Deletes self
	Hides files from user
	Modifies the windows host file


----------------------------------------------------------------------------------------------------