ThreatExpert Report: Trojan.Inject

Visit ThreatExpert web site

Close Report

Submission Summary:

Submission details:

Submission received: 3 October 2012, 15:55:40
Processing time: 9 min 27 sec
Submitted sample:

File MD5: 0xEAA175D4357EB810FF12D5CAB4D2670F
File SHA-1: 0x785FD978C6F47F20EB0E5B5D3A99976240936659
Filesize: 400,797 bytes
Alias & packer info:

Trojan.Inject [Ikarus]
packed with: Memod [Kaspersky Lab]

Summary of the findings:

What's been found	Severity Level
Produces outbound traffic.
Creates a startup registry entry.

Technical Details:

File System Modifications

The following file was created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%System%\Bifrost\server.exe [file and pathname of the sample #1]	400,797 bytes	MD5: 0xEAA175D4357EB810FF12D5CAB4D2670F SHA-1: 0x785FD978C6F47F20EB0E5B5D3A99976240936659	Trojan.Inject [Ikarus] packed with Memod [Kaspersky Lab]

Note:

%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

The following directory was created:

%System%\Bifrost

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
server.exe	%System%\Bifrost\server.exe	32,768 bytes
[filename of the sample #1]	[file and pathname of the sample #1]	417,792 bytes

Attention! The following processes were intentionally hidden from the user:

Process Name	Main Module Size
IEXPLORE.EXE	102,400 bytes
IEXPLORE.EXE	102,400 bytes
IEXPLORE.EXE	102,400 bytes
IEXPLORE.EXE	102,400 bytes
IEXPLORE.EXE	102,400 bytes
IEXPLORE.EXE	102,400 bytes
IEXPLORE.EXE	102,400 bytes
IEXPLORE.EXE	102,400 bytes
IEXPLORE.EXE	102,400 bytes
IEXPLORE.EXE	102,400 bytes
IEXPLORE.EXE	102,400 bytes
IEXPLORE.EXE	102,400 bytes
IEXPLORE.EXE	102,400 bytes
IEXPLORE.EXE	102,400 bytes
IEXPLORE.EXE	102,400 bytes
IEXPLORE.EXE	102,400 bytes
IEXPLORE.EXE	102,400 bytes
IEXPLORE.EXE	102,400 bytes
IEXPLORE.EXE	102,400 bytes
IEXPLORE.EXE	102,400 bytes
IEXPLORE.EXE	102,400 bytes
IEXPLORE.EXE	102,400 bytes
IEXPLORE.EXE	102,400 bytes
IEXPLORE.EXE	102,400 bytes
IEXPLORE.EXE	102,400 bytes

There was a new memory page created in the address space of the system process(es):

Process Name	Process Filename	Allocated Size
server.exe	%System%\bifrost\server.exe	2,060,288 bytes

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9D71D88C-C598-4935-C5D1-43AA4DB90836}
HKEY_LOCAL_MACHINE\SOFTWARE\Bifrost
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MediaResources\msvideo
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MediaResources\msvideo
HKEY_CURRENT_USER\Software\Bifrost

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9D71D88C-C598-4935-C5D1-43AA4DB90836}]

stubpath = "%System%\Bifrost\server.exe s"

so that server.exe runs every time Windows starts

[HKEY_LOCAL_MACHINE\SOFTWARE\Bifrost]

nck = EC 0D E8 32 AD 44 A2 32 74 C3 CD 74 FA 93 5B 67

[HKEY_CURRENT_USER\Software\Bifrost]

klg = 00

Other details

To mark the presence in the system, the following Mutex object was created:

Bif1234

The following Host Name was requested from a host database:

badheart.no-ip.biz

There was registered attempt to establish connection with the remote host. The connection details are:

Remote Host	Port Number
badheart.no-ip.biz	81

Outbound traffic (potentially malicious)

There was an outbound traffic produced on port 81:

00000000 | 0501 0000 994F B271 E274 8C02 5AF2 B131 | .....O.q.t..Z..1
00000010 | 89FB 2F06 7625 A461 3F32 2BB6 F5EB 3C21 | ../.v%.a?2+...<!
00000020 | 3143 83AE DA73 56AE D0EC A9A3 71F2 03E0 | 1C...sV.....q...
00000030 | 06B4 6797 F439 1921 8DC4 0502 D76E 076A | ..g..9.!.....n.j
00000040 | 5046 6306 D0D7 85EF 5959 1266 C056 17D8 | PFc.....YY.f.V..
00000050 | EDDC 7E83 016C 4F16 B0AC 11FD 48D6 7BA0 | ..~..lO.....H.{.
00000060 | 83AB B598 2A37 E357 61E5 359B 9C8E 7493 | ....*7.Wa.5...t.
00000070 | 504F 5C8E B2AF 821F 0794 493C F5DD 1435 | PO\.......I<...5
00000080 | 67EF 16AF 66B3 64B3 11C0 0D4A 8846 01B6 | g...f.d....J.F..
00000090 | 07CC AB20 64D8 23DA 044D BCF5 6BFE A5F8 | ... d.#..M..k...
000000A0 | 5679 0780 BFA5 1CFA 9883 7887 9119 97A5 | Vy........x.....
000000B0 | AD99 A70D C23A 9C51 8699 2384 338F 34FC | .....:.Q..#.3.4.
000000C0 | 7B05 DF21 2D70 6B8E ACDC 6CE9 BDCD AB9B | {..!-pk...l.....
000000D0 | 4CAE 9EF1 2B43 7CE8 F208 17B2 3555 642C | L...+C|.....5Ud,
000000E0 | 5F23 A11B 410B FA44 A4FB 74AA 8EA7 8CFD | _#..A..D..t.....
000000F0 | 5BC2 47BF 7BB3 F1DC 253B B423 298E BB31 | [.G.{...%;.#)..1
00000100 | FD31 5A55 AA3F FD3D F3                  | .1ZU.?.=.

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.