Dropper.Generic5.BENN | Joachim De Zutter
March 2012
Filename: jag331149.exe
Filesize: 156160
MD5: ddb69cd67556d6c2d6e38e3066092a30
SHA1: 7d3da11cdf8b8c30e2ce9becb803fe290998a443
SHA256: 5f8b53b02d57c523871b2dff8bbb93aa6321ca61702903d3cb32167509f662aa
SSDeep: 3072:OdoH13lXAlknmIwgUhlZJLeDdrrGVIWhBHNOkoJNs9wUouv:Sm1N+kmjZI5rrGuW/NnLo0
https://www.virustotal.com/#/file/5f8b53b02d57c523871b2dff8bbb93aa6321ca61702903d3cb32167509f662aa
Description: Editor Onion Cicada
Company: Cyber Power System Inc.
File Version: 6.5
Internal Name: Val Canon Rum
Language: English (United States)
Win32 DLL file. Executed with a command like regsvr32 -s %USERPROFILE%\AppData\Local\Temp\jag331149.exe

The file was UPX compressed. The decompressed version has the following properties:
File size: 209408
MD5: 7982bf48b5f13e1397e6788f09ca321f
SHA1: 3c2c7c62a9895dd77fd763344b9897a8265ac169
SHA256: 61b508b979cf7ce110d4b0437f606601f89dfe9a013ec21b244cacd814d7281d
SSDeep: 3072:zGfDNA3AJELE8V18A7+1mtSYXAsWkWPwhdFGX7bwNp/T5DOo8qzrEZvOxhvmDs9O:aft4XV1P+MtlXAsWFPw7FGX4ioX79d9
https://www.virustotal.com/#/file/61b508b979cf7ce110d4b0437f606601f89dfe9a013ec21b244cacd814d7281d

Hides all active processes.

Disables the task manager by modifying the registry:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
DisableTaskMgr = 0x00000001
Creates a LNK file in the startup folder containing:
Target: %WINDIR%\system32\rundll32.exe [insert location of jag331149.exe here],NameFunEx
Start in: %WINDIR%\system32\
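An added example, not part of the original analysis: a PowerShell check a responder could run on a Windows host for the two artefacts listed above, the DisableTaskMgr policy value and a Startup-folder shortcut that launches rundll32.exe against a module outside %WINDIR%. The function names are my own choice.

```powershell
# Added example (not from the original report): detection checks for the
# persistence and defence-evasion artefacts described above.

function Test-DisableTaskMgrPolicy {
    # The sample sets DisableTaskMgr = 1 under the per-user Policies\System key.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    $prop = Get-ItemProperty -Path $key -Name DisableTaskMgr -ErrorAction SilentlyContinue
    if ($null -ne $prop -and $prop.DisableTaskMgr -eq 1) {
        [pscustomobject]@{ Finding = 'DisableTaskMgr policy set'; Key = $key; Value = $prop.DisableTaskMgr }
    }
}

function Get-SuspiciousStartupShortcut {
    # Enumerate .lnk files in the per-user and all-users Startup folders and
    # resolve their targets through the WScript.Shell COM object. Flag any
    # shortcut whose target is rundll32.exe and whose arguments end in
    # ",<ExportName>" (the sample used "<path>\jag331149.exe,NameFunEx").
    $shell = New-Object -ComObject WScript.Shell
    $folders = @(
        [Environment]::GetFolderPath('Startup'),
        [Environment]::GetFolderPath('CommonStartup')
    ) | Where-Object { $_ -and (Test-Path $_) }

    foreach ($folder in $folders) {
        Get-ChildItem -Path $folder -Filter *.lnk -File -ErrorAction SilentlyContinue | ForEach-Object {
            $lnk       = $shell.CreateShortcut($_.FullName)
            $target    = $lnk.TargetPath
            $arguments = $lnk.Arguments
            if ($target -match '(?i)\\rundll32\.exe$' -and $arguments -match ',\s*\w+\s*$') {
                # Module path is everything before the last comma; strip quotes.
                $module   = $arguments.Substring(0, $arguments.LastIndexOf(',')).Trim('"', ' ')
                $inWindir = $module -like ("{0}*" -f $env:WINDIR)
                [pscustomobject]@{
                    Finding          = if ($inWindir) { 'rundll32 Startup shortcut' }
                                       else { 'rundll32 Startup shortcut loading module outside %WINDIR%' }
                    Shortcut         = $_.FullName
                    Target           = $target
                    Arguments        = $arguments
                    WorkingDirectory = $lnk.WorkingDirectory
                }
            }
        }
    }
}

Test-DisableTaskMgrPolicy
Get-SuspiciousStartupShortcut | Format-List
```

Run it in the context of the user whose profile is being examined, since the registry value lives under HKEY_CURRENT_USER.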

On reboot all active processes were hidden.

notepad.exe processes were created with process filename set to %WINDIR%\system32\notepad.exe

An HTTP connection to 195.189.227.216 was attempted by executing the Internet Explorer executable IEXPLORE.EXE with the parameter http://195.189.227.216/

An HTTP GET request was performed for MSS1.rar
Filename: MSS1.rar
Filesize: 629528
MD5: 291876e0b5a2620c001b6573185507c0
SHA1: ac800ca45e193ee19afaad8c7c6fb8e6656755cf
SHA256: a4403533a452c016825fca050619566e6a9baeb2d64a6512c54d1ea8c362c8b3
http://www.utrace.de/?query=195.189.227.216
Provider: SERVER.UA Ukraine Dedicated Service
Region: Mykolayiv (Ukraine)