Dropper.Generic5.BENN | Joachim De Zutter
March 2012
Filename: jag331149.exe
Filesize: 156160
MD5: ddb69cd67556d6c2d6e38e3066092a30
SHA1: 7d3da11cdf8b8c30e2ce9becb803fe290998a443
SHA256: 5f8b53b02d57c523871b2dff8bbb93aa6321ca61702903d3cb32167509f662aa
Description: Editor Onion Cicada
Company: Cyber Power System Inc.
File Version: 6.5
Internal Name: Val Canon Rum
Language: English (United States)
Win32 DLL file (despite the .exe extension). Executed with a command like: regsvr32 -s %USERPROFILE%\AppData\Local\Temp\jag331149.exe

Hides all active processes.

Disables the task manager by modifying the registry:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
DisableTaskMgr = 0x00000001
Creates a LNK file in the startup folder containing:
Target: %WINDIR%\system32\rundll32.exe [insert location of jag331149.exe here],NameFunEx
Start in: %WINDIR%\system32\
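A host check for the two artefacts described above (the DisableTaskMgr policy value and a startup-folder shortcut that hands a module with a .exe extension to rundll32.exe), written here as an added example rather than anything from the original analysis. Only the registry value name and the export name NameFunEx come from the note; the script structure, the $findings output object and the regular expressions are my own assumptions.

```powershell
# Added example: look for the persistence / defence-evasion artefacts described in the note.
# Registry value name (DisableTaskMgr) and export name (NameFunEx) are from the analysis;
# everything else here is illustrative.

$findings = @()

# 1. Task Manager disabled via the per-user policy key
$policyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
if (Test-Path $policyKey) {
    $val = (Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue).DisableTaskMgr
    if ($val -eq 1) {
        $findings += [pscustomobject]@{ Type = 'Registry'; Detail = "$policyKey\DisableTaskMgr = $val" }
    }
}

# 2. Startup-folder .lnk files whose target is rundll32.exe with a suspicious "<module>,<export>" argument
$shell = New-Object -ComObject WScript.Shell
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),        # current user's Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
)
foreach ($dir in $startupDirs) {
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem -Path $dir -Filter *.lnk -ErrorAction SilentlyContinue | ForEach-Object {
        $lnk     = $shell.CreateShortcut($_.FullName)
        $target  = $lnk.TargetPath
        $lnkArgs = $lnk.Arguments
        if ($target -match 'rundll32\.exe$') {
            # rundll32 expects "<module>,<ExportName>". A module ending in .exe being loaded
            # as a DLL, or the export name seen in this sample, is worth flagging.
            $suspicious = ($lnkArgs -match '\.exe\s*,') -or ($lnkArgs -match ',\s*NameFunEx')
            if ($suspicious) {
                $findings += [pscustomobject]@{
                    Type   = 'StartupLNK'
                    Detail = "$($_.FullName) -> $target $lnkArgs (Start in: $($lnk.WorkingDirectory))"
                }
            }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No matching artefacts found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it in a normal (non-elevated) PowerShell session to inspect the current user's HKCU hive and Startup folder; the CommonStartup directory is read as well so an all-users shortcut is not missed. The .exe-as-DLL pattern is the more general of the two checks and will also catch shortcuts that use a different export name.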

On reboot, all active processes were hidden.

notepad.exe processes were created, each with its process filename set to %WINDIR%\system32\notepad.exe.

An HTTP connection was attempted to 195.189.227.216 by launching the Internet Explorer executable IEXPLORE.EXE with the parameter http://195.189.227.216/

An HTTP GET request was then performed for MSS1.rar:
Filename: MSS1.rar
Filesize: 629528
MD5: 291876e0b5a2620c001b6573185507c0
SHA1: ac800ca45e193ee19afaad8c7c6fb8e6656755cf
SHA256: a4403533a452c016825fca050619566e6a9baeb2d64a6512c54d1ea8c362c8b3
Geolocation of 195.189.227.216 (http://www.utrace.de/?query=195.189.227.216):
Provider: SERVER.UA Ukraine Dedicated Service
Region: Mykolayiv (Ukraine)
VirusTotal report for jag331149.exe: http://www.virustotal.com/file/5f8b53b02d57c523871b2dff8bbb93aa6321ca61702903d3cb32167509f662aa/analysis/