A forum for reverse engineering, OS internals and malware analysis 

 #14337  by rkhunter
 Thu Jun 28, 2012 10:16 am
Dropper

MD5: 1cb27d4ecd25c2030ebb6a1a9b7e3321
SHA1: 8d502546c344a16c66ff4ee82dda3004343d3ff9

33 / 42 https://www.virustotal.com/file/83230bd ... /analysis/

Dropped:
%appdata%\dplaysvr.exe -> MD5: 71d1aaf8150ae6b2ffa60b241d84b365
%appdata%\dplayx.dll -> MD5: ebe71d129858f2f5e9fd81940b25d251
Autorun from:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\dplaysvr
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\dplaysvr
Modifies hosts:
94.63.147.16 hxxp://www.google.com
94.63.147.17 hxxp://www.bing.com
Contains user-mode "rootkit" functionality (infects processes in memory):

function hooking to hide the autostart keys and the files in %appdata%,
and PEB hiding

[Two screenshots and three sample archives attached, password: infected]
 #14341  by Tigzy
 Thu Jun 28, 2012 12:45 pm
Fun :)
Thanks for sharing it

RogueKiller V7.6.1 [28/06/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.sur-la-toile.com/discussion- ... ntees.html
Blog: http://tigzyrk.blogspot.com

Operating system: Windows XP (5.1.2600 Service Pack 3) 32-bit version
Startup: Normal mode
User: Administrateur [Admin rights]
Mode: Scan -- Date: 28/06/2012 14:44:42

¤¤¤ Malicious processes: 1 ¤¤¤
[SUSP PATH] dplayx.dll -- C:\Documents and Settings\Administrateur\Application Data\dplayx.dll -> UNLOADED

¤¤¤ Registry entries: 3 ¤¤¤
[HJPOL] HKCU\[...]\Policies\Explorer\Explorer : NoSMHelp (1) -> FOUND
[HIDDEN VAL] HKCU\[...]\Run : dplaysvr (C:\Documents and Settings\Administrateur\Application Data\dplaysvr.exe) -> FOUND
[HIDDEN VAL] HKLM\[...]\Run : dplaysvr (C:\Documents and Settings\Administrateur\Application Data\dplaysvr.exe) -> FOUND

¤¤¤ Particular files / folders: ¤¤¤

¤¤¤ Driver: [LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS file: ¤¤¤
94.63.147.16 http://www.google.com
94.63.147.17 http://www.bing.com


¤¤¤ MBR check: ¤¤¤

+++++ PhysicalDrive0: VBOX HARDDISK +++++
--- User ---
[MBR] c708b764ca9daa4f8f33e4e8b3b517da
[BSP] f4eb87199eee8a432bb482bb55118447 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 4086 MB
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1].txt >>

EDIT: Wide hook injection indeed
[Screenshot attached: Capture.PNG]
Last edited by Tigzy on Thu Jun 28, 2012 12:57 pm, edited 2 times in total.
 #14343  by Tigzy
 Thu Jun 28, 2012 12:56 pm
translating it to English would be great
The problem is that my VM is in French... :/
But the program runs in English on an English OS :D
¤¤¤ infected processes: 1 ¤¤¤
[SUSPicious PATH] dplayx.dll -- C:\Documents and Settings\Administrateur\Application Data\dplayx.dll -> UNLOADED (from explorer.exe)

¤¤¤ Registry entries: 3 ¤¤¤
[HJPOL] HKCU\[...]\Policies\Explorer\Explorer : NoSMHelp (1) -> FOUND
[HIDDEN VAL] HKCU\[...]\Run : dplaysvr (C:\Documents and Settings\Administrateur\Application Data\dplaysvr.exe) -> FOUND
[HIDDEN VAL] HKLM\[...]\Run : dplaysvr (C:\Documents and Settings\Administrateur\Application Data\dplaysvr.exe) -> FOUND
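As an added example (not code from the thread, from RogueKiller, or from the sample), the two checks that make this dropper visible in the report above can be reproduced in plain Python: parsing the hosts file for well-known domains pointed at a public address, and a cross-view diff of the Run key that surfaces values a hooked process cannot see. The hosts content is constructed from the entries rkhunter posted; the two registry "views" (`API_VIEW`, `HIVE_VIEW`) are hypothetical stand-ins for a hooked process's enumeration and a raw hive parse, and `suspicious_path` encodes the %appdata% heuristic behind RogueKiller's `[SUSP PATH]` tag.

```python
"""Added triage helpers for the dplaysvr dropper discussed in this thread.

Two checks reproduce, in plain Python, what the RogueKiller report above
flags: hosts-file hijacks that point well-known domains at a public address,
and cross-view detection of Run values that a user-mode hook hides from the
live registry API but that are still present in the raw hive. The sample
data below is constructed from the IOCs posted in the thread; the two
registry "views" are hypothetical, not captured from the sample.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

# Domains a hosts file has no business pointing at a public IP.
WATCHED_DOMAINS = frozenset({"www.google.com", "www.bing.com"})

# Constructed hosts file reproducing the two entries rkhunter posted.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
94.63.147.16    www.google.com
94.63.147.17    www.bing.com
"""

# Hypothetical views of HKCU\...\Run: API_VIEW is what a process whose
# registry API is hooked by dplayx.dll would enumerate; HIVE_VIEW is what a
# raw parse of NTUSER.DAT (or an unhooked process) returns.
API_VIEW: Dict[str, str] = {"ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"}
HIVE_VIEW: Dict[str, str] = {
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    "dplaysvr": r"C:\Documents and Settings\Administrateur\Application Data\dplaysvr.exe",
}

# Executables run straight out of the per-user application-data folder
# (XP "Application Data", Vista+ "AppData\Roaming").
APPDATA_RE = re.compile(r"\\(Application Data|AppData\\Roaming)\\[^\\]+\.(exe|dll)$", re.I)


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs from hosts-file text, dropping comments."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # inline and full-line comments
        if not line:
            continue
        ip, *names = line.split()
        pairs.extend((ip, name.lower()) for name in names)
    return pairs


def hosts_hijacks(text: str, watched=WATCHED_DOMAINS) -> List[Tuple[str, str]]:
    """Watched domains mapped to anything other than loopback/unspecified."""
    hits = []
    for ip, name in parse_hosts(text):
        if name not in watched:
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            hits.append((ip, name))  # unparsable address: still report it
            continue
        if not (addr.is_loopback or addr.is_unspecified):
            hits.append((ip, name))
    return hits


def hidden_run_values(api_view: Dict[str, str], hive_view: Dict[str, str]) -> Dict[str, str]:
    """Cross-view diff: Run values in the hive that the hooked API does not show."""
    return {name: cmd for name, cmd in hive_view.items() if name not in api_view}


def suspicious_path(path: str) -> bool:
    """True for an .exe/.dll living directly in the user's application-data folder."""
    return APPDATA_RE.search(path) is not None


def triage() -> dict:
    """Run all three checks over the constructed samples."""
    return {
        "hosts_hijacks": hosts_hijacks(SAMPLE_HOSTS),
        "hidden_run_values": hidden_run_values(API_VIEW, HIVE_VIEW),
        "suspicious_autoruns": {n: c for n, c in HIVE_VIEW.items() if suspicious_path(c)},
    }


if __name__ == "__main__":
    for check, result in triage().items():
        print(f"{check}: {result}")
```

The cross-view diff is the point worth keeping: a hook inside explorer.exe can only lie to callers that go through the hooked API, so any second vantage point (an offline hive parse, a clean process, or a boot-time scanner) exposes the hidden value, which is exactly what the `[HIDDEN VAL]` lines above show.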