SonicALERT
Sonicwall Signatures

BackDoor.FDKM_14
BackDoor.FDKM_14 is a Trojan. A Trojan is a program that pretends to have a valid use, but in fact modifies the user's computer in malicious ways. Trojans do not replicate or spread to other computers.

Mutexes created
  • DBWinMutex
  • C:\DOCUME~1\TestMachine\LOCALS~1\Temp\c67d8827e0b0fbd10a1134d78791c49b.bin


Directory level activity
  • create - dir - C:\Program Files\AppPatch


File level activity
  • delete - file - C:\DOCUME~1\TestMachine\LOCALS~1\Temp\c67d8827e0b0fbd10a1134d78791c49b.bin


Registry level activity
  • write - registry - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Yqrstk MnfghMarkTime
  • write - registry - SYSTEM\CurrentControlSet\Services\Yqrstk MnfghDescription


Library level activity
  • load - library - KERNEL32
  • load - library - KERNEL32.dll
  • load - library - MFC42.DLL
  • load - library - MSVCRT.dll
  • load - library - USER32.dll
  • load - library - GDI32.dll
  • load - library - ADVAPI32.dll
  • load - library - SHELL32.dll
  • load - library - ole32.dll
  • load - library - OLEAUT32.dll
  • load - library - urlmon.dll
  • load - library - WINMM.dll
  • load - library - WS2_32.dll
  • load - library - MSVCP60.dll
  • load - library - iphlpapi.dll
  • load - library - WTSAPI32.dll
  • load - library - NETAPI32.dll
  • load - library - PSAPI.DLL
  • load - library - KERNEL32.DLL
  • load - library - mscoree.dll
  • load - library - mscoree.dll


Process API calls used
  • NtOpenSection
  • VirtualProtectEx
  • NtFreeVirtualMemory
  • ShellExecuteExW
  • NtCreateSection
  • ZwMapViewOfSection
  • ExitProcess


Registry API calls used
  • RegOpenKeyExA
  • RegCreateKeyExA
  • RegSetValueExA
  • RegCloseKey
  • RegOpenKeyExW
  • RegEnumKeyW
  • RegQueryValueExW
  • RegCloseKey


System API calls used
  • LdrGetDllHandle
  • LdrGetProcedureAddress
  • LdrLoadDll
  • NtDelayExecution
  • LdrGetDllHandle


Filesystem API calls used
  • NtCreateFile
  • CreateDirectoryW
  • CopyFileA
  • NtOpenFile
  • NtSetInformationFile
  • FindFirstFileExW

Network

UDP source >> destination
  • 192.168.30.3 >> 8.8.8.8


TCP source >> destination

Domains:
  • zxl520.f3322.org with IP - 181.63.32.11

DNS Request:
  • zxl520.f3322.org

HTTP Request:
  • NA

DLL related data
Number of DLLs imported = 7
  • KERNEL32.dll
  • USER32.dll
  • GDI32.dll
  • WINSPOOL.DRV
  • ADVAPI32.dll
  • SHELL32.dll
  • COMCTL32.dll

Relevant Information