BKDR_KELIHOS.SM1

July 14, 2015
 Analysis by: RonJay Kristoffer Caragay
 ALIASES:

Backdoor:Win32/Kelihos (Microsoft); Trojan.Win32.Kelihos (Ikarus); Win32/Kelihos.G (ESET-NOD32); Backdoor.Win32.Hlux.dca (Kaspersky)

 PLATFORM:

Windows

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Backdoor

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

  TECHNICAL DETAILS

File Size:

1,067,508 bytes

File Type:

EXE

Memory Resident:

Yes

Initial Samples Received Date:

13 Jul 2015

Arrival Details

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Autostart Technique

This backdoor adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
{random parameter 1}{random parameter 2} = "{malware path and file name}"

Other Details

This backdoor connects to the following possibly malicious URL:

  • http://{BLOCKED}.{BLOCKED}.29.224/{URI}.htm
  • http://{BLOCKED}.{BLOCKED}.200.111/{URI}.htm
  • http://{BLOCKED}.{BLOCKED}.52.170/{URI}.htm
  • http://{BLOCKED}.{BLOCKED}.180.254/{URI}.htm
  • http://{BLOCKED}.{BLOCKED}.108.55/{URI}.htm
  • http://{BLOCKED}.{BLOCKED}.154.233/{URI}.htm
  • http://{BLOCKED}.{BLOCKED}.153.121/{URI}.htm
  • http://{BLOCKED}.{BLOCKED}.104.29/{URI}.htm
  • http://{BLOCKED}.{BLOCKED}.63.95/{URI}.htm
  • http://{BLOCKED}.{BLOCKED}.56.114/{URI}.htm
  • http://{BLOCKED}.{BLOCKED}.156.245/{URI}.htm
  • http://{BLOCKED}.{BLOCKED}.183.215/{URI}.htm
  • http://{BLOCKED}.{BLOCKED}.143.94/{URI}.htm
  • http://{BLOCKED}.{BLOCKED}.183.146/{URI}.htm
  • http://{BLOCKED}.{BLOCKED}.95.215/{URI}.htm
  • http://{BLOCKED}.{BLOCKED}.149.19/{URI}.htm
  • http://{BLOCKED}.{BLOCKED}.221.220/{URI}.htm
  • http://{BLOCKED}.{BLOCKED}.49.92/{URI}.htm
  • http://{BLOCKED}.{BLOCKED}.233.235/{URI}.htm
  • http://{BLOCKED}.{BLOCKED}.250.47/{URI}.htm
  • http://{BLOCKED}.{BLOCKED}.130.68/{URI}.htm
  • http://{BLOCKED}.{BLOCKED}.165.58/{URI}.htm
  • http://{BLOCKED}.{BLOCKED}.198.141/{URI}.htm
  • http://{BLOCKED}.{BLOCKED}.96.211/{URI}.htm
  • http://{BLOCKED}.{BLOCKED}.87.243/{URI}.htm
  • http://{BLOCKED}.{BLOCKED}.190.126/{URI}.htm
  • http://{BLOCKED}.{BLOCKED}.252.67/{URI}.htm
  • http://{BLOCKED}.{BLOCKED}.202.53/{URI}.htm
  • http://{BLOCKED}.{BLOCKED}.68.92/{URI}.htm
  • http://{BLOCKED}.{BLOCKED}.67.27/{URI}.htm
  • http://{BLOCKED}.{BLOCKED}.73.217/{URI}.htm
  • http://{BLOCKED}.{BLOCKED}.169.207/{URI}.htm
  • http://{BLOCKED}.{BLOCKED}.104.231/{URI}.htm
  • where {URI} can be any of the following:
    • file
    • online
    • main
    • start
    • install
    • login
    • setup
    • welcome
    • search
    • home
    • default
    • index

NOTES:

The auto-run registry {random parameter 1} can be any of the following:

  • Network
  • Time
  • CrashReport
  • Database
  • Icon
  • Desktop
  • Tray
  • Video
  • Media

The auto-run registry {random parameter 2} can be any of the following:

  • Informer
  • Verifyer
  • Saver
  • Notifyer
  • Checker
  • Updater

For example:

  • NetworkVerifyer
  • TrayNotifyer
  • CrashReportUpdater