Backdoor.Baccamun

By GoldSparrow in Backdoors

Threat Scorecard

Popularity Rank: 19,989
Threat Level: 80 % (High)
Infected Computers: 161
First Seen: July 28, 2014
Last Seen: March 29, 2026
OS(es) Affected: Windows

Backdoor.Baccamun is a backdoor Trojan that has been observed abusing ActiveX controls in the Windows Common Controls library. Once installed it leaves the system open to a remote attacker, who can use the backdoor to gain access to the machine. It has also been reported to target documents, mostly on Korean-language systems. Users should detect and remove Backdoor.Baccamun with proper security tools before it causes serious damage.

File System Details

Backdoor.Baccamun may create the following file(s):

#   File Name                    Detections
1.  %Windir%\Tasks\taskmgr.exe

Note that the legitimate Task Manager is %Windir%\System32\taskmgr.exe; a copy of that name under %Windir%\Tasks is the indicator, not the genuine binary.

Registry Details

Backdoor.Baccamun may create the following registry entry or registry entries (a Run-key value so the dropped file starts with every logon):
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Java Run Environment 1.1.0023" = "%Windir%\tasks\taskmgr.exe"

URLs

Backdoor.Baccamun may call the following URLs:

www.telecom.ntdll.net

Analysis Report

General information

Family Name: Trojan.Dinwod.B
Signature status: Self Signed

Known Samples

MD5: b579a13779c72d1993708f3b9531093b
SHA1: f42d89b04566900d6e30bcd74213b6db5eea49a0
SHA256: 0F5E30229809FA86ED62C90B144D246333A015E259135F21775C90DE18383A52
File Size: 412.03 KB, 412032 bytes
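The indicators in the File System Details, Registry Details, URLs and Known Samples sections above can be turned into a small offline triage script. The following is an added example, not code from the page or from any vendor: it parses a `reg export` of the HKCU Run key, flags both the value name listed above and any taskmgr.exe launched from outside System32 (a generalization of the page's single entry), matches DNS log lines against the listed C2 host, and compares a file's digests with the sample hashes. The .reg text, the DNS log lines and the log-line layout are constructed for the example.

```python
"""Offline triage for the Backdoor.Baccamun indicators listed on this page (added example)."""
import hashlib
import re
from typing import Dict, List

# Indicators copied from the page.
RUN_VALUE_NAME = "Java Run Environment 1.1.0023"
C2_HOST = "www.telecom.ntdll.net"
KNOWN_HASHES = {
    "md5": "b579a13779c72d1993708f3b9531093b",
    "sha1": "f42d89b04566900d6e30bcd74213b6db5eea49a0",
    "sha256": "0f5e30229809fa86ed62c90b144d246333a015e259135f21775c90de18383a52",
}

# Constructed sample input (not real telemetry): a `reg export` of the HKCU Run key.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"TaskMgr"="C:\\Windows\\System32\\Taskmgr.exe"
"Java Run Environment 1.1.0023"="C:\\Windows\\tasks\\taskmgr.exe"
"Updater"="C:\\Users\\user\\AppData\\Roaming\\taskmgr.exe"
'''

# Constructed DNS log lines in an assumed "<timestamp> <client> <qtype> <qname>" layout.
SAMPLE_DNS = [
    "2014-07-28T10:01:02Z 10.0.0.15 A www.microsoft.com",
    "2014-07-28T10:01:09Z 10.0.0.15 A www.telecom.ntdll.net.",
    "2014-07-28T10:02:11Z 10.0.0.22 A ntdll.net",
]

_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s: str) -> str:
    # .reg syntax escapes backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the subset of .reg syntax needed here: [Key] headers and "name"="string" lines."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if m and current is not None:
            keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def triage_run_keys(keys: Dict[str, Dict[str, str]]) -> List[str]:
    """Flag the family's Run value name, plus any taskmgr.exe started from outside System32/SysWOW64."""
    # The real Task Manager lives in %Windir%\System32; the page's drop location is %Windir%\Tasks.
    findings = []
    for key, values in keys.items():
        if not key.lower().endswith(r"\microsoft\windows\currentversion\run"):
            continue
        for name, data in values.items():
            path = data.lower()
            if name == RUN_VALUE_NAME:
                findings.append(f"{key}\\{name} = {data}  [known Backdoor.Baccamun value name]")
            elif path.endswith("\\taskmgr.exe") and "\\system32\\" not in path and "\\syswow64\\" not in path:
                findings.append(f"{key}\\{name} = {data}  [taskmgr.exe outside System32]")
    return findings


def file_digests(data: bytes) -> Dict[str, str]:
    """Hex digests of a file's contents for the three algorithms the page lists."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in KNOWN_HASHES}


def hash_matches(data: bytes) -> List[str]:
    """Algorithms for which the file's digest equals the page's sample hash (empty list = no match)."""
    digests = file_digests(data)
    return [alg for alg, h in KNOWN_HASHES.items() if digests[alg] == h]


def dns_hits(lines: List[str]) -> List[str]:
    """Return log lines whose queried name is the C2 host or a subdomain of it (trailing dot tolerated)."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        qname = parts[3].lower().rstrip(".")
        if qname == C2_HOST or qname.endswith("." + C2_HOST):
            hits.append(line)
    return hits


if __name__ == "__main__":
    for f in triage_run_keys(parse_reg_export(SAMPLE_REG)):
        print("REGISTRY:", f)
    for line in dns_hits(SAMPLE_DNS):
        print("DNS:", line)
    print("hash match on constructed bytes:", hash_matches(b"not the sample"))
```

On a live host, feed `parse_reg_export` the output of `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run.reg` (the file is UTF-16, so open it with that encoding), and pass the bytes of any `taskmgr.exe` found under `%Windir%\Tasks` to `hash_matches`. The DNS check deliberately matches only the host the page lists and its subdomains; widening it to the parent domain is an analyst's call the page does not support.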

Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have exports table
  • File doesn't have relocations information
  • File is 32-bit executable
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

Digital Signatures

Signer     Root                                       Status
AOL Inc.   VeriSign Class 3 Code Signing 2009-2 CA    Self Signed

File Traits

  • HighEntropy
  • x86

Files Modified

File                                                             Attributes
c:\users\user\appdata\local\temp\nswa4c7.tmp Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nswa4c7.tmp\context.ini Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nswa4c7.tmp\context.ini Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nswa4c7.tmp\system.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nswa4c7.tmp\system.dll Synchronize,Write Attributes
c:\users\user\appdata\local\temp\sdcdm\context.ini Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\users\user\appdata\local\temp\sdcdm\downloadmanager.exe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\sdcdm\libcurl.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\sdcdm\zlib1.dll Generic Write,Read Attributes

Registry Modifications

Key::Value    Data    API Name
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations *1\??\C:\Windows\SystemTemp\MicrosoftEdgeUpdate.exe.old122e4*1\??\C:\Windows\SystemTemp\CopilotUpdate.exe.old12352*1\??\C:\P RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75 RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475 RegNtPreCreateKey

Windows API Usage

Category / API
Process Manipulation Evasion
  • NtUnmapViewOfSection (the call process-hollowing loaders use to unmap a suspended process's image before writing their own code into it)
Process Shell Execute
  • ShellExecute
Network Winsock2
  • WSAStartup
Anti Debug
  • OutputDebugString
Network Winsock
  • closesocket
  • gethostbyname
  • inet_addr
  • socket

Shell Command Execution

Open C:\Users\Deizknru\AppData\Local\Temp\SDCDM\DownloadManager.exe
