Installation
Threats in this family can install themselves to the following locations:
They set the file attributes to read-only, hidden, and system.
They can also create the following files:
- <install folder>\SecureDll.dll - this file contains the functionality to steal keystrokes, and is detected as TrojanSpy:Win32/Dexter!dll
- <install folder>\strokes.log - this file contains encrypted data
- <install folder>\tmp.log - this file also contains encrypted data
Where <install folder> is the folder the threat is currently running from.
Variants can create an encrypted copy as %APPDATA%\settings.ini.
They can also change the following registry entries so that they run each time you start your PC:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Windows NT Service"
With data: "%APPDATA%\adobeflashplayer\mswinhost.exe"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Windows NT Service"
With data: "%APPDATA%\oraclejava\javaw.exe"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Media Player Fast Start"
With data: "%APPDATA%\media player classic\mplayerc.exe"
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Media Player Fast Start"
With data: "%APPDATA%\media player classic\mplayerc.exe"
In subkey: HKCU\Software\Microsoft\Active Setup\Installed Components\<machine GUID>
Sets value: "StubPath"
With data: "%APPDATA%\media player classic\mplayerc.exe"
In subkey: HKLM\Software\Microsoft\Active Setup\Installed Components\<machine GUID>
Sets value: "StubPath"
With data: "%APPDATA%\media player classic\mplayerc.exe"
In subkey: HKLM\Software\Microsoft\Active Setup\Installed Components\<machine GUID>
Sets value: "StubPath"
With data: "%APPDATA%\navigator\winmgmt.exe"
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<random characters>", for example "wlsjrvxy"
With data: "<system folder>\<random characters>.exe", for example "<system folder>\wlsjrvxy.exe"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<random characters>", for example "wlsjrvxy"
With data: "%APPDATA%\<random characters>.exe", for example "%APPDATA%\wlsjrvxy.exe"
In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Sun Java Security Plugin"
With data: "%Appdata%\Java Security Plugin\javaplugin.exe"
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Sun Java Security Plugin"
With data: "%Appdata%\Java Security Plugin\javaplugin.exe"
Variants can also create these entries as part of their installation routine:
In subkey: HKCU\Software\HelperSolutions Software
Sets value: "Digit"
With data: "<GUID>", for example, "16129044-7d76-4870-9cf7-3bf969ae1b0e"
In subkey: HKCU\Software\HelperSolutions Software
Sets value: "val1"
With data: "<malware installation folder>\strokes.log"
In subkey: HKCU\Software\HelperSolutions Software
Sets value: "val2"
With data: "<malware installation folder>\tmp.log"
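The following audit script is an added example and not part of the Microsoft write-up: it walks the Run and Active Setup locations listed above and reports any value whose name or target matches the documented names and %APPDATA% paths, plus the "<random characters>" pattern where the value name equals the executable's base name (the length/charset heuristic used for that pattern is an assumption). It is read-only.

```powershell
# Added example, not part of the Microsoft write-up: audits the Run and
# Active Setup locations listed above for the value names and %APPDATA%
# paths documented for this family. Read-only; it only reports.
$KnownRunValues = @('Windows NT Service', 'Media Player Fast Start',
                    'Sun Java Security Plugin')
# Relative paths under %APPDATA% taken from the write-up.
$KnownAppDataPaths = @('adobeflashplayer\mswinhost.exe', 'oraclejava\javaw.exe',
                       'media player classic\mplayerc.exe', 'navigator\winmgmt.exe',
                       'Java Security Plugin\javaplugin.exe')
$RunKeys = @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run')
$ActiveSetupKeys = @('HKCU:\Software\Microsoft\Active Setup\Installed Components',
                     'HKLM:\Software\Microsoft\Active Setup\Installed Components')
function Expand-Data([string]$Data) {
    # Expand %APPDATA% etc. and strip surrounding quotes before comparing.
    return [Environment]::ExpandEnvironmentVariables($Data).Trim('"')
}
function Test-KnownPath([string]$Data) {
    $expanded = Expand-Data $Data
    foreach ($p in $KnownAppDataPaths) { if ($expanded -like "*\$p") { return $true } }
    return $false
}
$findings = @()
foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item $key
    foreach ($name in $item.GetValueNames()) {
        $data = [string]$item.GetValue($name)
        $leaf = [IO.Path]::GetFileNameWithoutExtension((Expand-Data $data))
        # Flag a documented value name, a documented target path, or the
        # "<random characters>" pattern, where the value name equals the
        # executable's base name (the length/charset heuristic is an assumption).
        if (($KnownRunValues -contains $name) -or (Test-KnownPath $data) -or
            ($name -eq $leaf -and $name -cmatch '^[a-z]{6,10}$')) {
            $findings += [pscustomobject]@{ Key = $key; Value = $name; Data = $data }
        }
    }
}
foreach ($key in $ActiveSetupKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($sub in Get-ChildItem $key) {
        $stub = [string]$sub.GetValue('StubPath')
        if ($stub -and (Test-KnownPath $stub)) {
            $findings += [pscustomobject]@{ Key = $sub.Name; Value = 'StubPath'; Data = $stub }
        }
    }
}
if ($findings) { $findings | Format-Table -AutoSize }
else { 'No documented Dexter persistence entries found.' }
```

Run it in both a user context and an elevated one, since the HKLM entries are only readable in full with administrative rights on some systems.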
The malware can use code injection to make it harder to detect and remove. It can inject code into running processes, including the following:
The injected code monitors the main process. If the main process is terminated, it will decrypt its copy from settings.ini, create the file %APPDATA%\winservs.exe and then run it.
Payload
Steals your personal information
Threats in this family can steal your personal information and send it to a malicious hacker, including your:
- bank account numbers
- credit card information
- PC name
- user name
It generates a unique id and saves it in the following registry entry:
In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion
Sets value: "identifier"
With data: "<generated unique id>", for example "pnjezyo"
To gather the information, the malware enumerates running processes. It parses each running process and searches for possible account numbers. It excludes a number of files, including those with the following hashes:
- 0BF1 - explorer
- 7C7E - chrome
- 3773 - firefox
- 0768 - iexplore
- 310A - svchost
- 0CC6 - smss
- 352E - csrss
- 3102 - wininit
- 0388 - devenv
- 0CED - winlogon
- 0364 - services
- 3F26 - lssas
- 3616 - spoolsv
- 3434 - alg
- 0884 - mscorsvw
- 0B9A - mysqld
- 72FD - wmiprvse
- 3D7D - LogonUI
- 07F1 - taskhost
- 3F85 - wuauclt
Connects to a remote server
This threat connects to a remote server to upload stolen information and receive instructions from a malicious hacker. We have seen it connect to the following sites using port 443:
- 151.248.<removed>.107
- 62.76.<removed>44.111
- backup-service.in.ua
- biketools.ru/<removed>/showtopic.php
- cyclingtools.ru/<removed>/showtopic.php
- kitchentools.ru/<removed>/showtopic.php
- pop3smtp5imap2.com/<removed>/fly.php
- stenfirthsta.com/<removed>/viewtopic.php
- wetinulaf.com/<removed>/viewtopic.php
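The following hunt script is an added example and not part of the Microsoft write-up: it checks the local DNS client cache for the documented hostnames and, when a proxy log path is supplied, searches that log for the hostnames and the documented PHP file names (the <removed> path segments are unknown, so only the leaf names are matched).

```powershell
# Added example, not part of the Microsoft write-up: looks for the documented
# command-and-control hostnames in the local DNS client cache and, when a
# proxy log path is supplied, for the hostnames and URI leaf names in it.
param([string]$ProxyLog)

$c2Hosts = @('backup-service.in.ua', 'biketools.ru', 'cyclingtools.ru',
             'kitchentools.ru', 'pop3smtp5imap2.com', 'stenfirthsta.com',
             'wetinulaf.com')
# URI leaf names from the write-up; the removed middle segments are unknown.
$c2Paths = @('showtopic.php', 'fly.php', 'viewtopic.php')

# Get-DnsClientCache exists on Windows 8 / Server 2012 and later.
if (Get-Command Get-DnsClientCache -ErrorAction SilentlyContinue) {
    Get-DnsClientCache | Where-Object { $c2Hosts -contains $_.Entry } |
        ForEach-Object { "ALERT: DNS cache holds $($_.Entry) -> $($_.Data)" }
}

if ($ProxyLog -and (Test-Path $ProxyLog)) {
    $hostPattern = ($c2Hosts | ForEach-Object { [regex]::Escape($_) }) -join '|'
    $pathPattern = ($c2Paths | ForEach-Object { [regex]::Escape($_) }) -join '|'
    # A line naming a documented host is suspicious; a host hit combined with
    # one of the documented PHP leaf names is a stronger match.
    Select-String -Path $ProxyLog -Pattern $hostPattern | ForEach-Object {
        $strength = if ($_.Line -match $pathPattern) { 'HIGH' } else { 'MEDIUM' }
        "$strength`: line $($_.LineNumber): $($_.Line.Trim())"
    }
}
```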
It can receive the following commands from a malicious hacker:
- Change the remote server it connects to
- Download and run files. These files are saved to %TEMP%\<random file name>
- Terminate the injected thread and itself
- Update itself
- Uninstall itself
Lowers browser security settings
Variants in this family can make changes to lower your Internet Explorer security settings, including setting EXE, BAT, REG, and VBS files to low-risk. These file types are often used to run malware. It does this by changing the following security settings:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations
Sets value: "LowRiskFileTypes"
With data: ".exe;.bat;.reg;.vbs;"
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
Sets value: "1806"
With data: "0"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
Sets value: "1806"
With data: "0"
Additional information
This threat can create the following mutex:
- aMD6qt7lWb1N3TNBSe4N
- Undsa8301nskal
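The following check is an added example and not part of the Microsoft write-up; it covers both the "Lowers browser security settings" section and the mutex names above. It reports the zone action 1806 and LowRiskFileTypes values documented as weakened by this family and tests whether either documented mutex is currently held, using the .NET Mutex.TryOpenExisting API. It is read-only.

```powershell
# Added example, not part of the Microsoft write-up: reports the Internet
# Explorer settings documented as weakened by this family and tests whether
# either documented mutex name is currently held. Read-only.
$zoneKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0'
)
$assocKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Associations'
$mutexes  = @('aMD6qt7lWb1N3TNBSe4N', 'Undsa8301nskal')
$weak = @()

# Zone action 1806 ("Launching applications and unsafe files"): 0 = Enable
# with no prompt, which is the value the write-up says this family sets.
foreach ($k in $zoneKeys) {
    $v = (Get-ItemProperty -Path $k -Name '1806' -ErrorAction SilentlyContinue).'1806'
    if ($v -eq 0) { $weak += "$k\1806 = 0 (unsafe files launch without a prompt)" }
}

# LowRiskFileTypes suppresses the open/run warning for the listed extensions.
$low = (Get-ItemProperty -Path $assocKey -Name 'LowRiskFileTypes' `
            -ErrorAction SilentlyContinue).LowRiskFileTypes
if ($low) {
    $risky = @($low -split ';' | Where-Object { $_ -in '.exe', '.bat', '.reg', '.vbs' })
    if ($risky.Count) { $weak += "LowRiskFileTypes includes $($risky -join ' ')" }
}

# A held mutex indicates the sample (or its injected code) is still running.
foreach ($name in $mutexes) {
    $m = $null
    if ([System.Threading.Mutex]::TryOpenExisting($name, [ref]$m)) {
        $weak += "mutex '$name' is present"
        $m.Dispose()
    }
}

if ($weak.Count) { $weak | ForEach-Object { "ALERT: $_" } }
else { 'No documented Dexter settings changes or mutexes found.' }
```

Restore any weakened value to your organisation's baseline rather than to a guessed default, since the correct 1806 setting for the Local Machine zone depends on the group policy in use.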
It checks if a previous version of the malware exists on the system and removes it. It then opens the following mutex:
Analysis by Marianne Mallen