Backdoor:MSIL/Bladabindi.AJ copies itself to the following locations:
c:\documents and settings\administrator\application data\flashplayerplugin.exe
c:\documents and settings\administrator\start menu\programs\startup\ec75da55df7bc76b2f5430df05849464.exe
The malware changes the following registry entries so that it runs each time you start your PC:
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "ec75da55df7bc76b2f5430df05849464"
With data: ""c:\documents and settings\administrator\application data\flashplayerplugin.exe" .."
Payload
Changes system security settings
Backdoor:MSIL/Bladabindi.AJ adds itself to the list of applications that can access the Internet without being stopped by your firewall. It does this by making the following registry modification:
Adds value: "C:\Documents and Settings\Administrator\Application Data\FlashPlayerPlugin.exe"
With data: "c:\documents and settings\administrator\application data\flashplayerplugin.exe:*:enabled:flashplayerplugin.exe"
To subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Allows backdoor access and control
The malware gives a hacker access and control of your PC. They can then perform a number of different actions, including:
Downloading and running files
Uploading files
Spreading malware to other PCs
Logging your keystrokes or stealing your sensitive data
Modifying your system settings
Running or stopping applications
Deleting files
This malware description was produced and published using automated analysis of file SHA1 4b14613f52018a8e5372a0febd27e8fcddfadec0.
The following could indicate that you have this threat on your PC:
You have these files:
c:\documents and settings\administrator\application data\flashplayerplugin.exe
c:\documents and settings\administrator\start menu\programs\startup\ec75da55df7bc76b2f5430df05849464.exe
You see these entries or keys in your registry:
Sets value: "ec75da55df7bc76b2f5430df05849464"
With data: ""c:\documents and settings\administrator\application data\flashplayerplugin.exe" .."
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "C:\Documents and Settings\Administrator\Application Data\FlashPlayerPlugin.exe"
With data: "c:\documents and settings\administrator\application data\flashplayerplugin.exe:*:enabled:flashplayerplugin.exe"
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List