Trojan:Win32/Oficla.AI is a trojan that attempts to download and execute arbitrary files.
Installation
In the wild, this trojan was observed to be distributed in spam email as an attachment, as in the following examples:
![Win32/Oficla attached to spam email](msoinline/61d6216ecffb4aed)
For this sample email, the extracted file attachment appears as the following:
![Win32/Oficla attached to spam email](msoinline/edae66f51d2540d7)
When run, it creates a mutex with the following name so that only one instance of the trojan executes at a time:
- zentoworld_<8 to 10 digit number>_dada
Trojan:Win32/Oficla.AI drops a copy of itself to the affected system; the Winlogon "Shell" value set below launches this copy as csrss.exe.
The registry is modified so that the trojan runs at each Windows start:
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "Shell"
From data: "<original data>", such as "explorer.exe"
To data: "explorer.exe "<path of Trojan:Win32/Oficla.AI>\csrss.exe""
Because Winlogon starts whatever program the "Shell" value names at every logon, a Shell value containing anything other than plain explorer.exe is itself an indicator of compromise.
To hinder analysis, this variant of Oficla checks whether it is running under any of the following virtualization or sandbox technologies and attempts to avoid running in them:
Anubis
CWSandbox
JoeBox
Parallels
Sandboxie
ThreatExpert
VMware
VirtualBox
It also checks the user name and computer name against values typical of sandbox systems.
Payload
Bypasses Windows firewall
This trojan adds a Windows Firewall exception for itself, posing as a program named "ldrsoft", by adding the following registry entry:
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Adds value: "<path to Trojan:Win32/Oficla.AI file>"
With data: "<path to Trojan:Win32/Oficla.AI file>:*:enabled:ldrsoft"
The data follows the legacy Windows Firewall list format <path>:<scope>:<enabled|disabled>:<display name>; here the display name "ldrsoft" bears no relation to the csrss.exe file name, which is a useful review heuristic for this list.
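The registry artifacts above (the Winlogon "Shell" hijack, the Windows Firewall exception, and the "setiasworld" marker described under Additional Information below) can be checked offline from a registry export. The following triage script is an added example written for this page, not code from the original analysis or from Microsoft; the .reg export text it parses is constructed, and the C:\Documents and Settings\user\csrss.exe path is illustrative. On a live host you would feed it the output of `reg export` for the three keys.

```python
"""Offline triage of the Oficla.AI registry artifacts from a .reg export.

Added example for this page (not the original analysis). Parses the subset of
.reg syntax used by `reg export` for string values and runs three checks:
  1. Winlogon Shell must be exactly "explorer.exe"
  2. Firewall AuthorizedApplications entries named "ldrsoft" (or living under a
     user profile, a heuristic) are reported
  3. HKCU\\Software\\Microsoft\\setiasworld marker is reported if present
"""
import re
from typing import Dict, List, Tuple

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
FW_LIST = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
           r"\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List")
HKCU_MS = r"HKEY_CURRENT_USER\Software\Microsoft"

# Constructed sample export of an infected host; paths and marker are illustrative.
SAMPLE_REG_EXPORT = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe \"C:\\Documents and Settings\\user\\csrss.exe\""
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Documents and Settings\\user\\csrss.exe"="C:\\Documents and Settings\\user\\csrss.exe:*:enabled:ldrsoft"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:enabled:Windows Messenger"

[HKEY_CURRENT_USER\Software\Microsoft]
"setiasworld"="fyviwcdccczdp23fb2ebgrexzaldftu"
'''

# "name"="data" with \" and \\ escapes inside either string
REG_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key_path: {value_name: data}} for [key] headers and REG_SZ lines."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = REG_VALUE_RE.match(line)
        if m and current is not None:
            # undo .reg escaping: \" -> " and \\ -> \
            name, data = (re.sub(r"\\(.)", r"\1", s) for s in m.groups())
            keys[current][name] = data
    return keys


def check_winlogon_shell(keys: Dict[str, Dict[str, str]]) -> List[str]:
    """Anything appended to explorer.exe is started by Winlogon at each logon."""
    shell = keys.get(WINLOGON, {}).get("Shell", "explorer.exe")
    if shell.strip().lower() == "explorer.exe":
        return []
    return [f"Winlogon Shell hijacked: {shell}"]


def parse_fw_entry(data: str) -> Tuple[str, str, str, str]:
    """Split path:scope:state:name from the right so the drive-letter colon survives."""
    path, scope, state, name = data.rsplit(":", 3)
    return path, scope, state, name


def check_firewall_exceptions(keys: Dict[str, Dict[str, str]]) -> List[str]:
    findings = []
    for data in keys.get(FW_LIST, {}).values():
        try:
            path, _scope, state, name = parse_fw_entry(data)
        except ValueError:
            findings.append(f"Malformed firewall entry: {data}")
            continue
        if state.lower() != "enabled":
            continue
        if name == "ldrsoft":  # display name used by this Oficla variant
            findings.append(f"Oficla firewall exception ({name}): {path}")
        elif any(d in path.lower() for d in ("\\documents and settings\\", "\\users\\")):
            findings.append(f"Heuristic: firewall exception for user-profile binary: {path}")
    return findings


def check_marker_value(keys: Dict[str, Dict[str, str]]) -> List[str]:
    data = keys.get(HKCU_MS, {}).get("setiasworld")
    return [f"Oficla marker HKCU\\Software\\Microsoft\\setiasworld = {data}"] if data else []


def triage(text: str) -> List[str]:
    keys = parse_reg_export(text)
    return check_winlogon_shell(keys) + check_firewall_exceptions(keys) + check_marker_value(keys)


if __name__ == "__main__":
    for finding in triage(SAMPLE_REG_EXPORT):
        print(finding)
```

The Shell check deliberately treats any deviation from plain explorer.exe as a finding rather than looking for csrss.exe specifically, since the dropped file name varies between variants while the persistence mechanism does not.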
Disables security application
Trojan:Win32/Oficla.AI checks for the presence of Rapport, an online banking security application from Trusteer. If Rapport is present on the affected system, the trojan attempts to overwrite the following component files to disable it:
- %ProgramFiles%\Trusteer\Rapport\js\config.js
- %ProgramFiles%\Trusteer\Rapport\bin\RapportService.exe
- %ProgramFiles%\Trusteer\Rapport\bin\RapportMgmtService.exe
Searches for financial transaction activity
This trojan searches the affected user's browser cookies and Internet cache for evidence of online financial transaction activity by comparing the data against the following URI fragments and strings:
%offshor
.anz.com
/ab.lv/
/bsi.dll
abbeynational.co.uk
access.jpmorgan.com
adalptonline.it
advancial.org
albanybankonline.com
alerusfinancial.com
alliance-leicester.co.uk
alltimetreasury.pacificcapitalbank.com
americansavingsnj2.com
asbnow.com
bancobuenaventura.com
banking.calbanktrust.com
bankofcyprus.com
bankofeverettonline.com
bankoffortbendonline.com
bankofhr.com
bankofscotland.co.uk
bankofscotlandhalifax-online.co.uk
barclays.co.uk
bayportcu.org
bnycash.bankofny.com
business-eb.ibanking-services.com
businessaccess.citibank.citigroup.com
businessonline.huntington.com
businessonline.tdbank.com
businessonlineaccess.web-cashplus.com
bz555ankofamerica.com
capitalone.com
cashmgt.firsttennessee.biz
ccbankonline.com
cedacri.it
centurysb.com
chase.com
citibank.co.uk
citizensbank.ebanking-services.com
cm.netteller.com
columbiabankonline.com
commbank.com.au
commerceconnections.commercebank.com
commercial.wachovia.com
commerzbanking.de
cornerbanksonline.com
csebanking.it
csebo.it
ctreporter.coletaylor.com
cybersource.com
czz55hase.com
deutsche-bank.de
directline4biz.com
e-access.compassbank.com
easterntreasuryconnect.com
eastwestbankhb.com
ebank-monticello.com
ebanking-services.com
ecathay.com
emarquettebankonline.com
express.53.com
ffsbkyonline.com
fhbankna.com
fidelitybankofpa.com
fiducia.de
finanzportal.fiducia.de
firstdirect.com
firstrepublichb.com
fiservdmecorp1.net
goldleafach.com
gruppocarige.it
halifax-online.co.uk
halifax.co.uk
hellenicnetbanking.com
hsbc.co.uk
ibank.alfabank.ru
ibscassbank.com
independentcm.com
isideonline.it
itreasury.regions.com
jpmorgan.com
laiki.com
lakecitybank.webcashmgmt.com
libertyreserve.com
lloydsbankinternational.es
lloydstsb.co.uk
metlifebanksecure.com
mibank.com
mibusinessonlinebanking.ebanking-services.com
monetaonline.it
myib.firstmerchants.com
myunionstate.com
nab.com.au
nassaued.org
nationalcity.com
nationalinterbank.com
natwest.co.uk
netconnect.bokf.com
nwolb.co.uk
nwolb.com
onb.webcashmgmt.com
online.westpac.com.au
onlineaccess.ncsecu.org
onlinencr.com
onlinetreasurymanager.suntrust.com
payment.ru
penfed.org
perfectmoney.com
postbank.de
poste.it
quercia.com
rbs.co.uk
rbsdigital.com
s2b.standardchartered.com
santander.co.uk
sboff.com
schwab.com
scotiabank.com
secure.fundsxpress.com
secure.paymentech.com
securechemicalbankmi.com
securentrycorp.calbanktrust.com
server14.cey-ebanking.com
singlepoint.usbank.com
skagitonlinebanking.com
sparkasse.de
sterlingcorporatenetbanking.com
sterlingnetbanking.com
sterlingwires.com
stgeorge.com.au
summitbankingonline.com
suncorpbank.com.au
sunnb.blilk.com
targobank.de
top.capitalonebank.com
trading.scottrade.com
treas-mgt.frostbank.com
treasurydirect.tdbank.com
treasurypathways.com
twinstarcu.com
wcmfd/wcmpw/CustomerLogi
web-cashplus.com
webexpress.tdbanknorth.com
wellsoffice.wellsfargo.com
westamericabankonline.com
whitneybank.web-access.com
ws2.bankbyweb.net
wtb.ebanking-services.com
www8.comerica.com
If it finds a match, it may report this to its remote command-and-control server.
Downloads and executes arbitrary files
This malware is capable of executing commands received from its control server, such as downloading and executing arbitrary files. Trojan:Win32/Oficla.AI was observed attempting to communicate with numerous remote servers over TCP port 80. The following are some of the servers contacted by the trojan:
194.247.58.105
2aa726aadx.ru
91.217.162.151
bacrm.ru
blirm.ru
cnnus.ru
deniq.ru
dnsipnd.ru
euutwouukw.ru
ipdnslegalserv.com
loadsi.cz.cc
onlineloads.cz.cc
rqq418qqh1.ru
ruuieyuugz.ru
statementsltd.com
systrackgeo.com
taayqiaafq.ru
waa529aam2.ru
wageri.ru
yaawufaawu.ru
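Two sweeps follow from the indicators on this page: finding contacts with the control servers listed above in a web-proxy log, and working out which of the financial sites an affected user visited the trojan would have flagged in the cookie and cache scan described under "Searches for financial transaction activity". The script below is an added example written for this page, not code from the original analysis. It assumes Squid native access.log format for the proxy lines (which are constructed, as are the cookie entries; 203.0.113.10 is a TEST-NET address), uses only a subset of the page's indicator lists to stay short, and assumes the trojan's comparison is a case-insensitive substring match, which the partial strings in the list ("/bsi.dll", "wcmfd/wcmpw/CustomerLogi") suggest but the page does not state.

```python
"""Indicator sweeps for Trojan:Win32/Oficla.AI (added example, not original code).

1. scan_proxy_log: match URL hosts and upstream peer IPs in Squid access.log
   lines against the C2 list (exact IP match; domain match includes subdomains).
2. flagged_financial_entries: which cookie/cache entries the trojan's financial
   string scan would hit, assuming case-insensitive substring matching.
"""
from ipaddress import ip_address
from typing import Dict, List
from urllib.parse import urlsplit

# Subset of the control servers listed above; extend with the full list.
C2_HOSTS = {"194.247.58.105", "91.217.162.151", "bacrm.ru", "blirm.ru", "cnnus.ru",
            "deniq.ru", "dnsipnd.ru", "ipdnslegalserv.com", "loadsi.cz.cc",
            "onlineloads.cz.cc", "statementsltd.com", "systrackgeo.com", "wageri.ru"}

# Subset of the financial strings above, kept exactly as the page lists them.
FINANCIAL_STRINGS = ["%offshor", ".anz.com", "/bsi.dll", "chase.com", "czz55hase.com",
                     "hsbc.co.uk", "nwolb.com", "wellsoffice.wellsfargo.com",
                     "wcmfd/wcmpw/CustomerLogi", "libertyreserve.com"]

# Constructed Squid native-format log lines; not real traffic.
SAMPLE_PROXY_LOG = """\
1285081931.253    412 10.0.0.23 TCP_MISS/200 1312 GET http://bacrm.ru/cgi-bin/in.cgi - DIRECT/194.247.58.105 text/html
1285081933.118     89 10.0.0.23 TCP_MISS/200 20480 GET http://www.onlineloads.cz.cc/load.exe - DIRECT/91.217.162.151 application/octet-stream
1285081940.002     31 10.0.0.42 TCP_MISS/200 5120 GET http://www.example.com/ - DIRECT/203.0.113.10 text/html
1285081950.771    120 10.0.0.23 TCP_MISS/200 300 GET http://91.217.162.151:8080/stat - DIRECT/91.217.162.151 text/plain
"""

# Constructed cookie hostnames / cache URLs from the affected user's profile.
SAMPLE_COOKIE_ENTRIES = [
    "www.example.org", "online.chase.com", "secure.hsbc.co.uk/1/2/",
    "portal.example.com/wcmfd/wcmpw/CustomerLogin.aspx", "www.anz.com", "news.example.net",
]


def host_matches(host: str, indicator: str) -> bool:
    """IP indicators match exactly; domain indicators also match their subdomains."""
    host = host.lower().rstrip(".")
    indicator = indicator.lower()
    try:
        ip_address(indicator)
        return host == indicator
    except ValueError:
        return host == indicator or host.endswith("." + indicator)


def scan_proxy_log(log: str) -> List[Dict[str, str]]:
    """Return one record per line whose URL host or upstream peer IP is a C2 indicator."""
    hits = []
    for line in log.splitlines():
        fields = line.split()
        if len(fields) < 9:
            continue  # not a complete native-format record
        client, url, peer = fields[2], fields[6], fields[8]
        parts = urlsplit(url)
        host = parts.hostname or ""
        port = parts.port or (443 if parts.scheme == "https" else 80)
        peer_ip = peer.split("/", 1)[1] if "/" in peer else ""  # "DIRECT/<ip>"
        matched = [i for i in C2_HOSTS if host_matches(host, i) or peer_ip == i]
        if matched:
            # port is reported, not filtered: the page saw TCP 80, but the
            # indicator list is the stronger signal
            hits.append({"client": client, "host": host, "port": str(port),
                         "peer": peer_ip, "indicators": ",".join(sorted(matched))})
    return hits


def flagged_financial_entries(entries: List[str]) -> Dict[str, List[str]]:
    """Map each cookie/cache entry to the financial strings found inside it."""
    flagged: Dict[str, List[str]] = {}
    for entry in entries:
        low = entry.lower()
        matches = [s for s in FINANCIAL_STRINGS if s.lower() in low]
        if matches:
            flagged[entry] = matches
    return flagged


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print("C2 contact:", hit)
    for entry, strings in flagged_financial_entries(SAMPLE_COOKIE_ENTRIES).items():
        print("would be reported to C2:", entry, strings)
```

The second sweep is what an incident responder needs after confirming the infection: the entries it returns are the accounts whose owners should be told that their banking activity was likely reported to the attacker, regardless of whether the C2 traffic itself was captured.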
Additional Information
Trojan:Win32/Oficla.AI appends some of its own data to the configuration file "%windir%\win.ini", using it as storage. It also creates the following registry data:
In subkey: HKCU\Software\Microsoft
Sets value: "setiasworld"
With data: "<identifier>", for example "fyviwcdccczdp23fb2ebgrexzaldftu"
Analysis by Gilou Tenebro