BKDR_MANGIT.SM

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It runs certain commands that it receives remotely from a malicious user. Doing this puts the affected computer and information found on the computer at greater risk. It connects to a website to send and receive information.

It gathers information and reports it to its servers.

Arrival Details

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This backdoor drops the following component file(s):

• %Application Data%\arrow1.cur
• %Application Data%\date.dat
• %Application Data%\link1.cur
• %Application Data%\select1.cur
• %Application Data%\semtitulo.cur
• %Application Data%\winup00.dat
• %Application Data%\winupdate.dat
• %Desktop%\%Application Data%\{random file name 1}.exe.lnk

(Note: %Application Data% is the Application Data folder, where it usually is C:\Documents and Settings\{user name}\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Roaming on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.. %Desktop% is the desktop folder, where it usually is C:\Documents and Settings\{user name}\Desktop in Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\Desktop in Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

It drops the following copies of itself into the affected system:

• %All Users Profile%\Microsoft\Windows\Start Menu\Programs\Startup\{random file name 1}.exe
• %Application Data%\{random file name 1}.exe
• %Program Data%\Microsoft\Windows\Start Menu\Programs\Startup\{random file name 1}.exe

(Note: %All Users Profile% is the All Users folder, where it usually is C:\Documents and Settings\All Users on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\ProgramData on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.. %Application Data% is the Application Data folder, where it usually is C:\Documents and Settings\{user name}\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Roaming on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• SW2016

Autostart Technique

This backdoor adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{random file name 2} = "%Application Data%\{random file name 1}.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
{random file name 2} = "%Application Data%\{random file name 1}.exe"

It drops the following shortcut pointing to its copy in the User Startup folder to enable its automatic execution at every system startup:

• C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\{random file name 1}.exe.lnk
• %All Users Profile%\Microsoft\Windows\Start Menu\Programs\Startup\{random file name 1}.exe.lnk

(Note: %All Users Profile% is the All Users folder, where it usually is C:\Documents and Settings\All Users on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\ProgramData on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

Backdoor Routine

This backdoor executes the following command(s) from a remote malicious user:

• Clipboard log
• Keyboard log
• Snapshot
• File Manipulation (Create, Modify, Delete)
• Execute Shell comands

It connects to the following websites to send and receive information:

• http://www.{BLOCKED}m.org.cn/libraries/pear/graph.php

Download Routine

This backdoor connects to the following website(s) to download and execute a malicious file:

• http://www.foschiattisrl.it/libraries/phputf8/utils/JK2017.exe

It saves the files it downloads using the following names:

• %User Temp%\{random file name 3}.exe

(Note: %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

Other Details

This backdoor connects to the following URL(s) to get the affected system's IP address:

• http://meuip.net.br/
• http://www.qualmeuip.com.br/

It gathers the following information and reports it to its servers:

• Username
• Computer name
• Installed AV
• Plugins
• Processor info
• Os Version
• External IP
• Date