Trojan.Win32.SEPOS.A

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It does not have any propagation routine.

It does not have any backdoor routine.

As of this writing, the said sites are inaccessible.

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan drops the following component file(s):

• %User Temp%\{Random characters}.TMP\Verita.png (script used to create component files)
• %User Temp%\{Random characters}.TMP\Chi.png (malicious AutoIt3 script) → renamed to J
• %User Temp%\{Random characters}.TMP\Detto.png (encrypted payload to be loaded)
• %User Temp%\{Random characters}.TMP\Era.png → contains Scotendosi.exe.com
• %User Temp%\{Random characters}.TMP\Scotendosi.exe.com → used to execute AutoIt3 scripts
• %User Temp%\{Random Characters}.vbs → script used for IP logging

It adds the following processes:

• dllhost.exe
• cmd /c cmd < Verita.png
• findstr /V /R "^cjfrXtCHDtyoCzLMuzRXpbumzTgxzzLlANEkKqdstKzKAbenGwaDZjkXyQJtPohlzUHPPAeyemSmtvYWRPOawikgBGyTsjCVvpsFPhJyYjBmz$" Era.png
• Scotendosi.exe.com J
• ping localhost -n 30

It creates the following folders:

• %ProgramData%\Posse

(Note: %ProgramData% is a version of the Program Files folder where any user on a multi-user computer can make changes to programs. This contains application data for all users. This is usually C:\ProgramData on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit), or C:\Documents and Settings\All Users on Windows Server 2003(32-bit), 2000(32-bit) and XP.)

Other System Modifications

This Trojan adds the following registry entries as part of its installation routine:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\RunOnce → to delete component files
wextract_cleanup0 = rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 "%User Temp%\{Random characters}.TMP\"

Propagation

This Trojan does not have any propagation routine.

Backdoor Routine

This Trojan does not have any backdoor routine.

Rootkit Capabilities

This Trojan does not have rootkit capabilities.

Download Routine

This Trojan connects to the following website(s) to download and execute a malicious file:

• https://{BLOCKED}o.co/21dTi3
  • → If Country Code is any of the following:
    • CL
    • FR
    • US
    • CY
    • FI
    • HR
    • HU
    • RO
    • PL
    • IT
    • PT
    • ES
    • CA
    • DK
    • AT
    • NL
    • AU
    • AR
    • NP
    • SE
    • BE
    • NZ
    • SK
    • GR
    • BG
    • NO
    • GE
• http://{BLOCKED}.{BLOCKED}.43.188/carlosi345679/sdfg5433456787654.exe
  • → If Country Code is "US"

It saves the files it downloads using the following names:

• %User Temp%\oihgrodpcgme.exe
• %User Temp%\dqjwakfmqppo.exe

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

As of this writing, the said sites are inaccessible.

Other Details

This Trojan terminates itself if any of the following file(s) are present:

• %User Profile%\Desktop\report.doc
• C:\aaa_TouchMeNot_.txt
• folders:
  • %ProgramData%\AVG
  • %ProgramData%\AVAST Software
  • %ProgramData%\Posse

(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name} on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %ProgramData% is a version of the Program Files folder where any user on a multi-user computer can make changes to programs. This contains application data for all users. This is usually C:\ProgramData on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit), or C:\Documents and Settings\All Users on Windows Server 2003(32-bit), 2000(32-bit) and XP.)

It terminates itself if any of the following computer name(s) are found in the affected system:

• DESKTOP-QO5QU33
• tz
• NfZtFbPfH
• ELICZ

It does not exploit any vulnerability.

It deletes the following files to remove its traces in the system:

• %User Temp%\{Random characters}.TMP

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

NOTES:

It connects to the following URL to get Country Code:

• http://{BLOCKED}i.com/json → saved as %User Temp%\{Random Hex}.tmp

It connects to the following URLs to log the connecting machine's IP address:

• https://{BLOCKED}er.org/1mBRf7

It terminates itself based on the following additional conditions:

• If number of Processors == 1
• If the amount of actual physical memory < 2GB