Analysis by: Maria Emreen Viray
 ALIASES:

HackTool:Win32/GendowsBatch (MICROSOFT)

 PLATFORM:

Windows

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 REPORTED INFECTION:
 SYSTEM IMPACT RATING:
 INFORMATION EXPOSURE:

  • Threat Type: Trojan Spy

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

This Trojan Spy arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

  TECHNICAL DETAILS

Tipo de compactação: 36,437,501 bytes
Tipo de arquivo: EXE
Residente na memória: No
Data de recebimento das amostras iniciais: 05 Oct 2021

Arrival Details

This Trojan Spy arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan Spy adds the following folders:

  • %Program Files%\{BLOCKED}C51
  • %System%\{BLOCKED}JSPCSP
  • %Common Programs%\{BLOCKED}
  • %Common Programs%\{BLOCKED}\51楷翑忒
  • After uninstallation through ControlPanel or uninst.exe:
    • %User Temp%\~nsuA.tmp

It drops the following files:

  • %Program Files%\{BLOCKED}C51\51boxtrace.eti
  • %Program Files%\{BLOCKED}C51\51fapiao.cer
  • %Program Files%\{BLOCKED}C51\51fapiaotest.cer
  • %Program Files%\{BLOCKED}C51\Assist.exe
  • %Program Files%\{BLOCKED}C51\Assist.exe.Config
  • %Program Files%\{BLOCKED}C51\BSWJURL.ini
  • %Program Files%\{BLOCKED}C51\C51CloudInvoiceAdapter.exe
  • %Program Files%\{BLOCKED}C51\C51CloudInvoiceProtect.exe
  • %Program Files%\{BLOCKED}C51\C51InvoiceAssist.exe
  • %Program Files%\{BLOCKED}C51\C51InvoiceGuide.exe
  • %Program Files%\{BLOCKED}C51\CertDecoder.dll
  • %Program Files%\{BLOCKED}C51\CertSecurity.dll
  • %Program Files%\{BLOCKED}C51\CloudInvoiceAdapterService.exe
  • %Program Files%\{BLOCKED}C51\DataTransferToolDownload.exe
  • %Program Files%\{BLOCKED}C51\FQFQFQFQ.cer
  • %Program Files%\{BLOCKED}C51\FWS51PTC.cer
  • %Program Files%\{BLOCKED}C51\JSDiskDLL.dll
  • %Program Files%\{BLOCKED}C51\JsDevInfoDll.dll
  • %Program Files%\{BLOCKED}C51\JspInterface.dll
  • %Program Files%\{BLOCKED}C51\LogCtrl.cfg
  • %Program Files%\{BLOCKED}C51\NISEC_UKEYC.dll
  • %Program Files%\{BLOCKED}C51\Net_Util.dll
  • %Program Files%\{BLOCKED}C51\QWER1234.cer
  • %Program Files%\{BLOCKED}C51\RSADecrypt.dll
  • %Program Files%\{BLOCKED}C51\ReadAreaCode.dll
  • %Program Files%\{BLOCKED}C51\RegAsm.exe
  • %Program Files%\{BLOCKED}C51\SOFC.dll
  • %Program Files%\{BLOCKED}C51\Sm2Clt.dll
  • %Program Files%\{BLOCKED}C51\TaxBox.dll
  • %Program Files%\{BLOCKED}C51\TaxUKeyBase.dll
  • %Program Files%\{BLOCKED}C51\api-ms-win-core-file-l1-2-0.dll
  • %Program Files%\{BLOCKED}C51\api-ms-win-core-file-l2-1-0.dll
  • %Program Files%\{BLOCKED}C51\api-ms-win-core-localization-l1-2-0.dll
  • %Program Files%\{BLOCKED}C51\api-ms-win-core-processthreads-l1-1-1.dll
  • %Program Files%\{BLOCKED}C51\api-ms-win-core-synch-l1-2-0.dll
  • %Program Files%\{BLOCKED}C51\api-ms-win-core-timezone-l1-1-0.dll
  • %Program Files%\{BLOCKED}C51\api-ms-win-crt-convert-l1-1-0.dll
  • %Program Files%\{BLOCKED}C51\api-ms-win-crt-environment-l1-1-0.dll
  • %Program Files%\{BLOCKED}C51\api-ms-win-crt-filesystem-l1-1-0.dll
  • %Program Files%\{BLOCKED}C51\api-ms-win-crt-heap-l1-1-0.dll
  • %Program Files%\{BLOCKED}C51\api-ms-win-crt-locale-l1-1-0.dll
  • %Program Files%\{BLOCKED}C51\api-ms-win-crt-math-l1-1-0.dll
  • %Program Files%\{BLOCKED}C51\api-ms-win-crt-multibyte-l1-1-0.dll
  • %Program Files%\{BLOCKED}C51\api-ms-win-crt-runtime-l1-1-0.dll
  • %Program Files%\{BLOCKED}C51\api-ms-win-crt-stdio-l1-1-0.dll
  • %Program Files%\{BLOCKED}C51\api-ms-win-crt-string-l1-1-0.dll
  • %Program Files%\{BLOCKED}C51\api-ms-win-crt-time-l1-1-0.dll
  • %Program Files%\{BLOCKED}C51\api-ms-win-crt-utility-l1-1-0.dll
  • %Program Files%\{BLOCKED}C51\cryp_api.dll
  • %Program Files%\{BLOCKED}C51\decodecert.dll
  • %Program Files%\{BLOCKED}C51\delUKeyLog.bat
  • %Program Files%\{BLOCKED}C51\download.exe
  • %Program Files%\{BLOCKED}C51\ebasic__{BLOCKED}.dat
  • %Program Files%\{BLOCKED}C51\gbfw.bat
  • %Program Files%\{BLOCKED}C51\imgdecoder-gdip.dll
  • %Program Files%\{BLOCKED}C51\imgdecoder-png.dll
  • %Program Files%\{BLOCKED}C51\interface.ini
  • %Program Files%\{BLOCKED}C51\libcrypto-1_1.dll
  • %Program Files%\{BLOCKED}C51\libcurl.dll
  • %Program Files%\{BLOCKED}C51\libcurl_7.67.0.dll
  • %Program Files%\{BLOCKED}C51\libeay32.dll
  • %Program Files%\{BLOCKED}C51\libssl-1_1.dll
  • %Program Files%\{BLOCKED}C51\log4cxx.dll
  • %Program Files%\{BLOCKED}C51\logo.ico
  • %Program Files%\{BLOCKED}C51\msvcr100.dll
  • %Program Files%\{BLOCKED}C51\msvcr71.dll
  • %Program Files%\{BLOCKED}C51\paho-mqtt3c.dll
  • %Program Files%\{BLOCKED}C51\privcfg.ini
  • %Program Files%\{BLOCKED}C51\pthreadVC2.dll
  • %Program Files%\{BLOCKED}C51\public.pem
  • %Program Files%\{BLOCKED}C51\regasm.exe.config
  • %Program Files%\{BLOCKED}C51\render-gdi.dll
  • %Program Files%\{BLOCKED}C51\resprovider-7zip.dll
  • %Program Files%\{BLOCKED}C51\sangfor.dll
  • %Program Files%\{BLOCKED}C51\softSysVersion
  • %Program Files%\{BLOCKED}C51\soui.dll
  • %Program Files%\{BLOCKED}C51\sqlite3.dll
  • %Program Files%\{BLOCKED}C51\ssleay32.dll
  • %Program Files%\{BLOCKED}C51\swukeyinstaller.exe
  • %Program Files%\{BLOCKED}C51\trust.txt
  • %Program Files%\{BLOCKED}C51\trusttest.txt
  • %Program Files%\{BLOCKED}C51\ucrtbase.dll
  • %Program Files%\{BLOCKED}C51\uires.7z
  • %Program Files%\{BLOCKED}C51\uires_ypy.7z
  • %Program Files%\{BLOCKED}C51\ukeyinfo.ini
  • %Program Files%\{BLOCKED}C51\uniAcceptFramework.dll
  • %Program Files%\{BLOCKED}C51\uninst.ico
  • %Program Files%\{BLOCKED}C51\update.exe
  • %Program Files%\{BLOCKED}C51\utilities.dll
  • %Program Files%\{BLOCKED}C51\vcredist.x86_2015.exe
  • %Program Files%\{BLOCKED}C51\xihaa.dll
  • %Program Files%\{BLOCKED}C51\ykpzs.cait
  • %Program Files%\{BLOCKED}C51\zlib1.dll
  • %Program Files%\{BLOCKED}C51\zlibwapi.dll
  • %System%\ai109b_gm.dll
  • %System%\CTptkcs.dll
  • %System%\{BLOCKED}JSPCSP\{BLOCKED}_service_admin.exe
  • %System%\{BLOCKED}JSPCSP\cspPinDlg.dll
  • %System%\{BLOCKED}JSPCSP\cspsign.dll
  • %System%\{BLOCKED}JSPCSP\LYFCSP.dll
  • %System%\{BLOCKED}JSPCSP\tokenh.dll
  • %Common Programs%\{BLOCKED}\51楷翑忒\51楷翑忒.lnk
  • %Common Programs%\{BLOCKED}\51楷翑忒\迠婥 51楷翑忒.lnk
  • %Program Files%\{BLOCKED}C51\uninst.exe
  • %User Temp%\dd_vcredist_x86_{YYYYMMDD}{Random Digits}.log
  • Temporary files (attempt to delete afterwards):
    • %User Temp%\ns{Random Characters}.tmp\killer.dll
    • %User Temp%\ns{Random Characters}.tmp\System.dll
    • %User Temp%\ns{Random Characters}.tmp\KillProcDLL.dll
    • %User Temp%\ns{Random Characters}.tmp\nsExec.dll
    • %User Temp%\ns{Random Characters}.tmp\ns{Random Characters}.tmp
    • %User Temp%\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\.ba1\wixstdba.dll
    • %User Temp%\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\.ba1\{Random Digits}\license.rtf
    • %User Temp%\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\.ba1\thm.xml
    • %User Temp%\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\.ba1\thm.wxl
    • %User Temp%\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\.ba1\logo.png
    • %User Temp%\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\.ba1\license.rtf
    • %User Temp%\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\.ba1\{Random Digits}\thm.wxl
    • %User Temp%\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\.ba1\BootstrapperApplicationData.xml
  • After uninstallation through ControlPanel or uninst.exe:
    • %User Temp%\~nsuA.tmp\Un_A.exe
    • %User Temp%\~nsuA.tmp\Un_B.exe

It adds the following processes:

  • "%User Temp%p\ns{Random Characters}.tmp\ns{Random Characters}.tmp" "vcredist.x86_2015.exe" /quiet /install /norestart
  • "vcredist.x86_2015.exe" /quiet /install /norestart
  • "%Program Files%\{BLOCKED}C51\vcredist.x86_2015.exe" /quiet /install /norestart -burn.unelevated BurnPipe.{Generated GUID 1} {Generated GUID 2} {Random Value}
  • "%Program Files%\{BLOCKED}C51\C51InvoiceGuide.exe"
  • After uninstallation through ControlPanel or uninst.exe:
    • "%User Temp%p\~nsuA.tmp\Un_B.exe" _?=%Program Files%\{BLOCKED}C51\
    • "%User Temp%p\ns{Random Characters}.tmp\ns{Random Characters}.tmp" "%System%\{BLOCKED}JSPCSP\{BLOCKED}_service_admin.exe" /stop
    • "%System%\{BLOCKED}JSPCSP\{BLOCKED}_service_admin.exe" /stop
    • "%User Temp%p\ns{Random Characters}.tmp\ns{Random Characters}.tmp" "%System%\{BLOCKED}JSPCSP\{BLOCKED}_service_admin.exe" /remove
    • "%System%\{BLOCKED}JSPCSP\{BLOCKED}_service_admin.exe" /remove

Other System Modifications

This Trojan Spy adds the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\gbskf\
Provider\{BLOCKED} JSP SKF V1.0
Image Path = %System%\ai109b_gm.dll

HKEY_LOCAL_MACHINE\SOFTWARE\gbskf\
Provider\{BLOCKED} JSP SKF V1.0
DefaultApplication = SM2

HKEY_LOCAL_MACHINE\SOFTWARE\gbskf\
Provider\{BLOCKED} JSP SKF V1.0
DefaultContainer = SM2CONTAINER

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Cryptography\Defaults\Provider\
{BLOCKED} Cryptographic Service Provider V1.0
Image Path = %System%\{BLOCKED}JSPCSP\cspsign.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Cryptography\Defaults\Provider\
{BLOCKED} Cryptographic Service Provider V1.0
Signature = {Hex Values}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Cryptography\Defaults\Provider\
{BLOCKED} Cryptographic Service Provider V1.0
Type = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Cryptography\Calais\SmartCards\
{BLOCKED}Soft JSP UsbKey
ATR = {Hex Values}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Cryptography\Calais\SmartCards\
{BLOCKED}Soft JSP UsbKey
ATRMask = {Hex Values}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Cryptography\Calais\SmartCards\
{BLOCKED}Soft JSP UsbKey
Crypto Provider = {BLOCKED} Cryptographic Service Provider V1.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
51楷翑忒
DisplayName = 51楷翑忒 1.3.8

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
51楷翑忒
DisplayIcon = %Program Files%\{BLOCKED}C51\logo.ico

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
51楷翑忒
UninstallString = %Program Files%\{BLOCKED}C51\uninst.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
51楷翑忒
DisplayVersion = 1.3.8

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
51楷翑忒
URLInfoAbout = http://www.{BLOCKED}.com

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
51楷翑忒
Publisher = {BLOCKED}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
51楷翑忒
GroupFlag = 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
51楷翑忒
LocalFlag = 0

Other Details

This Trojan Spy adds the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\gbskf

HKEY_LOCAL_MACHINE\SOFTWARE\gbskf\
Provider

HKEY_LOCAL_MACHINE\SOFTWARE\gbskf\
Provider\{BLOCKED} JSP SKF V1.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Cryptography\Defaults\Provider\
{BLOCKED} Cryptographic Service Provider V1.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Cryptography\Calais\SmartCards\
{BLOCKED}Soft JSP UsbKey

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
51楷翑忒

  SOLUTION

Mecanismo de varredura mínima: 9.800
Primeiro arquivo padrão VSAPI: 17.116.05
Data do lançamento do primeiro padrão VSAPI: 07 Oct 2021
VSAPI OPR Pattern Version: 17.117.00
VSAPI OPR Pattern veröffentlicht am: 08 Oct 2021

Step 1

Before doing any scans, Windows 7, Windows 8, Windows 8.1, and Windows 10 users must disable System Restore to allow full scanning of their computers.

Step 2

Note that not all files, folders, and registry keys and entries are installed on your computer during this malware's/spyware's/grayware's execution. This may be due to incomplete installation or other operating system conditions. If you do not find the same files/folders/registry information, please proceed to the next step.

Step 3

Remove TrojanSpy.Win32.PSKEYLOGGER.A by using its own Uninstall option

[ Learn More ]
To uninstall the grayware process

Step 4

Delete this registry value

[ Learn More ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

  • In HKEY_LOCAL_MACHINE\SOFTWARE\gbskf\Provider\{BLOCKED} JSP SKF V1.0
    • Image Path = %System%\ai109b_gm.dll
  • In HKEY_LOCAL_MACHINE\SOFTWARE\gbskf\Provider\{BLOCKED} JSP SKF V1.0
    • DefaultApplication = SM2
  • In HKEY_LOCAL_MACHINE\SOFTWARE\gbskf\Provider\{BLOCKED} JSP SKF V1.0
    • DefaultContainer = SM2CONTAINER
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\{BLOCKED}Soft JSP UsbKey
    • ATR = {Hex Values}
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\{BLOCKED}Soft JSP UsbKey
    • ATRMask = {Hex Values}
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\{BLOCKED}Soft JSP UsbKey
    • Crypto Provider = {BLOCKED} Cryptographic Service Provider V1.0
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\{BLOCKED} Cryptographic Service Provider V1.0
    • Image Path = %System%\{BLOCKED}JSPCSP\cspsign.dll
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\{BLOCKED} Cryptographic Service Provider V1.0
    • Signature = {Hex Values}
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\{BLOCKED} Cryptographic Service Provider V1.0
    • Type = 1

Step 5

Delete this registry key

[ Learn More ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

  • HKEY_LOCAL_MACHINE\SOFTWARE\gbskf
  • HKEY_LOCAL_MACHINE\SOFTWARE\gbskf\Provider
  • HKEY_LOCAL_MACHINE\SOFTWARE\gbskf\Provider\{BLOCKED} JSP SKF V1.0
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\{BLOCKED} Cryptographic Service Provider V1.0
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\{BLOCKED}Soft JSP UsbKey

Step 6

Search and delete this file

[ Learn More ]
There may be some files that are hidden. Please make sure you check the Search Hidden Files and Folders checkbox in the "More advanced options" option to include all hidden files and folders in the search result.
  • %User Temp%\ns{Random Characters}.tmp\killer.dll
  • %User Temp%\ns{Random Characters}.tmp\System.dll
  • %User Temp%\ns{Random Characters}.tmp\KillProcDLL.dll
  • %User Temp%\ns{Random Characters}.tmp\nsExec.dll
  • %User Temp%\ns{Random Characters}.tmp\ns{Random Characters}.tmp
  • %System%\ai109b_gm.dll
  • %System%\CTptkcs.dll

Step 7

Search and delete this folder

[ Learn More ]
Please make sure you check the Search Hidden Files and Folders checkbox in the More advanced options option to include all hidden folders in the search result.
  • %User Temp%\ns{Random Characters}.tmp

Step 8

Scan your computer with your Trend Micro product to delete files detected as TrojanSpy.Win32.PSKEYLOGGER.A. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check the following Trend Micro Support pages for more information:


Did this description help? Tell us how we did.