TROJ_MSIL.FE

 Analysis by: Anthony Joe Melgarejo

 PLATFORM:

Windows

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW


This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

  TECHNICAL DETAILS

File Size:

505,344 bytes

File Type:

EXE

Initial Samples Received Date:

14 Sep 2015

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan drops the following files:

  • %Application Data%\{GUID}\run.dat

(Note: %Application Data% is the Application Data folder, where it usually is C:\Documents and Settings\{user name}\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Roaming on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

It drops the following copies of itself into the affected system:

  • %Program Files%\{file name 1}{file name 2}.exe

(Note: %Program Files% is the Program Files folder, where it usually is C:\Program Files on all Windows operating system versions; C:\Program Files (x86) for 32-bit applications running on Windows 64-bit operating systems.)

Autostart Technique

This Trojan adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
{registry name 1} {registry name 2} = "%Program Files%\{file name 1}{file name 2}.exe"

Other Details

This Trojan connects to the following possibly malicious URL:

  • marcrapport.{BLOCKED}s.net
  • amaralcarlo.{BLOCKED}s.net

NOTES:

The variable {file name 1} may be any of the following:

  • agp
  • arp
  • ddp
  • dhcp
  • dns
  • dos
  • dpi
  • dsl
  • imap
  • iss
  • lan
  • nas
  • nat
  • ntfs
  • pci
  • saas
  • scsi
  • smtp
  • tcp
  • udp
  • upnp
  • wan
  • wpa

The variable {file name 2} may be any of the following:

  • host
  • mgr
  • mon
  • ss
  • sv
  • svc

The variable {registry value name 1} may be any of the following:

  • AGP
  • ARP
  • DDP
  • DHCP
  • DNS
  • DOS
  • DPI
  • DSL
  • IMAP
  • ISS
  • LAN
  • NAS
  • NAT
  • NTFS
  • PCI
  • SAAS
  • SCSI
  • SMTP
  • TCP
  • UDP
  • UPNP
  • WAN
  • WPA

The variable {registry value name 2} may be any of the following:

  • Host
  • Manager
  • Monitor
  • Service
  • Subsystem

Note that the registry value name should match the file name of the dropped copy, for example:

SAAS Manager = "%Program Files%\saasmgr.exe"