BKDR_BIFROSE.WINP
Windows
Threat Type: Backdoor
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It deletes the initially executed copy of itself.
TECHNICAL DETAILS
30,208 bytes
EXE
05 Aug 2016
Arrival Details
This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This backdoor drops a copy of itself in the following folders using different file names:
- %System%\wminanp.exe
(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.)
Other System Modifications
This backdoor adds the following registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Active Setup\Installed Components\{UID}
HKEY_CURRENT_USER\Identities
It adds the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Active Setup\Installed Components\{UID}
StubPath = "%System%\wminanp.exe -a"
HKEY_CURRENT_USER\Identities
Last Name = "{hex values}"
Other Details
This backdoor connects to the following possibly malicious URL:
- a3release070108.{BLOCKED}ix.com
- wqertbbs.{BLOCKED}n.com
It deletes the initially executed copy of itself