PUA_DEXON
Win32/Dexon.A potentially unsafe (ESET)
Windows

Threat Type: Potentially Unwanted Application
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This potentially unwanted application arrives as a component bundled with malware/grayware packages.
TECHNICAL DETAILS
File Size: 7,168 bytes
Initial Samples Received Date: 19 Aug 2015
Arrival Details
This potentially unwanted application arrives as a component bundled with malware/grayware packages.
Installation
This potentially unwanted application drops the following files:
- %System%\dat\Dexon\Agent\Agent.exe
- %System%\dat\Dexon\Agent\Agent_Distrib.exe
- %System%\dat\Dexon\Agent\dexon_browser.exe
- %System%\dat\Dexon\Agent\Dial_w.exe
- %System%\dat\Dexon\Agent\DynamicService.exe
- %System%\dat\Dexon\Agent\HD_Agent.exe
- %System%\dat\Dexon\Agent\logmessages.dll
- %System%\dat\Dexon\Agent\module01.dll
- %System%\dat\Dexon\Agent\module02.dll
- %System%\dat\Dexon\Agent\module04.dll
- %System%\dat\Dexon\Agent\module05.dll
- %System%\dat\Dexon\Agent\module09.dll
- %System%\dat\dxn\{random letters}.dat
- %User Profile%\Public\Documents\dat\dxn\{random letters}.dat
- %AppDataLocal%\VirtualStore\Windows\System32\dat\dxn\{random letters}.dat
(Note: %System% is the Windows system folder, which is usually C:\Windows\System32 on all Windows operating system versions. %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7. %AppDataLocal% is the Application Data folder found in Local Settings, which is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)
It drops the following copies of itself into the affected system:
- %System%\dat\Dexon\Agent\dummy.exe
(Note: %System% is the Windows system folder, which is usually C:\Windows\System32 on all Windows operating system versions.)
It creates the following folders:
- %AppDataLocal%\VirtualStore\Windows\System32\dat\Dexon
- %AppDataLocal%\VirtualStore\Windows\System32\dat\Dexon\Agent
- %AppDataLocal%\VirtualStore\Windows\System32\dat\dxn
- %User Profile%\Public\Documents\dat\dxn
- %System%\dat\Dexon
- %System%\dat\Dexon\Agent
- %System%\dat\dxn
(Note: %AppDataLocal% is the Application Data folder found in Local Settings, which is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012. %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7. %System% is the Windows system folder, which is usually C:\Windows\System32 on all Windows operating system versions.)
Autostart Technique
This potentially unwanted application registers itself as a system service to ensure its automatic execution at every system startup by adding the following registry entries:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\DexonAgent
  Type = "110"
  Start = "2"
  ErrorControl = "1"
  ImagePath = "%System%\dat\Dexon\Agent\dummy.exe"
  DisplayName = "DexonAgent"
  ObjectName = "LocalSystem"
  DelayedAutostart = "1"
  FailureActions = "{hex values}"
It adds the following registry entries to enable its automatic execution at every system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  Dexon = "%System%\dat\Dexon\Agent\dummy.exe"
It registers as a system service to ensure its automatic execution at every system startup by adding the following registry keys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\DexonAgent
Other System Modifications
This potentially unwanted application adds the following registry keys:
HKEY_CURRENT_USER\Software\Classes\VirtualStore\MACHINE\SOFTWARE\Dexon
HKEY_CURRENT_USER\Software\Classes\VirtualStore\MACHINE\SOFTWARE\Dexon\DAT
It adds the following registry entries:
HKEY_CURRENT_USER\Software\Classes\VirtualStore\MACHINE\SOFTWARE\Dexon\DAT
  {random letters} = {random characters}