HackTool.Win32.Radmin.GD

This Hacking Tool arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. It may be dropped by other malware.

Arrival Details

This Hacking Tool arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It may be dropped by the following malware:

• TrojanSpy.Win32.BANRAP.AS

Installation

This Hacking Tool drops the following files:

• %Program Files%\RDP Wrapper\rdpwrap.ini
• %Program Files%\RDP Wrapper\rdpwrap.dll

(Note: %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000(32-bit), Server 2003(32-bit), XP, Vista(64-bit), 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit) , or C:\Program Files (x86) in Windows XP(64-bit), Vista(64-bit), 7(64-bit), 8(64-bit), 8.1(64-bit), 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It creates the following folders:

• %Program Files%\RDP Wrapper

(Note: %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000(32-bit), Server 2003(32-bit), XP, Vista(64-bit), 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit) , or C:\Program Files (x86) in Windows XP(64-bit), Vista(64-bit), 7(64-bit), 8(64-bit), 8.1(64-bit), 2008(64-bit), 2012(64-bit) and 10(64-bit).)

Other System Modifications

This Hacking Tool modifies the following registry entries:

HKLM\SYSTEM\ControlSet001\
services\TermService\Parameters
ServiceDll = %ProgramFiles%\RDP Wrapper\rdpwrap.dll

HKLM\SYSTEM\ControlSet001\
Control\Terminal Server
fDenyTSConnections = 0

HKLM\SYSTEM\ControlSet001\
Control\Terminal Server\Licensing Core
EnableConcurrentSessions = 1

HKLM\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon
AllowMultipleTSSessions = 1

Download Routine

This Hacking Tool connects to the following URL(s) to download its configuration file:

• https://{BLOCKED}.{BLOCKED}usercontent.com/stascorp/rdpwrap/master/res/rdpwrap.ini

Other Details

This Hacking Tool sets the attributes of the following file(s) to Hidden and System:

• %AppDataLocal%\Microsoft\Windows\Temporary Internet Files\Content.IE5
• %Application Data%\Microsoft\Windows\Cookies
• %AppDataLocal%\Microsoft\Windows\History\History.IE5

(Note: %AppDataLocal% is the Local Application Data folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It does the following:

• Executes the following command to add itself to firewall allowed profiles:
  • netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
• It has capabilities of the following depending on its configuration:
  • General Settings:
    • Single user per session
    • Hide users on logon screen
    • Allow to start custom programs
  • Authentication Mode:
    • GUI Authentication Only
    • Default RDP Authentication
    • Network Level Authentication
  • Session Shadowing Mode:
    • Disable Shadowing
    • Full access with user's permission
    • Full access without permission
    • View only with user's permission
    • View only without permission