Trojan.Python.KILLAV.YPCBO

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan drops the following files:

• {Malware Path}\example.log → Used for logging

Information Theft

This Trojan accepts the following parameters:

• 1 {path of file containing list of hosts}
  • It stores a list of available machines via SMB in the following file:
  • {Malware Path}\result_with_working_files.txt
• 2 {path of file containing list of hosts} {path of file containing list of AV name}
  • It logs the running AV processes found from the AV listed in the config file.
• 3 {path of file containing list of hosts} {path of AV killer file} {Additional arguments used as commandline arguments for the AV Killer process}
  • It sends and executes the killer AV file via SMB
• 4 {path of file containing list of hosts} {path of file containing list of AV name}
  • It sends and executes the following bat file to disable the cloud capabilities of the AV.
  • specific_cloud_switch_off.bat
  • It sends and execute the following bat files to uninstall AV products listed in the config file:
  • get_uninstall_key_{String1}_{String2}.bat → Used to Query the specified AV name saves as {String1}.txt
  • uninstall_by_key_{String 2}.bat → used to uninstall AV products via msiexec
  • where String 1 can be : AV name
  • where String 2 can be : Machine name
  • Downloads {String1}.txt for the gathered key

Other Details

This Trojan does the following:

• It tries to connect to obtained IP addresses via SMB port 445.