Trojan.Win32.SHELMA.ANM

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It requires being executed with a specific argument/parameter, an additional component, or in a specific environment in order to proceed with its intended routine.

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan adds the following folders:

• %User Temp%\_MEI2242
• %User Temp%\_MEI2242\Include
• %User Temp%\_MEI2242\certifi
• %User Temp%\_MEI2242\cryptography-2.4.2-py2.7.egg-info

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It drops the following files:

• %User Temp%\_MEI2242\Crypto.Cipher._AES.pyd
• %User Temp%\_MEI2242\Crypto.Cipher._ARC4.pyd
• %User Temp%\_MEI2242\Crypto.Cipher._DES.pyd
• %User Temp%\_MEI2242\Crypto.Cipher._DES3.pyd
• %User Temp%\_MEI2242\Crypto.Hash._MD4.pyd
• %User Temp%\_MEI2242\Crypto.Hash._SHA256.pyd
• %User Temp%\_MEI2242\Crypto.Random.OSRNG.winrandom.pyd
• %User Temp%\_MEI2242\Crypto.Util._counter.pyd
• %User Temp%\_MEI2242\Crypto.Util.strxor.pyd
• %User Temp%\_MEI2242\Microsoft.VC90.CRT.manifest
• %User Temp%\_MEI2242\MyExploiter.exe.manifest
• %User Temp%\_MEI2242\_cffi_backend.pyd
• %User Temp%\_MEI2242\_ctypes.pyd
• %User Temp%\_MEI2242\_hashlib.pyd
• %User Temp%\_MEI2242\_socket.pyd
• %User Temp%\_MEI2242\_ssl.pyd
• %User Temp%\_MEI2242\bz2.pyd
• %User Temp%\_MEI2242\cryptography.hazmat.bindings._constant_time.pyd
• %User Temp%\_MEI2242\cryptography.hazmat.bindings._openssl.pyd
• %User Temp%\_MEI2242\msvcm90.dll
• %User Temp%\_MEI2242\msvcp90.dll
• %User Temp%\_MEI2242\msvcr90.dll
• %User Temp%\_MEI2242\pyexpat.pyd
• %User Temp%\_MEI2242\python27.dll
• %User Temp%\_MEI2242\select.pyd
• %User Temp%\_MEI2242\unicodedata.pyd
• %User Temp%\_MEI2242\Include\pyconfig.h
• %User Temp%\_MEI2242\certifi\cacert.pem
• %User Temp%\_MEI2242\cryptography-2.4.2-py2.7.egg-info\AUTHORS.rst
• %User Temp%\_MEI2242\cryptography-2.4.2-py2.7.egg-info\INSTALLER
• %User Temp%\_MEI2242\cryptography-2.4.2-py2.7.egg-info\LICENSE
• %User Temp%\_MEI2242\cryptography-2.4.2-py2.7.egg-info\LICENSE.APACHE
• %User Temp%\_MEI2242\cryptography-2.4.2-py2.7.egg-info\LICENSE.BSD
• %User Temp%\_MEI2242\cryptography-2.4.2-py2.7.egg-info\METADATA
• %User Temp%\_MEI2242\cryptography-2.4.2-py2.7.egg-info\RECORD
• %User Temp%\_MEI2242\cryptography-2.4.2-py2.7.egg-info\WHEEL
• %User Temp%\_MEI2242\cryptography-2.4.2-py2.7.egg-info\top_level.txt

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

Other System Modifications

This Trojan deletes the following files:

• %User Temp%\_MEI2242\Crypto.Cipher._AES.pyd
• %User Temp%\_MEI2242\Crypto.Cipher._ARC4.pyd
• %User Temp%\_MEI2242\Crypto.Cipher._DES.pyd
• %User Temp%\_MEI2242\Crypto.Cipher._DES3.pyd
• %User Temp%\_MEI2242\Crypto.Hash._MD4.pyd
• %User Temp%\_MEI2242\Crypto.Hash._SHA256.pyd
• %User Temp%\_MEI2242\Crypto.Random.OSRNG.winrandom.pyd
• %User Temp%\_MEI2242\Crypto.Util._counter.pyd
• %User Temp%\_MEI2242\Crypto.Util.strxor.pyd
• %User Temp%\_MEI2242\Microsoft.VC90.CRT.manifest
• %User Temp%\_MEI2242\MyExploiter.exe.manifest
• %User Temp%\_MEI2242\_cffi_backend.pyd
• %User Temp%\_MEI2242\_ctypes.pyd
• %User Temp%\_MEI2242\_hashlib.pyd
• %User Temp%\_MEI2242\_socket.pyd
• %User Temp%\_MEI2242\_ssl.pyd
• %User Temp%\_MEI2242\bz2.pyd
• %User Temp%\_MEI2242\cryptography.hazmat.bindings._constant_time.pyd
• %User Temp%\_MEI2242\cryptography.hazmat.bindings._openssl.pyd
• %User Temp%\_MEI2242\msvcm90.dll
• %User Temp%\_MEI2242\msvcp90.dll
• %User Temp%\_MEI2242\msvcr90.dll
• %User Temp%\_MEI2242\pyexpat.pyd
• %User Temp%\_MEI2242\python27.dll
• %User Temp%\_MEI2242\select.pyd
• %User Temp%\_MEI2242\unicodedata.pyd
• %User Temp%\_MEI2242\Include\pyconfig.h
• %User Temp%\_MEI2242\certifi\cacert.pem
• %User Temp%\_MEI2242\cryptography-2.4.2-py2.7.egg-info\AUTHORS.rst
• %User Temp%\_MEI2242\cryptography-2.4.2-py2.7.egg-info\INSTALLER
• %User Temp%\_MEI2242\cryptography-2.4.2-py2.7.egg-info\LICENSE
• %User Temp%\_MEI2242\cryptography-2.4.2-py2.7.egg-info\LICENSE.APACHE
• %User Temp%\_MEI2242\cryptography-2.4.2-py2.7.egg-info\LICENSE.BSD
• %User Temp%\_MEI2242\cryptography-2.4.2-py2.7.egg-info\METADATA
• %User Temp%\_MEI2242\cryptography-2.4.2-py2.7.egg-info\RECORD
• %User Temp%\_MEI2242\cryptography-2.4.2-py2.7.egg-info\WHEEL
• %User Temp%\_MEI2242\cryptography-2.4.2-py2.7.egg-info\top_level.txt

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It deletes the following folders:

• %User Temp%\_MEI2242
• %User Temp%\_MEI2242\Include
• %User Temp%\_MEI2242\certifi
• %User Temp%\_MEI2242\cryptography-2.4.2-py2.7.egg-info

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

Other Details

This Trojan requires being executed with a specific argument/parameter, an additional component, or in a specific environment in order to proceed with its intended routine.