TrojanSpy.Win32.PYXIE.A
HEUR:Trojan-PSW.Win32.Mimikatz.gen (KASPERSKY); a variant of Win32/PyXie.B trojan (NOD32)
Windows
Threat Type:
Trojan Spy
Destructiveness:
No
Encrypted:
Yes
In the wild::
Yes
OVERVIEW
It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
TECHNICAL DETAILS
Detalles de entrada
It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Instalación
Infiltra los archivos siguientes:
- %User Temp% or %Temp%\{random characters} → HKLM\SECURITY registry dump
- %User Temp% or %Temp%\{random characters} → HKLM\SYSTEM registry dump
- %User Temp% or %Temp%\{random characters} → HKLM\SAM registry dump
- %User Temp% or %Temp%\tmp{6 random characters}.zip → Zip file containing all Stolen Information and Files.
- %User Temp% or %Temp%\tmp{6 random characters}.bin → Encrypted Zip file.
(Nota: %Temp% es la carpeta de archivos temporales de Windows, que suele estar en C:\Windows\Temp o C:\WINNT\Temp).
)Agrega los procesos siguientes:
- When ran with a User account:
- %Windows%\write.exe (or %Windows%\notepad.exe or %Windows%\explorer.exe)
- %System%\cmd.exe /c "reg.exe save hklm\security %User Temp%\{random characters}"
- %System%\cmd.exe /c "reg.exe save hklm\system %User Temp%\{random characters}"
- %System%\cmd.exe /c "reg.exe save hklm\sam %User Temp%\{random characters}"
- wmic path win32_VideoController get name
- wmic cpu get name
- When ran with a SYSTEM account:
- {Processes ran with a User account}
- arp -a
- cmdkey /list
- dclist
- gpresult /z
- ipconfig /all
- ipconfig /displaydns
- klist
- manage-bde -status
- net config workstation
- net group "domain admins" /domain
- net group "Domain Admins"
- net group "Enterprise Admins"
- net localgroup administrators
- net localgroup
- net share
- net use
- net user
- net view /all /domain
- net view /all
- netstat -an
- nltest /domain_trusts /all_trusts
- nltest /domain_trusts
- nslookup -type=any %userdnsdomain%
- qwinsta
- route print
- systeminfo
- tasklist /V
- vssadmin List Shadows
- wmic process
- wmic qfe list
(Nota: %User Temp% es la carpeta Temp del usuario activo, que en el caso de Windows 2000(32-bit), XP y Server 2003(32-bit) suele estar en C:\Documents and Settings\{nombre de usuario}\Local Settings\Temp y en el case de Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) y 10(64-bit) en C:\Users\{nombre de usuario}\AppData\Local\Temp).
)Crea las carpetas siguientes:
- When ran with a User account:
- %User Temp%\tmp{6 random characters}
- %User Temp%\tmp{6 random characters}\cookies
- %User Temp%\tmp{6 random characters}\desk_files
- When ran with a SYSTEM account:
- %Temp%\tmp{6 random characters}
- %Temp%\tmp{6 random characters}\files
(Nota: %User Temp% es la carpeta Temp del usuario activo, que en el caso de Windows 2000(32-bit), XP y Server 2003(32-bit) suele estar en C:\Documents and Settings\{nombre de usuario}\Local Settings\Temp y en el case de Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) y 10(64-bit) en C:\Users\{nombre de usuario}\AppData\Local\Temp).
. %Temp% es la carpeta de archivos temporales de Windows, que suele estar en C:\Windows\Temp o C:\WINNT\Temp).)Este malware inyecta códigos en el/los siguiente(s) proceso(s):
- Spawned %Windows%\write.exe (or %Windows%\notepad.exe or %Windows%\explorer.exe)
(Nota: %Windows% es la carpeta de Windows, que suele estar en C:\Windows o C:\WINNT).
)Robo de información
Recopila los siguientes datos:
- When ran with either SYSTEM or User Account:
- General System Info:
- CPU, RAM, GPU Information
- Drives Information (Name, Size, Available Space)
- Machine Uptime
- User Accounts
- Local IP Address
- Timezone
- OS Version
- Installed Anti-Virus
- If Installed:
- LogMeIn Data
- Citrix Data
- KeePass Safes
- Stored Credentials (via Mimikatz and Lazagne)
- Uninstall Registry List
- Software List
- Desktop Files List
- SMB Info
- Wifi Info
- General System Info:
- When ran with a User Account:
- Desktop Screenshot
- Recent Files List
- Copies of Desktop Files
- Cookies
- When ran with a SYSTEM Account:
- Detailed System Info
- Network Information (IP Configurations, ARP Information etc.)
- Network Shares List
- Network Users List
- Running Process List
- Volume Shadow Copies List
- Group Policies
- Installed Updates
- Copies of Files (based on certain criteria from its configuration)
Información sustraída
Este malware envía la información recopilada a la siguiente URL a través de HTTP POST:
- {BLOCKED}.{BLOCKED}.2.59:8443/data
Otros detalles
Hace lo siguiente:
- It archives the stolen information in a zip file and encrypts the zip file before exfiltrating.
- It makes use of the following criteria when searching for files to copy:
- Filesize must not exceed 5MB
- Inside directories whose names that contain the strings:
- actifio
- aldelo
- altaro
- avamar
- avs
- back-up
- backup
- bank
- bitmessage
- client
- cobaltstrike
- coin
- diebold
- filemaker
- htape
- magtek
- ncr
- passw
- payment
- rapid7
- replication
- screenconnect
- swift
- tivoli
- unitrends
- vault
- veeam
- vranger
- wallet
- wincor
- Inside the following directories:
- %ALLDRIVESROOTS%\Alliance
- %Application Data%\Agama
- %Application Data%\Armory
- %Application Data%\B3-CoinV2
- %Application Data%\BeerMoney
- %Application Data%\Bitcloud
- %Application Data%\Bitcoin
- %Application Data%\BitcoinZ
- %Application Data%\bitconnect
- %Application Data%\Bither
- %Application Data%\bitmonero
- %Application Data%\BlocknetDX
- %Application Data%\Cybroscoin
- %Application Data%\Daedalus
- %Application Data%\DashCore
- %Application Data%\DeepOnion
- %Application Data%\DigiByte
- %Application Data%\Dogecoin
- %Application Data%\ElectronCash
- %Application Data%\Electrum
- %Application Data%\Electrum-LTC
- %Application Data%\Ember
- %Application Data%\EmeraldWallet
- %Application Data%\Ethereum Wallet
- %Application Data%\Exodus
- %Application Data%\FairCoin
- %Application Data%\faircoin2
- %Application Data%\Florincoin
- %Application Data%\FORT
- %Application Data%\GambitCoin
- %Application Data%\GeyserCoin
- %Application Data%\GreenCoinV2
- %Application Data%\GridcoinResearch
- %Application Data%\Gulden
- %Application Data%\Hush
- %Application Data%\IOTA Wallet
- %Application Data%\Komodo
- %Application Data%\Learncoin
- %Application Data%\lisk-nano
- %Application Data%\Litecoin
- %Application Data%\Minexcoin
- %Application Data%\mSIGNA_Bitcoin
- %Application Data%\MultiBitHD
- %Application Data%\MultiDoge
- %Application Data%\Neon
- %Application Data%\NXT
- %Application Data%\Parity
- %Application Data%\Particl
- %Application Data%\Peercoin
- %Application Data%\pink2
- %Application Data%\PPCoin
- %Application Data%\Qtum
- %Application Data%\RainbowGoldCoin
- %Application Data%\RoboForm
- %Application Data%\StartCOIN-v2
- %Application Data%\straks
- %Application Data%\Stratis
- %Application Data%\StratisNode
- %Application Data%\TREZOR Bridge
- %Application Data%\TrumpCoinV2
- %Application Data%\VeriCoin
- %Application Data%\Verium
- %Application Data%\Viacoin
- %Application Data%\VivoCore
- %Application Data%\Xeth
- %Application Data%\Zcash
- %Application Data%\ZcashParams
- %Application Data%\Zetacoin
- %AppDataLocal%\bisq
- %AppDataLocal%\copay
- %AppDataLocal%\programs\zap-desktop
- %AppDataLocal%\RippleAdminConsole
- %AppDataLocal%\StellarWallet
- %Program Data%\bitmonero
- %Program Data%\electroneum
- %Program Data%\Tiger Technology
- %Program Data%\tivoli
- Contains the following strings in its filename:
- 10-q
- 10-sb
- access
- avamar
- admin
- attack
- aws
- amazon
- backup
- balance
- bitcoin
- bitlocker
- bribery
- cardholder
- censored
- checking
- clandestine
- cobaltstrike
- compromate
- concealed
- confidential
- contraband
- convict
- credent
- cyber
- disclosure
- engineering
- esxi
- ethereum
- explosive
- finance
- fraud
- hidden
- illegal
- infrastruct
- instruction
- investigation
- logins
- marketwired
- military
- n-csr
- nasdaq
- nda
- newswire
- operation
- passport
- passw
- personal
- privacy
- private
- restricted
- routing
- saving
- secret
- security
- spy
- statement
- storage
- submarine
- suspect
- tactical
- treason
- username
- vault
- victim
- vsphere
- wallet
- wasabi
- wire
- Has the following file extensions:
- .doc
- .docx
- .xls
- .xlsx
- .txt
- .rtf
- .rdp
- .kdbx
- .vnc
- .cpp
- .c
- .ica
- .sln
- .vcproj
- .h
- .asm
- .ovpn
- .pcf
- .conf
- Does not following strings in its filename:
- Default.rdp
- Microsoft June
- Release_Note
- Release Note
- desktop.ini
- Microsoft Silverlight
- localhost_access_log
- dd_clwireg.txt
- Does not contain the following strings in its filepath:
- \microsoft\windows
- \gfi\languard
- \microsoft\windows\cookies
- \vmware\vcenterserver
- \autoupdate\cache
- \microsoft office\root
- It checks if the following software are installed:
- OPOS
- Aldelo
- Actifio
- Alliance WebStation
- Alliance Workstation
- Altaro
- Back-up
- Rapid7
- Backup
- Bank
- Blockchain
- Boot Camp
- Box Sync
- BridgeHead
- CAM Commerce Solutions
- Card Processing
- Cash
- Cisco
- Citrix
- Cloud
- Coin
- Dashlane
- Diskeeper
- Double-Take
- Dropbox
- Elcomsoft
- FileZilla Server
- FortiClient
- Fund
- iDrive
- Ledger
- LexisNexis
- LogMeIn
- M262x
- Microsoft Dynamics RMS Store Operations
- Microsoft POS
- vRanger
- Money
- mRemoteNG
- MSR
- Password
- Payment
- Private
- Protect
- PuTTY
- QuickBooks
- Replication
- ScreenConnect
- Shadow
- SII RP-D10
- Storage
- SWIFT
- TeamViewer
- Token
- Trade
- Treasury
- Trezor
- Vault
- Unitrends
- VIP Access
- VMware
- Vnc
- VPN
- Wallet
- Withdraw
- It checks if the following registry keys exist:
- SOFTWARE\Ammyy
- SOFTWARE\Cppcheck
- SOFTWARE\DASH
- SOFTWARE\Dash
- SOFTWARE\DeterministicNetworks
- SOFTWARE\GitForWindows
- SOFTWARE\GlavSoft LLC.
- SOFTWARE\GnuPG
- SOFTWARE\Hex-Rays
- SOFTWARE\Hex-Rays SA
- SOFTWARE\HexaD
- SOFTWARE\ITarian
- SOFTWARE\LogMeIn Ignition
- SOFTWARE\LogMeIn
- SOFTWARE\MetaQuotes Software
- SOFTWARE\Microsoft\ResKit\Robocopy
- SOFTWARE\Nmap
- SOFTWARE\Pulse Secure
- SOFTWARE\PyBitmessage
- SOFTWARE\PyBitmessage
- SOFTWARE\S.W.I.F.T.
- SOFTWARE\ShrewSoft
- SOFTWARE\SimonTatham
- SOFTWARE\SonicWall
- SOFTWARE\TortoiseSVN
- SOFTWARE\Veeam
- SOFTWARE\VisualSVN
- SOFTWARE\Whole Tomato
- SOFTWARE\WinLicense
- It scans the following ports and logs the Status, IP Addresses and Programs/Protocols using it:
- [8332,8333] : Bitcoin
- [53] : DNS
- [9200,9300] : Elasticsearch
- [21] : FTP
- [22443,4172,9427,32111] : Horizon Agent
- [80,5000,9043] : HTTP
- [443,8443,1311,5001,8200],1150018200] : HTTPS
- [34571,1099,1090,1098,1099,4444,11099,47001,47002,10999] : JAVA-RMI
- [27017] : MongoDB
- [1433] : MSSQL
- [3306] : MySQL
- [7687] : neo4j
- [5637] : NetBackup
- [139] : NETBIOS
- [1521] : Oracle
- [110] : POP3
- [995] : POP3s
- [5432] : PostgreSQL
- [1723] : PPTP
- [4899] : RADMIN
- [3389] : RDP
- [25] : SMTP
- [4433],433] : SonicWall-VPN
- [22] : SSH
- [23] : Telnet
- [1500,1581] : Tivoli
- [9050] : TOR
- [9877],877] : AcronixBackup
- [22024,902,903,10080,10443] : vCenter
- [9392,9393,9394,9397,9398,9399] : Veeam
- [5900, 5800] : VNC
- [5985,5986] : WinRM
- [10050,10051],51] : Zabbix
- [45000,45001] : JDWP
- [8686,9012,50500] : JMX
- [11111,4444,4445] : jBoss
- [4786] : Cisco Smart Install
- [5555,5556] : HP Data Protector
- [4848] : GlassFish
SOLUTION
Step 2
Los usuarios de Windows ME y XP, antes de llevar a cabo cualquier exploración, deben comprobar que tienen desactivada la opción Restaurar sistema para permitir la exploración completa del equipo.
Step 3
Note that not all files, folders, and registry keys and entries are installed on your computer during this malware's/spyware's/grayware's execution. This may be due to incomplete installation or other operating system conditions. If you do not find the same files/folders/registry information, please proceed to the next step.
Step 4
Explorar el equipo con su producto de Trend Micro para eliminar los archivos detectados como TrojanSpy.Win32.PYXIE.A En caso de que el producto de Trend Micro ya haya limpiado, eliminado o puesto en cuarentena los archivos detectados, no serán necesarios más pasos. Puede optar simplemente por eliminar los archivos en cuarentena. Consulte esta página de Base de conocimientos para obtener más información.
Did this description help? Tell us how we did.