Backdoor.Win64.OYSTER.B

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. It may be downloaded from remote sites by other malware.

It does not have any propagation routine.

It connects to a website to send and receive information.

Arrival Details

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It may be downloaded from remote site(s) by the following malware:

• Backdoor.Win64.OYSTER.A

Propagation

This Backdoor does not have any propagation routine.

Backdoor Routine

This Backdoor connects to the following websites to send and receive information:

• https://{BLOCKED}.{BLOCKED}.166.27

It posts the following information to its command and control (C&C) server:

• Computer Name

Rootkit Capabilities

This Backdoor does not have rootkit capabilities.

Other Details

This Backdoor does the following:

• It checks whether the system is joined to a domain or in a workgroup.
• It checks for the existence of the following file:
  • %User Temp%\s01bafg
    • Contains an encrypted data used for decrypting fallback C&C servers if the malware fails to receive data from main C&C server.
• It reconnects to C&C server every 300 seconds.
• It deletes itself by executing the following processes:
  • cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "{Malware Path}\{Malware Filename}"
  • schtasks.exe /Create /SC MINUTE /TN GoogleUpdateTask /TR "cmd.exe /C del "{Malware Path}\{Malware Filename}" && schtasks.exe /Delete /TN GoogleUpdateTask /F" /F

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It does not exploit any vulnerability.