TSPY_BEBLOH.YMNOV

This Trojan Spy arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. It may be downloaded by other malware/grayware from remote sites.

It does not have any propagation routine.

It does not have any backdoor routine.

It executes the downloaded files. As a result, malicious routines of the downloaded files are exhibited on the affected system.

It connects to certain websites to send and receive information. It gathers information and reports it to its servers.

Arrival Details

This Trojan Spy arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It may be downloaded by the following malware/grayware from remote sites:

• X2KM_POWLOAD.TIAOEGM

It may be downloaded from the following remote sites:

• http://{BLOCKED}rama.com/hope

Installation

This Trojan Spy drops the following copies of itself into the affected system:

• %Program Files%\Windows NT\{random string}.exe
  (Note: Creation of this copy is triggered when the affected system is shutting down)

(Note: %Program Files% is the Program Files folder, where it usually is C:\Program Files on all Windows operating system versions; C:\Program Files (x86) for 32-bit applications running on Windows 64-bit operating systems.)

It drops the following files:

• {Malware Path}\mp

It adds the following processes:

• explorer.exe

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• Uz{Random Hex}

It injects codes into the following process(es):

• created explorer.exe

Autostart Technique

This Trojan Spy adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{random string} = "%Program Files%\Windows NT\{random string}.lnk"
(Note: Creation of this registry entry is triggered when the affected system is shutting down)

It drops the following files:

• %Program Files%\Windows NT\{random string}.lnk <- points to the copy
  (Note: Creation of this file is triggered when the affected system is shutting down, appends parameter "-autorun" to executed copy)

(Note: %Program Files% is the Program Files folder, where it usually is C:\Program Files on all Windows operating system versions; C:\Program Files (x86) for 32-bit applications running on Windows 64-bit operating systems.)

Other System Modifications

This Trojan Spy adds the following registry keys:

HKEY_CURRENT_USER\Software\{random key}

It adds the following registry entries:

HKEY_CURRENT_USER\Software\{random key}
(Default) = {hex values}

Propagation

This Trojan Spy does not have any propagation routine.

Backdoor Routine

This Trojan Spy does not have any backdoor routine.

Rootkit Capabilities

This Trojan Spy does not have rootkit capabilities.

Download Routine

This Trojan Spy connects to the following website(s) to download and execute a malicious file:

• http://{BLOCKED}t.cz/olex.exe
  NOTE: The download site may vary depending on the C&C server

It saves the files it downloads using the following names:

• %User Temp%\olex.exe

(Note: %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

Trend Micro detects the dowloaded file as:

• TSPY_URSNIF.TIBAIAR

It then executes the downloaded files. As a result, malicious routines of the downloaded files are exhibited on the affected system.

Stolen Information

This Trojan Spy sends the gathered information via HTTP POST to the following URL:

• http://{BLOCKED}ran.com/auth/?tver={value}&vcmd={value}&cc={value}&hh={Hex Value}&ipcnf={Ip address}+&sckport={value}&pros={value}&keret={value};&email={value}

Other Details

This Trojan Spy connects to the following URL(s) to check for an Internet connection:

• www.google.com

It connects to the following website to send and receive information:

• {Random Generated Domain}.com
• {Random Generated Domain}.net
• {BLOCKED}ran.com/auth/

It does the following:

• Update itself
• It does not proceed to its malicious routine if it detects that it is running in a VMWare environment
• It deletes the cache files of Google Chrome and Mozilla Firefox
• This malware does any of the following depending on the reply from the C&C:
  • Sleep and wait for next reply
  • Receive download URL to download other possibly malicious files

It gathers the following information and reports it to its servers:

• Machine Name
• OS Information (Version, Product ID, Name, Install Date)
• Explorer File Information
• Volume Serial Number
• Network Configuration (IP address, Socket, Ports)
• Keyboard Layout