Trojan.Win32.ZENPAK.GFCY
Trojan.Win32.Zenpak.auzi (Kaspersky); a variant of Win32/Kryptik.HFUN trojan (NOD32)
Windows
Threat Type: Trojan
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It executes then deletes itself afterward.
TECHNICAL DETAILS
Arrival Details
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This Trojan drops the following files:
- %Application Data%\Laqika\seimhu.exe
- %User Temp%\Anradipu\certutil.exe
- %User Temp%\Anradipu\freebl3.dll
- %User Temp%\Anradipu\libnspr4.dll
- %User Temp%\Anradipu\libplc4.dll
- %User Temp%\Anradipu\libplds4.dll
- %User Temp%\Anradipu\msvcr100.dll
- %User Temp%\Anradipu\nspr4.dll
- %User Temp%\Anradipu\nss3.dll
- %User Temp%\Anradipu\nssdbm3.dll
- %User Temp%\Anradipu\nssutil3.dll
- %User Temp%\Anradipu\smime3.dll
- %User Temp%\Anradipu\softokn3.dll
- %User Temp%\Anradipu\sqlite3.dll
- %User Temp%\fiygurra.crt
- %User Temp%\hoox.tmp
- %User Temp%\uvylkuh.tmp
- %User Temp%\zouvpo.tmp
- %Application Data%\Apip\ubmaabu.ep
- %Application Data%\Iwerfu\ysappy.yxog
- %Application Data%\Ropa\zoatirko.ceva
- %Application Data%\Uffexo\bazy.fa
- %Application Data%\Wiudo\ezinube.vii
- %Application Data%\Wypoez\usond.eguf
- %Application Data%\Yvagi\myqiunxe.keyml
- %Application Data%\Zeyp\omugy.piwu
(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)
It adds the following processes:
- cmd.exe /c ipconfig /all
- ipconfig /all
- cmd.exe /c net config workstation
- net config workstation;
- %System%\net1 config workstation
- cmd.exe /c net view /all
- net view /all
- cmd.exe /c net view /all /domain
- net view /all /domain
- cmd.exe /c nltest /domain_trusts
- nltest /domain_trusts
- cmd.exe /c nltest /domain_trusts /all_trusts
- nltest /domain_trusts /all_trusts
- "%User Temp%\Anradipu\certutil.exe" -A -n "ovfoxud" -t "C,C,C" -i "%User Temp%\fiygurra.crt" -d "%Application Data%\Mozilla\Firefox\Profiles\dxxbjsgn.default"
(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.. %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)
It executes then deletes itself afterward.
Other System Modifications
This Trojan adds the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\
toxm
ugba = {hex values}
HKEY_CURRENT_USER\Software\Microsoft\
Agpiafe
miypafa = {hex values}
HKEY_CURRENT_USER\Software\Microsoft\
Agpiafe
palocem = {hex values}
Other Details
This Trojan adds the following registry keys:
HKEY_CURRENT_USER\Software\Microsoft\
Agpiafe
HKEY_CURRENT_USER\Software\Microsoft\
toxm
It connects to the following possibly malicious URL:
- http://{BLOCKED}234135.xyz/LKhwojehDgwegSDG/gateJKjdsh.php
- http://{BLOCKED}234135.org/LKhwojehDgwegSDG/gateJKjdsh.php