Backdoor.Win32.SDBBOT.AA.tmsr

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It executes commands from a remote malicious user, effectively compromising the affected system. It connects to a website to send and receive information.

Arrival Details

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Backdoor drops the following files:

• When ran with administrator privileges:
  • When ran in a system with a version lower than or equal to Windows 7:
    • %User Temp%\sdb{4 digit Hex Number}.tmp
    • %Windows%\AppPatch\Custom\{hex-values}.sdb
  • When ran in a system with a version greater than Windows 7:
    • %System%\mswinload0.dll
• When ran without administrator privileges:
  • %Application Data%\mswinload.dll

(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.. %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It adds the following processes:

• When ran with administrator privileges:
  • %System%\sdbinst.exe -q -p %User Temp%\sdb{4 digit Hex Number}.tmp (While running in a system with a version lower than or equal to Windows 7)

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• windows_7_windows_10_check_running_once_mutex

Autostart Technique

This Backdoor adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
mswinload = rundll32 %AppData\mswinload.dll,#1

It adds the following Image File Execution Options registry entries to automatically execute itself whenever certain applications are run:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
winlogon.exe
VerifierDlls = mswinload0.dll

Other System Modifications

This Backdoor adds the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
{3 random letters}
{1 letter} = {Hex Values}

HKEY_CURRENT_USER\SOFTWARE\Microsoft\
{3 random letters}
{1 letter} = {Hex Values}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\AppCompatFlags\
Custom\services.exe
{hex-values}.sdb = {Timestamp}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
{hex-values}.sdb
DisplayName = Microsoft KB2720155

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
{hex-values}.sdb
UninstallString = %System%\sdbinst.exe -u %Windows%\AppPatch\Custom\{hex-values}.sdb

HKEY_LOCAL_MACHINE\SOFTWARE\Microsot\
Windows NT\CurrentVersion\AppCompatFlags\
InstalledSDB\{hex-values}
DatabasePath = %Windows%\AppPatch\Custom\{hex-values}.sdb

HKEY_LOCAL_MACHINE\SOFTWARE\Microsot\
Windows NT\CurrentVersion\AppCompatFlags\
InstalledSDB\{hex-values}
DatabaseType = {Numbers}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsot\
Windows NT\CurrentVersion\AppCompatFlags\
InstalledSDB\{hex-values}
DatabaseDescription = Microsoft KB2720155

HKEY_LOCAL_MACHINE\SOFTWARE\Microsot\
Windows NT\CurrentVersion\AppCompatFlags\
InstalledSDB\{hex-values}
DatabaseInstallTimeStamp = {Timestamp}

Backdoor Routine

This Backdoor executes the following commands from a remote malicious user:

• Execute CMD Commands
• Reboot the System
• Sleep
• Record Video
• Enable/Disable RDP
• Port Forward
• Inject PE Files
• Get Drive Information and Directories/Files
• Manage Files (Create,Read,Write,Delete)
• Create Directory

It connects to the following websites to send and receive information:

• {BLOCKED}analtyic.com:443

Information Theft

This Backdoor gathers the following data:

• Domain Name
• Computer Name
• Country Code
• OS Version and Architecture
• User Privilege
• Proxy Settings

Other Details

This Backdoor adds the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
{3 random letters}

HKEY_CURRENT_USER\SOFTWARE\Microsoft\
{3 random letters}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\AppCompatFlags\
Custom\services.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
{hex-values}.sdb

HKEY_LOCAL_MACHINE\SOFTWARE\Microsot\
Windows NT\CurrentVersion\AppCompatFlags\
InstalledSDB\{hex-values}

It does the following:

• After installing itself in the system, the system it is running on needs to be rebooted in order for it to proceed with its other malicious routines.
• It checks the user privilege it is run with and depending on what was used it will use the following registry tree:
  • HKEY_LOCAL_MACHINE → When run with administrator rights
  • HKEY_CURRENT_USER → When run without administrator rights
• The created registry key contains the loader for the encrypted RAT component and the encrypted RAT component itself.
• It checks the version of the system it is running on and depending on the result will use different ways of establishing persistence:
  • For systems running with a version lower than or equal to Windows 7:
    • Via Applications Shims (Installed with sdbinst.exe)→ When run with administrator rights
    • Via Registry Run Keys → When run without administrator rights
  • For systems running with a version greater than Windows 7:
    • Via Registry Run Keys → When run without administrator rights
    • Via Image File Execution Options Keys → When run with administrator rights