TrojanSpy.VBS.URSNIF.AA

This Trojan Spy arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It executes then deletes itself afterward.

Arrival Details

This Trojan Spy arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan Spy adds the following processes:

• During debugger mode:
  • calc.exe
• During Non-debugger mode:
  • rundll32 %User Temp%\climate.ogm,DllRegisterServer

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It executes then deletes itself afterward.

It terminates itself if it finds the following processes in the affected system's memory:

• frida-winjector-helper-64.exe
• frida-winjector-helper-32.exe
• pythonw.exe
• pyw.exe
• cmdvirth.exe
• alive.exe
• filewatcherservice.exe
• ngvmsvc.exe
• sandboxierpcss.exe
• analyzer.exe
• fortitracer.exe
• nsverctl.exe
• sbiectrl.exe
• angar2.exe
• goatcasper.exe
• ollydbg.exe
• sbiesvc.exe
• apimonitor.exe
• GoatClientApp.exe
• peid.exe
• scanhost.exe
• apispy.exe
• hiew32.exe
• perl.exe
• scktool.exe
• apispy32.exe
• hookanaapp.exe
• petools.exe
• sdclt.exe
• asura.exe
• hookexplorer.exe
• pexplorer.exe
• sftdcc.exe
• autorepgui.exe
• httplog.exe
• ping.exe
• shutdownmon.exe
• autoruns.exe
• icesword.exe
• pr0c3xp.exe
• sniffhit.exe
• autorunsc.exe
• iclicker-release.exe
• .exe
• prince.exe
• snoop.exe
• autoscreenshotter.exe
• idag.exe
• procanalyzer.exe
• spkrmon.exe
• avctestsuite.exe
• idag64.exe
• processhacker.exe
• sysanalyzer.exe
• avz.exe
• idaq.exe
• processmemdump.exe
• syser.exe
• behaviordumper.exe
• immunitydebugger.exe
• procexp.exe
• systemexplorer.exe
• bindiff.exe
• importrec.exe
• procexp64.exe
• systemexplorerservice.exe
• BTPTrayIcon.exe
• imul.exe
• procmon.exe
• sython.exe
• capturebat.exe
• Infoclient.exe
• procmon64.exe
• taskmgr.exe
• cdb.exe
• installrite.exe
• python.exe
• taslogin.exe
• ipfs.exe
• tcpdump.exe
• clicksharelauncher.exe
• iprosetmonitor.exe
• qq.exe
• tcpview.exe
• closepopup.exe
• iragent.exe
• qqffo.exe
• timeout.exe
• commview.exe
• iris.exe
• qqprotect.exe
• totalcmd.exe
• cports.exe
• joeboxcontrol.exe
• qqsg.exe
• trojdie.kvpcrossfire.exe
• joeboxserver.exe
• raptorclient.exe
• txplatform.exe
• dnf.exe
• lamer.exe
• regmon.exe
• virus.exe
• dsniff.exe
• LogHTTP.exe
• regshot.exe
• vx.exe
• dumpcap.exe
• lordpe.exe
• RepMgr64.exe
• winalysis.exe
• emul.exe
• malmon.exe
• RepUtils32.exe
• winapioverride32.exe
• ethereal.exe
• mbarun.exe
• RepUx.exe
• windbg.exe
• ettercap.exe
• mdpmon.exe
• runsample.exe
• windump.exe
• fakehttpserver.exe
• mmr.exe
• samp1e.exe
• winspy.exe
• fakeserver.exe
• sample.exe
• wireshark.exe
• Fiddler.exe
• multipot.exe
• sandboxiecrypto.exe
• XXX.exe
• filemon.exe
• netsniffer.exe
• sandboxiedcomlaunch.exe

Dropping Routine

This Trojan Spy drops the following files:

• %User Temp%\adobe.url → a shortcut targeting https://adobe.com
• %User Temp%\climate.ogm

Information Theft

This Trojan Spy gathers the following data:

• Computer name
• OS information (name, version)
• Execution time
• Username

Stolen Information

This Trojan Spy sends the gathered information via HTTP POST to the following URL:

• http://{BLOCKED}.{BLOCKED}einov.com/{Random characters}
• http://{BLOCKED}.{BLOCKED}are.com/{Random characters}
• http://{BLOCKED}.{BLOCKED}nady.com/{Random characters}
• http://{BLOCKED}.{BLOCKED}torna.com/{Random characters}

Other Details

This Trojan Spy does the following:

• It has two modes:
  • Debugger mode
    • A file %User Profile%\Downloads\33855.txt must exists
    • File name must contain "33855"
  • Non-debugger mode
• Terminates and delete itself if any of the following conditions are met:
  • Total disk size is less than 50 Gb
  • Total physical memory (RAM) is less than 1030 Mb
  • Processor's number of cores is less than 3
  • Debugger and/or analysis tools/softwares are found running in machine
  • Number of files in %User Profile%\Downloads is less than 3
  • Number of files in %User Temp% is less than 3
  • Last Boot Up time is less than 10 minutes ago
• During Debugger mode, it does the following exclusively:
  • Display message boxes that contains strings that varies relative to the execution's progress.
  • It does not terminate and delete itself even if the conditions are met.
• It displays a fake error containing the following strings:
  • "Cant start because MSVCR101.dll is missing from your computer. Try reinstalling the program to fix this problem."

(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name} on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)