TrojanSpy.Win32.NOON.TIOIBEDF

This Trojan Spy arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It deletes the initially executed copy of itself.

Arrival Details

This Trojan Spy arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan Spy drops a copy of itself in the following folders using different file names:

• %Program Files%\{random name 1}\{random name 2}.exe
• %User Temp%\{random name 1}\{random name 2}.exe

(Note: %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000(32-bit), Server 2003(32-bit), XP, Vista(64-bit), 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit) , or C:\Program Files (x86) in Windows XP(64-bit), Vista(64-bit), 7(64-bit), 8(64-bit), 8.1(64-bit), 2008(64-bit), 2012(64-bit) and 10(64-bit).. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It adds the following processes:

• {Malware filepath}\{Malware filename}

It creates the following folders:

• %Program Files%\{random name 1}
• %User Temp%\{random name 1}
• %Application Data%\{random name 1}

(Note: %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000(32-bit), Server 2003(32-bit), XP, Vista(64-bit), 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit) , or C:\Program Files (x86) in Windows XP(64-bit), Vista(64-bit), 7(64-bit), 8(64-bit), 8.1(64-bit), 2008(64-bit), 2012(64-bit) and 10(64-bit).. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It injects threads into the following normal process(es):

• explorer.exe

It injects codes into the following process(es):

• {Malware filepath}\{Malware filename} (The process added by the malware)

Information Theft

This Trojan Spy gathers the following data:

• Keystrokes
• User's SID
• Operating system version
• Operating system architecture
• Username
• Clipboard content

It attempts to steal stored email credentials from the following:

• Microsoft Outlook
• Mozilla Thunderbird

It attempts to get stored information such as user names, passwords, and hostnames from the following browsers:

• Google Chrome
• Internet Explorer
• Firefox
• Opera

Stolen Information

This Trojan Spy saves the stolen information in the following file:

• %Application Data%\{random characters}\{random characters}log.ini – Keystrokes
• %Application Data%\{random characters}\{random characters}logrg.ini - Google passwords
• %Application Data%\{random characters}\{random characters}logim.jpeg - Screenshot
• %Application Data%\{random characters}\{random characters}logrv.ini - Windows Vault passwords
• %Application Data%\{random characters}\{random characters}logri.ini - Internet Explorer passwords
• %Application Data%\{random characters}\{random characters}logrf.ini - Firefox passwords
• %Application Data%\{random characters}\{random characters}logrt.ini - Thunderbird passwords
• %Application Data%\{random characters}\{random characters}logrc.ini - Outlook passwords
• %Application Data%\{random characters}\{random characters}logcl.ini - Clipboard content
• %Application Data%\{random characters}\{random characters}logro.ini - Opera passwords

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It sends the gathered information via HTTP POST to the following URL:

• http://www.{BLOCKED}wling.com/o55/
• http://www.{BLOCKED}-one.com/o55/
• http://www.{BLOCKED}aylodge.com/o55/
• http://www.{BLOCKED}tureupdate.com/o55/
• http://www.{BLOCKED}t.com/o55/
• http://www.{BLOCKED}westtradingco.com/o55/
• http://www.{BLOCKED}spital.wtf/o55/
• http://www.{BLOCKED}s.agency/o55/
• http://www.{BLOCKED}fly.com/o55/
• http://www.{BLOCKED}wealthgroup.com/o55/
• http://www.{BLOCKED}h.com/o55/
• http://www.{BLOCKED}52.com/o55/
• http://www.{BLOCKED}l.com/o55/

Other Details

This Trojan Spy does the following:

• It creates and injects codes to the following processes to inject thread to explorer.exe:
  • svchost.exe
  • msiexec.exe
  • wuauclt.exe
  • lsass.exe
  • wlanext.exe
  • msg.exe
  • lsm.exe
  • dwm.exe
  • help.exe
  • chkdsk.exe
  • cmmon32.exe
  • nbtstat.exe
  • spoolsv.exe
  • rdpclip.exe
  • control.exe
  • taskhost.exe
  • rundll32.exe
  • systray.exe
  • audiodg.exe
  • wininit.exe
  • services.exe
  • autochk.exe
  • autoconv.exe
  • autofmt.exe
  • cmstp.exe
  • colorcpl.exe
  • cscript.exe
  • explorer.exe
  • WWAHost.exe
  • ipconfig.exe
  • msdt.exe
  • mstsc.exe
  • NAPSTAT.EXE
  • netsh.exe
  • NETSTAT.EXE
  • reserver.exe
  • wscript.exe
  • wuapp.exe
  • cmd.exe

It deletes the initially executed copy of itself