TROJ_PHULLI.A
Aliases: Trojan.Luminrat (Symantec); Mal/MSIL-TH (Sophos); VirTool:MSIL/Subti.N (Microsoft)
Platform: Windows
Threat Type: Worm
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This Worm arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
TECHNICAL DETAILS
File Size: 2,154,008 bytes
File Type: EXE
Initial Samples Received Date: 21 Mar 2017
Arrival Details
This Worm arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This Worm drops the following files:
- %Application Data%\conhost\Guard\1
- %Application Data%\conhost\Screenshots\{DATE}\{TIME}
- %Application Data%\rat.exe
- %Application Data%\svchost.exe
- %Application Data%\Windows Update.exe
- %Program Files%\Client\svchost.exe
- %System%\clientmonitor.exe
- %System%\Tasks\adorbe
- %User Startup%\BGInfo.lnk
(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, and 8. %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000, Server 2003, and XP (32-bit), Vista (32-bit), 7 (32-bit), and 8 (32-bit), or C:\Program Files (x86) in Windows XP (64-bit), Vista (64-bit), 7 (64-bit), and 8 (64-bit). %System% is the Windows system folder, which is usually C:\Windows\System32 on all Windows operating system versions. %User Startup% is the current user's Startup folder, which is usually C:\Windows\Profiles\{user name}\Start Menu\Programs\Startup on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Start Menu\Programs\Startup on Windows NT, C:\Documents and Settings\{User name}\Start Menu\Programs\Startup on Windows XP, or C:\Users\{user name}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup on Windows Vista, 7, and 8.)
It creates the following folders:
- %Application Data%\conhost\Logs
- %Application Data%\conhost\Files
- %Application Data%\conhost\Screenshot
- %Application Data%\conhost\Guard
(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, and 8.)
Other System Modifications
This Worm adds the following registry entries:
HKEY_CURRENT_USER\Software\s
sgrbBHDMOetyRkExVphQ== = RFTOim3TdAczhLTaDSizdxjwt336geGUtGenylg+am0=
HKEY_CURRENT_USER\Software\ZGDbZx4E
XnSXF8mqincQA== = 4fbtXk5r4LkQK0vi0v2OsQZ10pFACK4j4YqRkpj7sEs=
HKEY_CURRENT_USER\Software
MTX = 0bcf24549a8536869fa6e8c81d24506f35b5fbb1
HKEY_CURRENT_USER\Software
PTH = "%Program Files%\Client\svchost.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
shell = "explorer.exe,"%System%\clientmonitor.exe""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\adorbe
Index = "3"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
adorbe = "cmd /c "start "adorbe" "%Program Files%\Client\svchost.exe""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Update = %Application Data%\svehost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Update = %Application Data%\svehost.exe
Other Details
This Worm connects to the following possibly malicious URLs:
- enugu0421.{BLOCKED}s.net
- s.{BLOCKED}d.com
- sw.{BLOCKED}d.com
- s.{BLOCKED}b.com
- sw.{BLOCKED}b.com
- s2.{BLOCKED}b.com
- s1.{BLOCKED}b.com
- sv.{BLOCKED}d.com
- sv.{BLOCKED}b.com
- ss.{BLOCKED}d.com
- gn.{BLOCKED}d.com
It adds the following scheduled tasks:
- Name: adorbe
- Trigger: on startup
- Executes: %Program Files%\Client\svchost.exe
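The dropped files, registry entries and scheduled task listed under Installation, Other System Modifications and Other Details are the host-side indicators a responder would sweep for. The PowerShell script below is an added triage example, not Trend Micro's own tooling: the paths, value names and task name come from the description above, while the finding layout, the SHA-256 hashing of any file found, the extra "Screenshots" folder check (the page lists both "Screenshot" and "Screenshots") and the 32/64-bit Program Files handling are this script's own assumptions. It checks Run and RunOnce by value name rather than by path, so it still fires if the Update value points at a renamed binary.

```powershell
# Host triage for the TROJ_PHULLI.A artifacts described above.
# Added example (not Trend Micro tooling). File paths, registry values and the task
# name come from the description; the finding layout, hashing and the extra
# "Screenshots" folder check are this script's own assumptions. Run elevated.

$findings = New-Object 'System.Collections.Generic.List[object]'

function Add-Finding([string]$Kind, [string]$Location, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Kind = $Kind; Location = $Location; Detail = $Detail })
}

# 1. Dropped files. %Application Data% is $env:APPDATA; the Program Files copy may
#    sit under either Program Files directory on 64-bit Windows.
$appData     = $env:APPDATA
$programDirs = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
$paths = @(
    "$appData\conhost\Guard\1",
    "$appData\rat.exe",
    "$appData\svchost.exe",
    "$appData\Windows Update.exe",
    "$env:SystemRoot\System32\clientmonitor.exe",
    "$env:SystemRoot\System32\Tasks\adorbe",
    "$appData\Microsoft\Windows\Start Menu\Programs\Startup\BGInfo.lnk"
) + ($programDirs | ForEach-Object { "$_\Client\svchost.exe" })

foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p -PathType Leaf) {
        $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        Add-Finding 'File' $p "SHA256=$hash"
    }
}
# The conhost tree is created at install time, before any screenshots are written.
foreach ($d in 'Logs', 'Files', 'Screenshot', 'Screenshots', 'Guard') {
    if (Test-Path -LiteralPath "$appData\conhost\$d" -PathType Container) {
        Add-Finding 'Folder' "$appData\conhost\$d" ''
    }
}

# 2. Winlogon Shell. A clean profile normally has no per-user Shell value; if one
#    exists it must read exactly "explorer.exe". Anything after the comma is
#    started alongside Explorer at every logon.
$winlogon = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $winlogon -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell -ne 'explorer.exe') { Add-Finding 'Registry' "$winlogon\Shell" $shell }

# 3. Run/RunOnce values and the bare HKCU\Software markers (PTH holds the install path).
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($k in $runKeys) {
    $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    foreach ($name in 'Update', 'adorbe') {
        if ($props -and $props.$name) { Add-Finding 'Registry' "$k\$name" $props.$name }
    }
}
$software = Get-ItemProperty -Path 'HKCU:\Software' -ErrorAction SilentlyContinue
foreach ($name in 'PTH', 'MTX') {
    if ($software -and $software.$name) { Add-Finding 'Registry' "HKCU:\Software\$name" $software.$name }
}

# 4. The "adorbe" scheduled task and its TaskCache mirror. Get-ScheduledTask exists on
#    Windows 8 / Server 2012 and later; on older hosts use: schtasks /Query /TN adorbe /V
if (Get-Command Get-ScheduledTask -ErrorAction SilentlyContinue) {
    $task = Get-ScheduledTask -TaskName 'adorbe' -ErrorAction SilentlyContinue
    if ($task) {
        $actions = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; '
        Add-Finding 'ScheduledTask' $task.TaskName $actions
    }
}
$tree = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\adorbe'
if (Test-Path -Path $tree) { Add-Finding 'Registry' $tree 'present' }

if ($findings.Count -eq 0) { 'No TROJ_PHULLI.A artifacts found.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

The HKCU and %Application Data% checks only cover the profile the script runs under; on a shared host, run it as each logged-on user or load the other profiles' NTUSER.DAT hives before drawing a negative conclusion. Treat a hit on the Winlogon Shell value as the highest-confidence indicator, since that value has no legitimate reason to name anything but explorer.exe.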