TrojanSpy.Win32.AVEMARIA.E

This Trojan Spy arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It connects to a website to send and receive information.

It logs a user's keystrokes to steal information.

Arrival Details

This Trojan Spy arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan Spy drops the following files:

• %User Temp%\ellocnak.xml
• %Application Data%{9 Random Characters}.exe -> detected as Trojan.Win32.MIMIKATZ.ADY
• %System%\dismcore.dll -> detected as Trojan.Win32.ANTIAV.AB

It drops the following non-malicious file:

• %User Temp%\nss3.dll
• %User Temp%\mozglue.dll
• %User Temp%\softokn3.dll
• %User Temp%\msvcp140.dll
• %User Temp%\vcruntime140.dll
• %User Temp%\freebl3.dll

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, and 8.)

It adds the following processes:

• %System%\cmd.exe
• powershell add-MpPreference -executionPath C:\
• "%System%\dism.exe" /online /norestart /apply-unattend:"%User Temp%\ellocnak.xml" -> executed via DISM Dll hijacking vulnerability for UAC bypass

(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, and 8.)

It injects codes into the following process(es):

• %System%\cmd.exe

(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.)

Other System Modifications

This Trojan Spy adds the following registry entries as part of its installation routine:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon
AllowMultipleTSSessions = 0

It modifies the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Control\Terminal Server
fDenyTSConnections = 0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Control\Terminal Server\Licensing Core
EnableConcurrentSessions = 0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Control\Terminal Server\AddIns\
Clip Redirector
Name = RDPCLip

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Control\Terminal Server\AddIns\
Clip Redirector
Type = 3

Backdoor Routine

This Trojan Spy connects to the following websites to send and receive information:

• {BLOCKED}eys.{BLOCKED}dns.com
• {BLOCKED}.{BLOCKED}.123.196

Download Routine

This Trojan Spy accesses the following websites to download files:

• http://{BLOCKED}.{BLOCKED}.225.104/dll/upnp.exe

It connects to the following URL(s) to download its component file(s):

• http://{BLOCKED}.{BLOCKED}.225.104/dll/sogtokn3.dll
• http://{BLOCKED}.{BLOCKED}.225.104/dll/msvcp140.dll
• http://{BLOCKED}.{BLOCKED}.225.104/dll/mozglue.dll
• http://{BLOCKED}.{BLOCKED}.225.104/dll/vcruntime140.dll
• http://{BLOCKED}.{BLOCKED}.225.104/dll/freebl3.dll
• http://{BLOCKED}.{BLOCKED}.225.104/dll/nss3.dll

Information Theft

This Trojan Spy logs a user's keystrokes to steal information.

Other Details

This Trojan Spy connects to the following URL(s) to check for an Internet connection:

• https://google.com

It does the following:

• Steals user credentials such as user name and passwords, which are related to the following application:
  
  • Microsoft Outlook
  • HTTP
  • IMAP
  • POP3
  • SMTP
  • Windows Messaging
  • Firefox Browser -> steal all credentials stored
  • Thunderbird
• It can elevate its privilege via the following:
  
  • UAC bypass via DLL hijacking