Trojan.PS1.SILENTKILL.THHOIBC

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan adds the following processes:

• cmd.exe /c assoc .README=txtfile
• wbadmin stop job
• wbadmin delete catalog -quiet
• wbadmin delete systemstatebackup
• wbadmin delete systemstatebackup - keepversions:0
• wbadmin delete backup
• wmic shadowcopy delete
• vssadmin delete shadows /all /quiet
• bcedit /set {default} bootstatuspolicy ignoreallfailures
• bcedit /set {default} recoveryenabled no
• wevtutil cl Security
• wevtutil cl Application
• wevtutil cl System

Other System Modifications

This Trojan modifies the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\CurentControlSet\
Control\Terminal Server
fDenyTSConnections = 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows Defender\Real-Time Protection
SpyNetReporting = 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows Defender\Real-Time Protection
SubmitSamplesConsent = 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows Defender\Features
TamperProtection = 4

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows Defender
DisableAntiSpyware = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\Windows Defender
DisableAntiSpyware = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Policies\
System
legalnoticecaption = Welcome

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Policies\
System
legalnoticecaption = Welcome aboard

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Control\Terminal Server\WinStations\
RDP-TCP
PortNumber = 4000

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\
TrendMicro\PC-cillinNTCorp\CurrentVersion\
Misc.
Allow Uninstall = 1

Process Termination

This Trojan terminates the following services if found on the affected system:

• Backup
• Exchange
• HvHost
• Malwarebytes
• Oracle
• Quest
• Sharepoint
• SQL
• Veeam
• vmcompute
• vmicguestinterface
• vmicheartbeat
• vmickvpexchange
• vmicrdv
• vmicshutdown
• vmictimesync
• vmicvmsession
• vmicvss
• vmms

It terminates processes or services that contain any of the following strings if found running in the affected system's memory:

• AV related processes:
  • acronis
  • Agent
  • agent
  • agntsvc.exe
  • agntsvc.exeagntsvc.exe
  • agntsvc.exeencsvc.exe
  • agntsvc.exeisqlplussvc.exe
  • anvir.exe
  • anvir64.exe
  • arcserve
  • barracuda
  • ccleaner.exe
  • ccleaner64.exe
  • Endpoint
  • endpoint
  • Kaspersky
  • Malware
  • microsoft
  • monitor
  • protect
  • secure
  • security
  • segurda
  • Veeam
  • veeam
• adobe
• AlwaysOn
• anydesk
• apache
• apache.exe
• autodesk
• Backup
• backup.exe
• center
• chrome
• Core.Service
• database
• dbeng50.exe
• dbsnmp.exe
• def
• dev
• encsvc.exe
• engine
• exchange
• far.exe
• firefox
• firefoxconfig.exe
• Framework
• http
• infopath.exe
• isqlplussvc.exe
• java
• kingdee.exe
• logmein
• manage
• Mongo
• msaccess.exe
• msftesql.exe
• mspub.exe
• mydesktopqos.exe
• mydesktopservice.exe
• mysqld.exe
• mysqld-nt.exe
• mysqld-opt.exe
• ncsvc.exe
• ocautoupds.exe
• ocomm.exe
• OCS Inventory
• ocssd.exe
• office
• oracle.exe
• oracle.exe
• procexp.exe
• QBCF
• QBData
• QBDB
• QuickBooks
• regedit.exe
• sage
• server
• silverlight
• solarwinds
• sprout
• sqbcoreservice.exe
• sql
• SQL
• sql.exe
• sqlagent.exe
• sqlbrowser.exe
• sqlserver.exe
• sqlservr.exe
• sqlwriter.exe
• synctime.exe
• tbirdconfig.exe
• teamviewer
• tomcat.exe
• tomcat6.exe
• u8.exe
• ufida.exe
• visio.exe
• vnc
• web
• xfssvccon.exe

Other Details

This Trojan does the following:

• It adds the following local group accounts with Administrator privileges:
  • Administrators
  • Remote Desktop Users
• It enables the firewall rule that allows RDP connections.
• It sends the MAC address of the victim via UDP to the broadcast IP.
• It modifies the Administrator user passsword.
• It modifies the Windows Defender settings to disable malware scanning and detection.
• It disables the following AV-related services:
  • WdNisSvc
  • WinDefend
  • Sense
  • WdnisDrv
  • wdfilter
  • wdboot
• It deletes the ComputerRestorePoint to prevent system recovery.
• It attempts to uninstall the following AV programs:
  • Bitdefender
  • TrendMicro
  • Kaspersky
• It enables PowerShell remoting.
• It enables WinRm execution.
• It checks if a specific IP in its network has a running WinDefend service.
• It modifies the machine's lock screen title into the following strings:
  • Welcome
  • Welcome aboard
• It deletes all files in %User Temp%.
• It modifies the listening RDP port to 4000 and sets a Firewall rule to allow inbound connections.
• It modifies the Windows Defender settings to disable scanning of files and processes in all drives.

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)