TSPY_URSNIF.NZX

January 09, 2018

PLATFORM:

Windows

OVERALL RISK RATING:

DAMAGE POTENTIAL:

DISTRIBUTION POTENTIAL:

REPORTED INFECTION:

INFORMATION EXPOSURE:

Threat Type: Trojan Spy
Destructiveness: No
Encrypted:
In the wild: Yes

OVERVIEW

This Trojan Spy arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

TECHNICAL DETAILS

File Size:

730,112 bytes

File Type:

EXE

Initial Samples Received Date:

30 Dec 2017

Arrival Details

This Trojan Spy arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan Spy adds the following folders:

%Application Data%\{string1}{string2}
where:
{string1} = first four letters of a dll file under System directory
{string2} = last four letters of a dll file under System directory

(Note: %Application Data% is the Application Data folder, where it usually is C:\Documents and Settings\{user name}\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Roaming on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

It drops the following copies of itself into the affected system and executes them:

%Application Data%\{string1}{string2}\{string1}{string2}.exe
where:
{string1} = first four letters of a dll file under System directory
{string2} = last four letters of a dll file under System directory

It drops the following files:

%User Temp%\{random filename}.bin
%User Temp%\{random filename}.bin1

(Note: %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

It drops and executes the following files:

%User Temp%\{random folder name}\{random filename}.bat ← used to delete itself; deleted afterwards

Autostart Technique

This Trojan Spy adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{string1}{string2} = "%Application Data%\{string1}{string2}\{string1}{string2}.exe"

Other System Modifications

This Trojan Spy adds the following registry keys:

HKEY_CURRENT_USER\Software\AppDataLow\
Software\Microsoft\{GUID}

HKEY_CURRENT_USER\Software\AppDataLow\
Software\Microsoft\{GUID}\
Vars

HKEY_CURRENT_USER\Software\AppDataLow\
Software\Microsoft\{GUID}\
Files

HKEY_CURRENT_USER\Software\AppDataLow\
Software\Microsoft\{GUID}\
Config

HKEY_CURRENT_USER\Software\AppDataLow\
Software\Microsoft\{GUID}\
Run

It adds the following registry entries:

HKEY_CURRENT_USER\Software\AppDataLow\
Software\Microsoft\{GUID}
{UID} = "{hex value}"

HKEY_CURRENT_USER\Software\AppDataLow\
Software\Microsoft\{GUID}
{Value Name} = "{data}"
where {Value Name} may be any of the following:

Main
Block
Temp
Client
Ini
Keys
Scr
LastTask
LastConfig
CrHook
OpHook
Exec
TorClient
TorCrc

Other Details

This Trojan Spy connects to the following possibly malicious URL:

https://{BLOCKED}ofel.com/images/{random path}.{bmp/jpeg/gif}
https://{BLOCKED}ndra.com/images/{random path}.{gif/jpeg/bmp}

TSPY_URSNIF.NZX

OVERVIEW

TECHNICAL DETAILS

Resources

Support

About Trend

Country Headquarters

TSPY_URSNIF.NZX

OVERVIEW

TECHNICAL DETAILS

Resources

Support

About Trend

Country Headquarters

The Americas

Middle East & Africa

Europe

Asia & Pacific