WORM_PHULLI.B
Trojan.Luminrat (Symantec) ; Mal/MSIL-TH (Sophos)
Windows
Threat Type: Worm
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This Worm arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
TECHNICAL DETAILS
File size: 2,202,584 bytes
File type: EXE
Initial samples received: 31 Mar 2017
Arrival Details
This Worm arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This Worm drops the following files:
- %All Users Profile%\Microsoft\RAC\StateData\RacWmiDataBookmarks.dat
- %All Users Profile%\Microsoft\RAC\StateData\RacWmiEventData.dat
- %AppDataLocal%Low\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
- %Application Data%\conhost\Guard\1
- %Application Data%\conhost\Screenshots\{DATE}\{TIME}
- %Application Data%\hawkeye.exe
- %Application Data%\rat.exe
- %Application Data%\svchost.exe
- %Application Data%\Windows Update.exe
- %Program Files%\Client\svchost.exe
- %System%\clientmonitor.exe
- %System%\Tasks\adorbe
- %User Temp%\1934
- %User Temp%\3742
- %User Temp%\3919
- %User Temp%\4445
- %User Temp%\5185
- %User Temp%\7635
- %User Temp%\8280
- %User Temp%\8856
- %Windows%\Temp\fwtsqmfile01.sqm
- %User Startup%\BGInfo.lnk
- %Application Data%\conhost\Logs\07-03-2018
- {Removable Drive}\autorun.inf
- {Removable Drive}\Sys.exe
(Note:
- %All Users Profile% is the All Users folder, where it usually is C:\Documents and Settings\All Users on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\ProgramData on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.
- %AppDataLocal% is the Application Data folder found in Local Settings, where it is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.
- %Application Data% is the Application Data folder, where it usually is C:\Documents and Settings\{user name}\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Roaming on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.
- %Program Files% is the Program Files folder, where it usually is C:\Program Files on all Windows operating system versions; C:\Program Files (x86) for 32-bit applications running on Windows 64-bit operating systems.
- %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.
- %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.
- %Windows% is the Windows folder, where it usually is C:\Windows on all Windows operating system versions.
- %User Startup% is the current user's Startup folder, which is usually C:\Documents and Settings\{user}\Start Menu\Programs\Startup on Windows 2000 and XP, and C:\Documents and Settings\{User name}\Start Menu\Programs\Startup on Windows Vista, 7, and 8.)
It creates the following folders:
- %Application Data%\conhost\Logs
- %Application Data%\conhost\Files
- %Application Data%\conhost\Screenshot
- %Application Data%\conhost\Guard
(Note: %Application Data% is the Application Data folder, where it usually is C:\Documents and Settings\{user name}\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Roaming on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)
Other System Modifications
This Worm adds the following registry entries:
HKEY_CURRENT_USER\Software
PTH = "%Program Files%\Client\svchost.exe"

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
shell = "explorer.exe,"%System%\clientmonitor.exe""

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\adorbe
Index = "3"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
adorbe = "cmd /c "start "adorbe" "%Program Files%\Client\svchost.exe""
Other Details
This Worm connects to the following possibly malicious URLs:
- enugu0421.{BLOCKED}s.net
- s.{BLOCKED}d.com
- sw.{BLOCKED}d.com
- s.{BLOCKED}b.com
- sw.{BLOCKED}b.com
- s2.{BLOCKED}b.com
- s1.{BLOCKED}b.com
- sv.{BLOCKED}d.com
- sv.{BLOCKED}b.com
- ss.{BLOCKED}d.com
- gn.{BLOCKED}d.com
It adds the following scheduled tasks:
- Name: adorbe
- Trigger: on startup
- Executes: %Program Files%\Client\svchost.exe
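Added example (not part of the Trend Micro entry): a PowerShell check that looks for the persistence artifacts listed above, the Winlogon shell value, the PTH and RunOnce registry values, the adorbe scheduled task and the dropped executables. It assumes an elevated PowerShell session on Windows 8 / Server 2012 or later, where Get-ScheduledTask is available; the environment-variable mappings to %Program Files%, %System% and %Application Data% follow the note earlier on this page.

```powershell
# Added example: hunt for the WORM_PHULLI.B persistence artifacts on the local host.
$findings = @()

# 1. Winlogon shell value under HKCU. Windows normally has no Shell value here at all,
#    and the legitimate value is exactly "explorer.exe"; the worm appends clientmonitor.exe.
$winlogon = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell -ne 'explorer.exe') { $findings += "Winlogon Shell value: $shell" }

# 2. HKCU\Software\PTH holding the path of the dropped copy.
$pth = (Get-ItemProperty -Path 'HKCU:\Software' -Name PTH -ErrorAction SilentlyContinue).PTH
if ($pth) { $findings += "HKCU\Software PTH value: $pth" }

# 3. RunOnce entry named adorbe that starts the dropped svchost.exe through cmd.exe.
$runOnce = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
$adorbe = (Get-ItemProperty -Path $runOnce -Name adorbe -ErrorAction SilentlyContinue).adorbe
if ($adorbe) { $findings += "RunOnce adorbe value: $adorbe" }

# 4. Scheduled task 'adorbe' (TaskCache\Tree\adorbe in the registry mirrors it).
$task = Get-ScheduledTask -TaskName 'adorbe' -ErrorAction SilentlyContinue
if ($task) {
    $exe = ($task.Actions | ForEach-Object { $_.Execute }) -join ', '
    $findings += "Scheduled task adorbe executes: $exe"
}

# 5. Dropped files. A real svchost.exe lives only in %System% (or SysWOW64), so copies
#    under Program Files\Client or %Application Data% are suspicious on their own.
$paths = @(
    (Join-Path $env:ProgramFiles 'Client\svchost.exe'),
    (Join-Path $env:SystemRoot  'System32\clientmonitor.exe'),
    (Join-Path $env:APPDATA     'hawkeye.exe'),
    (Join-Path $env:APPDATA     'rat.exe'),
    (Join-Path $env:APPDATA     'svchost.exe'),
    (Join-Path $env:APPDATA     'Windows Update.exe'),
    (Join-Path $env:APPDATA     'conhost'),
    # BGInfo.lnk is also used by legitimate Sysinternals BGInfo deployments; check its target.
    (Join-Path ([Environment]::GetFolderPath('Startup')) 'BGInfo.lnk')
)
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) { $findings += "Dropped file present: $p" }
}

if ($findings.Count -eq 0) { 'No WORM_PHULLI.B persistence artifacts found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

On hosts older than Windows 8 replace the Get-ScheduledTask call with `schtasks /Query /TN adorbe /V /FO LIST`; the registry and file checks work unchanged.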