TrojanSpy.Win32.QAKBOT.YXDBN

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Ejecuta comandos desde un usuario remoto malicioso que pone en peligro el sistema afectado.

Detalles de entrada

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Instalación

Agrega los procesos siguientes:

• Depending on the number of AV products that was found to be running in the system and the machine architecture it would choose from the following:
  • %system%\AtBroker.exe
  • %System%\wermgr.exe
  • %System%\msra.exe
  • %System%\backgroundTaskHost.exe
  • %Program Files%\Internet Explorer\iexplorer.exe
• %System%\schtasks.exe /Create /RU "NT AUTHORITY\SYSTEM" /tn {Random} /tr "rundll32.exe \"{Malware Full Path and Name}.dll,Wind\"" /SC ONCE /Z /ST {Start Time} /ET {End Time}
• whoami /all
• cmd /c set
• arp -a
• ipconfig /all
• net view /all
• nslookup -querytype=ALL -timeout=10 _ldap._tcp.dc._msdcs.WORKGROUP
• nltest /domain_trusts /all_trusts
• net share
• route print
• netstat -nao
• net localgroup
• qwinsta

(Nota: %Program Files% es la carpeta Archivos de programa predeterminada, que suele estar en C:\Archivos de programa).

Agrega las siguientes exclusiones mutuas para garantizar que solo se ejecuta una de sus copias en todo momento:

• Global\{GUID}

Este malware inyecta códigos en el/los siguiente(s) proceso(s):

• Depending on the number of AV products that was found to be running in the system and the machine architecture it would choose from the following:
  • %Windows%\wermgr.exe
  • %System%\backgroundTaskHost.exe
  • %System%\msra.exe
  • %System%\AtBroker.exe
  • %Program Files%\Internet Explorer\iexplorer.exe

(Nota: %Program Files% es la carpeta Archivos de programa predeterminada, que suele estar en C:\Archivos de programa).

Técnica de inicio automático

Agrega las siguientes entradas de registro para permitir su ejecución automática cada vez que se inicia el sistema:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{Random} = rundll32.exe {Malware Full Path and Name}.dll,Wind

Rutina de puerta trasera

Ejecuta los comandos siguientes desde un usuario remoto malicioso:

• Update Self
• Update Configuration
• Download and Install Plugins
• Terminate Processes
• Drop Files
• Drop Files and Run

Robo de información

Recopila los siguientes datos:

• Computer Name
• Username
• IP address
• Operating System Information
• Processor Information
• Installed Antivirus Products
• Running Processes

Información sustraída

Este malware envía la información recopilada a la siguiente URL a través de HTTP POST:

• {BLOCKED}.{BLOCKED}.186.195:443/t5
• {BLOCKED}.{BLOCKED}.31.249:443/t5
• {BLOCKED}.{BLOCKED}.112.14:50000/t5
• {BLOCKED}.{BLOCKED}.176.218:443/t5
• {BLOCKED}.{BLOCKED}.176.97:443/t5
• {BLOCKED}.{BLOCKED}.45.81:2222/t5
• {BLOCKED}.{BLOCKED}.204.71:443/t5
• {BLOCKED}.{BLOCKED}.14.72:2222/t5
• {BLOCKED}.{BLOCKED}.25.165:443/t5
• {BLOCKED}.{BLOCKED}.236.149:443/t5
• {BLOCKED}.{BLOCKED}.147.177:2222/t5
• {BLOCKED}.{BLOCKED}.42.67:443/t5
• {BLOCKED}.{BLOCKED}.72.139:2222/t5
• {BLOCKED}.{BLOCKED}.101.164:50000/t5
• {BLOCKED}.{BLOCKED}.24.154:443/t5
• {BLOCKED}.{BLOCKED}.184.149:443/t5
• {BLOCKED}.{BLOCKED}.110.133:443/t5
• {BLOCKED}.{BLOCKED}.173.82:50001/t5
• {BLOCKED}.{BLOCKED}.17.149:2222/t5
• {BLOCKED}.{BLOCKED}.144.105:2222/t5
• {BLOCKED}.{BLOCKED}.7.6:995/t5
• {BLOCKED}.{BLOCKED}.204.82:2222/t5
• {BLOCKED}.{BLOCKED}.156.14:2222/t5
• {BLOCKED}.{BLOCKED}.53.166:443/t5
• {BLOCKED}.{BLOCKED}.158.118:995/t5
• {BLOCKED}.{BLOCKED}.69.229:2222/t5
• {BLOCKED}.{BLOCKED}.216.238:443/t5
• {BLOCKED}.{BLOCKED}.105.242:443/t5
• {BLOCKED}.{BLOCKED}.112.40:61202/t5
• {BLOCKED}.{BLOCKED}.206.65:995/t5
• {BLOCKED}.{BLOCKED}.14.107:443/t5
• {BLOCKED}.{BLOCKED}.154.19:443/t5
• {BLOCKED}.{BLOCKED}.173.82:995/t5
• {BLOCKED}.{BLOCKED}.204.2:2222/t5
• {BLOCKED}.{BLOCKED}.51.138:995/t5
• {BLOCKED}.{BLOCKED}.69.244:443/t5
• {BLOCKED}.{BLOCKED}.119.20:443/t5
• {BLOCKED}.{BLOCKED}.241.104:443/t5
• {BLOCKED}.{BLOCKED}.196.114:443/t5
• {BLOCKED}.{BLOCKED}.80.210:443/t5
• {BLOCKED}.{BLOCKED}.204.71:993/t5
• {BLOCKED}.{BLOCKED}.176.234:443/t5
• {BLOCKED}.{BLOCKED}.173.82:20/t5
• {BLOCKED}.{BLOCKED}.112.40:2078/t5
• {BLOCKED}.{BLOCKED}.86.238:995/t5
• {BLOCKED}.{BLOCKED}.200.140:443/t5
• {BLOCKED}.{BLOCKED}.22.28:2222/t5
• {BLOCKED}.{BLOCKED}.175.42:2222/t5
• {BLOCKED}.{BLOCKED}.210.63:2222/t5
• {BLOCKED}.{BLOCKED}.102.224:443/t5
• {BLOCKED}.{BLOCKED}.173.82:465/t5
• {BLOCKED}.{BLOCKED}.23.67:443/t5
• {BLOCKED}.{BLOCKED}.30.133:443/t5
• {BLOCKED}.{BLOCKED}.42.122:443/t5
• {BLOCKED}.{BLOCKED}.72.56:443/t5
• {BLOCKED}.{BLOCKED}.126.3:443/t5
• {BLOCKED}.{BLOCKED}.120.191:443/t5
• {BLOCKED}.{BLOCKED}.208.137:995/t5
• {BLOCKED}.{BLOCKED}.41.77:2222/t5
• {BLOCKED}.{BLOCKED}.48.205:443/t5
• {BLOCKED}.{BLOCKED}.123.159:2222/t5
• {BLOCKED}.{BLOCKED}.177.88:443/t5
• {BLOCKED}.{BLOCKED}.138.217:2222/t5
• {BLOCKED}.{BLOCKED}.173.82:32101/t5
• {BLOCKED}.{BLOCKED}.216.98:2222/t5
• {BLOCKED}.{BLOCKED}.117.95:2222/t5
• {BLOCKED}.{BLOCKED}.173.82:2087/t5
• {BLOCKED}.{BLOCKED}.252.153:995/t5
• {BLOCKED}.{BLOCKED}.48.233:443/t5
• {BLOCKED}.{BLOCKED}.26.14:995/t5
• {BLOCKED}.{BLOCKED}.196.11:443/t5
• {BLOCKED}.{BLOCKED}.173.82:990/t5
• {BLOCKED}.{BLOCKED}.221.16:443/t5
• {BLOCKED}.{BLOCKED}.214.138:2222/t5
• {BLOCKED}.{BLOCKED}.132.174:2222/t5
• {BLOCKED}.{BLOCKED}.100.207:995/t5
• {BLOCKED}.{BLOCKED}.243.113:50000/t5
• {BLOCKED}.{BLOCKED}.231.59:2222/t5
• {BLOCKED}.{BLOCKED}.101.183:443/t5
• {BLOCKED}.{BLOCKED}.202.22:443/t5
• {BLOCKED}.{BLOCKED}.51.242:993/t5
• {BLOCKED}.{BLOCKED}.191.120:2222/t5
• {BLOCKED}.{BLOCKED}.12.217:2222/t5
• {BLOCKED}.{BLOCKED}.204.71:995/t5
• {BLOCKED}.{BLOCKED}.108.183:995/t5
• {BLOCKED}.{BLOCKED}.98.62:995/t5
• {BLOCKED}.{BLOCKED}.115.68:32100/t5
• {BLOCKED}.{BLOCKED}.98.62:443/t5
• {BLOCKED}.{BLOCKED}.163.165:443/t5
• {BLOCKED}.{BLOCKED}.250.18:443/t5
• {BLOCKED}.{BLOCKED}.180.14:995/t5
• {BLOCKED}.{BLOCKED}.180.154:995/t5
• {BLOCKED}.{BLOCKED}.240.16:995/t5
• {BLOCKED}.{BLOCKED}.72.114:443/t5
• {BLOCKED}.{BLOCKED}.77.115:443/t5
• {BLOCKED}.{BLOCKED}.115.126:995/t5
• {BLOCKED}.{BLOCKED}.50.151:995/t5
• {BLOCKED}.{BLOCKED}.63.203:443/t5
• {BLOCKED}.{BLOCKED}.159.67:2222/t5
• {BLOCKED}.{BLOCKED}.111.66:995/t5
• {BLOCKED}.{BLOCKED}.17.92:443/t5
• {BLOCKED}.{BLOCKED}.74.165:443/t5
• {BLOCKED}.{BLOCKED}.84.65:443/t5
• {BLOCKED}.{BLOCKED}.186.116:2222/t5
• {BLOCKED}.{BLOCKED}.51.138:443/t5
• {BLOCKED}.{BLOCKED}.19.254:995/t5
• {BLOCKED}.{BLOCKED}.184.134:995/t5
• {BLOCKED}.{BLOCKED}.71.201:443/t5
• {BLOCKED}.{BLOCKED}.132.224:2222/t5
• {BLOCKED}.{BLOCKED}.173.82:995/t5
• {BLOCKED}.{BLOCKED}.122.74:443/t5
• {BLOCKED}.{BLOCKED}.125.215:995/t5
• {BLOCKED}.{BLOCKED}.116.233:443/t5
• {BLOCKED}.{BLOCKED}.91.69:443/t5
• {BLOCKED}.{BLOCKED}.7.228:443/t5
• {BLOCKED}.{BLOCKED}.226.137:995/t5
• {BLOCKED}.{BLOCKED}.175.47:2222/t5
• {BLOCKED}.{BLOCKED}.104.2:2222/t5
• {BLOCKED}.{BLOCKED}.95.10:443/t5
• {BLOCKED}.{BLOCKED}.97.83:995/t5

Otros detalles

Agrega las siguientes entradas de registro como parte de la rutina de instalación:

HKEY_CURRENT_USER\Software\Microsoft\
{Random}

Hace lo siguiente:

• It checks the presence of the following Anti-Virus and Security Applications:
  • ccSvcHst.exe
  • NortonSecurity.exe
  • nsWscSvc.exe
  • avgcsrvx.exe
  • avgcsvcx.exe
  • avgcsrva.exe
  • MsMpEng.exe
  • mcshield.exe
  • avp.exe
  • kavtray.exe
  • egui.exe
  • ekrn.exe
  • bdagent.exe
  • vsserv.exe
  • vsservppl.exe
  • AvastSvc.exe
  • aswEngSrv.exe
  • aswToolsSvc.exe
  • afwServ.exe
  • aswidsagent.exe
  • AvastUI.exe
  • coreServiceShell.exe
  • PccNTMon.exe
  • NTRTScan.exe
  • SophosUI.exe
  • SAVAdminService.exe
  • SavService.exe
  • fshoster32.exe
  • WRSA.exe
  • vkise.exe
  • isesrv.exe
  • cmdagent.exe
  • Bytefence.exe
  • MBAMService.exe
  • mbamgui.exe
  • fmon.exe
  • dwengine.exe
  • dwarkdaemon.exe
  • dwwatcher.exe
  • SentinelServiceHost.exe
  • SentinelStaticEngine.exe
  • SentinelAgent.exe
  • SentinelStaticEngineScanner.exe
  • SentinelUI.exe
  • SonicWallClientProtectionService.exe
  • CynetEPS.exe
  • CynetMS.exe
  • CynetConsole.exe
  • CSFalconService.exe
  • CSFalconContainer.exe
  • RepUx.exe
  • CrAmTray.exe
  • csc_ui.exe
  • xagtnotif.exe
  • AppUIMonitor.exe
• After it is succesful in injecting its codes into its target process, it will wipe its original binary with zeros and leave only the headers intact.
• It establishes its persistence with the following routine:
  • It will only create its autostart registry entry if it detects that the system it is running on is about to restart or shutdown.
  • It will also write its code again in the original binary that was wiped previously before the system reboots or shutdowns.
  • When the system it is running on boots again, it would proceed to inject itself again to its target process and then proceed to wipe the binary and delete the autostart registry entry and binary.
• It stores its encrypted configuration in the registry key that it creates.