TrojanSpy.Win32.QAKBOT.TIGOCDP

This Trojan Spy arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It connects to a website to send and receive information.

It prevents users from visiting antivirus-related websites that contain specific strings.

Arrival Details

This Trojan Spy arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan Spy drops the following files:

• %Application Data%\Microsoft\{random folder}\{random name}.dat - encrypted component
• %Application Data%\Microsoft\{random folder}\{random name}32.dll - encrypted configuration file
• %User Profile%\{random name}.wpl - dropped JavaScript file
• %System%\Tasks\{random ID}.job

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name} on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.)

It drops the following copies of itself into the affected system:

• %Application Data%\Microsoft\{random folder}\{random file name}.exe

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It adds the following processes:

• %Windows%\explorer.exe
• {Malware FilePath}\{Malware FileName}.exe /C ← for checking if being analyzed or running in Virtual Environment

(Note: %Windows% is the Windows folder, where it usually is C:\Windows on all Windows operating system versions.)

Autostart Technique

This Trojan Spy creates the following registry entries to enable automatic execution of dropped component at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{random} = "%Application Data%\Microsoft\{random folder}\{random name}.exe"

Backdoor Routine

This Trojan Spy connects to the following websites to send and receive information:

• {generated domain}.(com|net|org|info|biz|org)

Process Termination

This Trojan Spy terminates the following processes if found running in the affected system's memory:

• ChromeUpdate.exe
• msdev.exe
• dbgview.exe
• ollydbg.exe
• ctfmon.exe
• Proxifier.exe
• nav.exe
• Microsoft.Notes.exe
• ShellExperienceHost.exe
• SecHealthUI.exe
• windbg.exe

Information Theft

This Trojan Spy monitors the Internet Explorer (IE) activities of the affected system, specifically the address bar or title bar. It recreates a legitimate website with a spoofed login page if a user visits banking sites with the following strings in the address bar or title bar:

• .hsbcnet.com
• .ntrs.com
• .web-access.com
• .webcashmgmt.com
• /achupload
• /cashman/
• /cashplus/
• /clkccm/
• /cmserver/
• /corpach/
• /ibws/
• /payments/ach
• /payments/ach
• /stbcorp/
• /wcmpr/
• /wcmpw/
• /wcmtr/
• /wires/
• /wiret
• access.jpmorgan.com
• accessmoneymanager.com
• accessonline.abnamro.com
• achbatchlisting
• avgthreatlabs.com
• bankeft.com
• blilk.com
• businessaccess.citibank.citigroup.com
• businessbankingcenter.synovus.com
• business-eb.ibanking-services.com
• business-eb.ibanking-services.com
• businessinternetbanking.synovus.com
• businessonline.huntington.com
• businessonline.tdbank.com
• cashmanageronline.bbt.com
• cashproonline.bankofamerica.com
• cashproonline.bankofamerica.com
• cbs.firstcitizensonline.com
• chsec.wellsfargo.com
• cmol.bbt.com
• cmoltp.bbt.com
• commerceconnections.commercebank.com
• commercial.bnc.ca
• commercial.wachovia.com
• commercial2.wachovia.com
• commercial3.wachovia.com
• commercial4.wachovia.com
• corporatebanking
• cpw-achweb.bankofamerica.com
• ctm.53.com
• directline4biz.com
• directpay.wellsfargo.com
• each.bremer.com
• ebanking-services.com
• ecash.arvest.com
• e-facts.org
• e-moneyger.com
• express.53.com
• firstmeritib.com
• firstmeritib.com/defaultcorp.aspx
• goldleafach.com
• iachwellsprod.wellsfargo.com
• ibc.klikbca.com
• intellix.capitalonebank.com
• iris.sovereignbank.com
• itreasury.regions.com
• itreasurypr.regions.com
• jsp/mainWeb.jsp
• ktt.key.com
• moneymanagergps.com
• netconnect.bokf.com
• nj00-wcm
• ocm.suntrust.com
• olb-ebanking.com
• onlineserv/CM
• otm.suntrust.com
• paylinks.cunet.org
• paylinks.cunet.org
• premierview.membersunited.org
• premierview.membersunited.org
• providentnjolb.com
• safeweb.norton.com
• schwabinstitutional.com
• scotiaconnect.scotiabank.com
• securentrycorp.amegybank.com
• securentrycorp.zionsbank.com
• singlepoint.usbank.com
• siteadvisor.com
• svbconnect.com
• tcfexpressbusiness.com
• tdcommercialbanking.com
• tdetreasury.tdbank.com
• tmcb.amegybank.com
• tmcb.zionsbank.com
• tmconnectweb
• treas-mgt.frostbank.com
• treasury.pncbank.com
• treasurygateway
• trz.tranzact.org
• trz.tranzact.org
• tssportal.jpmorgan.com
• wc.wachovia.com
• wcp.wachovia.com
• web-cashplus.com
• webexpress.tdbank.com
• webinfoplus.mandtbank.com
• wellsoffice.wellsfargo.com

It gathers the following data:

• Windows Cookies
• Macromedia Flash Cookies
• Browser Cookies
• System Information
• Network Information
• GeoIP Locations
• Digital Certificates

Stolen Information

This Trojan Spy sends the gathered information via HTTP POST to the following URL:

• 100.{BLOCKED}.{BLOCKED}.8:443
• 104.{BLOCKED}.{BLOCKED}.45:995
• 104.{BLOCKED}.{BLOCKED}.20:995
• 104.{BLOCKED}.{BLOCKED}.213:2222
• 104.{BLOCKED}.{BLOCKED}.18:443
• 105.{BLOCKED}.{BLOCKED}.97:995
• 107.{BLOCKED}.{BLOCKED}.181:443
• 108.{BLOCKED}.{BLOCKED}.244:443
• 108.{BLOCKED}.{BLOCKED}.213:8443
• 108.{BLOCKED}.{BLOCKED}.59:443
• 108.{BLOCKED}.{BLOCKED}.66:443
• 108.{BLOCKED}.{BLOCKED}.221:443
• 110.{BLOCKED}.{BLOCKED}.117:443
• 111.{BLOCKED}.{BLOCKED}.30:2222
• 116.{BLOCKED}.{BLOCKED}.130:443
• 117.{BLOCKED}.{BLOCKED}.149:995
• 12.{BLOCKED}.{BLOCKED}.146:443
• 12.{BLOCKED}.{BLOCKED}.3:443
• 123.{BLOCKED}.{BLOCKED}.47:443
• 137.{BLOCKED}.{BLOCKED}.25:443
• 138.{BLOCKED}.{BLOCKED}.214:443
• 159.{BLOCKED}.{BLOCKED}.115:995
• 162.{BLOCKED}.{BLOCKED}.166:443
• 162.{BLOCKED}.{BLOCKED}.30:443
• 166.{BLOCKED}.{BLOCKED}.194:2078
• 168.{BLOCKED}.{BLOCKED}.71:443
• 172.{BLOCKED}.{BLOCKED}.246:443
• 172.{BLOCKED}.{BLOCKED}.176:443
• 172.{BLOCKED}.{BLOCKED}.13:995
• 173.{BLOCKED}.{BLOCKED}.169:995
• 173.{BLOCKED}.{BLOCKED}.216:443
• 173.{BLOCKED}.{BLOCKED}.3:443
• 173.{BLOCKED}.{BLOCKED}.11:2222
• 173.{BLOCKED}.{BLOCKED}.249:443
• 173.{BLOCKED}.{BLOCKED}.90:22
• 173.{BLOCKED}.{BLOCKED}.90:990
• 173.{BLOCKED}.{BLOCKED}.90:995
• 174.{BLOCKED}.{BLOCKED}.120:995
• 174.{BLOCKED}.{BLOCKED}.160:443
• 174.{BLOCKED}.{BLOCKED}.155:995
• 179.{BLOCKED}.{BLOCKED}.31:443
• 181.{BLOCKED}.{BLOCKED}.118:443
• 181.{BLOCKED}.{BLOCKED}.138:995
• 181.{BLOCKED}.{BLOCKED}.162:443
• 184.{BLOCKED}.{BLOCKED}.203:2222
• 184.{BLOCKED}.{BLOCKED}.78:443
• 184.{BLOCKED}.{BLOCKED}.234:995
• 187.{BLOCKED}.{BLOCKED}.188:995
• 190.{BLOCKED}.{BLOCKED}.18:443
• 190.{BLOCKED}.{BLOCKED}.18:995
• 192.{BLOCKED}.{BLOCKED}.2:2222
• 192.{BLOCKED}.{BLOCKED}.185:443
• 193.{BLOCKED}.{BLOCKED}.19:995
• 196.{BLOCKED}.{BLOCKED}.208:2222
• 197.{BLOCKED}.{BLOCKED}.191:995
• 199.{BLOCKED}.{BLOCKED}.231:995
• 2.{BLOCKED}.{BLOCKED}.198:443
• 2.{BLOCKED}.{BLOCKED}.151:443
• 2.{BLOCKED}.{BLOCKED}.236:443
• 201.{BLOCKED}.{BLOCKED}.180:995
• 203.{BLOCKED}.{BLOCKED}.72:443
• 206.{BLOCKED}.{BLOCKED}.179:443
• 206.{BLOCKED}.{BLOCKED}.106:50002
• 207.{BLOCKED}.{BLOCKED}.228:443
• 207.{BLOCKED}.{BLOCKED}.91:443
• 209.{BLOCKED}.{BLOCKED}.217:443
• 217.{BLOCKED}.{BLOCKED}.212:443
• 222.{BLOCKED}.{BLOCKED}.36:2078
• 23.{BLOCKED}.{BLOCKED}.215:443
• 24.{BLOCKED}.{BLOCKED}.155:443
• 24.{BLOCKED}.{BLOCKED}.58:2222
• 24.{BLOCKED}.{BLOCKED}.152:443
• 24.{BLOCKED}.{BLOCKED}.28:443
• 24.{BLOCKED}.{BLOCKED}.105:2078
• 24.{BLOCKED}.{BLOCKED}.105:2083
• 24.{BLOCKED}.{BLOCKED}.105:2087
• 24.{BLOCKED}.{BLOCKED}.105:2222
• 24.{BLOCKED}.{BLOCKED}.105:61201
• 24.{BLOCKED}.{BLOCKED}.9:443
• 36.{BLOCKED}.{BLOCKED}.250:443
• 47.{BLOCKED}.{BLOCKED}.85:443
• 47.{BLOCKED}.{BLOCKED}.154:443
• 47.{BLOCKED}.{BLOCKED}.154:995
• 47.{BLOCKED}.{BLOCKED}.10:995
• 47.{BLOCKED}.{BLOCKED}.230:443
• 47.{BLOCKED}.{BLOCKED}.253:443
• 47.{BLOCKED}.{BLOCKED}.26:465
• 5.{BLOCKED}.{BLOCKED}.156:443
• 50.{BLOCKED}.{BLOCKED}.220:443
• 50.{BLOCKED}.{BLOCKED}.74:995
• 62.{BLOCKED}.{BLOCKED}.217:995
• 64.{BLOCKED}.{BLOCKED}.29:995
• 64.{BLOCKED}.{BLOCKED}.172:443
• 65.{BLOCKED}.{BLOCKED}.83:443
• 65.{BLOCKED}.{BLOCKED}.240:995
• 66.{BLOCKED}.{BLOCKED}.176:443
• 67.{BLOCKED}.{BLOCKED}.98:2222
• 67.{BLOCKED}.{BLOCKED}.102:443
• 67.{BLOCKED}.{BLOCKED}.13:443
• 68.{BLOCKED}.{BLOCKED}.223:443
• 68.{BLOCKED}.{BLOCKED}.136:443
• 68.{BLOCKED}.{BLOCKED}.27:443
• 69.{BLOCKED}.{BLOCKED}.172:995
• 69.{BLOCKED}.{BLOCKED}.167:443
• 70.{BLOCKED}.{BLOCKED}.69:443
• 70.{BLOCKED}.{BLOCKED}.71:443
• 70.{BLOCKED}.{BLOCKED}.126:2222
• 71.{BLOCKED}.{BLOCKED}.250:443
• 71.{BLOCKED}.{BLOCKED}.170:443
• 71.{BLOCKED}.{BLOCKED}.251:443
• 71.{BLOCKED}.{BLOCKED}.114:443
• 71.{BLOCKED}.{BLOCKED}.90:443
• 72.{BLOCKED}.{BLOCKED}.194:995
• 72.{BLOCKED}.{BLOCKED}.198:465
• 72.{BLOCKED}.{BLOCKED}.107:995
• 72.{BLOCKED}.{BLOCKED}.233:443
• 72.{BLOCKED}.{BLOCKED}.77:2083
• 72.{BLOCKED}.{BLOCKED}.182:443
• 73.{BLOCKED}.{BLOCKED}.150:443
• 73.{BLOCKED}.{BLOCKED}.6:443
• 73.{BLOCKED}.{BLOCKED}.222:80
• 73.{BLOCKED}.{BLOCKED}.237:443
• 74.{BLOCKED}.{BLOCKED}.181:443
• 74.{BLOCKED}.{BLOCKED}.250:2222
• 75.{BLOCKED}.{BLOCKED}.106:443
• 75.{BLOCKED}.{BLOCKED}.89:443
• 75.{BLOCKED}.{BLOCKED}.82:443
• 75.{BLOCKED}.{BLOCKED}.82:995
• 75.{BLOCKED}.{BLOCKED}.69:443
• 75.{BLOCKED}.{BLOCKED}.122:443
• 75.{BLOCKED}.{BLOCKED}.155:3389
• 75.{BLOCKED}.{BLOCKED}.193:443
• 75.{BLOCKED}.{BLOCKED}.223:995
• 76.{BLOCKED}.{BLOCKED}.81:443
• 76.{BLOCKED}.{BLOCKED}.223:443
• 76.{BLOCKED}.{BLOCKED}.226:443
• 79.{BLOCKED}.{BLOCKED}.119:995
• 80.{BLOCKED}.{BLOCKED}.42:2222
• 86.{BLOCKED}.{BLOCKED}.248:443
• 90.{BLOCKED}.{BLOCKED}.155:2222
• 96.{BLOCKED}.{BLOCKED}.27:2222
• 96.{BLOCKED}.{BLOCKED}.86:443
• 98.{BLOCKED}.{BLOCKED}.64:443
• 98.{BLOCKED}.{BLOCKED}.8:443
• 98.{BLOCKED}.{BLOCKED}.192:995
• 99.{BLOCKED}.{BLOCKED}.183:995

Other Details

This Trojan Spy connects to the following URL(s) to check for an Internet connection:

• baidu.com
• cnn.com
• facebook.com
• linkedin.com
• mail.ru
• microsoft.com
• qq.com
• wikipedia.org
• yahoo.com

It connects to the following URL(s) to get the affected system's IP address:

• http://www.ip-adress.com

It does the following:

• It monitors the browsing activities of the affected computer and logs all information related to websites containing the following strings:
  • comet.yahoo.com
  • .hiro.tv
  • safebrowsing.google.com
  • geo.query.yahoo.com
  • googleusercontent.com
  • salesforce.com
  • officeapps.live.com
  • storage.live.com
  • messenger.live.com
  • .twimg.com
  • api.skype.com
  • mail.google.com
  • .bing.com
  • playtoga.com
  • .mozilla.com
  • .mozilla.org
  • hotbar.com
  • lphbs.com
  • contacts.msn.com
  • search.msn.com
  • clients.mindbodyonline.com
  • loyaltyconnect.ihg.com
  • .amazonaws.com
  • audatexsolutions.com
  • mail.services.live.com
  • etsy.com
  • .king.com
  • phantomefx.com
  • facebook.com
  • .gator.com
  • doubleclick.
  • zango.com
  • 180solutions.com
  • wildtangent.com
  • webhancer.com
  • tbreport.bellsouth.net
  • spamblockerutility.com
  • internet-optimizer.com
  • .adworldmedia.com
  • seekmo.com
  • r777r.info
  • sipuku.com
  • eorezo.com
  • newasp.com.cn
  • wpzkq.com
  • radialpoint.com
  • owlforce.com
  • .microsoft.com
  • localhost
  • 127.0.0.1
  • securestudies.com
  • farmville.com
  • mybrowserbar.com
  • auditude.com
  • digitalmediacommunications.com
  • mapquest.com
  • kixeye.com
  • myshopres.com
  • conduit-services.com
  • zynga.com
  • .5min.com
  • netflix.com
  • tubemogul.com
  • youtube.com
  • brightcove.com
  • mochibot
• It is capable of doing the following:
  • Terminate processes
  • Upload stolen information
  • Perform FTP commands
  • Download configuration and updates
• After the injection, the loader overwrites its original executable with the 32-bit version of calc.exe:
  • “C:\Windows\System32\cmd.exe” /c ping.exe -n 6 127.0.0.1 & type “C:\Windows\System32\calc.exe” > {Executed MalwareFilePath\Malware Filename}.exe"
• It terminate itself if the following processes is found in the memory:
  • vmtoolsd.exe
  • vmacthlp.exe
  • metsvc-server.exe
  • windump.exe
• It attempts to drop copies of itself to other machines in the same network via IPC$ shares
• It checks the presence of the following Anti-Virus and Security Applications:
  • ccSvcHst.exe
  • avgcsrvx.exe
  • vgsvcx.exe
  • avgcsrva.exe
  • MsMpEng.exe
  • mcshield.exe
  • avp.exe
  • egui.exe
  • ekrn.exe
  • bdagent.exe
  • vsserv.exe
  • vsservppl.exe
  • AvastSvc.exe
  • coreServiceShell.exe
  • PccNTMon.exe
  • NTRTScan.exe
  • SAVAdminService.exe
  • SavService.exe
  • fshoster32.exe
  • WRSA.exe
  • vkise.exe
  • isesrv.exe
  • cmdagent.exe
  • ByteFence.exe
  • MBAMService.exe
  • fmon.exe
• It sends the following information to the C&C server:
  • ext_ip - External IP
  • dnsname - DNS Name
  • hostname - Host Name
  • user - User Name
  • domain - Domain
  • is_admin - (YES/NO)
  • os - OS Version
  • qbot_version - QBOT Version
  • install_time - Install Time
  • exe - Execution Name and Path
  • prod_id - ID
• It terminates itself if the following DLL is loaded on its memory:
  • ivm-inject.dll
  • SbieDll.dll
  • sf2.dll
• It terminates itself when executed in the following Virtual Environments:
  • Virtual HD
  • VirtualProtect
  • VirtualBox
  • CWSandbox
  • VMWare
  • RedHat
  • QEMU
• It checks if the following Anti-Virus Software are installed:
  • Avast
  • AVG
  • Bitdefender
  • Kaspersky
  • Mcafee
  • Microsoft Security Essentials
  • NOD32
  • Norton
  • Trend Micro

It prevents users from visiting antivirus-related websites that contain the following strings:

• safeweb.norton.com
• siteadvisor.com
• avgthreatlabs.com

It adds the following scheduled tasks:

• Task Name: {random ID}
  • Schedule: Every 5 Hours
  • Task to be run: %Application Data%\Microsoft\{random folder}\{random name}.exe
  Task Name: {random ID}
  • Schedule: Weekly, Every Tuesday and Wednesday at 12:00:00
  • Task to be run: "cmd.exe /C \ "start /MIN %System%\cscript.exe //E:javascript \ "%User Profile%\{random name}.wpl \"

(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name} on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)