SYSIE
Rabasheeta
Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)
Threat Type: Backdoor
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
SYSIE or also known as Rabasheeta is a Trojan which opens a backdoor on a compromised computer. This malware drops a main module and a configuration file. The configuration file of SYSIE contains the board category, BBS ID, and the URL where this malware will upload files.
This backdoor has the capability to execute several commands from a malicious user, including downloading and executing files and capturing screenshots.
This backdoor executes commands from a remote malicious user, effectively compromising the affected system.
It deletes itself after execution.
TECHNICAL DETAILS
Yes
Compromises system security, Downloads files, Executes files
Installation
This backdoor drops the following component file(s):
- {malware path}\cfg.dat
- %AppDataLocal%\Microsoft\iesys\cfg.dat
- %AppDataLocal%\Microsoft\iesys\iesys.exe
- {malware path}\del.bat
(Note: %AppDataLocal% is the Local Application Data folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local on Windows Vista and 7.)
It creates the following folders:
- %AppDataLocal%\Microsoft\iesys
(Note: %AppDataLocal% is the Local Application Data folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local on Windows Vista and 7.)
Other System Modifications
This backdoor adds the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{malware filename}.exe = "{malware path}\{malware filename}.exe"
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
iesys = "%AppDataLocal%\Microsoft\iesys\iesys.exe"
Backdoor Routine
This backdoor executes the following commands from a remote malicious user:
- Capture screenshots
- Download files
- Upload files
- Enumerate files and folders
- Execute files
- Get default Internet browser
- Navigate and open a URL in a hidden browser
- Log user keystrokes and mouse clicks
- Update self
- Update configuration file
- Update bulletin thread used
- Sleep for a specified amount of time
- Remove self from system
Other Details
This backdoor connects to the following possibly malicious URL:
- http://{BLOCKED}k.{BLOCKED}t.me/upld.php
- http://{BLOCKED}s.{BLOCKED}or.jp/bbs/rawmode.cgi/{boardcategory}/{bbsID}/{threadID}/
- http://{BLOCKED}s.{BLOCKED}or.jp/bbs/write.cgi/{boardcategory}/{bbsID}
- http://{BLOCKED}s.{BLOCKED}or.jp/bbs/write.cgi/study/11825/
- http://{BLOCKED}s.{BLOCKED}or.jp/bbs/write.cgi/music/27190/
It deletes itself after execution.