SYSIE


 ALIASES:

Rabasheeta

 PLATFORM:

Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Backdoor

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

SYSIE, also known as Rabasheeta, is a Trojan that opens a backdoor on a compromised computer. This malware drops a main module and a configuration file. The configuration file of SYSIE contains the board category, BBS ID, and the URL to which this malware uploads files.

This backdoor has the capability to execute several commands from a malicious user, including downloading and executing files and capturing screenshots.

This backdoor executes commands from a remote malicious user, effectively compromising the affected system.

It deletes itself after execution.

  TECHNICAL DETAILS

Memory Resident:

Yes

Payload:

Compromises system security, Downloads files, Executes files

Installation

This backdoor drops the following component file(s):

  • {malware path}\cfg.dat
  • %AppDataLocal%\Microsoft\iesys\cfg.dat
  • %AppDataLocal%\Microsoft\iesys\iesys.exe
  • {malware path}\del.bat

(Note: %AppDataLocal% is the Local Application Data folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local on Windows Vista and 7.)

It creates the following folders:

  • %AppDataLocal%\Microsoft\iesys


Other System Modifications

This backdoor adds the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
{malware filename}.exe = "{malware path}\{malware filename}.exe"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
iesys = "%AppDataLocal%\Microsoft\iesys\iesys.exe"
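The following read-only triage check is an added example and is not part of this entry or any Trend Micro tool. It looks for the two persistence mechanisms and the dropped files listed above: the `iesys` Run value, any Run value whose target sits under `%AppDataLocal%\Microsoft\iesys`, and, since the `{malware filename}.exe` Run entry cannot be known in advance, any Run target that has a `cfg.dat` companion file next to it. The function names (`Get-RunTargetPath`, `Test-SysieArtifacts`) and the `-IesysDir` parameter are this example's own; the paths and value names come from the entry.

```powershell
function Get-RunTargetPath {
    param([string]$Data)
    # Best-effort extraction of the executable path from a Run value's command line:
    # expand environment variables, strip surrounding quotes, keep text up to the first ".exe".
    $s = [Environment]::ExpandEnvironmentVariables($Data).Trim().Trim('"')
    $i = $s.IndexOf('.exe', [StringComparison]::OrdinalIgnoreCase)
    if ($i -ge 0) { return $s.Substring(0, $i + 4).Trim('"') }
    return $s
}

function Test-SysieArtifacts {
    [CmdletBinding()]
    param(
        # Folder named in the entry under %AppDataLocal%; overridable to point at a mounted image.
        [string]$IesysDir = (Join-Path $env:LOCALAPPDATA 'Microsoft\iesys')
    )

    $findings = @()

    # 1. Dropped files listed in the entry under %AppDataLocal%\Microsoft\iesys.
    foreach ($name in 'iesys.exe', 'cfg.dat') {
        $p = Join-Path $IesysDir $name
        if (Test-Path -LiteralPath $p) {
            $item = Get-Item -LiteralPath $p
            $findings += [pscustomobject]@{
                Type   = 'DroppedFile'
                Detail = $p
                Reason = "Size=$($item.Length) ModifiedUtc=$($item.LastWriteTimeUtc.ToString('o'))"
            }
        }
    }

    # 2. HKCU Run entries: the named 'iesys' value, any value pointing into the iesys folder,
    #    and any value whose target has a cfg.dat companion (the second dropped file).
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $meta   = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'  # provider metadata, not Run values
    if (Test-Path $runKey) {
        $run = Get-ItemProperty -Path $runKey
        foreach ($prop in $run.PSObject.Properties) {
            if ($meta -contains $prop.Name) { continue }
            $data    = [string]$prop.Value
            $target  = Get-RunTargetPath $data
            $reasons = @()

            if ($prop.Name -eq 'iesys') { $reasons += 'value name matches the entry' }
            if ($target -like '*\Microsoft\iesys\*') { $reasons += 'target is under %AppDataLocal%\Microsoft\iesys' }

            $dir = if ($target -match '\\') { Split-Path -Parent $target } else { $null }
            if ($dir -and (Test-Path -LiteralPath (Join-Path $dir 'cfg.dat'))) {
                $reasons += 'cfg.dat found alongside the Run target'
            }

            if ($reasons.Count -gt 0) {
                $state = if (Test-Path -LiteralPath $target) { 'target exists' } else { 'target missing (stale entry)' }
                $findings += [pscustomobject]@{
                    Type   = 'RunKey'
                    Detail = "$($prop.Name) = $data"
                    Reason = (($reasons + $state) -join '; ')
                }
            }
        }
    }

    return $findings
}

# Usage: run as the user whose profile is being examined; HKCU and %LOCALAPPDATA% are per-user.
$hits = Test-SysieArtifacts
if ($hits) { $hits | Format-Table -AutoSize } else { 'No SYSIE artifacts found for the current user.' }
```

Because both the Run key and the drop folder are per-user, the check only covers the profile it runs under; on a multi-user host, run it in each user's context or load each `NTUSER.DAT` hive and adjust `-IesysDir` accordingly. The check reports only and deletes nothing, so a hit can be preserved for analysis before cleanup.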

Backdoor Routine

This backdoor executes the following commands from a remote malicious user:

  • Capture screenshots
  • Download files
  • Upload files
  • Enumerate files and folders
  • Execute files
  • Get default Internet browser
  • Navigate and open a URL in a hidden browser
  • Log user keystrokes and mouse clicks
  • Update self
  • Update configuration file
  • Update bulletin thread used
  • Sleep for a specified amount of time
  • Remove self from system

Other Details

This backdoor connects to the following possibly malicious URLs:

  • http://{BLOCKED}k.{BLOCKED}t.me/upld.php
  • http://{BLOCKED}s.{BLOCKED}or.jp/bbs/rawmode.cgi/{boardcategory}/{bbsID}/{threadID}/
  • http://{BLOCKED}s.{BLOCKED}or.jp/bbs/write.cgi/{boardcategory}/{bbsID}
  • http://{BLOCKED}s.{BLOCKED}or.jp/bbs/write.cgi/study/11825/
  • http://{BLOCKED}s.{BLOCKED}or.jp/bbs/write.cgi/music/27190/

It deletes itself after execution.