TSPY_URSNIF.NZX
Windows
![](/vinfo/imgFiles/legend.jpg)
Threat Type: Trojan Spy
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This Trojan Spy arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
TECHNICAL DETAILS
730,112 bytes
EXE
30 Dec 2017
Arrival Details
This Trojan Spy arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This Trojan Spy adds the following folders:
- %Application Data%\{string1}{string2}
where:
{string1} = first four letters of a dll file under System directory
{string2} = last four letters of a dll file under System directory
(Note: %Application Data% is the Application Data folder, where it usually is C:\Documents and Settings\{user name}\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Roaming on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)
It drops the following copies of itself into the affected system and executes them:
- %Application Data%\{string1}{string2}\{string1}{string2}.exe
where:
{string1} = first four letters of a dll file under System directory
{string2} = last four letters of a dll file under System directory
(Note: %Application Data% is the Application Data folder, where it usually is C:\Documents and Settings\{user name}\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Roaming on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)
It drops the following files:
- %User Temp%\{random filename}.bin
- %User Temp%\{random filename}.bin1
(Note: %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)
It drops and executes the following files:
- %User Temp%\{random folder name}\{random filename}.bat ← used to delete itself; deleted afterwards
(Note: %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)
Autostart Technique
This Trojan Spy adds the following registry entries to enable its automatic execution at every system startup:
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{string1}{string2} = "%Application Data%\{string1}{string2}\{string1}{string2}.exe"
Other System Modifications
This Trojan Spy adds the following registry keys:
HKEY_CURRENT_USER\Software\AppDataLow\
Software\Microsoft\{GUID}
HKEY_CURRENT_USER\Software\AppDataLow\
Software\Microsoft\{GUID}\
Vars
HKEY_CURRENT_USER\Software\AppDataLow\
Software\Microsoft\{GUID}\
Files
HKEY_CURRENT_USER\Software\AppDataLow\
Software\Microsoft\{GUID}\
Config
HKEY_CURRENT_USER\Software\AppDataLow\
Software\Microsoft\{GUID}\
Run
It adds the following registry entries:
HKEY_CURRENT_USER\Software\AppDataLow\
Software\Microsoft\{GUID}
{UID} = "{hex value}"
HKEY_CURRENT_USER\Software\AppDataLow\
Software\Microsoft\{GUID}
{Value Name} = "{data}"
where {Value Name} may be any of the following:
- Main
- Block
- Temp
- Client
- Ini
- Keys
- Scr
- LastTask
- LastConfig
- CrHook
- OpHook
- Exec
- TorClient
- TorCrc
Other Details
This Trojan Spy connects to the following possibly malicious URL:
- https://{BLOCKED}ofel.com/images/{random path}.{bmp/jpeg/gif}
- https://{BLOCKED}ndra.com/images/{random path}.{gif/jpeg/bmp}