Trojan.MSIL.FRS.VSNW0BK24

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan adds the following folders:

• If -o | --output parameter is used:
  • {Path Set by the User}\EyeWitness_{Date}_{Time}
  • {Path Set by the User}\EyeWitness_{Date}_{Time}\headers
  • {Path Set by the User}\EyeWitness_{Date}_{Time}\images
  • {Path Set by the User}\EyeWitness_{Date}_{Time}\src
  
  Otherwise:
  • %Application Data%\EyeWitness_{Date}_{Time}
  • %Application Data%\EyeWitness_{Date}_{Time}\headers
  • %Application Data%\EyeWitness_{Date}_{Time}\images
  • %Application Data%\EyeWitness_{Date}_{Time}\src

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It drops the following files:

• If -o | --output parameter is used:
  • {Path Set by the User}\EyeWitness_{Date}_{Time}\headers\{URL Accessed}.txt → contains the HTTP response headers from the captured webpage
  • {Path Set by the User}\EyeWitness_{Date}_{Time}\images\{URL Accessed}.bmp → contains screenshot of the webpage as rendered by EyeWitness
  • {Path Set by the User}\EyeWitness_{Date}_{Time}\src\{URL Accessed}.txt → contains the full HTML, JavaScript, and CSS source code of the webpage
  • {Path Set by the User}\EyeWitness_{Date}_{Time}\report_page1.html → contains the generated report, showing details of the web request, HTTP headers, source code, and a screenshot of the captured webpage
  
  Otherwise:
  • %Application Data%\EyeWitness_{Date}_{Time}\headers\{URL Accessed}.txt
  • %Application Data%\EyeWitness_{Date}_{Time}\images\{URL Accessed}.bmp
  • %Application Data%\EyeWitness_{Date}_{Time}\src\{URL Accessed}.txt
  • %Application Data%\EyeWitness_{Date}_{Time}\report_page1.html
    
    
• It compresses the above files into the following if -c | --compress parameter is used:
  • {Path Set by the User}\EyeWitness_{Date}_{Time}.zip or
  • %Application Data%\EyeWitness_{Date}_{Time}.zip

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

Other Details

This Trojan does the following:

• It captures screenshots of web pages, analyzing HTTP responses, and generating reports for reconnaissance and security assessments.
• It uses the following version of EyeWitness:
  • EyeWitness v1.1

It accepts the following parameters:

• -b | --bookmarks → Searches for bookmark files for IE/Chrome, parses them, and adds them to the list of screenshot URLs
• -f | --file → Specify a new-line separated file of URLs
• -i | --cidr → Specify an IP CIDR
• -o | --output → Specify an output directory (one will be created if non-existent)
• -d | --delay → (Default: 30) Specify a delay to use before cancelling a single URL request
• -c | --compress → (Default: false) Compress output directory
• --http → (Default: false) Prepend http:// to all URLs
• --https → (Default: false) Prepend https:// to all URLs
• --help → Display this help screen.
• --version → Display version information.