Backdoor.ASP.WEBSHELL.KEPN

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It does not have any propagation routine.

It executes commands from a remote malicious user, effectively compromising the affected system.

Arrival Details

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Propagation

This Backdoor does not have any propagation routine.

Backdoor Routine

This Backdoor executes the following commands from a remote malicious user:

• List logical drives
• List directories and files in a specified path
• Read the contents of a file
• Write data to a file
• Delete a directory or a file
• Serve a file to the client
• Write binary data to a file
• Copy files and directories
• Move a directory or a file
• Create a new directory
• Change timestamps of a file or directory
• Download a file from a URL
• Execute a process and capture its output
• Connect to a SQL database and return its name
• Retrieve and list database schema information
• List columns of a specific table
• Execute a SQL query or command

Rootkit Capabilities

This Backdoor does not have rootkit capabilities.

Information Theft

This Backdoor gathers the following data:

• List of logical drives in the server
• List of directories and files in a specified path
• Contents of a specified file
• Output of an executed process
• SQL database name
• List of SQL database schema information
• List of columns of a specified table in a SQL database
• Output of a SQL query or command

Other Details

This Backdoor does not exploit any vulnerability.

It requires being hosted on a web server in order to proceed with its intended routine.