TROJ_NEUREVT.TVA

 Analysis by: Pearl Charlaine Espejo

 ALIASES:

Trojan-Ransom.Win32.Foreign.lyvr (Kaspersky); Trojan:Win32/Neurevt.gen!A (Microsoft); Trojan.Agent.DED (Malwarebytes)

 PLATFORM:

Windows

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW


This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It deletes itself after execution.

  TECHNICAL DETAILS

File Size:

387,584 bytes

File Type:

EXE

Initial Samples Received Date:

23 Apr 2015

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan drops the following copies of itself into the affected system and executes them:

  • %ProgramData%\6b407430\{random filename}.exe (for Windows Vista and above)
  • %Program Files%\6b407430\{random filename}.exe (for Windows XP and below)

(Note: %ProgramData% is the Program Data folder, where it usually is C:\Program Files in Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\ProgramData in Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.. %Program Files% is the Program Files folder, where it usually is C:\Program Files on all Windows operating system versions; C:\Program Files (x86) for 32-bit applications running on Windows 64-bit operating systems.)

It drops the following files:

  • %ProgramData%\6b407430\desktop.ini (for Windows Vista and above)
  • %Program Files%\Common Files\6b407430\desktop.ini (for Windows XP and below)

(Note: %ProgramData% is the Program Data folder, where it usually is C:\Program Files in Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\ProgramData in Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.. %Program Files% is the Program Files folder, where it usually is C:\Program Files on all Windows operating system versions; C:\Program Files (x86) for 32-bit applications running on Windows 64-bit operating systems.)

It creates the following folders:

  • %ProgramData%\6b407430 (for Windows Vista and above)
  • %Program Files%\Common Files\6b407430 (for Windows XP and below)

(Note: %ProgramData% is the Program Data folder, where it usually is C:\Program Files in Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\ProgramData in Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.. %Program Files% is the Program Files folder, where it usually is C:\Program Files on all Windows operating system versions; C:\Program Files (x86) for 32-bit applications running on Windows 64-bit operating systems.)

Autostart Technique

This Trojan adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{random} = "%ProgramData%\6b407430\{random filename}.exe" (for Windows Vista and above)

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\RunOnce
{random} = "%ProgramData%\6b407430\{random filename}.exe" (for Windows Vista and above)

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\RunOnce
{random} = "%Program Files%\Common Files\6b407430\{random filename}.exe (for Windows XP and below)

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{random} = "%Program Files%\Common Files\6b407430\{random filename}.exe (for Windows XP and below)

It adds the following Image File Execution Options registry entries to automatically execute itself whenever certain applications are run:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
{random filename}.exe
DisableExceptionChainValidation =

Other System Modifications

This Trojan adds the following registry keys:

HKEY_CURRENT_USER\Software\AppDataLow\
Toolkit

HKEY_CURRENT_USER\Software\AppDataLow\
Software\MyMailClient

HKEY_CURRENT_USER\Software\AppDataLow\
Software\Barksdale

HKEY_CURRENT_USER\Software\AppDataLow\
Software\{UID}

HKEY_CURRENT_USER\Software\Apple Computer, Inc.

It adds the following registry entries as part of its installation routine:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings\
Zones\1
2500 = "3"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings\
Zones\2
2500 = "3"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings\
Zones\3
2500 = "3"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings\
Zones\4
2500 = "3"

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Main
NoProtectedModeBanner = "1"

Other Details

This Trojan connects to the following possibly malicious URL:

  • http://www6.{BLOCKED}sarago.com.br/js/prototype/order.php
  • http://www6.{BLOCKED}sarago.com.br/js/prototype/order.php?page=27
  • http://www6.{BLOCKED}sarago.com.br/js/prototype/order.php?id=6319934
  • http://www6.{BLOCKED}sarago.com.br/js/prototype/order.php?pid=51
  • http://www6.{BLOCKED}sarago.com.br/js/prototype/order.php?pid=521
  • http://www6.{BLOCKED}irashotelmg.com.br/js/prototype/order.php

It deletes itself after execution.