BKDR_HUPIGON.ARQ
TrojanDropper:Win32/Hupigon.gen!A (Microsoft); Backdoor.Win32.Hupigon.aai (Kaspersky); Backdoor.Graybird (Symantec)
Windows
Threat Type: Backdoor
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It deletes the initially executed copy of itself.
TECHNICAL DETAILS
File Size: 301,056 bytes
File Type: EXE
Memory Resident: Yes
Initial Samples Received Date: 07 Jun 2017
Arrival Details
This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This Backdoor drops the following copies of itself into the affected system:
- %Program Files%\Internet Explorer\Connection Wizard\msicw.exe
(Note: %Program Files% is the Program Files folder, where it usually is C:\Program Files on all Windows operating system versions; C:\Program Files (x86) for 32-bit applications running on Windows 64-bit operating systems.)
It drops and executes the following files:
- %Windows%\uninstal.bat
(Note: %Windows% is the Windows folder, where it usually is C:\Windows on all Windows operating system versions.)
Autostart Technique
This Backdoor registers itself as a system service to ensure its automatic execution at every system startup by creating the following registry key and adding the following entries under it:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\srservice
Description = 本地执行系统还原功能。要停止服务，请从“我的电脑”的属性中的系统还原选项关闭系统还原
(The Description value is a GBK-encoded Chinese string that appears as mis-encoded text in the original listing. In English: "Performs System Restore functions locally. To stop the service, turn off System Restore from the System Restore tab in the properties of My Computer." This is the description text of the legitimate Windows XP System Restore service, which is also named srservice; the backdoor reuses that service name.)
DisplayName = System local Service
ErrorControl = 0
ImagePath = "%Program Files%\Internet Explorer\Connection Wizard\msicw.exe"
ObjectName = LocalSystem
Start = 2
Type = 110
(Start = 2 is SERVICE_AUTO_START, and ObjectName = LocalSystem runs the service with SYSTEM privileges. The genuine XP srservice is hosted by svchost.exe; an ImagePath pointing at msicw.exe under Internet Explorer\Connection Wizard is the distinguishing indicator.)
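The following PowerShell triage script is an added example, not part of the Trend Micro entry, that checks a host for the Installation and Autostart indicators listed above (the dropped files, the srservice key and its values). The file paths, service name and registry value names come from the entry; the assumptions are that the host runs Windows PowerShell 5.1 or later on Vista or newer, where no service named srservice ships (the XP-era System Restore service of that name ran inside svchost.exe), and that the GBK Description value was written through an ANSI API and therefore sits in the registry as cp1252 mojibake that can be re-decoded as code page 936.

```powershell
#Requires -RunAsAdministrator
# Added triage script for the BKDR_HUPIGON.ARQ indicators in this entry (not Trend Micro code).
# Assumptions: Windows PowerShell 5.1+ on Vista or later; the legitimate-service comparison
# and the GBK re-decoding heuristic are this script's own, not from the entry.

function Find-HupigonArq {
    $findings = [System.Collections.Generic.List[string]]::new()

    # --- Installation: dropped files ---------------------------------------------
    # Check both Program Files roots: a 32-bit dropper on 64-bit Windows lands in
    # Program Files (x86).
    $roots = @($env:ProgramFiles)
    if (${env:ProgramFiles(x86)}) { $roots += ${env:ProgramFiles(x86)} }
    $paths = @(foreach ($r in $roots) { Join-Path $r 'Internet Explorer\Connection Wizard\msicw.exe' })
    $paths += Join-Path $env:SystemRoot 'uninstal.bat'

    foreach ($p in $paths) {
        if (Test-Path -LiteralPath $p -PathType Leaf) {
            $item = Get-Item -LiteralPath $p
            $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
            $findings.Add("File present: $p ($($item.Length) bytes, SHA256 $hash)")
        }
    }

    # --- Autostart: the srservice key ---------------------------------------------
    $svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\srservice'
    if (Test-Path -LiteralPath $svcKey) {
        $v = Get-ItemProperty -LiteralPath $svcKey
        # Assumption: no srservice ships with Vista or later (the XP System Restore
        # service of that name ran inside svchost.exe), so the key alone is suspect and
        # an ImagePath outside svchost.exe is the telling indicator.
        $findings.Add("srservice key exists: ImagePath=$($v.ImagePath)")
        if ($v.ImagePath -match 'Connection Wizard\\msicw\.exe') {
            $findings.Add("srservice ImagePath matches the entry's dropped copy")
        }
        if ($v.DisplayName -eq 'System local Service') {
            $findings.Add("srservice DisplayName matches the entry ('System local Service')")
        }
        if ($v.Start -eq 2 -and $v.ObjectName -eq 'LocalSystem') {
            $findings.Add("srservice is SERVICE_AUTO_START (Start=2) running as LocalSystem")
        }
        if ($v.Description) {
            # Re-encode the stored string as cp1252 and decode the bytes as GBK (code page 936)
            # to recover the Chinese description. PowerShell 7 first needs:
            #   [Text.Encoding]::RegisterProvider([Text.CodePagesEncodingProvider]::Instance)
            try {
                $bytes   = [Text.Encoding]::GetEncoding(1252).GetBytes($v.Description)
                $decoded = [Text.Encoding]::GetEncoding(936).GetString($bytes)
                $findings.Add("srservice Description decoded as GBK: $decoded")
            } catch {
                $findings.Add("srservice Description (raw): $($v.Description)")
            }
        }
    }

    # --- Live state: service object and process -------------------------------------
    Get-CimInstance -ClassName Win32_Service -Filter "Name='srservice'" -ErrorAction SilentlyContinue |
        ForEach-Object { $findings.Add("Service srservice: State=$($_.State) StartMode=$($_.StartMode) Path=$($_.PathName)") }
    Get-Process -Name msicw -ErrorAction SilentlyContinue |
        ForEach-Object { $findings.Add("Process msicw.exe running: PID $($_.Id), path $($_.Path)") }

    return $findings
}

$results = @(Find-HupigonArq)
if ($results.Count -gt 0) {
    $results | ForEach-Object { Write-Warning $_ }
} else {
    Write-Output 'No BKDR_HUPIGON.ARQ indicators found.'
}
```

Run it from an elevated prompt; the SYSTEM-level ImagePath and the Win32_Service query need administrative rights. A hit on the service key with an ImagePath outside svchost.exe is the finding to escalate, and the decoded Description confirms the sample copied the text of the genuine XP System Restore service to blend in.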
Other Details
This Backdoor deletes the initially executed copy of itself.