TrojanSpy.Win32.FAUXPERSKY.AA

This Trojan Spy arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It connects to certain websites to send and receive information.

Arrival Details

This Trojan Spy arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan Spy adds the following processes:

• %System%\cmd.exe /c ping -n 1 -w 1000 www.google.com.my>Ping.sb → checks internet connection
• {Malware file path}\winlogin.exe → if not running in the system
• %AppData%\Temp.exe → if file is downloaded successfully

Other System Modifications

This Trojan Spy deletes the following files:

• {Malware file path}\S_Core.txt
• {Malware file path}\S_CMD.txt
• {Malware file path}\S_PTC.txt

Process Termination

This Trojan Spy terminates the following processes if found running in the affected system's memory:

• msiexec.exe

Download Routine

This Trojan Spy accesses the following websites to download files:

• https://kasperskypure.{BLOCKED}pp.com/S_Core.txt
• https://kasperskypure.{BLOCKED}pp.com/S_CMD.txt
• https://kasperskypure.{BLOCKED}pp.com/S_PTC.txt
• https://kasperskypure.{BLOCKED}pp.com/spoolsvc.exe → downloaded to update existing files in the system
• https://kasperskypure.{BLOCKED}pp.com/Temp.exe → downloaded to update existing files in the system

It saves the files it downloads using the following names:

• {Malware file path}\S_Core.txt
• {Malware file path}\S_CMD.txt
• {Malware file path}\S_PTC.txt
• {Malware file path}\spoolsvc.exe
• %AppData%\Temp.exe

Information Theft

This Trojan Spy gathers the following data:

• OS Version
• Computer Name
• User Name
• IP Address
• Content:
  • Update number of downloaded files, spoolsvc.exe and Temp.exe
  • Success message if execution of downloaded files are successful

Other Details

This Trojan Spy connects to the following URL(s) to check for an Internet connection:

• www.google.com.my

It connects to the following website to send and receive information:

• https://docs.google.com/forms/d/e/{BLOCKED}LSe6oGStKSshScVonAyCVFOrhANSfnmm0Im-aabnBX5ZjLabbA/viewform?entry.{BLOCKED}914=%A_OSVersion%&entry.{BLOCKED}477=%A_ComputerName%&entry.{BLOCKED}695=%A_UserName%&entry.{BLOCKED}0660=%A_IPAddress1%

It does the following:

• It checks the contents of Ping.sb if it contains the string "could not find".
  • If found, it repeatedly checks for internet connection.
• It checks if all the components of the malware are already running.
• It checks if the following files are present in the directory where the sample is located:
  • winlogin.exe → executed if found
  • spoolsvc.exe
    • If found:
      • It compares the last update time of spoolsvc.exe with S_Core.txt.
      • If outdated, it downloads the updated version of the file.
• It checks if the following files are present in %AppData%:
  • Temp.exe
    • It downloads the file if not found.
    • It compares the last update time of Temp.exe with S_CMD.txt.
    • If outdated, it downloads the updated version of the file.
• It sets the file attributes of the following files to Read-Only, Hidden, and System:
  • {Malware file path}\spoolsvc.exe
  • %AppData%\Temp.exe
• It exfiltrates information via Google Forms.