Analysis by: David John Agni
ALIASES:

Backdoor:Win32/Vawtrak.F (Microsoft), Gen:Heur.Vawtrak.1 (BitDefender)

 PLATFORM:

Windows

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Backdoor

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

  TECHNICAL DETAILS

File Size: 265520 bytes
File Type: DLL
Memory Resident: Yes
Initial Samples Received Date: 30 Jul 2015

Arrival Details

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This backdoor drops the following files:

  • %All Users Profile%\{random 1}\{random 2}.{3 random characters}

(Note: %All Users Profile% is the All Users folder, where it usually is C:\Documents and Settings\All Users on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\ProgramData on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

Other System Modifications

This backdoor adds the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Main
TabProcGrowth = 0

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Main
NoProtectedModeBanner = 1

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings\
Zones\3
2500 = 3

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows Search\Gather\Windows\
SystemIndex\StreamLog
CurrentStreamLog = 8

HKEY_CURRENT_USER\Software\{CLSID}
{random} = {hex values}

HKEY_CURRENT_USER\Software\{CLSID}
{random} = {hex values}

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{random 1} = regsvr32.exe "%All Users Profile%\{random 1}\{random 2}.{3 random characters}"

Other Details

This backdoor connects to the following possibly malicious URL:

  • http://{BLOCKED}dgy.ru/spreadsheets/00000385/96409e35-00/edit#gid={value}
  • http://{BLOCKED}dgy.ru/spreadsheets/00000385/96409e35-01/edit#gid={value}
  • http://{BLOCKED}ame.com/spreadsheets/00000385/96409e35-00/edit#gid={value}
  • http://{BLOCKED}ame.com/spreadsheets/00000385/96409e35-01/edit#gid={value}
  • http://{BLOCKED}eal.ru/spreadsheets/00000385/96409e35-00/edit#gid={value}
  • http://{BLOCKED}eal.ru/spreadsheets/00000385/96409e35-01/edit#gid={value}
  • http://{BLOCKED}nug.su/spreadsheets/00000385/96409e35-00/edit#gid={value}
  • http://{BLOCKED}snug.su/spreadsheets/00000385/96409e35-01/edit#gid={value}