JAVA_QRAT.THIODAH

Infection Channel: Dropped by other malware, Downloaded from the Internet

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

File Size: 522,931 bytes

File Type: JAR

Memory Resident: Yes

Initial Samples Received Date: 04 Sep 2018

Payload: Connects to URLs/IPs, Terminates processes, Deletes files

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan drops the following copies of itself into the affected system:

%User Profile%\{Random Foldername 2}\{Random Filename}.{Random File Extension}

(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista, 7, and 8.)

It drops the following files:

%User Temp%\hsperfdata_{username}\{Process ID} (4 Files)
%ProgramData%\Oracle\Java\.oracle_jre_usage\{Random Numbers 1}.timestamp (2 Files)
%System%\test.txt
%User Profile%\{Random Foldername 1}\ID.txt
%User Profile%\{Random Foldername 2}\ID.txt
%User Temp%\{Random Filename}.reg

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, and 8.. %ProgramData% is a version of the Program Files folder where any user on a multi-user computer can make changes to programs. This contains application data for all users. This is usually C:\ProgramData in Windows Vista, 7, and 8.. %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.. %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista, 7, and 8.)

It drops and executes the following files:

%User Temp%\_0.{Random Numbers}.class (2 Files)
%User Temp%\Retrive{Random Numbers}.vbs (8 Files)

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, and 8.)

It adds the following processes:

icacls.exe %All Users Profile%\Oracle\Java\.oracle_jre_usage\{Random Strings}.timestamp /grant "everyone":(OI)(CI)M
cmd.exe /C cscript.exe %User Temp%\Retrive{Random Numbers}.vbs (8 Files)
xcopy "%Program Files%\Java\jre1.8.0_111" "%Application Data%\Oracle\" /e
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v {Random Text} /t REG_EXPAND_SZ /d "\"%Application Data%\Oracle\bin\javaw.exe\" -jar \"%User Profile%\{Random Foldername 2}\{Random Filename}.{Random File Extension}\"" /f
attrib +h "%User Profile%\{Random Foldername 2}\*.*"
attrib +h "%User Profile%\{Random Foldername 2}"

(Note: %All Users Profile% is the common user's profile folder, which is usually C:\Documents and Settings\All Users on Windows 2000, XP, and Server 2003, or C:\ProgramData on Windows Vista, 7, and 8. . %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, and 8.. %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, and 8.. %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista, 7, and 8.)

Autostart Technique

This Trojan adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{Random Name} = "%Application Data%\Oracle\bin\javaw.exe" -jar "%User Profile%\{Random Foldername 2}\{Random Filename}"

Other System Modifications

This Trojan deletes the following files:

%User Temp%\hsperfdata_{username}\{Process ID} (1 File)
%User Temp%\Retrive{Random Numbers}.vbs (8 Files)

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, and 8.)

Other Details

This Trojan connects to the following possibly malicious URL:

{BLOCKED}.{BLOCKED}.189.150

It does the following:

It terminates the following processes using the command:
- taskkill /IM {Process Name} /T /F
It disables executing the following applications by adding the following registry entries:
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\{Application Name}
  - debugger = svchost.exe

Minimum Scan Engine: 9.850

FIRST VSAPI PATTERN FILE: 14.484.06

FIRST VSAPI PATTERN DATE: 04 Sep 2018

VSAPI OPR PATTERN File: 14.485.00

VSAPI OPR PATTERN Date: 05 Sep 2018

Step 1

Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.

Step 2

Note that not all files, folders, and registry keys and entries are installed on your computer during this malware's/spyware's/grayware's execution. This may be due to incomplete installation or other operating system conditions. If you do not find the same files/folders/registry information, please proceed to the next step.

Step 3

Restart in Safe Mode

[ Learn More ]

Step 4

Delete this registry value

[ Learn More ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- {Random Name} = "%Application Data%\Oracle\bin\javaw.exe" -jar "%User Profile%\{Random Foldername 2}\{Random Filename}"
In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\{Application Name}
- debugger = svchost.exe

acs.exe
AdAwareDesktop.exe
AdAwareService.exe
AdAwareTray.exe
AgentSvc.exe
AVK.exe
AVKProxy.exe
AVKService.exe
AVKTray.exe
AVKWCtlx64.exe
avpmapp.exe
av_task.exe
Bav.exe
bavhm.exe
BavSvc.exe
BavTray.exe
BavUpdater.exe
BavWebClient.exe
BDSSVC.EXE
BgScan.exe
BullGuard.exe
BullGuardBhvScanner.exe
BullGuardUpdate.exe
BullGuarScanner.exe
capinfos.exe
cavwp.exe
CertReg.exe
cis.exe
CisTray.exe
clamscan.exe
ClamTray.exe
ClamWin.exe
cmdagent.exe
ConfigSecurityPolicy.exe
CONSCTLX.EXE
coreFrameworkHost.exe
coreServiceShell.exe
dragon_updater.exe
dumpcap.exe
econceal.exe
econser.exe
editcap.exe
EMLPROXY.EXE
escanmon.exe
escanpro.exe
fcappdb.exe
FCDBlog.exe
FCHelper64.exe
FilMsg.exe
FilUp.exe
filwscc.exe
fmon.exe
FortiClient.exe
FortiClient_Diagnostic_Tool.exe
FortiESNAC.exe
FortiFW.exe
FortiProxy.exe
FortiSSLVPNdaemon.exe
FortiTray.exe
FPAVServer.exe
FProtTray.exe
FPWin.exe
freshclam.exe
freshclamwrap.exe
fsgk32.exe
FSHDLL64.exe
fshoster32.exe
FSM32.EXE
FSMA32.EXE
fsorsp.exe
fssm32.exe
GdBgInx64.exe
GDKBFltExe32.exe
GDSC.exe
GDScan.exe
guardxkickoff_x64.exe
guardxservice.exe
iptray.exe
K7AVScan.exe
K7CrvSvc.exe
K7EmlPxy.EXE
K7FWSrvc.exe
K7PSSrvc.exe
K7RTScan.exe
K7SysMon.Exe
K7TSecurity.exe
K7TSMain.exe
K7TSMngr.exe
LittleHook.exe
mbam.exe
mbamscheduler.exe
mbamservice.exe
MCS-Uninstall.exe
MCShieldCCC.exe
MCShieldDS.exe
MCShieldRTM.exe
mergecap.exe
MpCmdRun.exe
MpUXSrv.exe
MSASCui.exe
MsMpEng.exe
MWAGENT.EXE
MWASER.EXE
nanoav.exe
nanosvc.exe
nbrowser.exe
nfservice.exe
NisSrv.exe
njeeves2.exe
nnf.exe
nprosec.exe
NS.exe
nseupdatesvc.exe
nvcod.exe
nvcsvc.exe
nvoy.exe
nwscmon.exe
ONLINENT.EXE
OPSSVC.EXE
op_mon.exe
procexp.exe
PSANHost.exe
PSUAMain.exe
PSUAService.exe
psview.exe
PtSessionAgent.exe
PtSvcHost.exe
PtWatchDog.exe
quamgr.exe
QUHLPSVC.EXE
rawshark.exe
SAPISSVC.EXE
SASCore64.exe
SASTask.exe
SBAMSvc.exe
SBAMTray.exe
SBPIMSvc.exe
SCANNER.EXE
SCANWSCS.EXE
schmgr.exe
scproxysrv.exe
ScSecSvc.exe
SDFSSvc.exe
SDScan.exe
SDTray.exe
SDWelcome.exe
SSUpdate64.exe
SUPERAntiSpyware.exe
SUPERDelete.exe
text2pcap.exe
TRAYICOS.EXE
TRAYSSER.EXE
trigger.exe
tshark.exe
twsscan.exe
twssrv.exe
uiSeAgnt.exe
uiUpdateTray.exe
uiWatchDog.exe
uiWinMgr.exe
UnThreat.exe
UserReg.exe
utsvc.exe
V3Main.exe
V3Medic.exe
V3Proxy.exe
V3SP.exe
V3Svc.exe
V3Up.exe
VIEWTCP.EXE
VIPREUI.exe
virusutilities.exe
WebCompanion.exe
wireshark.exe
Zanda.exe
Zlh.exe
zlhh.exe

Step 5

Search and delete this file

[ Learn More ]

There may be some files that are hidden. Please make sure you check the Search Hidden Files and Folders checkbox in the "More advanced options" option to include all hidden files and folders in the search result.

%User Temp%\hsperfdata_{username}\{Process ID} (4 Files)
%ProgramData%\Oracle\Java\.oracle_jre_usage\{Random Numbers 1}.timestamp (2 Files)
%System%\test.txt
%User Profile%\{Random Foldername 1}\ID.txt
%User Profile%\{Random Foldername 2}\ID.txt
%User Temp%\{Random Filename}.reg
%User Temp%\_0.{Random Numbers}.class (2 Files)
%User Temp%\Retrive{Random Numbers}.vbs (8 Files)

Step 6

Restart in normal mode and scan your computer with your Trend Micro product for files detected as JAVA_QRAT.THIODAH. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.

Did this description help? Tell us how we did.

OVERVIEW

TECHNICAL DETAILS

SOLUTION

Resources

Support

About Trend

Country Headquarters