Trojan.Win64.DOWNLOADER.NLJ

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It does not have any propagation routine.

It does not have any backdoor routine.

It does not have any information-stealing capability.

It connects to certain websites to send and receive information.

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan adds the following processes:

• %User Profile%\Pictures\{24 Random Alphanumeric Characters}.exe {Arguments} → executes the downloaded files.

(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name} on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It stays resident in memory by creating the following process(es):

• %Windows%\{Microsoft .NET Directory}\AddInProcess32.exe
• %Windows%\{Microsoft .NET Directory}\CasPol.exe
• %Windows%\{Microsoft .NET Directory}\jsc.exe
• %Windows%\{Microsoft .NET Directory}\MSBuild.exe
• %Windows%\{Microsoft .NET Directory}\RegAsm.exe

(Note: %Windows% is the Windows folder, where it usually is C:\Windows on all Windows operating system versions.)

Autostart Technique

This Trojan drops the following files:

• %User Startup%\{24 Random Alphanumeric Characters}.bat → drops multiple times based on the number of downloaded files.
  • which contains the following code:
    • start "" "%AppDataLocal%\{24 Random Alphanumeric Characters}.exe {Arguments}

(Note: %AppDataLocal% is the Local Application Data folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

Propagation

This Trojan does not have any propagation routine.

Backdoor Routine

This Trojan does not have any backdoor routine.

Rootkit Capabilities

This Trojan does not have rootkit capabilities.

Download Routine

This Trojan connects to the following website(s) to download and execute a malicious file:

• https://{BLOCKED}p.su/RNWPd.exe → as of this writing, the site is already inaccessible.
• https://{BLOCKED}bin.com/raw/E0rY26ni
  • which contains the following URLs used to download other malicious files:
    • http://{BLOCKED}.{BLOCKED}.{BLOCKED}.59/ISetup5.exe → detected as TrojanSpy.Win32.STEALC.E
    • http://{BLOCKED}.{BLOCKED}.{BLOCKED}.175/server/ww12/AppGate2103v01.exe
    • http://{BLOCKED}.{BLOCKED}.{BLOCKED}.17/files/001MX.exe
    • http://{BLOCKED}.{BLOCKED}.{BLOCKED}.17/files/setup.exe
    • http://{BLOCKED}.{BLOCKED}.{BLOCKED}.17/files/InstallCharityEngine_7.14.2_S16-01.exe
    • http://{BLOCKED}era.com/opera/stable/windows/?utm_medium=apb&utm_source=mkt&utm_campaign=767__456
    • https://{BLOCKED}epai.org/6779d89b7a368f4f3f340b50a9d18d71.exe
    • https://{BLOCKED}irls.org/baf14778c246e15550645e30ba78ce1c.exe → as of this writing, the site is already inaccessible.

It saves the files it downloads using the following names:

• %AppDataLocal%\{24 Random Alphanumeric Characters}.exe
• %User Profile%\Pictures\{24 Random Alphanumeric Characters}.exe

(Note: %AppDataLocal% is the Local Application Data folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name} on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

Information Theft

This Trojan does not have any information-stealing capability.

Other Details

This Trojan connects to the following website to send and receive information:

• https://{BLOCKED}ger.com/1lyxz