TROJ_BAYROB.SM1

 Analysis by: Anthony Joe Melgarejo

 PLATFORM:

Windows


  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW


This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

  TECHNICAL DETAILS

File Size:

355,840 bytes

File Type:

EXE

Initial Samples Received Date:

28 Dec 2015

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan drops the following copies of itself into the affected system and executes them:

  • %System Root%\{random folder name}\{random file name 1}.exe
  • %System Root%\{random folder name}\{random file name 2}.exe
  • %System Root%\{random folder name}\{random file name 3}.exe

(Note: %System Root% is the Windows root folder, which is usually C:\ on all Windows operating system versions.)

It creates the following folders:

  • %System Root%\{random folder name}
  • %Windows%\{random folder name}

(Note: %System Root% is the Windows root folder, which is usually C:\ on all Windows operating system versions. %Windows% is the Windows folder, which is usually C:\Windows on all Windows operating system versions.)

Autostart Technique

This Trojan adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
{value name} = "%System Root%\{random folder name}\{random file name 1}.exe"

Dropping Routine

This Trojan drops the following files:

  • %System Root%\{random folder name}\{random file name 4}
  • %System Root%\{random folder name}\{random file name 5}
  • %System Root%\{random folder name}\{random file name 6}
  • %Windows%\{random folder name}\{random file name 2}

(Note: %System Root% is the Windows root folder, which is usually C:\ on all Windows operating system versions. %Windows% is the Windows folder, which is usually C:\Windows on all Windows operating system versions.)

Other Details

This Trojan connects to the following possibly malicious URLs:


NOTES:

The variable {value name} may be any of the following:

  • Cache Level Desktop Encrypting SPP
  • Debugger Connectivity Multimedia RPC Coordinator
  • Desktop AutoConnect Installer Link
  • Drive Auto Visual TPM Process
  • Networking Time Provider
  • Port Color Workstation Keying
  • Problem Health UserMode Key Redirector
  • Provider Mapper Management Application
  • Receiver Base Cryptographic ActiveX Task
  • Reporting Modules Driver Protocol
  • SNMP Control Device Intelligent DHCP
  • Solutions Firewall PC Adapter Scheduler
  • Tablet Server Logs Link Procedure
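The following PowerShell audit script is an added example, not part of the original write-up or a Trend Micro tool. It checks the HKLM Run key named under Autostart Technique for the {value name} entries listed under NOTES, and additionally flags Run data that points to an .exe in a folder directly under the drive root, which is the shape of the "%System Root%\{random folder name}\{random file name 1}.exe" path above; that path heuristic is this example's own assumption and may need tuning for a given environment.

```powershell
# Added example: audit the Run key described in the write-up for TROJ_BAYROB.SM1.
# Not part of the original entry; the path heuristic is this example's assumption.
$RunKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

# Value names taken from the NOTES section of the write-up.
$KnownValueNames = @(
    'Cache Level Desktop Encrypting SPP',
    'Debugger Connectivity Multimedia RPC Coordinator',
    'Desktop AutoConnect Installer Link',
    'Drive Auto Visual TPM Process',
    'Networking Time Provider',
    'Port Color Workstation Keying',
    'Problem Health UserMode Key Redirector',
    'Provider Mapper Management Application',
    'Receiver Base Cryptographic ActiveX Task',
    'Reporting Modules Driver Protocol',
    'SNMP Control Device Intelligent DHCP',
    'Solutions Firewall PC Adapter Scheduler',
    'Tablet Server Logs Link Procedure'
)

function Test-BayrobRunValue {
    param([string]$Name, [string]$Data)
    $reasons = @()
    if ($KnownValueNames -contains $Name) { $reasons += 'value name listed in write-up' }
    # Write-up: data is "%System Root%\{random folder name}\{random file name 1}.exe",
    # i.e. an .exe one folder below the drive root. Heuristic; legitimate software can match.
    $path = $Data.Trim('"')
    if ($path -match '^[A-Za-z]:\\[^\\]+\\[^\\]+\.exe$') {
        $reasons += 'exe in a folder directly under the drive root'
    }
    if ($reasons.Count -gt 0) {
        [pscustomobject]@{ ValueName = $Name; Data = $Data; Reasons = ($reasons -join '; ') }
    }
}

# Enumerate every value under the Run key, skipping the PS* metadata properties
# that Get-ItemProperty adds to its output object.
$entries = Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue
if ($entries) {
    $entries.PSObject.Properties |
        Where-Object { $_.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$' } |
        ForEach-Object { Test-BayrobRunValue -Name $_.Name -Data ([string]$_.Value) } |
        Format-Table -AutoSize
}
```

A hit on the value name alone is the stronger signal; a hit on the path heuristic alone should be confirmed by checking the referenced file (hash, signature, creation time) before acting on it.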