arrow_back
search
close

TROJ_SAKUREL.B

February 13, 2015
 Modified by: David John Agni
 ALIASES:

Trojan:Win32/Sakurel.A (Microsoft), Trojan.Win32.Sakurel (Ikarus)

 PLATFORM:

Windows

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW


This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It deletes the initially executed copy of itself.

  TECHNICAL DETAILS

File Size:

141,104 bytes

File Type:

EXE

Memory Resident:

Yes

Initial Samples Received Date:

15 Feb 2014

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan drops the following copies of itself into the affected system and executes them:

  • %User Temp%\MicroMedia\MediaCenter.exe

(Note: %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

It drops the following component file(s):

  • %User Temp%\MicroMedia\MicroSoftSecurityLogin.ocx

(Note: %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

It creates the following folders:

  • %User Temp%\MicroMedia

(Note: %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

Autostart Technique

This Trojan adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
MicroMedia = "%User Temp%\MicroMedia\MediaCenter.exe"

HOSTS File Modification

This Trojan adds the following strings to the Windows HOSTS file:

  • csg.secure.snecma.fr 217.108.170.94
  • ctx.secure.snecma.fr 217.108.170.81
  • fdm.secure.snecma.fr 217.108.170.23
  • qa.fdm.secure.snecma.fr 217.108.170.27
  • qa.indigo.secure.snecma.fr 217.108.170.98
  • pi.secure.snecma.fr 217.108.170.96
  • qa.secure.snecma.fr 217.108.170.88
  • qasd.secure.snecma.fr 217.108.170.87
  • sd.secure.snecma.fr 217.108.170.199
  • int.tcua.secure.snecma.fr 217.108.170.18
  • qa.tcua.secure.snecma.fr 217.108.170.13
  • secure.snecma.fr 217.108.170.196

Other Details

This Trojan connects to the following possibly malicious URL:

  • http://oa.{BLOCKED}sen.com/photo/qlvgtjvakctkec-197632229.jpg?resid=3685281
  • http://oa.{BLOCKED}sen.com/script.asp?imageid=qlvgtjvakctkec-197632229&type=0&resid=3685125&nmsg=up

It deletes the initially executed copy of itself