BKDR_VAWTRAK.YUYAMY
Backdoor:Win32/Vawtrak.A (Microsoft), Backdoor.Win32.Papras.zhm (Kaspersky)
Windows
Threat Type: Backdoor
Destructiveness: No
Encrypted: Yes
In the wild: Yes
OVERVIEW
This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It runs certain commands that it receives remotely from a malicious user. Doing this puts the affected computer and information found on the computer at greater risk.
TECHNICAL DETAILS
File size: 344,064 bytes
File type: DLL
Memory resident: Yes
Initial samples received date: 21 Jun 2017
Arrival Details
This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Autostart Technique
This Backdoor adds the following registry entries to enable its automatic execution at every system startup:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
{random filename} = "regsvr32.exe "%Program Data%\{random}\{random}.{3 random characters}""
Other System Modifications
This Backdoor adds the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
TabProcGrowth = 0
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
NoProtectedModeBanner = 1
HKEY_CURRENT_USER\Software\{CLSID}
{random value} = "{hex values}"
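A defender-side check for the persistence and configuration artifacts listed above, added here as an example (it is not code from the Trend Micro entry). It assumes PowerShell 5.1 or later running in the context of the affected user; the helper function and variable names are this script's own.

```powershell
# Audit the current user's hive for the registry artifacts described in this entry.
# Findings are collected as objects so they can be exported or forwarded to a SIEM.
$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($Indicator, $Location, $Name, $Data) {
    $findings.Add([pscustomobject]@{ Indicator = $Indicator; Location = $Location; Name = $Name; Data = $Data })
}

# 1. Autostart: a Run value that launches regsvr32.exe against a DLL under ProgramData.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
if (Test-Path $runKey) {
    foreach ($p in (Get-ItemProperty -Path $runKey).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # skip provider metadata (PSPath, PSParentPath, ...)
        $data = [string]$p.Value
        # Matches both an expanded C:\ProgramData\... path and an unexpanded %ProgramData%\... variable.
        if ($data -match 'regsvr32(\.exe)?\b.*ProgramData%?\\') {
            Add-Finding 'Run key: regsvr32 loading a DLL from ProgramData' $runKey $p.Name $data
        }
    }
}

# 2. Internet Explorer settings the backdoor writes. Administrators can legitimately
#    set both, so treat them as corroborating evidence rather than conclusive on their own.
$ieMain = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
if (Test-Path $ieMain) {
    $ie = Get-ItemProperty -Path $ieMain
    if ($null -ne $ie.TabProcGrowth -and $ie.TabProcGrowth -eq 0) {
        Add-Finding 'IE TabProcGrowth = 0' $ieMain 'TabProcGrowth' $ie.TabProcGrowth
    }
    if ($null -ne $ie.NoProtectedModeBanner -and $ie.NoProtectedModeBanner -eq 1) {
        Add-Finding 'IE NoProtectedModeBanner = 1' $ieMain 'NoProtectedModeBanner' $ie.NoProtectedModeBanner
    }
}

# 3. A CLSID-named key directly under HKCU\Software holding a binary (hex) value.
#    Keys at that level are unusual, so every match is surfaced for analyst review.
Get-ChildItem -Path 'HKCU:\Software' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$' } |
    ForEach-Object {
        $key = $_
        foreach ($p in (Get-ItemProperty -Path $key.PSPath).PSObject.Properties) {
            if ($p.Name -notlike 'PS*' -and $p.Value -is [byte[]]) {
                $hex = ($p.Value | ForEach-Object { $_.ToString('x2') }) -join ''
                Add-Finding 'CLSID key under HKCU\Software with binary value' $key.Name $p.Name $hex
            }
        }
    }

$findings | Format-Table -AutoSize
```

Run it under the affected user account, since all three locations live in HKEY_CURRENT_USER; an empty table means none of the documented artifacts were found in that hive.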
Backdoor Routine
This Backdoor executes the following command(s) from a remote malicious user:
- Log keystrokes
- Capture screenshots
- Open a process
- Install Updates
- List processes
- Inject code into a process
- Download and execute files
- Download configuration
- Perform remote shell
- Start VNC
NOTES:
This backdoor has the capability to set up a virtual network computing (VNC) server to take control of the compromised computer.
It injects code into all running processes except the following:
- csrss.exe
- Dbgview.exe
- lsass.exe
- lsm.exe
- services.exe
- smss.exe
- svchost.exe
- taskhost.exe
- wininit.exe
- winlogon.exe
This backdoor only performs its intended routine once it is injected into one of the following processes:
- chrome.exe
- explorer.exe
- firefox.exe
- iexplore.exe