Meine Bibliothek
Meine Bibliothek

+ Zur Bibliothek hinzufügen

Support

Ihre Anfragen

Rufen Sie uns an

+7 (495) 789-45-86

Profil

Trojan.MulDrop7.24844

Added to the Dr.Web virus database: 2017-04-12

Virus description added:

SHA1

  • da06b4f308f54a654b0b30b9f04801597c208914 (dropper)
  • f3a6b7d78d0e1b86aaf355d3bda5d82892e58650 (xservice.exe)
  • a6964dcb26580cd70f2db82c48e485f573675ef9 (xps.exe)
  • d8d38cd908d5ba645db0fb3ca13add02774bdccb (mimikatz 32-bit)
  • 60d4529dc6296a854766661760a20a0b8a0edb4e (mimikatz 64-bit)

A multicomponent Trojan for Windows. Distributed as a file called “Billing from LLC Globalniye Sistemy April 6 2017.JPG.zip” in emails with the subject header “Made the payment” and the following contents:

Good day!
We made the payment on April, 6, but for some reason we haven’t received an answer from you.
We hereby request to process the payment as soon as possible and provide the services because time is an issue for us.
The copy of the billing statement and other documents are in the attached archive. 
Please, check the details of the billing statement. Perhaps there has been a mistake that caused the failure in delivery of our payment. It could be the reason for the delay.
Yours faithfully,
LLC Globalniye Sistemy

There is an application inside the archive with the extension:

Billing from LLC Globalniye Sistemy April 6 2017.JPG                                                                  .exe

The executable file is an encrypted container that was created using the capabilities of the Autoit language and packed with PECOMPACT. When launched, the following modules are saved:

  • 32.cab and 64.cab—CAB archives containing cryptbase.dll library for 32- and 64-bit Windows respectively. Used to bypass UAC (User Account Control);
  • xps.bin—binary file encrypted with the RC4 algorithm that belongs to the remote administration tool Program.RemoteAdmin.753 packed with PECOMPACT;
  • xservice.bin—component of a malicious program encrypted with the RC4 algorithm;
  • settings.dat—configuration file that contains settings for Program.RemoteAdmin.753.

Once launched, the script checks if it runs as the sole copy, otherwise it shuts down. In Microsoft Windows 8.1, if a current account doesn't have administrator privileges, the Trojan uses wusa.exe tool to unpack cryptbase.dll library from the archive 32.cab or 64.cab (depending on the operating system capacity) to the folder %windir%\system32\migwiz\ and launches migwiz.exe by sending path to the executable file of the Trojan as an incoming parameter.

In other Windows versions it bypasses UAC using eventvwr.exe.

Executable files are installed to the following folder: %PROGRAMFILES%\XPS Rasterization Service Component. The Trojan launches automatically—for Windows XP, by adding system registry in the key

[HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run] 

of the parameter “XPS Rasterization Service Component”. In later versions of Windows, autorun is performed using Task Manager:

schtasks /Create /SC ONLOGON /TN "XPS Rasterization Service Component" /TR "" "%PROGRAMFILES%\XPS Rasterization Service Component\xservice.exe" /RL HIGHEST

The Trojan launches applications xps.exe and xservice.exe and after that tries to extract and save Google Chrome and Mozilla Firefox passwords in a text file.

xps.exe

Remote administration tool that Dr.Web detects as Program.RemoteAdmin.753.

xservice.exe

An encrypted container which is created using the capabilities of the Autoit language and packed with PECOMPACT. Once launched, it extracts and saves file 32_en.exe or 64_en.exe (depending on the operating system capacity). These programs are 32-bit and 64-bit versions of Mimikatz tool, which is designed for interception of passwords of open Windows sessions. xservice.bin can be launched with different keys. They influence the actions this file performs on infected computers.

keyDescription
-helpdisplay possible keys (support information is displayed in unknown encoding)
-screentakes a screenshot, saves it as a file called Screen(<HOURS>_<MINUTES>).jpg (<HOURS>_<MINUTES> stands for the current time) and sets file attributes to “hidden” and “system”
-wallpaper <path>changes wallpaper to the one indicated in the parameter <path>
-opencdopens CD drive
-closecdcloses CD drive
-offdesktopprints to the console the following text: “Not working =(”
-ondesktopprints to the console the following text: “Not working =(”
-rdpRDP launch (look below)
-getipreceives IP address of the infected computer using the following website: http://ident.me/
-msg <type> <title> <msg>creates a dialog of the given type (err, notice, qst, inf) with a specified header and text
-banurl <url>adds to the file %windir%\System32\drivers\etc\hosts the following string: “127.0.0.1 <url>”, where <url> is a command argument

After the launch, it also tries running Program.RemoteAdmin.753 from the file %PROGRAMFILES%\XPS Rasterization Service Component\xps.exe. Activates a keylogger that records to the file any information about the keys pressed by a user. It also takes a screenshot at the moment of launch.

The Trojan gives criminals access to the infected device via RDP (Remote Desktop Protocol). Checks if the tool for connection is present, checks the registry key value [HKEY_CURRENT_USER\Software\AcronisDisk] “Status”. If it equals 1, tool reinstallation is not preformed.

Does not try to install a tool for organization of the connection via RDP, if the key [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest] "UseLogonCredentials” is installed on 0.

For this purpose, it downloads a program called Rdpwrap from the Github server and installs it with parameters that allow it to run in the hidden mode. Installs a program by launching the file “RDPWInst.exe -i -o” using flag SW_HIDE to hide the application window. After the installation, launches the RDPWInst.exe tool with a key –w and executes the following commands:

REGWRITE("HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server", "AllowRemoteRPC", "REG_DWORD", 1 )
REGWRITE("HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server", "AllowTSConnections", "REG_DWORD", 1 )
REGWRITE("HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server", "TSUserEnabled", "REG_DWORD", 1 )
REGWRITE("HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server", "fDenyTSConnections", "REG_DWORD",  )
REGWRITE("HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server", "fSingleSessionPerUser", "REG_DWORD",  )
REGWRITE("HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services", "Shadow", "REG_DWORD", 2 )
REGWRITE("HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa", "LimitBlankPasswordUse", "REG_DWORD",  )

Tries to get the password of the current user account with the help of Mimikatz tool of the corresponding system bitness that has been saved on the disk earlier. This password is saved in the system registry. The obtained password is encrypted with the base64 algorithm and saved in the “Pwd” parameter of the key of the system registry [HKEY_CURRENT_USER\Software\AcronisDisk]. As an indicator of the successful installation, it saves value “1” in the parameter “Status” of the key of the registry [HKEY_CURRENT_USER\Software\AcronisDisk]. In Microsoft Windows 8.1 and Windows 10, it considers the attempt to obtain the password for the user account to be failed, launches a new instance of the command interpreter cmd and executes the following command: net users <current_user> *.

News about the Trojan

Curing recommendations

  1. If the operating system (OS) can be loaded (either normally or in safe mode), download Dr.Web Security Space and run a full scan of your computer and removable media you use. More about Dr.Web Security Space.
  2. If you cannot boot the OS, change the BIOS settings to boot your system from a CD or USB drive. Download the image of the emergency system repair disk Dr.Web® LiveDisk , mount it on a USB drive or burn it to a CD/DVD. After booting up with this media, run a full scan and cure all the detected threats.
Download Dr.Web

Download by serial number

Use Dr.Web Anti-virus for macOS to run a full scan of your Mac.

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

Download Dr.Web

Download by serial number

  1. If the mobile device is operating normally, download and install Dr.Web for Android. Run a full system scan and follow recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount; or you will see some other announcement that prevents you from using the handheld normally), do the following:
    • Load your smartphone or tablet in the safe mode (depending on the operating system version and specifications of the particular mobile device involved, this procedure can be performed in various ways; seek clarification from the user guide that was shipped with the device, or contact its manufacturer);
    • Once you have activated safe mode, install the Dr.Web for Android onto the infected handheld and run a full scan of the system; follow the steps recommended for neutralizing the threats that have been detected;
    • Switch off your device and turn it on as normal.

Find out more about Dr.Web for Android