Trojan.DownLoader33.32228

Technical Information

To ensure autorun and distribution

Modifies the following registry keys

[<HKCU>\Software\Microsoft\Windows\Currentversion\Run] 'windowscom3autostart' = '%APPDATA%/com3inst\com3updater32.exe'

Modifies file system

Creates the following files

%TEMP%\_mei29082\crypto\cipher\_arc4.cp37-win_amd64.pyd
%TEMP%\_mei29082\pyexpat.pyd
%TEMP%\_mei29082\numpy\random\sfc64.cp37-win_amd64.pyd
%TEMP%\_mei29082\numpy\random\philox.cp37-win_amd64.pyd
%TEMP%\_mei29082\numpy\random\pcg64.cp37-win_amd64.pyd
%TEMP%\_mei29082\numpy\random\mtrand.cp37-win_amd64.pyd
%TEMP%\_mei29082\numpy\random\mt19937.cp37-win_amd64.pyd
%TEMP%\_mei29082\numpy\random\generator.cp37-win_amd64.pyd
%TEMP%\_mei29082\numpy\random\bit_generator.cp37-win_amd64.pyd
%TEMP%\_mei29082\numpy\linalg\lapack_lite.cp37-win_amd64.pyd
%TEMP%\_mei29082\numpy\linalg\_umath_linalg.cp37-win_amd64.pyd
%TEMP%\_mei29082\numpy\fft\pocketfft_internal.cp37-win_amd64.pyd
%TEMP%\_mei29082\numpy\core\_multiarray_umath.cp37-win_amd64.pyd
%TEMP%\_mei29082\numpy\core\_multiarray_tests.cp37-win_amd64.pyd
%TEMP%\_mei29082\mfc140u.dll
%TEMP%\_mei29082\libssl-1_1-x64.dll
%TEMP%\_mei29082\libopenblas.txa6yqsd3gcqqc22geq54j2udcxdxhwn.gfortran-win_amd64.dll
%TEMP%\_mei29082\libcrypto-1_1-x64.dll
%TEMP%\_mei29082\implant.exe.manifest
%TEMP%\_mei29082\_win32sysloader.pyd
%TEMP%\_mei29082\python37.dll
%TEMP%\_mei29082\pythoncom37.dll
%TEMP%\_mei29082\pywintypes37.dll
%TEMP%\_mei29082\select.pyd
%TEMP%\ee3bxt5n
%TEMP%\_mei29082\lib2to3\tests\data\readme
%TEMP%\_mei29082\lib2to3\patterngrammar3.7.3.final.0.pickle
%TEMP%\_mei29082\lib2to3\patterngrammar.txt
%TEMP%\_mei29082\lib2to3\grammar3.7.3.final.0.pickle
%TEMP%\_mei29082\lib2to3\grammar.txt
%TEMP%\_mei29082\certifi\cacert.pem
%TEMP%\_mei29082\base_library.zip
%TEMP%\_mei29082\include\pyconfig.h
%TEMP%\_mei29082\win32ui.pyd
%TEMP%\_mei29082\win32wnet.pyd
%TEMP%\_mei29082\win32trace.pyd
%TEMP%\_mei29082\win32pdh.pyd
%TEMP%\_mei29082\win32crypt.pyd
%TEMP%\_mei29082\win32cred.pyd
%TEMP%\_mei29082\win32com\shell\shell.pyd
%TEMP%\_mei29082\win32api.pyd
%TEMP%\_mei29082\unicodedata.pyd
%TEMP%\_mei29082\sqlite3.dll
%TEMP%\_mei29082\simplejson\_speedups.cp37-win_amd64.pyd
%APPDATA%\tmp_a794da\fa0c14.crt
%TEMP%\_mei29082\_ssl.pyd
%TEMP%\_mei29082\_sqlite3.pyd
%TEMP%\_mei29082\_socket.pyd
%TEMP%\_mei29082\crypto\hash\_md4.cp37-win_amd64.pyd
%TEMP%\_mei29082\crypto\hash\_md2.cp37-win_amd64.pyd
%TEMP%\_mei29082\crypto\hash\_blake2s.cp37-win_amd64.pyd
%TEMP%\_mei29082\crypto\hash\_blake2b.cp37-win_amd64.pyd
%TEMP%\_mei29082\crypto\cipher\_raw_ofb.cp37-win_amd64.pyd
%TEMP%\_mei29082\crypto\cipher\_raw_ocb.cp37-win_amd64.pyd
%TEMP%\_mei29082\crypto\cipher\_raw_ecb.cp37-win_amd64.pyd
%TEMP%\_mei29082\crypto\cipher\_raw_des3.cp37-win_amd64.pyd
%TEMP%\_mei29082\crypto\cipher\_raw_des.cp37-win_amd64.pyd
%TEMP%\_mei29082\crypto\cipher\_raw_ctr.cp37-win_amd64.pyd
%TEMP%\_mei29082\crypto\cipher\_raw_cfb.cp37-win_amd64.pyd
%TEMP%\_mei29082\crypto\cipher\_raw_cbc.cp37-win_amd64.pyd
%TEMP%\_mei29082\crypto\cipher\_raw_cast.cp37-win_amd64.pyd
%TEMP%\_mei29082\crypto\cipher\_raw_blowfish.cp37-win_amd64.pyd
%TEMP%\_mei29082\crypto\cipher\_raw_arc2.cp37-win_amd64.pyd
%TEMP%\_mei29082\crypto\cipher\_raw_aesni.cp37-win_amd64.pyd
%TEMP%\_mei29082\crypto\cipher\_raw_aes.cp37-win_amd64.pyd
%TEMP%\_mei29082\crypto\cipher\_chacha20.cp37-win_amd64.pyd
%TEMP%\_mei29082\crypto\cipher\_salsa20.cp37-win_amd64.pyd
%TEMP%\_mei29082\crypto\hash\_md5.cp37-win_amd64.pyd
%TEMP%\_mei29082\crypto\hash\_ripemd160.cp37-win_amd64.pyd
%TEMP%\_mei29082\crypto\hash\_sha1.cp37-win_amd64.pyd
%TEMP%\_mei29082\crypto\hash\_sha224.cp37-win_amd64.pyd
%TEMP%\_mei29082\_multiprocessing.pyd
%TEMP%\_mei29082\_lzma.pyd
%TEMP%\_mei29082\_hashlib.pyd
%TEMP%\_mei29082\_decimal.pyd
%TEMP%\_mei29082\_ctypes.pyd
%TEMP%\_mei29082\_cffi_backend.cp37-win_amd64.pyd
%TEMP%\_mei29082\_bz2.pyd
%TEMP%\_mei29082\vcruntime140.dll
%TEMP%\_mei29082\crypto\util\_strxor.cp37-win_amd64.pyd
%TEMP%\_mei29082\crypto\publickey\_ec_ws.cp37-win_amd64.pyd
%TEMP%\_mei29082\crypto\util\_cpuid_c.cp37-win_amd64.pyd
%TEMP%\_mei29082\crypto\protocol\_scrypt.cp37-win_amd64.pyd
%TEMP%\_mei29082\crypto\math\_modexp.cp37-win_amd64.pyd
%TEMP%\_mei29082\crypto\hash\_poly1305.cp37-win_amd64.pyd
%TEMP%\_mei29082\crypto\hash\_keccak.cp37-win_amd64.pyd
%TEMP%\_mei29082\crypto\hash\_ghash_portable.cp37-win_amd64.pyd
%TEMP%\_mei29082\crypto\hash\_ghash_clmul.cp37-win_amd64.pyd
%TEMP%\_mei29082\crypto\hash\_sha512.cp37-win_amd64.pyd
%TEMP%\_mei29082\crypto\hash\_sha384.cp37-win_amd64.pyd
%TEMP%\_mei29082\crypto\hash\_sha256.cp37-win_amd64.pyd
%TEMP%\_mei29082\_queue.pyd
%APPDATA%\com3inst\com3updater32.exe

Sets the 'hidden' attribute to the following files

%APPDATA%\com3inst\com3updater32.exe

Deletes the following files

%TEMP%\ee3bxt5n

Network activity

TCP

'ap#.##opboxapi.com':443
'co#####.dropboxapi.com':443

UDP

DNS ASK ap#.##opboxapi.com
DNS ASK dr##box.com
DNS ASK re#####r1.opendns.com
DNS ASK 22#.###.67.208.in-addr.arpa
DNS ASK my##.#pendns.com
DNS ASK co#####.dropboxapi.com

Miscellaneous

Creates and executes the following

'<SYSTEM32>\wbem\wmic.exe' baseboard get serialnumber' (with hidden window)
'<SYSTEM32>\wbem\wmic.exe' diskdrive get serialnumber' (with hidden window)
'<SYSTEM32>\wbem\wmic.exe' cpu get ProcessorId' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "tasklist"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "attrib +h %APPDATA%/com3inst\com3updater32.exe"' (with hidden window)
'<SYSTEM32>\wbem\wmic.exe' os get Caption' (with hidden window)
'<SYSTEM32>\wbem\wmic.exe' os get Version' (with hidden window)
'<SYSTEM32>\wbem\wmic.exe' os get OSArchitecture' (with hidden window)
'<SYSTEM32>\wbem\wmic.exe' os get BuildNumber' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "whoami"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "nslookup myip.opendns.com resolver1.opendns.com"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName"' (with hidden window)

Executes the following

'<SYSTEM32>\wbem\wmic.exe' baseboard get serialnumber
'<SYSTEM32>\nslookup.exe' myip.opendns.com resolver1.opendns.com
'<SYSTEM32>\cmd.exe' /c "nslookup myip.opendns.com resolver1.opendns.com"
'<SYSTEM32>\whoami.exe'
'<SYSTEM32>\cmd.exe' /c "whoami"
'<SYSTEM32>\wbem\wmic.exe' os get BuildNumber
'<SYSTEM32>\wbem\wmic.exe' os get OSArchitecture
'<SYSTEM32>\cmd.exe' /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName"
'<SYSTEM32>\wbem\wmic.exe' os get Version
'<SYSTEM32>\attrib.exe' +h %APPDATA%/com3inst\com3updater32.exe
'<SYSTEM32>\cmd.exe' /c "attrib +h %APPDATA%/com3inst\com3updater32.exe"
'<SYSTEM32>\tasklist.exe'
'<SYSTEM32>\cmd.exe' /c "tasklist"
'<SYSTEM32>\wbem\wmic.exe' cpu get ProcessorId
'<SYSTEM32>\wbem\wmic.exe' diskdrive get serialnumber
'<SYSTEM32>\wbem\wmic.exe' os get Caption
'<SYSTEM32>\wbem\wmic.exe' /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName

Technologies

Begriffe

Schulung und Training

Mythen

Technical Information

Curing recommendations

Free trial