SHA1 6b5f94b5a1d28441253b19f36322c87f12420836
An installer of adware and other malicious programs. It is distributed through various file-sharing resources controlled by cybercriminals. The distribution scheme is as follows: when the user attempts to download a file, they are redirected to a website from which Trojan.LoadMoney.336 is downloaded to the computer. Once launched, the Trojan connects to a remote server and receives a configuration file. The file contains links to various affiliate applications that the Trojan downloads and runs on the infected computer.
After launch, the Trojan searches for the files %EXENAME%:tmp and %EXENAME%.tmp (note that Trojan.LoadMoney.336 can operate even without these files). If any problems occur during this search, the malicious program uses the following two debugging strings: “installer not found” and “error opening file installer file #”. The program then removes the Zone.Identifier alternate data stream (the mark Windows uses to warn about files downloaded from the Internet) to make its own launch easier and, using ShutdownBlockReasonCreate, prevents Windows from being shut down. If the user attempts to turn off the computer, the Trojan displays the following error message: “The updates are being downloaded and installed”. Once initialization is complete, Trojan.LoadMoney.336 waits until the mouse pointer stops moving, launches two copies of itself, and deletes the original file.
The Trojan gathers the following information regarding the infected computer and forwards it to cybercriminals:
- OS version
- Data on installed anti-virus software
- Data on installed firewalls
- Data on installed spyware
- Video card model
- RAM amount
- Hard disks and partitions
- OEM
- Motherboard model
- Screen resolution
- BIOS version
- Data on whether the current Windows user account has administrator privileges
- Data on availability of applications that support files with the .torrent extension
- Data on availability of applications that can open magnet links
Then Trojan.LoadMoney.336 sends a GET request to the command and control server and, in return, receives a decrypted package containing links to files.
Affiliate applications are downloaded in a separate thread. First, the Trojan extracts a URL from the configuration file and sends a HEAD request to it. If the server answers 405 (Method Not Allowed) or 501 (Not Implemented), the Trojan retries the request as GET. If the link to the target file is valid, the malicious program extracts the file name and length from the reply and starts downloading the application.
The reply from the server can contain various configuration data, including information on the dialog window that is displayed before applications get installed on the system:
{
"checks":[
{"b":[{
"l":"http://sputnikmailru.cdnmail.ru/mailruhomesearchvbm.exe?rfr=profitraf1|http://****.ru/homesearch.exe?etag=1c6cdcee2ae02ba7fabce71834b7e90b|http://****.ru/homesearch.exe?etag=1c6cdcee2ae02ba7fabce71834b7e90b",
"a":"--silent --without-updater --rfr=profitraf1 --partner_homepage=http://****.ru/software_install?hetag=1c6cdcee2ae02ba7fabce71834b7e90b&guid=$__GUID&sig=$__SIG&hash=HASH&ovr=$__OVR&browser=$__BROWSER&file_id=69643849&ext_partner_id=&did=2199397647&start=1&label=profitraf1 --mpcln=9516 --partner_dse=http://****.ru/software_install?hetag=1c6cdcee2ae02ba7fabce71834b7e90b&guid=$__GUID&sig=$__SIG&hash=HASH&ovr=$__OVR&browser=$__BROWSER&file_id=69643849&did=2199397647&search=1&ext_partner_id=&label=profitraf1 /partner_vbm=http://***.ru/software_install?hetag=1c6cdcee2ae02ba7fabce71834b7e90b&guid=$__GUID&sig=$__SIG&hash=HASH&ovr=$__OVR&browser=$__BROWSER&file_id=69643849&did=2199397647&visualbookmarks=1&ext_partner_id=&label=profitraf1 --partner_toolbar=http://****.ru/software_install?hetag=1c6cdcee2ae02ba7fabce71834b7e90b&guid=$__GUID&sig=$__SIG&hash=HASH&ovr=$__OVR&browser=$__BROWSER&file_id=69643849&did=2199397647&toolbar=1&ext_partner_id=&label=profitraf1",
"r":"HKEY_CURRENT_USER\\Software\\Mail.Ru\\homesearch\\nb_lifetime|1438100243"
}],
"y":201,
"x":60
},
{"b":[{
"l":"http://****.ru/AmigoDistrib.exe?rfr=blackbear1|http://****.ru/amigo.exe?etag=1c6cdcee2ae02ba7fabce71834b7e90b|http://****.ru/amigo.exe?etag=1c6cdcee2ae02ba7fabce71834b7e90b",
"a":"--silent --rfr=blackbear1 --ua_rfr=CHANNEL_blackbear1 --make-default=1 --partner_new_url=http:// ******.ru/software_install?hetag=1c6cdcee2ae02ba7fabce71834b7e90b&guid=$__GUID&sig=$__SIG&hash=HASH&hsig=$__HWSIG&ovr=$__OVR&file_id=69643849&ext_partner_id=&did=2199397647&amigo=1&label=blackbear1",
"r":"HKEY_CURRENT_USER\\Software\\Microsoft\\Amigo\\nb_lifetime|1438100243"
}],
"y":216,
"x":60}
],
"download":{"t":"BUTTON"},
"expand":{
"normal":[{"s":268436482,"x":60,"y":231,"w":13},{"s":402654210,"x":60,"y":231,"w":13},{"t":"STATIC","s":402653184,"c":"Стандартные параметры","x":75,"y":230},{"c":"Установить стартовую страницу и поиск @mail.ru","t":"STATIC","s":402653184,"x":75,"y":200},{"x":60,"y":201,"s":402654211,"w":13},{"c":"Установить браузер Амиго и сделать его основным","t":"STATIC","s":402653184,"x":75,"y":215},{"x":60,"y":216,"s":402654211,"w":13}],
"expand":[{"t":"STATIC","s":268435472,"w":419,"h":2,"x":0,"y":169},{"t":"SysLink","c":"Установить стартовую страницу и поиск @mail.ru","y":200,"x":75},{"t":"SysLink","c":"Установить браузер Амиго и сделать его основным","y":215,"x":75}],
"h":256
},
"h":256,
"open":{
"t":""
}
}
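To make the reply format concrete, here is an added analyst-side example (not code from the page or from Dr.Web) that parses such a configuration and pulls out each payload's download URL and mirrors, its command line, the registry marker and lifetime value, and the dialog caption of the checkbox row it belongs to. The embedded configuration is a constructed, reduced sample with placeholder hosts and captions, and matching captions to checkbox rows by nearest y coordinate is an assumption drawn from the layout above.

```python
import json
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample in the layout shown above; hosts and captions are placeholders,
# not values taken from a real Trojan.LoadMoney.336 configuration.
SAMPLE_CONFIG = r'''{"checks":[
 {"b":[{"l":"http://example.invalid/a.exe?rfr=p1|http://mirror.invalid/a.exe?etag=abc",
        "a":"--silent --rfr=p1","r":"HKEY_CURRENT_USER\\Software\\VendorA\\nb_lifetime|1438100243"}],
  "y":201,"x":60},
 {"b":[{"l":"http://example.invalid/b.exe?rfr=p2",
        "a":"--silent --make-default=1","r":"HKEY_CURRENT_USER\\Software\\VendorB\\nb_lifetime|1438100243"}],
  "y":216,"x":60}],
 "download":{"t":"BUTTON"},
 "expand":{"normal":[{"c":"Install start page","t":"STATIC","s":402653184,"x":75,"y":200},
                     {"x":60,"y":201,"s":402654211,"w":13},
                     {"c":"Install browser","t":"STATIC","s":402653184,"x":75,"y":215},
                     {"x":60,"y":216,"s":402654211,"w":13}],"h":256},
 "h":256,"open":{"t":""}}'''

@dataclass
class Payload:
    urls: list      # primary URL plus mirrors; the "l" field joins them with '|'
    args: str       # "a": command line the Trojan passes to the payload
    reg_value: str  # "r" before '|': registry value marking an earlier install
    lifetime: int   # "r" after '|': numeric marker stored in that value
    caption: str    # dialog text of the checkbox row this payload belongs to

def parse_config(text):
    """Turn one C&C reply into the list of affiliate payloads it would install."""
    cfg = json.loads(text)
    # STATIC captions sit just above their checkbox row, so match by nearest y (assumption).
    captions = {c["y"]: c["c"] for c in cfg["expand"]["normal"] if c.get("t") == "STATIC"}
    payloads = []
    for row in cfg["checks"]:
        nearest = min(captions, key=lambda y: abs(y - row["y"]), default=None)
        caption = captions[nearest] if nearest is not None and abs(nearest - row["y"]) <= 2 else ""
        for entry in row["b"]:
            reg_value, lifetime = entry["r"].rsplit("|", 1)
            payloads.append(Payload(entry["l"].split("|"), entry["a"],
                                    reg_value, int(lifetime), caption))
    return payloads

def indicators(payloads):
    """Hosts and registry values worth blocking or hunting for across a fleet."""
    hosts = {urlsplit(u).hostname for p in payloads for u in p.urls}
    return sorted(hosts), sorted(p.reg_value for p in payloads)
```

The registry values are the markers the installer itself checks, so their presence on a host is a useful retrospective indicator even after the dropped files are gone.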
Apart from gathering data on the infected system, the Trojan can check whether other malicious programs (such as Trojan.BPlug.116 and Trojan.Triosir) are installed on the compromised computer.