
Trojan.MulDrop7.24844

Added to the Dr.Web virus database: 2017-04-12

Virus description added:

SHA1

  • da06b4f308f54a654b0b30b9f04801597c208914 (dropper)
  • f3a6b7d78d0e1b86aaf355d3bda5d82892e58650 (xservice.exe)
  • a6964dcb26580cd70f2db82c48e485f573675ef9 (xps.exe)
  • d8d38cd908d5ba645db0fb3ca13add02774bdccb (mimikatz 32-bit)
  • 60d4529dc6296a854766661760a20a0b8a0edb4e (mimikatz 64-bit)

A multicomponent Trojan for Windows. It is distributed as a file named “Billing from LLC Globalniye Sistemy April 6 2017.JPG.zip” attached to emails with the subject “Made the payment” and the following body:

Good day!
We made the payment on April, 6, but for some reason we haven’t received an answer from you.
We hereby request to process the payment as soon as possible and provide the services because time is an issue for us.
The copy of the billing statement and other documents are in the attached archive. 
Please, check the details of the billing statement. Perhaps there has been a mistake that caused the failure in delivery of our payment. It could be the reason for the delay.
Yours faithfully,
LLC Globalniye Sistemy

The archive contains an executable whose name ends in the following extension (note the long run of spaces that pushes “.exe” out of view in file dialogs and mail clients):

Billing from LLC Globalniye Sistemy April 6 2017.JPG                                                                  .exe
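The attachment name above combines three tricks: a decoy document or image extension, a long run of whitespace, and the real executable extension at the very end. The following Python script is an added example (not Dr.Web's code) that screens attachment or archive-member names for exactly that pattern and generalizes it to other decoy and executable extensions. The extension lists, the sample names and the in-memory ZIP (whose member is a harmless text stub) are all constructed for the example.

```python
import io
import os
import re
import zipfile

# Extensions Windows will run or hand to a scripting host (constructed, not exhaustive).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse",
                   ".vbs", ".vbe", ".wsf", ".hta", ".lnk", ".msi", ".ps1"}
# Extensions typically used as a decoy in front of the real one (constructed list).
DECOY_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc", ".docx", ".xls",
              ".xlsx", ".txt", ".rtf", ".zip"}


def analyze_name(name: str) -> dict:
    """Inspect one file name for the 'decoy extension + whitespace padding +
    executable extension' pattern and return the findings."""
    root, real_ext = os.path.splitext(name.rstrip())
    real_ext = real_ext.lower()
    findings = []
    if real_ext in EXECUTABLE_EXTS:
        findings.append(f"real extension {real_ext} is executable")
    # Whitespace (ASCII or Unicode spaces) directly before the real extension
    # is what hides it; \s matches Unicode whitespace for str patterns.
    pad = re.search(r"\s+$", root)
    if pad:
        findings.append(f"{len(pad.group(0))} whitespace character(s) before the real extension")
    decoy_ext = os.path.splitext(root.rstrip())[1].lower()
    if decoy_ext in DECOY_EXTS:
        findings.append(f"decoy extension {decoy_ext} precedes the real extension")
    deceptive = real_ext in EXECUTABLE_EXTS and (pad is not None or decoy_ext in DECOY_EXTS)
    return {"name": name, "real_ext": real_ext, "decoy_ext": decoy_ext,
            "findings": findings, "deceptive": deceptive}


def scan_zip(data: bytes) -> list:
    """Analyze every member name of a ZIP archive supplied as bytes (e.g. a mail attachment).
    Only names are inspected; member contents are never extracted or executed."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [analyze_name(member) for member in zf.namelist()]


def build_sample_zip() -> bytes:
    """Constructed sample archive with the member-name shape described above;
    the member body is a text stub, not malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        padded = "Billing from LLC Globalniye Sistemy April 6 2017.JPG" + " " * 100 + ".exe"
        zf.writestr(padded, b"stub content for the example")
    return buf.getvalue()


if __name__ == "__main__":
    for result in scan_zip(build_sample_zip()):
        flag = "DECEPTIVE" if result["deceptive"] else "ok"
        print(f"[{flag}] {result['name'].strip()!r}")
        for finding in result["findings"]:
            print("   -", finding)
```

The check is meant to run at a mail gateway or on an archive before it is opened; it inspects names only, so it is safe to run on untrusted input. A bare executable attachment (setup.exe) is reported as executable but not as deceptive, which keeps the deceptive flag focused on names built to mislead the recipient.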

The executable is an encrypted container built with the AutoIt scripting language and packed with PECompact. When launched, it drops the following modules:

  • 32.cab and 64.cab: CAB archives containing the cryptbase.dll library for 32-bit and 64-bit Windows respectively; used to bypass UAC (User Account Control);
  • xps.bin: binary file encrypted with the RC4 algorithm; it is the remote administration tool Program.RemoteAdmin.753, packed with PECompact;
  • xservice.bin: a component of the malicious program, encrypted with the RC4 algorithm;
  • settings.dat: configuration file containing settings for Program.RemoteAdmin.753.

Once launched, the script checks that it is the only running copy and exits otherwise. On Microsoft Windows 8.1, if the current account lacks administrator privileges, the Trojan uses the wusa.exe tool to unpack the cryptbase.dll library from 32.cab or 64.cab (depending on the OS bitness) into the folder %windir%\system32\migwiz\ and launches migwiz.exe, passing the path to the Trojan's executable as a command-line parameter.

On other Windows versions it bypasses UAC using eventvwr.exe.

Executable files are installed to the folder %PROGRAMFILES%\XPS Rasterization Service Component. The Trojan sets up autorun as follows. On Windows XP it adds the parameter “XPS Rasterization Service Component” to the registry key

[HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]

On later Windows versions autorun is set up through the Task Scheduler with the following command:

schtasks /Create /SC ONLOGON /TN "XPS Rasterization Service Component" /TR "" "%PROGRAMFILES%\XPS Rasterization Service Component\xservice.exe" /RL HIGHEST

The Trojan then launches xps.exe and xservice.exe and tries to extract the passwords saved in Google Chrome and Mozilla Firefox and write them to a text file.

xps.exe

Remote administration tool that Dr.Web detects as Program.RemoteAdmin.753.

xservice.exe

An encrypted container built with the AutoIt scripting language and packed with PECompact. Once launched, it extracts and saves the file 32_en.exe or 64_en.exe (depending on the OS bitness). These are the 32-bit and 64-bit builds of the Mimikatz tool, which extracts the credentials of logged-on Windows sessions. xservice.bin can be launched with different command-line keys, which determine the actions it performs on the infected computer.

Key                          Description
-help                        displays the possible keys (the help text is shown in an unknown encoding)
-screen                      takes a screenshot, saves it as a file named Screen(<HOURS>_<MINUTES>).jpg (<HOURS>_<MINUTES> is the current time) and sets the file attributes “hidden” and “system”
-wallpaper <path>            changes the wallpaper to the image given in the <path> parameter
-opencd                      opens the CD drive
-closecd                     closes the CD drive
-offdesktop                  prints the text “Not working =(” to the console
-ondesktop                   prints the text “Not working =(” to the console
-rdp                         sets up RDP access (see below)
-getip                       obtains the infected computer's external IP address via the website http://ident.me/
-msg <type> <title> <msg>    creates a dialog of the given type (err, notice, qst, inf) with the specified title and text
-banurl <url>                appends the line “127.0.0.1 <url>” to the file %windir%\System32\drivers\etc\hosts, where <url> is the command argument
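The -banurl key above rewrites name resolution on the host by appending “127.0.0.1 <url>” to the hosts file, so any name the operator chooses silently stops resolving. The following Python audit is an added example (not Dr.Web's code): it parses hosts-file text and reports every name that is redirected to a loopback or unspecified address and is not one of the standard localhost names. The sample hosts content is constructed, and the default path for a live run is assumed to be the standard Windows location.

```python
import ipaddress
import sys

# Names that legitimately map to loopback addresses in a stock hosts file (constructed list).
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost",
                  "ip6-loopback", "broadcasthost"}

# Constructed sample hosts file (not captured from a real host). Lines 5 and 6 have
# the shape of entries written by -banurl style tampering; line 4 is an ordinary record.
SAMPLE_HOSTS = "\n".join([
    "# Constructed sample hosts file (not captured from a real host)",
    "127.0.0.1       localhost",
    "::1             localhost",
    "192.0.2.10      intranet.example.test   # ordinary internal record",
    "127.0.0.1 update.example-vendor.test",
    "0.0.0.0 telemetry.example.test",
])


def parse_hosts(text: str) -> list:
    """Parse hosts-file text into (line_number, address, [names]) tuples,
    dropping comments and blank lines."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        body = raw.split("#", 1)[0].strip()
        if not body:
            continue
        fields = body.split()
        if len(fields) < 2:
            continue
        entries.append((lineno, fields[0], fields[1:]))
    return entries


def find_sinkholed(text: str) -> list:
    """Return the names that are pointed at a loopback (127.0.0.0/8, ::1) or
    unspecified (0.0.0.0, ::) address and are not standard localhost names."""
    hits = []
    for lineno, addr, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue  # malformed address field; not a sinkhole entry
        if not (ip.is_loopback or ip.is_unspecified):
            continue
        for name in names:
            if name.lower() not in LOOPBACK_NAMES:
                hits.append({"line": lineno, "address": addr, "name": name})
    return hits


def audit_hosts_file(path: str) -> list:
    """Read a hosts file from disk and audit it; the Windows path is an assumption."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_sinkholed(fh.read())


if __name__ == "__main__":
    if len(sys.argv) > 1:
        hits = audit_hosts_file(sys.argv[1])
    else:
        hits = find_sinkholed(SAMPLE_HOSTS)
    for hit in hits:
        print(f"line {hit['line']}: {hit['name']} -> {hit['address']}")
```

Run it with the path of a real hosts file as the first argument, or without arguments to see the result on the embedded sample. Both loopback and 0.0.0.0 are checked because either blocks resolution; names on the report should be compared against change-management records before being removed.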

After launch it also tries to run Program.RemoteAdmin.753 from the file %PROGRAMFILES%\XPS Rasterization Service Component\xps.exe, activates a keylogger that records the user's keystrokes to a file, and takes a screenshot at the moment of launch.

The Trojan gives the attackers access to the infected device via RDP (Remote Desktop Protocol). It checks whether the connection tool is present by reading the value “Status” of the registry key [HKEY_CURRENT_USER\Software\AcronisDisk]; if it equals 1, the tool is not reinstalled.

It does not try to install the tool for the RDP connection if the value "UseLogonCredentials" of the key [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest] is set to 0.

For this purpose it downloads the program Rdpwrap from GitHub and installs it with parameters that let it run hidden: it runs “RDPWInst.exe -i -o” with the SW_HIDE flag so that no application window is shown. After the installation it launches RDPWInst.exe with the -w key and executes the following commands:

REGWRITE("HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server", "AllowRemoteRPC", "REG_DWORD", 1 )
REGWRITE("HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server", "AllowTSConnections", "REG_DWORD", 1 )
REGWRITE("HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server", "TSUserEnabled", "REG_DWORD", 1 )
REGWRITE("HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server", "fDenyTSConnections", "REG_DWORD",  )
REGWRITE("HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server", "fSingleSessionPerUser", "REG_DWORD",  )
REGWRITE("HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services", "Shadow", "REG_DWORD", 2 )
REGWRITE("HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa", "LimitBlankPasswordUse", "REG_DWORD",  )

It then tries to obtain the password of the current user account with the previously saved Mimikatz build of the matching bitness. The obtained password is base64-encoded (base64 is an encoding, not encryption) and saved in the “Pwd” parameter of the registry key [HKEY_CURRENT_USER\Software\AcronisDisk]. As an indicator of successful installation it saves the value “1” in the parameter “Status” of the same key. On Microsoft Windows 8.1 and Windows 10 it treats the attempt to obtain the password as failed, launches a new instance of the command interpreter cmd and executes the command net users <current_user> *, which sets a new password for the account.
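The registry changes described in this section (the Terminal Server and Shadow values, the WDigest setting, the AcronisDisk marker and captured password) and the Windows XP autorun entry described earlier under the Policies\Explorer\Run key are all visible in a registry export. The following Python script is an added example (not Dr.Web's code) that parses the text of a .reg export (as produced by reg export) and reports which of those indicators are present. The sample export is constructed, including the base64 placeholder in Pwd; the value name UseLogonCredential is the name Windows actually uses (the description above spells it with a trailing “s”), and the two values whose numbers the description leaves blank, fSingleSessionPerUser and LimitBlankPasswordUse, are deliberately not checked.

```python
import sys

TS = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server"
TS_POLICY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
WDIGEST = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest"
XP_RUN = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
MARKER = r"HKEY_CURRENT_USER\Software\AcronisDisk"

# (key, value name, expected value or None for "any value", meaning of the finding).
INDICATORS = [
    (XP_RUN, "XPS Rasterization Service Component", None, "Windows XP autorun entry"),
    (MARKER, "Status", 1, "installation marker written after the RDP tooling was set up"),
    (MARKER, "Pwd", None, "base64-encoded captured account password"),
    (TS, "fDenyTSConnections", 0, "incoming RDP connections allowed"),
    (TS, "AllowTSConnections", 1, "value set by the Trojan's RegWrite"),
    (TS, "AllowRemoteRPC", 1, "value set by the Trojan's RegWrite"),
    (TS, "TSUserEnabled", 1, "value set by the Trojan's RegWrite"),
    (TS_POLICY, "Shadow", 2, "session shadowing with full control and no user consent"),
    (WDIGEST, "UseLogonCredential", 1, "WDigest keeps plaintext credentials in LSASS memory"),
]

# Constructed sample export (not captured from an infected host); Pwd holds a placeholder.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000000
"AllowTSConnections"=dword:00000001
"AllowRemoteRPC"=dword:00000001
"TSUserEnabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services]
"Shadow"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest]
"UseLogonCredential"=dword:00000001

[HKEY_CURRENT_USER\Software\AcronisDisk]
"Status"=dword:00000001
"Pwd"="bm90LWEtcmVhbC1wYXNzd29yZA=="

[HKEY_CURRENT_USER\Software\Unrelated]
"Foo"="bar"
"""


def parse_reg_export(text: str) -> dict:
    """Parse .reg text into {key (lowercased): {value name (lowercased): value}}.
    dword values become ints, quoted strings are unescaped, other types are kept raw."""
    hives = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            hives.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # header line or text outside any key
        name, _, value = line.partition("=")
        name = name.strip().strip('"').lower()  # '@' denotes the default value
        if value.startswith("dword:"):
            parsed = int(value[len("dword:"):], 16)
        elif value.startswith('"') and value.endswith('"'):
            parsed = value[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        else:
            parsed = value
        hives[current][name] = parsed
    return hives


def check_indicators(hives: dict) -> list:
    """Return one line per indicator whose key and value are present with the expected value."""
    findings = []
    for key, name, expected, why in INDICATORS:
        values = hives.get(key.lower())
        if values is None or name.lower() not in values:
            continue
        actual = values[name.lower()]
        if expected is None or actual == expected:
            findings.append(f"{key}\\{name} = {actual!r}: {why}")
    return findings


def audit_reg_file(path: str) -> list:
    """reg export writes UTF-16 with a BOM; the utf-16 codec handles that."""
    with open(path, encoding="utf-16") as fh:
        return check_indicators(parse_reg_export(fh.read()))


if __name__ == "__main__":
    findings = audit_reg_file(sys.argv[1]) if len(sys.argv) > 1 else check_indicators(parse_reg_export(SAMPLE_REG))
    for line in findings:
        print(line)
```

Export the relevant hives on a suspect machine and pass the file path as the first argument; without arguments the script runs against the embedded sample. The scheduled task named “XPS Rasterization Service Component” is not a registry value and has to be checked separately with schtasks.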


Treatment recommendations

  1. If the operating system can be started (in normal or safe mode), download Dr.Web Security Space and run a full scan of your computer and of all removable media you use. Learn more about Dr.Web Security Space.
  2. If the operating system cannot be started, change your computer's BIOS settings so that it boots from CD/DVD or a USB drive. Download the Dr.Web® LiveDisk system recovery disk image or the utility for writing Dr.Web® LiveDisk to a USB drive, then prepare the appropriate USB drive. Boot the computer from this drive and run a full scan and treatment of the detected threats.

Run a full system scan with Dr.Web Antivirus for Mac OS.

Run a full scan of all disk partitions with Dr.Web Antivirus for Linux.

  1. If your mobile device is working normally, download and install Dr.Web for Android on it. Run a full scan and follow the recommendations for neutralizing the detected threats.
  2. If the mobile device is locked by a Trojan of the Android.Locker family (a message about a serious violation of the law or a ransom demand is displayed on the device's screen), proceed as follows:
    • start your smartphone or tablet in safe mode (if you do not know how, consult the device's documentation or contact the manufacturer);
    • then download and install Dr.Web for Android on the device, run a full scan and follow the recommendations for neutralizing the detected threats;
    • unplug your device and plug it back in.

Learn more about Dr.Web for Android