Trojan.MulDrop9.51814

Technical Information

To ensure autorun and distribution

Creates the following services

[<HKLM>\System\CurrentControlSet\Services\DbsTps] 'Start' = '00000002'
[<HKLM>\System\CurrentControlSet\Services\DbsTps] 'ImagePath' = 'C:\Txnplus\Admin\dbstpssvc.exe'

Malicious functions

To bypass firewall, removes or modifies the following registry keys

[<HKLM>\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] 'C:\Txnplus\Admin\DbsTpsSvc.exe' = 'C:\Txnplus\Admin\DbsTpsSvc.exe:...
[<HKLM>\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] 'C:\Txnplus\Admin\DbsEft.exe' = 'C:\Txnplus\Admin\DbsEft.exe:*:Enab...
[<HKLM>\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] 'C:\Txnplus\Admin\DbsKeys.exe' = 'C:\Txnplus\Admin\DbsKeys.exe:*:En...
[<HKLM>\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] 'C:\Txnplus\Admin\DbsUsers.exe' = 'C:\Txnplus\Admin\DbsUsers.exe:*:...

Executes the following

'<SYSTEM32>\netsh.exe' advfirewall firewall add rule name=DBSTPS dir=in action=allow program=dbstpssvc.exe enable=yes
'<SYSTEM32>\netsh.exe' firewall add allowedprogram dbstpssvc.exe DBSTPS ENABLE
'<SYSTEM32>\netsh.exe' advfirewall firewall add rule name=DBSEFT dir=in action=allow program=dbseft.exe enable=yes
'<SYSTEM32>\netsh.exe' firewall add allowedprogram dbseft.exe DBSEFT ENABLE
'<SYSTEM32>\netsh.exe' advfirewall firewall add rule name=DBSKEYS dir=in action=allow program=dbskeys.exe enable=yes
'<SYSTEM32>\netsh.exe' firewall add allowedprogram dbskeys.exe DBSKEYS ENABLE
'<SYSTEM32>\netsh.exe' advfirewall firewall add rule name=DBSUSERS dir=in action=allow program=dbsusers.exe enable=yes
'<SYSTEM32>\netsh.exe' firewall add allowedprogram dbsusers.exe DBSUSERS ENABLE
'<SYSTEM32>\netsh.exe' advfirewall firewall add rule name=DBSBAT32 dir=in action=allow program=..\dbsbat32.exe enable=yes
'<SYSTEM32>\netsh.exe' firewall add allowedprogram ..\dbsbat32.exe DBSBAT32 ENABLE
'<SYSTEM32>\netsh.exe' advfirewall firewall add rule name="Open Port 5003" dir=in action=allow protocol=TCP localport=5003

Modifies file system

Creates the following files

C:\txnplus\admin\install\admin\sidebar.jpg
C:\txnplus\admin\dbstpssvc.exe
C:\txnplus\admin\dbswincrypt.dll
C:\txnplus\admin\dbsusers.xslt
C:\txnplus\admin\dbstpslib.dll
C:\txnplus\admin\dbskeys.exe
C:\txnplus\admin\dbseft.msg
C:\txnplus\admin\dbseft.exe
C:\txnplus\admin\dbstpsservicerecovery.cmd
C:\txnplus\admin\dbsdiags.cmd
C:\txnplus\admin\dbsaclsverbose.cmd
C:\txnplus\admin\dbsaclscheck.cmd
C:\txnplus\admin\dbsacls.cmd
C:\txnplus\admin\dbstps.ini
C:\txnplus\admin\defaults.ini
C:\txnplus\admin\dbsusers.exe
C:\txnplus\admin\channels.ini
C:\txnplus\admin\audittransactions.xslt
C:\txnplus\admin\auditlogsummary.xslt
C:\txnplus\admin\auditlogin.xslt
C:\txnplus\admin\auditlogfail.xslt
C:\txnplus\admin\auditlogcommon.xslt
C:\txnplus\admin\auditlog.xml
C:\txnplus\admin\auditlog.hta
C:\txnplus\admin\auditdbsusers.xslt
C:\txnplus\admin\auditalerts.xslt
C:\txnplus\admin\amexfileupload.exe
C:\txnplus\dbswincrypt.dll
C:\txnplus\dbsusers.exe
C:\txnplus\dbsbatch.ini
C:\txnplus\dbsbat32.exe
C:\txnplus\admin\crypt.status
C:\txnplus\admin\datawire\system32\msvcr71.dll
<SYSTEM32>\x.txt
C:\txnplus\admin\mainmenu03.wmf
C:\txnplus\admin\doc\readme.txt
C:\txnplus\admin\doc\user manual - v7.5 (1) changes.doc
C:\txnplus\admin\doc\user manual.docx
C:\txnplus\admin\doc\dbs transaction+ pci security best practices.doc
C:\txnplus\admin\dbsmirror\dbsmirrorinstaller.exe
C:\txnplus\admin\dbsmirror\dbsmirroruninstall.cmd
C:\txnplus\admin\dbsmirror\dbsmirrorinstall.cmd
C:\txnplus\admin\dbsmirror\dbsrebuild.exe
C:\txnplus\admin\dbsmirror\dbsmirror.ini
C:\txnplus\admin\dbsmirror\dbsmirlib.xxx
C:\txnplus\admin\dbsmirror\dbsmirsvc.xxx
<SYSTEM32>\copytosystem32.cmd
C:\txnplus\admin\datawire\system32\copytosystem32.cmd
C:\txnplus\admin\datawire\system32\msvcrt.dll
%ALLUSERSPROFILE%\application data\microsoft\crypto\rsa\machinekeys\efd85b917675a72e4c3358ed7499c406_5f9fe710-99e6-4c04-be62-a7f1b8b321d1
C:\txnplus\admin\datawire\system32\msvcp60.dll
<SYSTEM32>\ssleay32.dll
C:\txnplus\admin\datawire\system32\ssleay32.dll
<SYSTEM32>\libeay32.dll
C:\txnplus\admin\datawire\system32\libeay32.dll
C:\txnplus\admin\datawire\datawireerrors.msg
C:\txnplus\admin\datawire\vxnapi.dll
C:\txnplus\admin\rdcware.dll
C:\txnplus\admin\cw3215.dll
C:\txnplus\admin\transit.bat
C:\txnplus\admin\transactionplus.ico
C:\txnplus\admin\sidebar.jpg
C:\txnplus\admin\mainmenu06.wmf
C:\txnplus\admin\mainmenu05.wmf
C:\txnplus\admin\mainmenu04.wmf
C:\txnplus\admin\mainmenu01.wmf
C:\txnplus\admin\mainmenu02.wmf
%ALLUSERSPROFILE%\application data\microsoft\crypto\rsa\machinekeys\dd49909cbfe7d4771563b7ddb0fe16b3_5f9fe710-99e6-4c04-be62-a7f1b8b321d1
C:\txnplus\admin\install\admin\dbsmirror\dbsmirror.ini
C:\txnplus\admin\install\admin\doc\readme.txt
C:\txnplus\admin\manifest.txt
C:\txnplus\admin\install\admin\auditlog.hta
C:\txnplus\admin\install\admin\dbsusers.xslt
C:\txnplus\admin\install\admin\audittransactions.xslt
C:\txnplus\admin\install\admin\auditlogsummary.xslt
C:\txnplus\admin\install\admin\auditlogin.xslt
C:\txnplus\admin\install\admin\auditlogfail.xslt
C:\txnplus\admin\install\admin\auditlogcommon.xslt
C:\txnplus\admin\install\admin\auditdbsusers.xslt
C:\txnplus\admin\install\admin\auditalerts.xslt
C:\txnplus\admin\install\admin\auditlog.xml
C:\txnplus\admin\setupsp.cmd
C:\txnplus\admin\setups.cmd
C:\txnplus\admin\install\admin\channels.ini
C:\txnplus\admin\install\admin\dbstpsservicerecovery.cmd
C:\txnplus\admin\install\admin\dbsmirror\dbsmirrorinstall.cmd
C:\txnplus\admin\install\admin\dbsdiags.cmd
C:\txnplus\admin\install\admin\dbsaclsverbose.cmd
C:\txnplus\admin\install\admin\dbsaclscheck.cmd
C:\txnplus\admin\install\admin\dbsacls.cmd
C:\txnplus\admin\install\admin\datawire\system32\copytosystem32.cmd
C:\txnplus\admin\install\admin\transit.bat
C:\txnplus\admin\install\admin\mainmenu06.wmf
C:\txnplus\admin\install\admin\mainmenu05.wmf
C:\txnplus\admin\install\admin\mainmenu04.wmf
C:\txnplus\admin\install\admin\mainmenu03.wmf
C:\txnplus\admin\install\admin\mainmenu02.wmf
C:\txnplus\admin\install\admin\mainmenu01.wmf
C:\txnplus\admin\install\admin\transactionplus.ico
C:\txnplus\admin\install\admin\dbsmirror\dbsmirroruninstall.cmd
C:\txnplus\admin\install\admin\dbsmirror\dbsmirrorinstaller.exe
C:\txnplus\admin\install\admin\datawire\vxnapi.dll
C:\txnplus\admin\install\admin\dbstps.ini
C:\txnplus\admin\install\admin\datawire\system32\ssleay32.dll
C:\txnplus\admin\install\admin\rdcware.dll
C:\txnplus\admin\install\admin\datawire\system32\msvcrt.dll
C:\txnplus\admin\install\admin\datawire\system32\msvcr71.dll
C:\txnplus\admin\install\admin\datawire\system32\msvcp60.dll
C:\txnplus\admin\install\admin\datawire\system32\libeay32.dll
C:\txnplus\admin\install\dbswincrypt.dll
C:\txnplus\admin\install\admin\dbswincrypt.dll
C:\txnplus\admin\install\admin\dbstpslib.dll
C:\txnplus\admin\install\admin\cw3215.dll
C:\txnplus\admin\setup.exe
C:\txnplus\admin\install\dbsusers.exe
C:\txnplus\admin\install\admin\dbsusers.exe
C:\txnplus\admin\install\admin\dbstpssvc.exe
C:\txnplus\admin\setup.log
C:\txnplus\admin\install\admin\dbsmirror\dbsrebuild.exe
C:\txnplus\admin\install\admin\dbskeys.exe
C:\txnplus\admin\install\admin\dbseft.exe
C:\txnplus\admin\install\dbsbat32.exe
C:\txnplus\admin\install\admin\amexfileupload.exe
C:\txnplus\admin\install\admin\dbsmirror\dbsmirsvc.xxx
C:\txnplus\admin\install\admin\dbsmirror\dbsmirlib.xxx
C:\txnplus\admin\install\admin\crypt.status
C:\txnplus\admin\install\admin\dbseft.msg
C:\txnplus\admin\install\admin\datawire\datawireerrors.msg
C:\txnplus\admin\install\admin\cacls32bit.eee
C:\txnplus\admin\install\admin\doc\user manual.docx
C:\txnplus\admin\install\admin\doc\user manual - v7.5 (1) changes.doc
C:\txnplus\admin\install\admin\doc\dbs transaction+ pci security best practices.doc
C:\txnplus\admin\install\admin\defaults.ini
C:\txnplus\admin\install\dbsbatch.ini
C:\txnplus\admin\dbsacls.log

Deletes the following files

<SYSTEM32>\x.txt

Miscellaneous

Adds a root certificate

Searches for the following windows

ClassName: 'TDbsEftForm' WindowName: ''
ClassName: 'TDbsBatchForm' WindowName: ''
ClassName: 'TDbsBatCvtForm' WindowName: ''
ClassName: 'TDbsKeysetForm' WindowName: ''
ClassName: 'TDbsPwForm' WindowName: ''
ClassName: 'TDbsRebuildForm' WindowName: ''
ClassName: 'MS_WINHELP' WindowName: ''

Creates and executes the following

'C:\txnplus\admin\setup.exe' /gui 0
'C:\txnplus\admin\dbstpssvc.exe' /install /silent
'<SYSTEM32>\cmd.exe' dbsacls.cmd ..' (with hidden window)
'<SYSTEM32>\cmd.exe' cacls.exe "C:\TXNPLUS\ADMIN"' (with hidden window)
'<SYSTEM32>\cmd.exe' cacls.exe "C:\TXNPLUS\ADMIN\*.EXE"' (with hidden window)

Executes the following

'<SYSTEM32>\cmd.exe' dbsacls.cmd ..
'<SYSTEM32>\netsh.exe' firewall delete dbsusers.exe DBSUSERS
'<SYSTEM32>\netsh.exe' firewall delete dbsusers.exe
'<SYSTEM32>\netsh.exe' firewall delete DBSUSERS
'<SYSTEM32>\netsh.exe' advfirewall firewall delete rule name=DBSBAT32
'<SYSTEM32>\netsh.exe' firewall delete ..\dbsbat32.exe DBSBAT32
'<SYSTEM32>\netsh.exe' firewall delete ..\dbsbat32.exe
'<SYSTEM32>\netsh.exe' firewall delete DBSKEYS
'<SYSTEM32>\netsh.exe' advfirewall firewall delete rule name=DBSUSERS
'<SYSTEM32>\netsh.exe' firewall delete DBSBAT32
'<SYSTEM32>\netsh.exe' advfirewall firewall delete rule name="dbstpsbig"
'<SYSTEM32>\netsh.exe' advfirewall firewall delete rule name="dbstpstest"
'<SYSTEM32>\netsh.exe' advfirewall firewall delete rule name="Open Port 5003"
'<SYSTEM32>\ipconfig.exe'
'<SYSTEM32>\cmd.exe' cacls.exe "C:\TXNPLUS\ADMIN"
'<SYSTEM32>\cacls.exe' "C:\TXNPLUS\ADMIN"
'<SYSTEM32>\netsh.exe' advfirewall firewall delete rule name="TransAction+ Engine Test Host"
'<SYSTEM32>\netsh.exe' advfirewall firewall delete rule name="DBS TransAction+ Configuration Program"
'<SYSTEM32>\netsh.exe' firewall delete dbskeys.exe
'<SYSTEM32>\netsh.exe' firewall delete dbskeys.exe DBSKEYS
'<SYSTEM32>\netsh.exe' advfirewall firewall delete rule name=DBSKEYS
'<SYSTEM32>\cacls.exe' .. /c /g administrators:F system:F users:F
'<SYSTEM32>\cacls.exe' ..
'<SYSTEM32>\cacls.exe' ..\DBS*.* /c /g administrators:F system:F users:F
'<SYSTEM32>\cacls.exe' ..\DBS*.*
'<SYSTEM32>\cacls.exe' . /t /c /g administrators:F system:F
'<SYSTEM32>\cacls.exe' .
'<SYSTEM32>\cacls.exe' "%ALLUSERSPROFILE%\Application Data\Microsoft\Crypto\RSA\MachineKeys" /c /g administrators:F system:F users:R everyone:R
'<SYSTEM32>\cmd.exe' /S /D /c" echo Y"
'<SYSTEM32>\cacls.exe' "%ALLUSERSPROFILE%\Application Data\Microsoft\Crypto\RSA\MachineKeys"
'<SYSTEM32>\netsh.exe' firewall delete dbstpssvc.exe DBSTPS
'<SYSTEM32>\netsh.exe' firewall delete dbstpssvc.exe
'<SYSTEM32>\netsh.exe' firewall delete DBSTPS
'<SYSTEM32>\netsh.exe' advfirewall firewall delete rule name=DBSEFT
'<SYSTEM32>\netsh.exe' firewall delete dbseft.exe DBSEFT
'<SYSTEM32>\netsh.exe' firewall delete dbseft.exe
'<SYSTEM32>\netsh.exe' firewall delete DBSEFT
'<SYSTEM32>\netsh.exe' advfirewall firewall delete rule name=DBSTPS
'<SYSTEM32>\cmd.exe' cacls.exe "C:\TXNPLUS\ADMIN\*.EXE"
'<SYSTEM32>\cacls.exe' "C:\TXNPLUS\ADMIN\*.EXE"

TECHNOLOGIES

TERMINOLOGIE

COURS ET EDU

MYTHES

Technical Information

Recommandations pour le traitement

Free trial