Trojan.Fruity.1

Added to the Dr.Web virus database: 2023-05-12

Virus description added:

Packer: absent

SHA1 hash:

  • 8c54df8f11f9cca98fd91fc8bf35c8763274e59e (python39.dll)

Description

Trojan.Fruity.1 is a multi-component trojan downloader that installs other malware onto computers running Microsoft Windows. It is a modified copy of the legitimate python39.dll library from the Python programming language package, into which the attackers embed malicious code. It can reach target devices in various ways; for example, it can be distributed as part of malicious installers of harmless software, which contain all the trojan's components and copy them into the system during installation.

Operating routine

When all the necessary components are copied onto a target computer, Trojan.Fruity.1 infects the system in several stages.

Stage 1

A trojanized version of the python39.dll library is loaded by the legitimate python.exe application. It then resolves the ntdll.dll and kernel32.dll functions it needs by the CRC32 hashes of their names. Next, it decrypts the contents of the idea.mp3 file with an XOR algorithm, using a key located within the first 200 bytes of the file. The result is a compressed data array and the shellcode for the next stage.

This library also reads the contents of the idea.cfg file. At the beginning of this file is the string fruit.png, which gives the location of the second-stage payload. This string can be a web link for downloading the target file from the Internet or a path to a local file.

After these steps, control is passed to the shellcode.

Stage 2

The shellcode decompresses the data array using the RtlDecompressBuffer function; the result is a .dll library. Next, the shellcode launches the Windows command-line tool cmd.exe in a suspended state, using the CREATE_SUSPENDED flag. It then writes the following into the memory of the created process:

  • the fruit.png string;
  • the shellcode for Stage 3;
  • a memory region with the data for this shellcode (a context for its operation).

Next, the image of the decompressed .dll library is patched so that it points to the address of the context in the target process: the byte sequence B8 CB CB CB CB (a mov eax, imm32 instruction with a placeholder immediate) is replaced with B8 followed by the address of the start of the context. After that, the library is injected into the cmd.exe process, whose execution is then resumed, and control is finally passed to this library.

Stage 3

The .dll library injected into cmd.exe checks which string it received in the previous stage. If the string starts with the http prefix, it treats it as a link and tries to download the target file from the Internet, first via the BITS service and, if that fails, via the WinINet API. If the string does not start with http, it is treated as a path to a local file. In this particular case, the target is the local fruit.png file. This file is moved to %TEMP%\<rnd>.png, where <rnd> is a random 8-character hexadecimal number.

Next, the library runs the Stage 3 shellcode at address 0x7610, passing it the path to the .png file as an argument. This shellcode decrypts the image, in which several malicious objects are hidden using steganography: two .dll libraries and the shellcode that executes Stage 4. The decrypted contents are written into memory.

Stage 4

The shellcode from the fruit.png image enumerates the running processes and looks among them for anti-virus software processes by their hashes. It then attempts to evade their detection and to hinder any debugging of the malware.

Next, an injection into the msbuild.exe process is attempted. If that fails, the attempt is repeated for the cmd.exe and notepad.exe processes. The Process Hollowing method is used to inject one of the two .dll libraries decoded earlier from the fruit.png image, together with the shellcode that initializes Stage 5.

After that, a .dll file with a random name is created in the %TEMP% temporary directory. The contents of the second .dll library decoded from the fruit.png image are then copied into this file. Then this file is injected into the target process, but this time using the Process Doppelgänging method. This file is the Remcos RAT (Trojan.Inject4.57973) spyware trojan.

Stage 5

The shellcode injected into the target process at the previous stage adds the legitimate python.exe program to Windows autostart and additionally creates a scheduled task that launches it. This program is also added to the scan exclusions of Windows Defender, the anti-virus built into Windows.

Then random data is appended to the end of the trojanized python39.dll file, which changes its hash. Its creation date and time are also modified.
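Because Stage 5 appends random bytes to the trojanized python39.dll, its SHA1 stops matching the hash listed at the top of this description. The triage helper below, added here as an example (it is not Dr.Web's code), checks a candidate python39.dll both ways: an exact IoC hash match and, independently, bytes after the last PE section that the headers do not account for. It assumes the standard PE layout, treats an Authenticode signature in the overlay as legitimate, and the test buffer it builds is constructed, not a real DLL.

```python
import hashlib
import struct

# SHA1 of the trojanized python39.dll as listed in this description.
KNOWN_BAD_SHA1 = "8c54df8f11f9cca98fd91fc8bf35c8763274e59e"

def pe_unaccounted_tail(data: bytes) -> int:
    """Bytes after the last section that the PE headers do not explain.
    An Authenticode signature (security data directory) legitimately lives
    in the overlay, so it is subtracted; anything beyond it is unexplained."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24
    sect = opt + opt_size
    end = sect + nsect * 40                                # end of headers
    for i in range(nsect):
        # IMAGE_SECTION_HEADER: SizeOfRawData at +16, PointerToRawData at +20
        raw_size, raw_ptr = struct.unpack_from("<II", data, sect + i * 40 + 16)
        end = max(end, raw_ptr + raw_size)
    if opt_size:
        magic = struct.unpack_from("<H", data, opt)[0]
        dirs = opt + (112 if magic == 0x20B else 96)        # PE32+ vs PE32
        sig_off, sig_size = struct.unpack_from("<II", data, dirs + 4 * 8)  # security dir
        if sig_size and sig_off >= end:
            end = sig_off + sig_size
    return max(0, len(data) - end)

def triage_python39(data: bytes) -> dict:
    """Flag a python39.dll image by exact IoC hash or by an unexplained tail."""
    sha1 = hashlib.sha1(data).hexdigest()
    tail = pe_unaccounted_tail(data)
    return {"sha1": sha1, "ioc_match": sha1 == KNOWN_BAD_SHA1,
            "unaccounted_tail": tail, "suspicious": sha1 == KNOWN_BAD_SHA1 or tail > 0}

def build_minimal_pe(section: bytes, tail: bytes = b"") -> bytes:
    """Constructed PE-shaped test buffer: one section, no optional header.
    Not a real DLL and not loadable; only for exercising the parser."""
    pe = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe)
    file_hdr = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0, 0x2022)
    sect = b".text\0\0\0" + struct.pack("<IIII", len(section), 0x1000, len(section), pe + 64) + b"\0" * 16
    return dos + b"PE\0\0" + file_hdr + sect + section + tail
```

On a real system the comparison file should be the python39.dll from the official Python 3.9 distribution, whose only overlay is its signature.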


Treatment recommendations

  1. If the operating system can be booted (in normal mode or in safe mode), download Dr.Web Security Space and run a full scan of your computer and of all removable media you use. Learn more about Dr.Web Security Space.
  2. If the operating system cannot be booted, change your computer's BIOS settings so that it boots from CD/DVD or from a USB drive. Download the Dr.Web® LiveDisk system rescue disk image or the utility for writing Dr.Web® LiveDisk to a USB drive, then prepare the corresponding USB drive. Boot the computer from this drive and run a full scan and treatment of the detected threats.

Run a full system scan using Dr.Web Antivirus for Mac OS.

Run a full scan of all disk partitions using Dr.Web Antivirus for Linux.

  1. If your mobile device is working normally, download and install Dr.Web for Android on it. Run a full scan and follow the recommendations for neutralizing the detected threats.
  2. If the mobile device is locked by a trojan of the Android.Locker family (a message about a serious violation of the law or a ransom demand is shown on the device's screen), proceed as follows:
    • boot your smartphone or tablet in safe mode (if you do not know how, consult the mobile device's documentation or contact the manufacturer);
    • then download and install Dr.Web for Android on the mobile device, run a full scan and follow the recommendations for neutralizing the detected threats;
    • disconnect your device and reconnect it.

Learn more about Dr.Web for Android