sha1:
- 9f5d1dbb2cd31b2af97e14b8781ea035a4869194 (tmp6FC15.dll)
Description
A malicious program written in C++ and a component of the Trojan.Scavenger family. It represents a dynamic library whose main purpose is to download the next infection stages, Trojan.Scavenger.3 and Trojan.Scavenger.4, and prepare them for launch. For this, Trojan.Scavenger.2 puts them into the directories of apps susceptible to DLL Search Order Hijacking vulnerabilities. These stages run automatically when the corresponding programs are launched.
Operating routine
LaunchingDepending on the attack vector scenario, Trojan.Scavenger.2 can be either the next infection stage downloaded by the Trojan.Scavenger.1 malicious app or its starting point. In the former case, Trojan.Scavenger.1 downloads this malware as the file %TEMP%\tmp6FC15.dll and then launches it. In the latter case, the trojan is distributed under the guise of ASI files for installing PC game modes. When a victim follows the attackers’ instructions and copies the trojan file into the game directory, it automatically runs when the game is launched.
Checking the running environmentWhen launched, Trojan.Scavenger.2 preliminarily performs an environment check, which is standard for the entire family. If it detects signs that it is being launched in a virtual environment or debug mode, it stops working.
Downloading the payloadLike most components of the family, before directly proceeding to download the payload from the C2 sever, Trojan.Scavenger.2 checks the encryption key for secure data exchange. To do so, it uses the algorithm discussed in the description for the corresponding trojan family. After successfully verifying the encryption key on the server, the malicious app downloads the next infection stages. For this, requests with the following routes are made:
-
/pl — receiving the target files list;
-
/pdl — receiving the payload body;
-
/pdp — these are paths for searching the target directories to place the downloaded files into them.
This request has the following parameters:
-
Parameters that are standard for the Trojan.Scavenger family;
-
The parameter _ = -.
In response to this request, the C2 server sends a list of payloads, parameters for determining which target directory these files will be copied to, and the files’ final names. This response is encrypted with the XXTEA algorithm; after decryption, it looks like this:
[{"enabled": true, "identifier": "shiny", "drop_name": "version.dll", "next_to_match": "notification_helper.exe", "next_to_extra_nav": "\\..\\..\\", "next_to_extra_nav_confirmation": "anifest.xml"}, {"enabled": true, "identifier": "exodus", "drop_name": "profapi.dll", "next_to_match": "\\Exodus.exe", "next_to_extra_nav": "\\..", "next_to_extra_nav_confirmation": "v8_context_snapshot.bin"}], где
-
enable — to create requests /pdl and /pdp for downloading the payload;
-
identifyre — the parameter for the request /pdl;
-
drop_name — the name under which the target file will be saved after being downloaded;
-
next_to_match — the match during the directory parsing;
-
next_to_extra_nav — the parameters for searching which target directory to save the downloaded file to (for example, for the path C:\Program Files (x86)\Microsoft\Edge\Application\136.0.3240.64\notification_helper.exe" - \..\.. the resulting path will be C:\Program Files (x86)\Microsoft\Edge\Application);
-
next_to_extra_nav_confirmation — part of the file’s name to confirm that this file is located in the correct directory.
This request has the following parameters:
-
Parameters that are standard for the Trojan.Scavenger family;
-
p — the type of downloaded component.
Trojan.Scavenger.2 downloads two additional stages to further infect the computer:
-
p = shiny — Trojan.Scavenger.3;
-
p = exodus — Trojan.Scavenger.4.
After decoding base64, the payload is encrypted with an XOR operation containing the string F**kOff (we deliberately hid some of the symbols).
The request containing the route /pdpThis request has the following parameters:
-
Parameters that are standard for the Trojan.Scavenger family;
-
_ = -.
In response to this request, the C2 server sends an array of directory names to be parsed. This response is encrypted with the XXTEA algorithm; after decryption it looks like this:
["C:\\Program Files", "C:\\Program Files (x86)", "%LOCALAPPDATA%", "%APPDATA%"]After receiving the response corresponding to the request containing the route /pdp, the trojan starts crawling target directories to locate the ones the downloaded payload will be copied to. The search is performed according to rules sent by the C2 server in response to the request containing the route /pl.
First, Trojan.Scavenger.2 searches for the file with the name sent in the parameter next_to_match. Next, it forms a path to the target directory, using the rules next_to_extra_nav. After that, it verifies the directory in accordance with the parameters from the field next_to_extra_nav_confirmation. For this, it searches for a file by its full name (for instance, v8_context_snapshot.bin) or a portion of it (for example, the substring anifest.xml which is present in the names of Manifest files of different browsers).
More about Trojan.Scavenger.1
More about Trojan.Scavenger.3
More about Trojan.Scavenger.4
News about the trojan
Indicators of compromise
