Trojan.DownLoader30.28227

Technical Information

To ensure autorun and distribution

Modifies the following registry keys

[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce] '{f65db027-aff3-4070-886a-0d87064aabb1}' = '"%PROGRAMDATA%\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x...
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce] '{2af972c7-13b0-4978-92a8-fee26a4fb4e9}' = '"%PROGRAMDATA%\Package Cache\{2af972c7-13b0-4978-92a8-fee26a4fb4e9}\vcredist_x...
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce] '{51adbf11-493f-431c-a862-967a0fae2944}' = '"%PROGRAMDATA%\Package Cache\{51adbf11-493f-431c-a862-967a0fae2944}\vcredist_x...
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce] '{ce085a78-074e-4823-8dc1-8a721b94b76d}' = '"%PROGRAMDATA%\Package Cache\{ce085a78-074e-4823-8dc1-8a721b94b76d}\vcredist_x...

Creates the following services

[<HKLM>\System\CurrentControlSet\Services\MCAgent] 'Start' = '00000002'
[<HKLM>\System\CurrentControlSet\Services\MCAgent] 'ImagePath' = '"%ProgramFiles(x86)%\SOTI\MobiControl\CommLoader.exe"'

Malicious functions

Executes the following

'%WINDIR%\syswow64\net.exe' stop MCAgent

Modifies file system

Creates the following files

<Current directory>\files.ini
%TEMP%\{2af972c7-13b0-4978-92a8-fee26a4fb4e9}\.ba1\logo.png
%TEMP%\{2af972c7-13b0-4978-92a8-fee26a4fb4e9}\.ba1\license.rtf
%TEMP%\{2af972c7-13b0-4978-92a8-fee26a4fb4e9}\.ba1\bootstrapperapplicationdata.xml
%TEMP%\dd_vcredist_x86_20191017184033.log
%TEMP%\{51adbf11-493f-431c-a862-967a0fae2944}\.ba1\wixstdba.dll
%TEMP%\{51adbf11-493f-431c-a862-967a0fae2944}\.ba1\thm.xml
%TEMP%\{51adbf11-493f-431c-a862-967a0fae2944}\.ba1\thm.wxl
%TEMP%\{51adbf11-493f-431c-a862-967a0fae2944}\.ba1\logo.png
%TEMP%\{51adbf11-493f-431c-a862-967a0fae2944}\.ba1\license.rtf
%TEMP%\{51adbf11-493f-431c-a862-967a0fae2944}\.ba1\bootstrapperapplicationdata.xml
%TEMP%\dd_vcredist_amd64_20191017184041.log
%TEMP%\dd_vcredist_amd64_20191017184041_0_vcruntimeadditional_x64.log
%TEMP%\dd_vcredist_amd64_20191017184041_1_vcruntimeminimum_x64.log
%TEMP%\{ce085a78-074e-4823-8dc1-8a721b94b76d}\.ba1\wixstdba.dll
%TEMP%\{ce085a78-074e-4823-8dc1-8a721b94b76d}\.ba1\thm.xml
%TEMP%\{ce085a78-074e-4823-8dc1-8a721b94b76d}\.ba1\thm.wxl
%TEMP%\{ce085a78-074e-4823-8dc1-8a721b94b76d}\.ba1\logo.png
%TEMP%\{ce085a78-074e-4823-8dc1-8a721b94b76d}\.ba1\license.rtf
%TEMP%\{ce085a78-074e-4823-8dc1-8a721b94b76d}\.ba1\bootstrapperapplicationdata.xml
%TEMP%\dd_vcredist_x86_20191017184053.log
%TEMP%\dd_vcredist_x86_20191017184101.log
%TEMP%\{2af972c7-13b0-4978-92a8-fee26a4fb4e9}\.ba1\thm.wxl
%PROGRAMDATA%\soti\winagent.log
%TEMP%\{2af972c7-13b0-4978-92a8-fee26a4fb4e9}\.ba1\thm.xml
%TEMP%\{f65db027-aff3-4070-886a-0d87064aabb1}\.be\vcredist_x86.exe
<LS_APPDATA>\soti\mcagtinst.log
%ProgramFiles(x86)%\soti\mobicontrol\pdb.ini
%ProgramFiles(x86)%\soti\mobicontrol\readme.txt
%ProgramFiles(x86)%\soti\mobicontrol\commloader.exe
%ProgramFiles(x86)%\soti\mobicontrol\mchook.dll
%ProgramFiles(x86)%\soti\mobicontrol\mchook64.dll
%ProgramFiles(x86)%\soti\mobicontrol\mchookhelper.exe
%ProgramFiles(x86)%\soti\mobicontrol\winmckiosk.exe
%ProgramFiles(x86)%\soti\mobicontrol\mcresbrand.dll
%ProgramFiles(x86)%\soti\mobicontrol\mcres0409.dll
%ProgramFiles(x86)%\soti\mobicontrol\vcredist_x86.exe
%ProgramFiles(x86)%\soti\mobicontrol\install.bat
%ProgramFiles(x86)%\soti\mobicontrol\uninstall.bat
%ProgramFiles(x86)%\soti\mobicontrol\mckioskhook.dll
%TEMP%\{f65db027-aff3-4070-886a-0d87064aabb1}\.ba1\wixstdba.dll
%TEMP%\{f65db027-aff3-4070-886a-0d87064aabb1}\.ba1\thm.xml
%TEMP%\{f65db027-aff3-4070-886a-0d87064aabb1}\.ba1\thm.wxl
%TEMP%\{f65db027-aff3-4070-886a-0d87064aabb1}\.ba1\logo.png
%TEMP%\{f65db027-aff3-4070-886a-0d87064aabb1}\.ba1\license.rtf
%TEMP%\{f65db027-aff3-4070-886a-0d87064aabb1}\.ba1\bootstrapperapplicationdata.xml
%TEMP%\dd_vcredist_x86_20191017184026.log
%TEMP%\{2af972c7-13b0-4978-92a8-fee26a4fb4e9}\.ba1\wixstdba.dll
%ProgramFiles(x86)%\soti\mobicontrol\<File name>.exe

Deletes the following files

%TEMP%\{2af972c7-13b0-4978-92a8-fee26a4fb4e9}\.ba1\bootstrapperapplicationdata.xml
%TEMP%\{f65db027-aff3-4070-886a-0d87064aabb1}\.ba1\thm.xml
%TEMP%\{f65db027-aff3-4070-886a-0d87064aabb1}\.ba1\thm.wxl
%TEMP%\{f65db027-aff3-4070-886a-0d87064aabb1}\.ba1\logo.png
%TEMP%\{f65db027-aff3-4070-886a-0d87064aabb1}\.ba1\license.rtf
%TEMP%\{f65db027-aff3-4070-886a-0d87064aabb1}\.ba1\bootstrapperapplicationdata.xml
%TEMP%\{ce085a78-074e-4823-8dc1-8a721b94b76d}\.ba1\wixstdba.dll
%TEMP%\{ce085a78-074e-4823-8dc1-8a721b94b76d}\.ba1\thm.xml
%TEMP%\{ce085a78-074e-4823-8dc1-8a721b94b76d}\.ba1\thm.wxl
%TEMP%\{ce085a78-074e-4823-8dc1-8a721b94b76d}\.ba1\logo.png
%TEMP%\{ce085a78-074e-4823-8dc1-8a721b94b76d}\.ba1\license.rtf
%TEMP%\{f65db027-aff3-4070-886a-0d87064aabb1}\.ba1\wixstdba.dll
%TEMP%\{ce085a78-074e-4823-8dc1-8a721b94b76d}\.ba1\bootstrapperapplicationdata.xml
%TEMP%\{51adbf11-493f-431c-a862-967a0fae2944}\.ba1\thm.xml
%TEMP%\{51adbf11-493f-431c-a862-967a0fae2944}\.ba1\thm.wxl
%TEMP%\{51adbf11-493f-431c-a862-967a0fae2944}\.ba1\logo.png
%TEMP%\{51adbf11-493f-431c-a862-967a0fae2944}\.ba1\license.rtf
%TEMP%\{51adbf11-493f-431c-a862-967a0fae2944}\.ba1\bootstrapperapplicationdata.xml
%TEMP%\{2af972c7-13b0-4978-92a8-fee26a4fb4e9}\.ba1\wixstdba.dll
%TEMP%\{2af972c7-13b0-4978-92a8-fee26a4fb4e9}\.ba1\thm.xml
%TEMP%\{2af972c7-13b0-4978-92a8-fee26a4fb4e9}\.ba1\thm.wxl
%TEMP%\{2af972c7-13b0-4978-92a8-fee26a4fb4e9}\.ba1\logo.png
%TEMP%\{2af972c7-13b0-4978-92a8-fee26a4fb4e9}\.ba1\license.rtf
%TEMP%\{51adbf11-493f-431c-a862-967a0fae2944}\.ba1\wixstdba.dll
%TEMP%\{f65db027-aff3-4070-886a-0d87064aabb1}\.be\vcredist_x86.exe

Moves the following system files

from <SYSTEM32>\mfc120.dll to C:\config.msi\103b59.rbf
from <SYSTEM32>\vccorlib120.dll to C:\config.msi\103b6d.rbf
from <SYSTEM32>\msvcp120.dll to C:\config.msi\103b6c.rbf
from <SYSTEM32>\msvcr120.dll to C:\config.msi\103b6b.rbf
from <SYSTEM32>\mfc120rus.dll to C:\config.msi\103b66.rbf
from <SYSTEM32>\mfc120kor.dll to C:\config.msi\103b65.rbf
from <SYSTEM32>\mfc120jpn.dll to C:\config.msi\103b64.rbf
from <SYSTEM32>\mfc120ita.dll to C:\config.msi\103b63.rbf
from <SYSTEM32>\vcamp120.dll to C:\config.msi\103b6e.rbf
from <SYSTEM32>\mfc120fra.dll to C:\config.msi\103b62.rbf
from <SYSTEM32>\mfc120deu.dll to C:\config.msi\103b60.rbf
from <SYSTEM32>\mfc120enu.dll to C:\config.msi\103b5f.rbf
from <SYSTEM32>\mfc120chs.dll to C:\config.msi\103b5e.rbf
from <SYSTEM32>\mfc120cht.dll to C:\config.msi\103b5d.rbf
from <SYSTEM32>\mfcm120u.dll to C:\config.msi\103b5c.rbf
from <SYSTEM32>\mfcm120.dll to C:\config.msi\103b5b.rbf
from <SYSTEM32>\mfc120u.dll to C:\config.msi\103b5a.rbf
from <SYSTEM32>\mfc120esn.dll to C:\config.msi\103b61.rbf
from <SYSTEM32>\vcomp120.dll to C:\config.msi\103b6f.rbf

Moves the following files

from <Current directory>\files.ini to %ProgramFiles(x86)%\soti\mobicontrol\files.ini
from <LS_APPDATA>\soti\mcagtinst.log to %ProgramFiles(x86)%\soti\mobicontrol\mcagtinst.log

Substitutes the following files

%TEMP%\{f65db027-aff3-4070-886a-0d87064aabb1}\.ba1\wixstdba.dll
%TEMP%\{f65db027-aff3-4070-886a-0d87064aabb1}\.ba1\thm.xml
%TEMP%\{f65db027-aff3-4070-886a-0d87064aabb1}\.ba1\thm.wxl
%TEMP%\{f65db027-aff3-4070-886a-0d87064aabb1}\.ba1\logo.png
%TEMP%\{f65db027-aff3-4070-886a-0d87064aabb1}\.ba1\license.rtf
%TEMP%\{f65db027-aff3-4070-886a-0d87064aabb1}\.ba1\bootstrapperapplicationdata.xml
%TEMP%\{f65db027-aff3-4070-886a-0d87064aabb1}\.be\vcredist_x86.exe

Network activity

Connects to

'<LOCALNET>.254.115':5494

UDP

DNS ASK SO##.#com-ex.com

Miscellaneous

Searches for the following windows

ClassName: 'MMCMainFrame' WindowName: ''
ClassName: 'MC.Agent.Desktop.Window' WindowName: ''

Creates and executes the following

'%ProgramFiles(x86)%\soti\mobicontrol\vcredist_x86.exe' /q
'%ProgramFiles(x86)%\soti\mobicontrol\vcredist_x86.exe' /q -burn.unelevated BurnPipe.{40925672-B329-44C0-ADF2-64E58CAA62D8} {9CB81FFD-A55A-4744-B249-A9162B8C12AD} 2800
'%ProgramFiles(x86)%\soti\mobicontrol\vcredist_x86.exe' /q -burn.unelevated BurnPipe.{32DDA60C-D752-48B5-A6CC-EE35AE415CBA} {595BFF9D-CC2C-4012-A686-51DA041CA5F9} 2216
'%ProgramFiles(x86)%\soti\mobicontrol\commloader.exe' -silent -install
'%ProgramFiles(x86)%\soti\mobicontrol\commloader.exe'
'%ProgramFiles(x86)%\soti\mobicontrol\commloader.exe' -ui
'%ProgramFiles(x86)%\soti\mobicontrol\mchookhelper.exe'
'%WINDIR%\syswow64\net.exe' stop MCAgent' (with hidden window)
'%WINDIR%\syswow64\net.exe' start MCAgent' (with hidden window)

Executes the following

'%WINDIR%\syswow64\net1.exe' stop MCAgent
'%WINDIR%\syswow64\net.exe' start MCAgent
'%WINDIR%\syswow64\net1.exe' start MCAgent

Tecnologie

Termini

Formazione ed informazione

Falsi miti

Technical Information

Curing recommendations

Free trial