Trojan.DownLoader25.42130

Technical Information

To ensure autorun and distribution

Sets the following service settings

[<HKLM>\System\CurrentControlSet\Services\MSO_SpUsb_Service] 'Start' = '00000002'
[<HKLM>\System\CurrentControlSet\Services\MSO_SpUsb_Service] 'ImagePath' = '%WINDIR%\SysWOW64\Serv_SpUsb.exe'
[<HKLM>\System\CurrentControlSet\Services\MORPHO_RD_Service] 'ImagePath' = 'C:\MorphoRdServiceL0Soft\MorphoInteractiveRDService.exe'
[<HKLM>\System\CurrentControlSet\Services\MORPHO_RD_Service] 'Start' = '00000002'

Creates the following services

'MSO_SpUsb_Service' %WINDIR%\SysWOW64\Serv_SpUsb.exe
'MORPHO_RD_Service' C:\MorphoRdServiceL0Soft\MorphoInteractiveRDService.exe

Malicious functions

Executes the following

'%WINDIR%\syswow64\net.exe' stop MORPHO_RD_Service
'%WINDIR%\syswow64\taskkill.exe' /F /IM MorphoRdServiceL0Soft.exe

Modifies file system

Creates the following files

%TEMP%\is-ti4f8.tmp\<File name>.tmp
%ALLUSERSPROFILE%\microsoft\windows\start menu\programs\startup\morphordservicel0soft.exe.lnk
C:\morphordservicel0soft\is-bgfd7.tmp
C:\morphordservicel0soft\is-uosla.tmp
C:\morphordservicel0soft\is-0nn5p.tmp
C:\morphordservicel0soft\is-ie26t.tmp
C:\morphordservicel0soft\is-l3bkp.tmp
C:\morphordservicel0soft\is-be6vd.tmp
C:\morphordservicel0soft\is-ebb33.tmp
C:\morphordservicel0soft\is-b59h6.tmp
C:\morphordservicel0soft\is-ag364.tmp
C:\morphordservicel0soft\is-mgjrg.tmp
C:\morphordservicel0soft\is-nh9t0.tmp
C:\morphordservicel0soft\is-f5qmc.tmp
C:\morphordservicel0soft\is-39bng.tmp
C:\morphordservicel0soft\is-dbiqo.tmp
C:\morphordservicel0soft\is-aippf.tmp
C:\morphordservicel0soft\is-vmbmj.tmp
C:\morphordservicel0soft\is-fbk9f.tmp
%TEMP%\dll_{c2cca71a-e107-46ba-8365-26e6192ebc34}.ini
%WINDIR%\installer\{c2cca71a-e107-46ba-8365-26e6192ebc34}\newshortcut1_4e48c72751e4495f846cb4ae2d571c0d.exe
%APPDATA%\mozilla\firefox\profiles\gn7ryp3k.default\secmod.db
<SYSTEM32>\catroot\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\oem2.cat
%TEMP%\{07b391c0-a898-7d22-98c3-ab122811195a}\set930e.tmp
%TEMP%\{07b391c0-a898-7d22-98c3-ab122811195a}\set92a0.tmp
%TEMP%\{07b391c0-a898-7d22-98c3-ab122811195a}\set9176.tmp
%TEMP%\{07b391c0-a898-7d22-98c3-ab122811195a}\set90d9.tmp
%ALLUSERSPROFILE%\microsoft\windows\start menu\programs\morpho\morphosmart usb driver\morphosmart usb driver release notes.lnk
C:\morpho\morphosmart usb driver\usbbiodriver.cat
C:\morpho\morphosmart usb driver\msocoinstaller_x64.dll
%WINDIR%\installer\{c2cca71a-e107-46ba-8365-26e6192ebc34}\microsoftcertifica_2b27b042485a4997a3cbbc64931c7510.exe
%WINDIR%\installer\{c2cca71a-e107-46ba-8365-26e6192ebc34}\arpproducticon.exe
%WINDIR%\syswow64\serv_spusb.exe
C:\morpho\morphosmart usb driver\morphosmartusbdriver.chm
C:\morpho\morphosmart usb driver\logoverificationreport.pdf
C:\morpho\morphosmart usb driver\usbbiodriver_x64.sys
C:\morpho\morphosmart usb driver\usbbiodriver.inf
%ALLUSERSPROFILE%\microsoft\windows\start menu\programs\morpho\morphosmart usb driver\microsoft certificate attestation.lnk
C:\morphordservicel0soft\is-2et2f.tmp
C:\morphordservicel0soft\is-hqfqq.tmp
C:\morphordservicel0soft\is-ab874.tmp
C:\morphordservicel0soft\is-8h6fj.tmp
C:\morphordservicel0soft\is-lvc59.tmp
C:\morphordservicel0soft\is-qu4os.tmp
C:\morphordservicel0soft\morphosmart usb driver x64\is-npj68.tmp
C:\morphordservicel0soft\morphosmart usb driver x64\is-umjq5.tmp
C:\morphordservicel0soft\is-2i180.tmp
C:\morphordservicel0soft\is-8dk6d.tmp
%TEMP%\is-rkf7k.tmp\_isetup\_shfoldr.dll
%TEMP%\is-5hua0.tmp\morphordservicel0softsetup.tmp
C:\morphordservicel0soft\unins000.dat
%TEMP%\is-4ed92.tmp\is-ujt1e.tmp
%TEMP%\is-4ed92.tmp\is-21p3g.tmp
C:\morphordservicel0soft\is-7bufo.tmp
%TEMP%\is-4ed92.tmp\_isetup\_shfoldr.dll
%TEMP%\is-4ed92.tmp\_isetup\_setup64.tmp
%TEMP%\is-rkf7k.tmp\_isetup\_setup64.tmp
C:\morphordservicel0soft\is-amgvt.tmp
C:\morphordservicel0soft\is-3ot0b.tmp
C:\morphordservicel0soft\is-5cl7l.tmp
C:\morphordservicel0soft\is-i2978.tmp
C:\morphordservicel0soft\is-7uo62.tmp
C:\morphordservicel0soft\is-bfvbt.tmp
C:\morphordservicel0soft\is-lvpp9.tmp
C:\morphordservicel0soft\is-niaqk.tmp
C:\morphordservicel0soft\is-p2264.tmp
C:\morphordservicel0soft\is-88449.tmp
C:\morphordservicel0soft\is-f6uh5.tmp
C:\morphordservicel0soft\is-qjf36.tmp
C:\morphordservicel0soft\is-4vtcs.tmp
C:\morphordservicel0soft\is-nrnnl.tmp
C:\morphordservicel0soft\is-bg02m.tmp
C:\morphordservicel0soft\is-5m0k3.tmp
C:\morphordservicel0soft\is-0m5h7.tmp
C:\morphordservicel0soft\is-ineqt.tmp
C:\morphordservicel0soft\is-vuti3.tmp
C:\morphordservicel0soft\is-uatkj.tmp
C:\morphordservicel0soft\is-vqelu.tmp
C:\morphordlog\servicelog.txt
C:\morphordlog\rdlogs.txt

Sets the 'hidden' attribute to the following files

<SYSTEM32>\catroot\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\oem2.cat

Deletes the following files

%TEMP%\{07b391c0-a898-7d22-98c3-ab122811195a}\msocoinstaller_x64.dll
%TEMP%\{07b391c0-a898-7d22-98c3-ab122811195a}\usbbiodriver.cat
%TEMP%\{07b391c0-a898-7d22-98c3-ab122811195a}\usbbiodriver.inf
%TEMP%\{07b391c0-a898-7d22-98c3-ab122811195a}\usbbiodriver_x64.sys
%TEMP%\dll_{c2cca71a-e107-46ba-8365-26e6192ebc34}.ini
%TEMP%\is-rkf7k.tmp\_isetup\_setup64.tmp
%TEMP%\is-rkf7k.tmp\_isetup\_shfoldr.dll
%TEMP%\is-5hua0.tmp\morphordservicel0softsetup.tmp
%TEMP%\is-4ed92.tmp\morphordservicel0softsetup.exe
%TEMP%\is-4ed92.tmp\uninstall.bat
%TEMP%\is-4ed92.tmp\_isetup\_setup64.tmp
%TEMP%\is-4ed92.tmp\_isetup\_shfoldr.dll
%TEMP%\is-ti4f8.tmp\<File name>.tmp

Moves the following files

from C:\morphordservicel0soft\is-7bufo.tmp to C:\morphordservicel0soft\unins000.exe
from C:\morphordservicel0soft\is-i2978.tmp to C:\morphordservicel0soft\ssleay32.dll
from C:\morphordservicel0soft\is-ab874.tmp to C:\morphordservicel0soft\morphointeractiverdservice.exe
from C:\morphordservicel0soft\is-hqfqq.tmp to C:\morphordservicel0soft\morphordservicel0soft.exe
from C:\morphordservicel0soft\is-2et2f.tmp to C:\morphordservicel0soft\server.key
from C:\morphordservicel0soft\is-ebb33.tmp to C:\morphordservicel0soft\server.crt
from C:\morphordservicel0soft\is-fbk9f.tmp to C:\morphordservicel0soft\safran.crt
from C:\morphordservicel0soft\is-aippf.tmp to C:\morphordservicel0soft\morpho.crt
from C:\morphordservicel0soft\is-dbiqo.tmp to C:\morphordservicel0soft\reg.bat
from C:\morphordservicel0soft\is-39bng.tmp to C:\morphordservicel0soft\dereg.bat
from C:\morphordservicel0soft\is-f5qmc.tmp to C:\morphordservicel0soft\certmgr.exe
from C:\morphordservicel0soft\is-nh9t0.tmp to C:\morphordservicel0soft\certutil.exe
from C:\morphordservicel0soft\is-ag364.tmp to C:\morphordservicel0soft\nss3.dll
from %TEMP%\{07b391c0-a898-7d22-98c3-ab122811195a}\set92a0.tmp to %TEMP%\{07b391c0-a898-7d22-98c3-ab122811195a}\msocoinstaller_x64.dll
from C:\morphordservicel0soft\is-vmbmj.tmp to C:\morphordservicel0soft\plc4.dll
from C:\morphordservicel0soft\is-b59h6.tmp to C:\morphordservicel0soft\smime3.dll
from C:\morphordservicel0soft\is-be6vd.tmp to C:\morphordservicel0soft\softokn3.dll
from C:\morphordservicel0soft\is-l3bkp.tmp to C:\morphordservicel0soft\plds4.dll
from C:\morphordservicel0soft\is-ie26t.tmp to C:\morphordservicel0soft\certdata
from C:\morphordservicel0soft\is-0nn5p.tmp to C:\morphordservicel0soft\libxml2.dll
from C:\morphordservicel0soft\is-uosla.tmp to C:\morphordservicel0soft\iconv.dll
from C:\morphordservicel0soft\is-bgfd7.tmp to C:\morphordservicel0soft\zlib1.dll
from C:\morphordservicel0soft\is-2i180.tmp to C:\morphordservicel0soft\unins000.exe
from %TEMP%\{07b391c0-a898-7d22-98c3-ab122811195a}\set90d9.tmp to %TEMP%\{07b391c0-a898-7d22-98c3-ab122811195a}\usbbiodriver.cat
from %TEMP%\{07b391c0-a898-7d22-98c3-ab122811195a}\set9176.tmp to %TEMP%\{07b391c0-a898-7d22-98c3-ab122811195a}\usbbiodriver.inf
from C:\morphordservicel0soft\is-bfvbt.tmp to C:\morphordservicel0soft\libeay32.dll
from C:\morphordservicel0soft\is-mgjrg.tmp to C:\morphordservicel0soft\nspr4.dll
from C:\morphordservicel0soft\is-lvpp9.tmp to C:\morphordservicel0soft\msvcr71.dll
from C:\morphordservicel0soft\is-nrnnl.tmp to C:\morphordservicel0soft\msosecu.dll
from %TEMP%\is-4ed92.tmp\is-21p3g.tmp to %TEMP%\is-4ed92.tmp\morphordservicel0softsetup.exe
from %TEMP%\is-4ed92.tmp\is-ujt1e.tmp to %TEMP%\is-4ed92.tmp\uninstall.bat
from C:\morphordservicel0soft\morphosmart usb driver x64\is-umjq5.tmp to C:\morphordservicel0soft\morphosmart usb driver x64\data1.cab
from C:\morphordservicel0soft\morphosmart usb driver x64\is-npj68.tmp to C:\morphordservicel0soft\morphosmart usb driver x64\morphosmart usb 64 bits driver.msi
from C:\morphordservicel0soft\is-qu4os.tmp to C:\morphordservicel0soft\morpho_api.dll
from C:\morphordservicel0soft\is-lvc59.tmp to C:\morphordservicel0soft\imagecompress.dll
from C:\morphordservicel0soft\is-8h6fj.tmp to C:\morphordservicel0soft\morpho_sdk.dll
from C:\morphordservicel0soft\is-3ot0b.tmp to C:\morphordservicel0soft\morphoglog.dll
from C:\morphordservicel0soft\is-8dk6d.tmp to C:\morphordservicel0soft\mso_spusb.dll
from C:\morphordservicel0soft\is-amgvt.tmp to C:\morphordservicel0soft\mso100.dll
from C:\morphordservicel0soft\is-5cl7l.tmp to C:\morphordservicel0soft\mso_sprs232.dll
from C:\morphordservicel0soft\is-vqelu.tmp to C:\morphordservicel0soft\configsettings.ini
from C:\morphordservicel0soft\is-p2264.tmp to C:\morphordservicel0soft\msvcp90d.dll
from C:\morphordservicel0soft\is-uatkj.tmp to C:\morphordservicel0soft\msvcr90.dll
from C:\morphordservicel0soft\is-vuti3.tmp to C:\morphordservicel0soft\msvcp90.dll
from C:\morphordservicel0soft\is-ineqt.tmp to C:\morphordservicel0soft\msvcp100.dll
from C:\morphordservicel0soft\is-0m5h7.tmp to C:\morphordservicel0soft\msvcp100d.dll
from C:\morphordservicel0soft\is-5m0k3.tmp to C:\morphordservicel0soft\msvcr100.dll
from C:\morphordservicel0soft\is-bg02m.tmp to C:\morphordservicel0soft\msvcrt.dll
from C:\morphordservicel0soft\is-4vtcs.tmp to C:\morphordservicel0soft\msvcr120.dll
from C:\morphordservicel0soft\is-7uo62.tmp to C:\morphordservicel0soft\msvcr80.dll
from C:\morphordservicel0soft\is-qjf36.tmp to C:\morphordservicel0soft\msvcr90d.dll
from C:\morphordservicel0soft\is-f6uh5.tmp to C:\morphordservicel0soft\msvcr100d.dll
from C:\morphordservicel0soft\is-88449.tmp to C:\morphordservicel0soft\msvcrtd.dll
from C:\morphordservicel0soft\is-niaqk.tmp to C:\morphordservicel0soft\msvcp120.dll
from %TEMP%\{07b391c0-a898-7d22-98c3-ab122811195a}\set930e.tmp to %TEMP%\{07b391c0-a898-7d22-98c3-ab122811195a}\usbbiodriver_x64.sys

Modifies the following files

%APPDATA%\mozilla\firefox\profiles\gn7ryp3k.default\cert8.db
%APPDATA%\mozilla\firefox\profiles\gn7ryp3k.default\key3.db

Network activity

Connects to

'oc##.thawte.com':80

TCP

HTTP GET requests

http://oc##.thawte.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQwF4prw9S7mCbCEHD%2Fyl6nWPkczAQUe1tFz6%2FOy3r9MZIaarbzRutXSFACEEeXTXhzpbyrDS%2BzcBkvzl4%3D

UDP

DNS ASK oc##.thawte.com
DNS ASK st####.rapidssl.com

Miscellaneous

Adds a root certificate

Searches for the following windows

ClassName: '' WindowName: ''

Creates and executes the following

'%TEMP%\is-ti4f8.tmp\<File name>.tmp' /SL5="$14023C,8052238,56832,<Full path to file>"
'%TEMP%\is-4ed92.tmp\morphordservicel0softsetup.exe' /qn /verysilent /SUPPRESSMSGBOXES /norestart
'%TEMP%\is-5hua0.tmp\morphordservicel0softsetup.tmp' /SL5="$2026E,7778902,56832,%TEMP%\is-4ED92.tmp\MorphoRdServiceL0SoftSetup.exe" /qn /verysilent /SUPPRESSMSGBOXES /norestart
'%WINDIR%\installer\msi8220.tmp' desinstall USB\VID_225D&PID_0001* USB\VID_225D&PID_0002&MI_00* USB\VID_225D&PID_0003&MI_00* USB\VID_079B&PID_0023* USB\VID_079B&PID_0024* USB\VID_079B&PID_0026&MI_00* USB\VID_079B&PID_0047* USB...
'%WINDIR%\installer\msi855c.tmp' remove USB\VID_225D&PID_0002&MI_01* USB\VID_225D&PID_0002* USB\VID_225D&PID_0003&MI_01* USB\VID_225D&PID_0003* USB\VID_079B&PID_0026&MI_01* USB\VID_079B&PID_0026* USB\VID_079B&PID_0052&MI_01* U...
'%WINDIR%\syswow64\serv_spusb.exe'
'%WINDIR%\installer\msia1e3.tmp' rescan
'C:\morphordservicel0soft\certmgr.exe' -add "C:\MorphoRdServiceL0Soft\safran.crt" -all -v -s -r localMachine root
'C:\morphordservicel0soft\certmgr.exe' -add "C:\MorphoRdServiceL0Soft\morpho.crt" -all -v -s -r localMachine CA
'C:\morphordservicel0soft\certutil.exe' -A -n abc@idemia.com -t "C,T,C" -i "C:\MorphoRdServiceL0Soft\morpho.crt" -d %APPDATA%\mozilla\firefox\Profiles/gn7ryp3k.default
'C:\morphordservicel0soft\morphointeractiverdservice.exe' -install start=auto
'C:\morphordservicel0soft\morphointeractiverdservice.exe'
'C:\morphordservicel0soft\morphordservicel0soft.exe'

Executes the following

'%WINDIR%\syswow64\cmd.exe' /C ""%TEMP%\is-4ED92.tmp\uninstall.bat" /qn /verysilent /SUPPRESSMSGBOXES /NORESTART"
'%WINDIR%\syswow64\net1.exe' stop MORPHO_RD_Service
'%WINDIR%\syswow64\sc.exe' delete MORPHO_RD_Service
'%WINDIR%\syswow64\msiexec.exe' /i "C:\MorphoRdServiceL0Soft\MorphoSmart USB Driver x64\MorphoSmart USB 64 bits Driver.msi" /qn /norestart
'%WINDIR%\syswow64\cmd.exe' /C ""C:\MorphoRdServiceL0Soft\Reg.bat" /Q"
'%WINDIR%\syswow64\cmd.exe' /c find /i "path=" "%APPDATA%\mozilla\firefox\profiles.ini"
'%WINDIR%\syswow64\find.exe' /i "path=" "%APPDATA%\mozilla\firefox\profiles.ini"
'%WINDIR%\syswow64\net.exe' start MORPHO_RD_Service
'%WINDIR%\syswow64\net1.exe' start MORPHO_RD_Service
'%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' Set-Service -Name MORPHO_RD_Service -StartupType Automatic

Технології

Терміни

Навчання

Міфи

Technical Information

Рекомендации по лечению

Демо бесплатно на 14 дней