Win32/Equdrug [Threat Name]

Win32/Equdrug.I [Threat Variant Name]

Category: trojan
Size: 573440 B
Detection created: Jan 30, 2017
Detection database version: 14853
Aliases: Trojan.Grayphish (Symantec), Troj/Eqdrug-H (Sophos), TrojanDropper:Win32/Fetrog.A (Microsoft)
Short description

Win32/Equdrug.I is a trojan that steals sensitive information. The trojan can send the information to a remote machine. It can be controlled remotely.

Installation

The trojan does not create any copies of itself.


The trojan creates the following files:

  • %systemroot%\system32\drivers\hrilib.sys
  • %systemroot%\system32\drivers\msndsrv.sys
  • %systemroot%\system32\drivers\ntevt.sys
  • %temp%\INSTV4.BAT
  • %systemroot%\temp\~yh56816.tmp
  • %systemroot%\fonts\VGAFIXA1.FON
  • C:\Windows\Temp\~yh56816.tmp

It installs the following system drivers (path, name):

  • %systemroot%\system32\drivers\hrilib.sys, hrilib
  • %systemroot%\system32\drivers\msndsrv.sys, msndsrv
  • %systemroot%\system32\drivers\ntevt.sys, ntevt

In order to be executed on every system start, the trojan sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\hrilib]
    • "DisplayName" = "hrilib"
    • "ErrorControl" = 1
    • "ImagePath" = "system32\Drivers\hrilib"
    • "Start" = 2
    • "Type" = 1
  • [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\msndsrv]
    • "Config2" = %variable1%
    • "DisplayName" = "msndsrv"
    • "ErrorControl" = 1
    • "Start" = 2
    • "Type" = 1
    • "ImagePath" = "system32\Drivers\msndsrv"
    • "Group" = "SCSI Class"
  • [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ntevt]
    • "DisplayName" = "ntevt"
    • "ErrorControl" = 1
    • "Start" = 0
    • "Type" = 1
    • "ImagePath" = "system32\Drivers\ntevt"

A string with variable content is used instead of %variable1%.


The following Registry entries are created:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\MemSubSys]
    • "{42E14DD3-F07A-78F1-7659-26AE141569AC-E0B3EE89}" = %malwareconfigurationdata1%
    • "{A0CCDC61-7623-A425-7002-DB81F353945F-5A8ECFAD}" = %malwareconfigurationdata2%
    • "{08DAB849-0E1E-A1F0-DCF1-457081E091DB-117DB663}" = %malwareconfigurationdata3%
    • "1" = %malwareconfigurationdata4%
    • "D" = %malwareconfigurationdata5%
  • [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\hrilib\Parameters]
    • "Data" = %encryptedmalwarefileoritscomponent1%
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%variable2%\Parameters]
    • "%variable3%" = %encryptedmalwarefileoritscomponent2%
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%variable4%\Parameters]
    • "%variable5%" = %encryptedmalwarefileoritscomponent3%
  • [HKEY_LOCAL_MACHINE\SYSTEM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\%variable6%]
    • "%variable7%" = %encryptedmalwarefileoritscomponent4%

A string with variable content is used instead of %variable2-7%.


The following Registry entries are set:

  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
    • "1A03" = %value1%
  • [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    • "ProxyServer" = %value2%
    • "ProxyEnable" = %value3%
    • "ProxyOveride" = %value4%
    • "AutoConfigURL" = %value5%
  • [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\%variable8%\Linkage]
    • "UpperBind" = %value6%
  • [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\%variable9%\Linkage]
    • "Route" = %value7%
    • "Bind" = %value8%
    • "Export" = %value9%

A string with variable content is used instead of %variable8-9%.


A variable numerical value or a string with variable content is used instead of %value1-9%.
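An offline triage check for the persistence artifacts listed above, added here as an example and not ESET's code: it parses a `reg export` style dump and reports the three kernel driver services, the encrypted "Data" blob under hrilib\Parameters, and the MemSubSys configuration values named on this page. The sample export is constructed, not a real capture.

```python
# Indicators taken from the description above (service names, key paths, value names).
DRIVER_SERVICES = {"hrilib", "msndsrv", "ntevt"}
SERVICES_PREFIX = "HKEY_LOCAL_MACHINE\\SYSTEM\\CURRENTCONTROLSET\\SERVICES\\"
MEMSUBSYS_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\CONTROL\SESSION MANAGER\MEMSUBSYS"
MEMSUBSYS_VALUES = {"{42E14DD3-F07A-78F1-7659-26AE141569AC-E0B3EE89}",
                    "{A0CCDC61-7623-A425-7002-DB81F353945F-5A8ECFAD}",
                    "{08DAB849-0E1E-A1F0-DCF1-457081E091DB-117DB663}", "1", "D"}

def parse_reg(text: str) -> dict[str, dict[str, str]]:
    """Minimal 'reg export' parser: {key path (upper-cased): {value name: raw data}}."""
    keys: dict[str, dict[str, str]] = {}
    current = None
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].upper()
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")  # data kept raw: "string", dword:..., hex:...
            keys[current][name.strip('"')] = data
    return keys

def find_equdrug_artifacts(reg_text: str) -> list[str]:
    """One finding per Equdrug.I persistence artifact present in the export."""
    findings = []
    for key, values in parse_reg(reg_text).items():
        if key.startswith(SERVICES_PREFIX):
            name = key[len(SERVICES_PREFIX):].split("\\")[0].lower()  # ...\SERVICES\<name>[\...]
            if name in DRIVER_SERVICES and key.endswith("\\PARAMETERS") and "Data" in values:
                findings.append(f"{name}\\Parameters: encrypted component stored in 'Data'")
            elif name in DRIVER_SERVICES and "ImagePath" in values:
                findings.append(f"driver service {name}: Type={values.get('Type')} Start={values.get('Start')}")
        elif key == MEMSUBSYS_KEY:
            for v in sorted(values.keys() & MEMSUBSYS_VALUES):
                findings.append(f"MemSubSys config value {v}")
    return findings

# Constructed sample export (not a real capture): Equdrug.I keys plus one benign service.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hrilib]
"ImagePath"="system32\\Drivers\\hrilib"
"Start"=dword:00000002
"Type"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hrilib\Parameters]
"Data"=hex:de,ad,be,ef
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip]
"ImagePath"="system32\\drivers\\tcpip.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\MemSubSys]
"{42E14DD3-F07A-78F1-7659-26AE141569AC-E0B3EE89}"=hex:00,11
"1"=hex:22
"""
```

A real `reg export` file is UTF-16 and stores REG_EXPAND_SZ values such as ImagePath as `hex(2):`, so decode the file before passing it in; the matching above keys on paths and value names, which that encoding does not affect.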


The following file is dropped into the %temp% folder:

  • INSTV4.BAT

The file is then executed.


To gain administrator access rights, it attempts to exploit one of the following vulnerabilities:

  • Windows Kernel Pointer Validation Vulnerability - CVE-2009-1124
  • Windows Driver Class Registration Vulnerability - CVE-2009-1125

By exploiting one of these vulnerabilities, an attacker may be able to execute arbitrary code remotely on a vulnerable system.


The trojan creates and runs a new thread with its own program code within the following processes:

  • services.exe

The trojan executes the following files:

  • %system%\cmd.exe
  • %windir%\command.com

After the installation is complete, the trojan deletes the original executable file.

Information stealing

Win32/Equdrug.I is a trojan that steals sensitive information.


The trojan collects the following information:

  • login user names for certain applications/services
  • login passwords for certain applications/services
  • list of running processes
  • network adapter information
  • operating system version
  • computer name
  • user name
  • language settings
  • list of disk devices and their type
  • memory status

The trojan can send the information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a list of 5 URLs. The HTTP and TCP protocols are used for communication.


It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • execute shell commands
  • monitor network traffic
  • create Registry entries
  • delete Registry entries
  • various filesystem operations
  • terminate running processes
  • send gathered information

The trojan hooks the following Windows APIs:

  • NdisMRegisterMiniport (ndis.sys)
  • NdisMSendComplete (ndis.sys)
  • EthFilterDprIndicateReceive (ndis.sys)
  • socket (ws2_32.dll)
  • closesocket (ws2_32.dll)
  • bind (ws2_32.dll)
  • connect (ws2_32.dll)
  • send (ws2_32.dll)
  • recv (ws2_32.dll)
  • listen (ws2_32.dll)
  • accept (ws2_32.dll)
  • setsockopt (ws2_32.dll)
  • getsockopt (ws2_32.dll)
  • getsockname (ws2_32.dll)
  • gethostbyaddr (ws2_32.dll)
  • gethostbyname (ws2_32.dll)
  • gethostname (ws2_32.dll)
  • getaddrinfo (ws2_32.dll)
  • getnameinfo (ws2_32.dll)
  • getpeername (ws2_32.dll)
  • shutdown (ws2_32.dll)
  • ioctlsocket (ws2_32.dll)
  • select (ws2_32.dll)
  • sendto (ws2_32.dll)
  • recvfrom (ws2_32.dll)
  • WSADuplicateSocketA (ws2_32.dll)
  • WSASocketA (ws2_32.dll)

The trojan might attempt to hide its presence in the system. It uses techniques common to rootkits.
