Win32/Equdrug [Threat Name] go to Threat

Win32/Equdrug.I [Threat Variant Name]

Category	trojan
Size	573440 B
Detection created	Jan 30, 2017
Detection database version	14853
Aliases	Trojan.Grayphish (Symantec)
	Troj/Eqdrug-H (Sophos)
	TrojanDropper:Win32/Fetrog.A (Microsoft)

Short description

Win32/Equdrug.I is a trojan that steals sensitive information. The trojan can send the information to a remote machine. It can be controlled remotely.

Installation

The trojan does not create any copies of itself.

The trojan creates the following files:

%systemroot%\system32\drivers\hrilib.sys
%systemroot%\system32\drivers\msndsrv.sys
%systemroot%\system32\drivers\ntevt.sys
%temp%\INSTV4.BAT
%systemroot%\temp\~yh56816.tmp
%systemroot%\fonts\VGAFIXA1.FON
C:\Windows\Temp\~yh56816.tmp

Installs the following system drivers (path, name):

%systemroot%\system32\drivers\hrilib.sys, hrilib
%systemroot%\system32\drivers\msndsrv.sys, msndsrv
%systemroot%\system32\drivers\ntevt.sys, ntevt

In order to be executed on every system start, the trojan sets the following Registry entries:

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\hrilib]
- "DisplayName" = "hrilib"
- "ErrorControl" = 1
- "ImagePath" = "system32\Drivers\hrilib"
- "Start" = 2
- "Type" = 1
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\msndsrv]
- "Config2" = %variable1%
- "DisplayName" = "msndsrv"
- "ErrorControl" = 1
- "Start" = 2
- "Type" = 1
- "ImagePath" = "system32\Drivers\msndsrv"
- "Group" = "SCSI Class"
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ntevt]
- "DisplayName" = "ntevt"
- "ErrorControl" = 1
- "Start" = 0
- "Type" = 1
- "ImagePath" = "system32\Drivers\ntevt"

A string with variable content is used instead of %variable1% .

The following Registry entries are created:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\MemSubSys]
- "{42E14DD3-F07A-78F1-7659-26AE141569AC-E0B3EE89}" = %malwareconfigurationdata1%
- "{A0CCDC61-7623-A425-7002-DB81F353945F-5A8ECFAD}" = %malwareconfigurationdata2%
- "{08DAB849-0E1E-A1F0-DCF1-457081E091DB-117DB663}" = %malwareconfigurationdata3%
- "1" = %malwareconfigurationdata4%
- "D" = %malwareconfigurationdata5%
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\hrilib\Parameters]
- "Data" = %encryptedmalwarefileoritscomponent1%
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%variable2%\Parameters]
- "%variable3%" = %encryptedmalwarefileoritscomponent2%
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%variable4%\Parameters]
- "%variable5%" = %encryptedmalwarefileoritscomponent3%
[HKEY_LOCAL_MACHINE\SYSTEM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\%variable6%]
- "%variable7%" = %encryptedmalwarefileoritscomponent4%

A string with variable content is used instead of %variable2-7% .

The following Registry entries are set:

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
- "1A03" = %value1%
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
- "ProxyServer" = %value2%
- "ProxyEnable" = %value3%
- "ProxyOveride" = %value4%
- "AutoConfigURL" = %value5%
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\%variable8%\Linkage]
- "UpperBind" = %value6%
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\%variable9%\Linkage]
- "Route" = %value7%
- "Bind" = %value8%
- "Export" = %value9%

A string with variable content is used instead of %variable8-9% .

A variable numerical value or a string with variable content is used instead of %value1-9% .

The following file is dropped into the %temp% folder:

INSTV4.BAT

The file is then executed.

To gain administrator access rights it attempts to exploit one of the following vulnerabilities:

* Windows Kernel Pointer Validation Vulnerability- CVE-2009-1124

* Windows Driver Class Registration Vulnerability - CVE-2009-1125

By exploiting this vulnerability, an attacker may be able to execute remote arbitrary code on a vulnerable system.

The trojan creates and runs a new thread with its own program code within the following processes:

services.exe

The trojan executes the following files:

%system%\cmd.exe
%windir%\command.com

After the installation is complete, the trojan deletes the original executable file.

Information stealing

Win32/Equdrug.I is a trojan that steals sensitive information.

The trojan collects the following information:

login user names for certain applications/services
login passwords for certain applications/services
list of running processes
network adapter information
operating system version
computer name
user name
language settings
list of disk devices and their type
memory status

The trojan can send the information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of (5) URLs. The HTTP, TCP protocol is used in the communication.

It can execute the following operations:

download files from a remote computer and/or the Internet
run executable files
execute shell commands
monitor network traffic
create Registry entries
delete Registry entries
various filesystem operations
terminate running processes
send gathered information

The trojan hooks the following Windows APIs:

NdisMRegisterMiniport (ndis.sys)
NdisMSendComplete (ndis.sys)
EthFilterDprIndicateReceive (ndis.sys)
socket (ws2_32.dll)
closesocket (ws2_32.dll)
bind (ws2_32.dll)
connect (ws2_32.dll)
send (ws2_32.dll)
recv (ws2_32.dll)
listen (ws2_32.dll)
accept (ws2_32.dll)
setsockopt (ws2_32.dll)
getsockopt (ws2_32.dll)
getsockname (ws2_32.dll)
gethostbyaddr (ws2_32.dll)
gethostbyname (ws2_32.dll)
gethostname (ws2_32.dll)
getaddrinfo (ws2_32.dll)
getnameinfo (ws2_32.dll)
getpeername (ws2_32.dll)
shutdown (ws2_32.dll)
ioctlsocket (ws2_32.dll)
select (ws2_32.dll)
sendto (ws2_32.dll)
recvfrom (ws2_32.dll)
WSADuplicateSocketA (ws2_32.dll)
WSASocketA (ws2_32.dll)

The trojan might attempt to hide its presence in the system.

It uses techniques common for rootkits.