Backdoor.Sockrat
First posted on 05 November 2015.
Source: Symantec
Aliases:
There are no other names known for Backdoor.Sockrat.
Explanation:
The Trojan is implemented as a Java application and may run on Linux, Mac OS X, and Windows computers.
When the Trojan is executed, it copies a Java Runtime Environment to the following folder on Windows computers so that it can run: %SystemDrive%\Documents and Settings\All Users\Application Data\Oracle\bin
The Trojan then creates the following file on Windows computers:
%UserProfile%\9eIIL67U9sQ\uShSr03Yik9.XSa6GP\[THREAT FILE NAME]
Next, the Trojan modifies the following registry entries on Windows computers:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\"ConsentPromptBehaviorAdmin" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\"ConsentPromptBehaviorUser" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\"EnableLUA" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\"DisableTaskMgr" = "2"
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\"DisableConfig" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\"DisableSR" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"BmCzm8ZiAP3" = "%SystemDrive%\Documents and Settings\All Users\Application Data\Roaming\Oracle\bin\javaw.exe -jar %UserProfile%\9eIIL67U9sQ\uShSr03Yik9.XSa6GP"
The Trojan then connects to the following remote location through TCP port 9898: officetartousi.no-ip.biz
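A defender's check for the registry and network indicators listed above, written as an added example; it is not part of the Symantec write-up. It assumes a registry snapshot already exported as (key, value name, data) tuples (for example from a live host or a forensic hive copy) and connection logs in a simple key=value line format; the snapshot and log lines embedded below are constructed test data, not real captures.

```python
"""Indicator checks for the Backdoor.Sockrat registry changes and C2 contact.
Added example, not Symantec's code; sample data below is constructed."""
import re

UAC_POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
HKCU_POLICY_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"
SR_POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore"
HKCU_RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"

# (key, value name) -> data as listed in the write-up. Together these turn UAC
# off, hide Task Manager and disable System Restore. DWORD data is compared as
# a decimal string, so callers must normalise e.g. 0x00000000 to "0" first.
SOCKRAT_REGISTRY_INDICATORS = {
    (UAC_POLICY_KEY, "ConsentPromptBehaviorAdmin"): "0",
    (UAC_POLICY_KEY, "ConsentPromptBehaviorUser"): "0",
    (UAC_POLICY_KEY, "EnableLUA"): "0",
    (HKCU_POLICY_KEY, "DisableTaskMgr"): "2",
    (SR_POLICY_KEY, "DisableConfig"): "1",
    (SR_POLICY_KEY, "DisableSR"): "1",
}

C2_HOST = "officetartousi.no-ip.biz"   # remote location named in the write-up
C2_PORT = 9898                         # TCP port named in the write-up

# The Run value name (BmCzm8ZiAP3 on the page) is random, so match the command
# line instead: javaw.exe started with -jar from a copied Oracle\bin JRE.
RUN_CMD_RE = re.compile(r"oracle\\bin\\javaw\.exe\s+-jar\s", re.IGNORECASE)


def _norm(key, name):
    # Registry keys and value names are case-insensitive on Windows.
    return (key.lower(), name.lower())


def check_registry(snapshot):
    """snapshot: iterable of (key, value_name, data). Returns a sorted list of
    human-readable findings for every indicator that matches."""
    values = {_norm(k, n): (n, str(d)) for k, n, d in snapshot}
    findings = []
    for (key, name), expected in SOCKRAT_REGISTRY_INDICATORS.items():
        present = values.get(_norm(key, name))
        if present is not None and present[1] == expected:
            findings.append(f"{name}={expected} under {key}")
    for (key, _), (name, data) in values.items():
        if key == HKCU_RUN_KEY.lower() and RUN_CMD_RE.search(data):
            findings.append(f"Run entry '{name}' launches javaw.exe -jar: {data}")
    return sorted(findings)


# Assumed log format (constructed): "... dst=<host> dport=<port> proto=<tcp|udp>"
LOG_RE = re.compile(r"dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)\s+proto=(?P<proto>\w+)")


def check_connections(log_lines):
    """Returns (strong, weak): lines contacting the C2 hostname are strong hits;
    TCP/9898 to any other host is a weaker hit worth a second look."""
    strong, weak = [], []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        dst = m.group("dst").lower()
        if dst == C2_HOST:
            strong.append(line)
        elif m.group("proto").lower() == "tcp" and int(m.group("dport")) == C2_PORT:
            weak.append(line)
    return strong, weak


# Constructed sample data: one host showing most of the listed changes.
SAMPLE_REGISTRY = [
    (UAC_POLICY_KEY, "EnableLUA", "0"),
    (UAC_POLICY_KEY, "ConsentPromptBehaviorAdmin", "0"),
    (UAC_POLICY_KEY, "ConsentPromptBehaviorUser", "5"),  # not the listed value
    (HKCU_POLICY_KEY, "DisableTaskMgr", "2"),
    (SR_POLICY_KEY, "DisableSR", "1"),
    (HKCU_RUN_KEY, "Updater", r"C:\Program Files\Vendor\updater.exe /quiet"),
    (HKCU_RUN_KEY, "BmCzm8ZiAP3",
     r"%SystemDrive%\Documents and Settings\All Users\Application Data\Roaming"
     r"\Oracle\bin\javaw.exe -jar %UserProfile%\9eIIL67U9sQ\uShSr03Yik9.XSa6GP"),
]
SAMPLE_LOG = [
    "2015-11-05T10:01:02Z src=10.0.0.7 dst=www.example.com dport=443 proto=tcp",
    "2015-11-05T10:01:09Z src=10.0.0.7 dst=officetartousi.no-ip.biz dport=9898 proto=tcp",
    "2015-11-05T10:02:30Z src=10.0.0.9 dst=203.0.113.5 dport=9898 proto=tcp",
    "2015-11-05T10:03:00Z src=10.0.0.9 dst=203.0.113.5 dport=9898 proto=udp",
]

if __name__ == "__main__":
    for f in check_registry(SAMPLE_REGISTRY):
        print("REGISTRY:", f)
    strong, weak = check_connections(SAMPLE_LOG)
    for line in strong:
        print("C2 CONTACT:", line)
    for line in weak:
        print("PORT 9898 (review):", line)
```

The registry check matches on the listed data values rather than on the random Run value name, so it still fires when a sample uses a different autostart name but the same javaw.exe -jar launch pattern; the port-only network match is deliberately reported separately because TCP/9898 alone is not specific to this family.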
Next, the Trojan attempts to stop the following applications:
- Process Hacker
- MsConfig
- Windows Defender
- Process Explorer
- Wireshark
- MalwareBytes
- Ad-Aware Antivirus
- Ahnlab V3 Internet Security 8.0
- Bull Guard Antivirus
- ClamWin Antivirus
- COMODO Antivirus
- EScan Antivirus
- F-Secure Antivirus
- F-PROT Antivirus
- G DATA Antivirus
- IKARUS Antivirus
- Immunet Antivirus
- K7 Ultimate Antivirus
- NANO Antivirus
- Norman Antivirus
- Norton Internet Security
- Outpost Security Suite Pro
- Panda Antivirus
- Quick Heal Antivirus
- SUPER Anti-Spyware
- K7 Ultimate Antivirus
- Trend Micro Antivirus+
- VIPRE Security 2015
- Baidu Antivirus 2015
- MCShield Anti-Malware Tool
- SPYBOT AntiMalware
- UnThreat Antivirus
- FortiClient
The Trojan may then perform the following actions:
- Edit its configuration file to change its command-and-control servers, installation locations, and registry entries
- Identify if the computer is a virtual machine
- Execute WScript, .jar files, and processes
- Upload and download files
- Traverse the file system
- Display dialogue boxes
- Open a URL with the default web browser
- Gather IP address, host name, and memory size
Last update 05 November 2015