
Backdoor:Win32/Simda.AT

First posted on 25 June 2019.
Source: Microsoft

Aliases:

Backdoor:Win32/Simda.AT is also known as Downloader/Win32.Andromeda, Backdoor.Win32.Simda.aedg, Trojan horse Simda.AAP, TR/Crypt.ZPACK.94160, Trojan.Rodricter.153, Win32/Simda.B trojan, W32/Kryptik.CQAY!tr.

Explanation:

Installation

We have seen this threat downloaded by exploits, such as the Fiesta exploit kit.

This threat installs itself in one of the following locations:

%APPDATA%\<random>.exe, for example %APPDATA%\iQ3w793.exe
%TEMP%\<random>.tmp, for example %TEMP%\A002.tmp

It changes the following registry entry so that it runs each time you start your PC:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
Sets value: <random>.exe
With data: "%APPDATA%\<random>.exe" opt, for example "%APPDATA%\iQ3w793.exe" opt

If the malware detects that it is running in a sandbox or test environment, it will either terminate or remain running in memory without doing anything. It avoids running in environments specific to:

Anubis
CWSandbox
JoeBox
VMWare

It does this to avoid analysis and detection. 

It might not install if any of the following antivirus researcher-related processes are running:

Aircrack-ng Gui.exe
apis32.exe
avp.exe
CamRecorder.exe
CamtasiaStudio.exe
cv.exe
DrvLoader.exe
dumpcap.exe
ERDNT.exe
ERUNT.exe
EtherD.exe
HookExplorer.exe
idag.exe
irise.exe
IrisSvc.exe
observer.exe
ollydbg.exe
EBrowseDbg.exe
proc_analyzer.exe
Regshot.exe
SandboxieDcomLaunch.exe
SandboxieRpcSs.exe
SbieCtrl.exe
SbieSvc.exe
sckTool.exe
sniff_hit.exe
Sniffer.exe
SUPERAntiSpyware.exe
SymRecv.exe
sysAnalyzer.exe
Syser.exe
tcpdump.exe
BoxService.exe
VBoxTray.exe
windbg.exe
WinDump.exe
wireshark.exe
wspass.exe
ZxSniffer.exe

It also checks for the following test environment-related registry entries:

AppEvents\Schemes\Apps\Bopup Observer
SOFTWARE\APIS32
SOFTWARE\B Labs\Bopup Observer
Software\Classes\*\shell\sandbox
Software\Classes\Folder\shell\sandbox
SOFTWARE\Classes\PEBrowseDotNETProfiler.DotNETProfiler
SOFTWARE\Classes\SUPERAntiSpywareContextMenuExt.SASCon.1
Software\CommView
SOFTWARE\Cygwin
Software\eEye Digital Security
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\wireshark.exe
Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\APIS32
Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Debugging Tools for Windows (x86)
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\APIS32
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ERUNT_is1
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Oracle VM VirtualBox Guest Additions
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sandboxie
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Win Sniffer_is1
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Wireshark
SOFTWARE\SUPERAntiSpyware.com
Software\Syser Soft
Software\Win Sniffer
SOFTWARE\xSniffer
SYSTEM\CurrentControlSet\Services\IRIS5
SYSTEM\CurrentControlSet\Services\SbieDrv
SYSTEM\CurrentControlSet\Services\SDbgMsg
SYSTEM\CurrentControlSet\Services\VBoxGuest

Payload

Redirects your search results

The malware adds entries to the hosts file to redirect popular search websites, such as Bing, Google and Facebook. When you use one of these legitimate websites to search, the malware will redirect to its own domain. We have seen this threat redirect searches to the following IP addresses:

85.17.81.55
107.181.187.40
146.0.75.27

If Mozilla Firefox is installed on your PC, this threat can create its own MozSearch plugin. It then sets this plugin as the default Mozilla browser toolbar search. When the toolbar search box is used, the modified hosts file redirects the request from the legitimate search engine to a malware domain.
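The hosts-file hijack described above is easy to check for on a suspect machine. The following is an added example (not code from the Microsoft write-up): it parses hosts-file text, flags any entry that maps one of the named search or social domains to a non-loopback address, and marks whether the address is one of the three redirect IPs listed in this write-up. The hosts content and the 203.0.113.9 line are constructed sample input.

```python
import ipaddress

# Redirect IPs listed in this write-up for Backdoor:Win32/Simda.AT.
SIMDA_REDIRECT_IPS = {"85.17.81.55", "107.181.187.40", "146.0.75.27"}

# Search/social domains the write-up says the malware hijacks via the hosts file.
WATCHED_DOMAINS = ("bing.com", "google.com", "facebook.com")

def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, ignoring comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        for name in names:
            yield ip, name.lower().rstrip(".")

def is_watched(hostname):
    return any(hostname == d or hostname.endswith("." + d) for d in WATCHED_DOMAINS)

def find_search_hijacks(text):
    """Return entries that point a watched domain at a routable (non-loopback) address."""
    findings = []
    for ip, name in parse_hosts(text):
        if not is_watched(name):
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed line, not an IP address
        if addr.is_loopback or addr.is_unspecified:
            continue  # 127.0.0.1 / 0.0.0.0 sinkholes are a common benign ad-block pattern
        findings.append({"ip": ip, "host": name, "known_simda_ip": ip in SIMDA_REDIRECT_IPS})
    return findings

# Constructed sample: benign lines plus Simda-style redirect entries.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
0.0.0.0         ads.example.com
85.17.81.55     www.google.com google.com
146.0.75.27     www.bing.com
203.0.113.9     www.facebook.com   # constructed address, not from the write-up
"""

if __name__ == "__main__":
    for finding in find_search_hijacks(SAMPLE_HOSTS):
        print(finding)
```

On a live Windows host the same function can be run over the contents of %SystemRoot%\System32\drivers\etc\hosts.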

Downloads other malware

This threat can connect to a remote host to upload information about your PC.

It also receives configuration data, including URLs to connect to and download files, including other malware. The downloaded files are written to the %TEMP% folder.

We have seen this threat connect to the following domains:

79.142.66.239
5.149.248.152

Analysis by Jayronn Christian Bucu

Last update 25 June 2019
