TrojanDownloader:Win32/Bradop.A


First posted on 25 May 2012.
Source: Microsoft

Aliases:

TrojanDownloader:Win32/Bradop.A is also known as Gen:Variant.Barys.2297 (BitDefender), Win32/TrojanDownloader.Banload.QYV trojan (ESET), Trojan.Win32.Jorik.Banker.avo (Kaspersky).

Explanation:

TrojanDownloader:Win32/Bradop.A is the downloader component of the Win32/Bradop family of trojans, which steal online banking credentials from customers of Brazilian banks, as well as email credentials. It is distributed via spam email messages that contain links to its download.

Distribution

TrojanDownloader:Win32/Bradop.A is distributed via spammed email messages. The following are some examples of the spammed email messages that it arrives in:

Installation

TrojanDownloader:Win32/Bradop.A drops the following file, which is also detected as TrojanDownloader:Win32/Bradop.A and is the downloading component of this family:

%Temp%\strFileDestVar1.cpl

Note that in most TrojanDownloader:Win32/Bradop.A samples, the downloader uses this file name. However, some samples may also use random file names for the downloader, for example, "ouxz1357bdfgiln.cpl".

TrojanDownloader:Win32/Bradop.A checks whether User Account Control (UAC) is enabled. If it is, TrojanDownloader:Win32/Bradop.A disables UAC and modifies the following registry entry so that its dropped file automatically runs every time Windows starts:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "<random text>"
With data: "%windir%\SysTem32\rundll32.exe Shell32.dll,Control_RunDLL "%temp%\strFileDestVar1.cpl""

If UAC is disabled, or if the operating system does not support UAC (for example, Windows 2000), TrojanDownloader:Win32/Bradop.A executes the following command to run its downloader file:

run %windir%\System32\rundll32.exe Shell32.dll,Control_RunDLL "%temp%\strFileDestVar1.cpl"

Note that in some samples, TrojanDownloader:Win32/Bradop.A restarts computers in which it has disabled UAC to ensure that the changes take effect.

Some variants of TrojanDownloader:Win32/Bradop.A open a webpage with Internet Explorer in an attempt to trick you into thinking that no malicious activity is taking place. Most of the time, the webpage is an article featuring Brazilian news or multimedia resources, for example:

  • www.youtube.com/watch?v=afK5iFvYPfE
  • acritica.uol.com.br/buzz/Manaus-Amazonas-Amazonia-Advogado-Dieckmann-objetivo-indenizacao-dificultar_0_698330219.html
  • www.belasmensagens.com.br/amizade/do-pouco-que-eu-queria-2427.html
  • www.belasmensagens.com.br/amizade/amizade-para-o-infinito-2394.html
  • tvg.globo.com/bbb/bbb12/noticias/noticia/2012/03/bate-papo-gente-so-se-encontra-com-camera-rafa-ao-encontrar-renata.html
  • natelinha.uol.com.br/bbb12/2012/02/29/bbb-12-monique-se-irrita-com-comentario-de-fabiana-152250.php
Payload

Downloads data-stealing malware

BHO component

TrojanDownloader:Win32/Bradop.A downloads a Browser Helper Object (BHO) component from a certain URL and saves it using the following format:

%windir%\<folder>\<file name>

where <folder> is the randomly chosen name of an existing folder on your computer, and <file name> is the randomly chosen name of an existing file on your computer that is not in <folder>, for example:

C:\WINDOWS\Help\sfc.dll, where the existing sfc.dll is in <system folder>

TrojanDownloader:Win32/Bradop.A then registers the downloaded BHO; the BHO is detected as variants of TrojanSpy:Win32/Bradop.

TrojanDownloader:Win32/Bradop.A also opens a new instance of Internet Explorer to ensure that its BHO payload is run.

Data file

As part of its infection routine, TrojanDownloader:Win32/Bradop.A also creates a data file with either of the following names:

  • <system folder>\inf\machinez.inf
  • <system folder>\inf\machine1.inf
  • <system folder>\inf\machineusa.inf
  • <system folder>\inf\<computer name>.inf
This file contains information used by the BHO to locate a configuration file, a log file, and other data.
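As an added defensive triage example (not part of Microsoft's write-up), the PowerShell below checks a host for the persistence entry, the dropped .cpl and the .inf data files described under "Installation" and "Data file" above. It assumes <system folder> is %windir%\system32 and uses the standard EnableLUA registry value, which the write-up does not name, as the UAC check.

```powershell
# Added example: host triage for the Win32/Bradop.A indicators described on this page.
# Assumptions: <system folder> = %windir%\system32; EnableLUA (not named in the write-up)
# is the value Windows uses to record whether UAC is on. Run from an elevated prompt.
function Find-BradopIndicators {
    $findings = @()

    # 1. Persistence: any Run value that launches a .cpl through Shell32 Control_RunDLL.
    $runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    if (Test-Path $runKey) {
        foreach ($p in (Get-ItemProperty -Path $runKey).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSProvider and friends
            $data = [string]$p.Value
            if ($data -match 'rundll32\.exe\s+Shell32\.dll,Control_RunDLL' -and $data -match '\.cpl') {
                $findings += [pscustomobject]@{ Type = 'RunKey'; Name = $p.Name; Detail = $data }
            }
        }
    }

    # 2. UAC switched off (EnableLUA = 0), which the downloader does before writing its Run value.
    $uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $lua = (Get-ItemProperty -Path $uacKey -ErrorAction SilentlyContinue).EnableLUA
    if ($lua -eq 0) {
        $findings += [pscustomobject]@{ Type = 'UACDisabled'; Name = 'EnableLUA'; Detail = $lua }
    }

    # 3. Dropped files: the fixed strFileDestVar1.cpl name plus any other .cpl in %temp%,
    #    which covers the random-name variants the write-up mentions.
    foreach ($f in (Get-ChildItem -Path $env:TEMP -Filter '*.cpl' -File -ErrorAction SilentlyContinue)) {
        $findings += [pscustomobject]@{ Type = 'TempCpl'; Name = $f.FullName; Detail = $f.LastWriteTime }
    }

    # 4. The .inf data files the BHO reads, including the <computer name>.inf form.
    $infDir = Join-Path $env:windir 'system32\inf'
    foreach ($name in @('machinez.inf', 'machine1.inf', 'machineusa.inf', "$($env:COMPUTERNAME).inf")) {
        $path = Join-Path $infDir $name
        if (Test-Path -LiteralPath $path) {
            $stamp = (Get-Item -LiteralPath $path).LastWriteTime
            $findings += [pscustomobject]@{ Type = 'InfDataFile'; Name = $path; Detail = $stamp }
        }
    }
    return $findings
}

Find-BradopIndicators | Format-Table -AutoSize
```

A hit on the Run key or the .inf files is a strong signal; a stray .cpl in %temp% on its own warrants a look at the file's hash and timestamp before drawing conclusions.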

Configuration file

TrojanDownloader:Win32/Bradop.A comes bundled with a configuration file, which it drops as the following file:

%windir%\<folder>\<file name>

where <folder> is the randomly chosen name of an existing folder on your computer, and <file name> is the randomly chosen name of an existing file on your computer that is not in <folder>, for example:

C:\WINDOWS\Help\d3d9.dll, where the existing d3d9.dll is in <system folder>

This file contains an alternate download location for the BHO, as well as the IP address and credentials of an attacker-controlled MySQL server on which the stolen information is stored.

Analysis by Marian Radu

Last update 25 May 2012
