
Backdoor:Win32/Gadwats.A


First posted on 17 September 2018.
Source: Microsoft

Aliases:

There are no other names known for Backdoor:Win32/Gadwats.A.

Explanation:

Installation
This threat is dropped by a .doc file that carries an embedded executable with SHA-256 ef4c76a0cfc7dbae22a4dcbdd1e652cf0cf026eb88ddda8f36319c19916da594. It is a banking trojan that searches for your default browser and tries to harvest system information through process injection.

Payload

Allows backdoor access and control

This threat can give a malicious hacker access to and control of your PC without your consent. It can then perform a number of different actions, such as:

  • Downloading malware to your PC
  • Stealing your sensitive data
  • Modifying your system settings
  • Running or stopping applications
  • Connecting to a remote host


Connects to remote host

We have observed this threat attempting to connect to the following IP address and ports in Brazil:
  • IP: 191.96.6.48:53
  • IP: 191.96.6.48:139
  • IP: 191.96.6.48:443
  • IP: 191.96.6.48:445
  • IP: 191.96.6.48:1053

This threat connects to its C2 server through a third-party browser's proxy connection, a service the vendor offers for faster browsing in its Android mobile browser: when the browser detects a slow connection such as 2G, it switches to proxy servers with built-in data compression, which speeds up loading times for text-based websites. This service is offered in select countries, including Indonesia, Brazil and India.

This threat tries to send system information and waits for a response from the C2 server before performing further malicious activities. For example, the file contains many encrypted strings that are decrypted at run time into the following command and parameter strings, which the attacker can use once the C2 server connection is established:

agent diff_md5 id name token INSTALL_STARTUP REPLACE_SHORTCUT args domain is_diff os type INSTALL_SHORTCUT DOWNLOAD attr extra_b is_local_admin last part uac UNINSTALL DOWNLOAD_URL bin_path extra_i log result user INSTALL_REGISTRY UPLOAD cmd extra_s logon_server short_ver uuid FIND_SHORTCUTS RUN_ASYNC cmd_id filename long_ver sid version INSTALL_SHORTCUT SET_PROP computer groups m_id status work_path UNINSTALL RUN_NOSHELL data guid max_size time_get INSTALL_REGISTRY FIND_SHORTCUTS TEST_CHANNEL



Additional information

This malware description was published using automated analysis of the file with SHA-256 7455c2e61b3ec81e24c727fba073b298d4385b6faf05aa4887940f83399b7738.

Last update 17 September 2018
