
Infostealer.Bankeiya.B


First posted on 29 May 2014.
Source: Symantec

Aliases:

There are no other names known for Infostealer.Bankeiya.B.

Explanation:

The Trojan arrives after being downloaded by other malware.

When the Trojan is executed, it creates the following registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"v3configure"="rundll32.exe [MALWARE FILE NAME],A"

The Trojan creates the following files:
%UserProfile%\Local Settings\Temp\ieversion.dat
%UserProfile%\Local Settings\Temp\gameenabled.jpg
%UserProfile%\Local Settings\Temp\winurl.dat
%UserProfile%\Local Settings\Temp\version.dat
C:\a.dat

The Trojan opens a back door on the compromised computer, and connects to the following location:
[http://]www.uravidata.com/eng/log/test[REMOVED]

The Trojan downloads and executes a DLL file from the following location:
[http://]www.nanki-pg.co.jp/bbs/images/admin[REMOVED]

The Trojan saves the file as the following:
%UserProfile%\Local Settings\Temp\ahnMse64.dll (For 64-bit systems)
%UserProfile%\Local Settings\Temp\ahnMse32.dll (For 32-bit systems)

The Trojan filters traffic from the following library files:
nspr4.dll
chrome.dll

The Trojan may then use chrome.dll to perform the following actions:
Read HTTP requests
Read unencrypted HTML pages

The Trojan filters traffic from the following APIs to steal information:
HttpSendRequestW (For Internet Explorer)
PR_Write (For Firefox)

The Trojan looks for the string sets related to online banking (listed at the bottom of this writeup) and, if one is found, steals the following information:
Username
Password

The Trojan uploads the stolen information to the following locations:
[http://]www.tvnews.or.kr/xe/bbs/boar[REMOVED]
[http://]www.eshining.co.kr/bbs5/zboar[REMOVED]

The Trojan writes the stolen data to the following location:
%UserProfile%\Local Settings\Temp\d3d8d4.ini

Note: The string sets mentioned above are:

Set 1:
_PAGEID=, _SENDTS=, KEIYAKU_NO=, PASSWORD=
Set 2:
_PAGEID=, _SENDTS=, KAKUNIN_NO=
Set 3:
domainSumitomo=, USRID=, USRID1=, USRID2=, PASSWORD=
Set 4:
TrxID=, V_OTPW_PASSWORD=, PASSWD2_1=, PASSWD2_2=
Set 5:
event=, okyakusamaBangou1=, okyakusamaBangou2=, okyakusamaBangou3=, pm_fp=
Set 6:
event=, aikotoba=, pm_fp=
Set 7:
event=, loginPassword=, pm_fp=
Set 8:
event=, shouninAnshouBangou=
Set 9:
KeiyakuNo=, Next=, pm_fp=
Set 10:
NLS=, Anshu1No=, jsAware=
Set 11:
NLS=, Anshu2=, Anshu2_2=, Anshu2_3=, Anshu2_4=, pm_fp=
Set 12:
NLS=, InknKzBox=, InknKzNo=, InputThrKn=, pm_fp=
Set 13:
jsAware=, NLS=, rskAns=
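Added example, not Symantec's code or tooling: a few Python helpers that check already-collected host and proxy data (Run-key values, file paths, request bodies) against the indicators in this writeup, so a responder can triage a host or confirm whether a login form falls inside the Trojan's string sets. It assumes a set is hit when every field name in it appears in a request body, since the writeup does not state the exact matching rule; the sample inputs used in the test are constructed.

```python
"""IOC helpers for the Infostealer.Bankeiya.B indicators in this writeup (added
example, not Symantec's tooling). Works on already-collected data (Run-key
values, file paths, request bodies), so it runs offline."""
import re
from typing import Dict, Iterable, List

# Persistence: Run value "v3configure" launching rundll32.exe with the malware
# DLL and export "A". The DLL name is not known, so only the shape is matched.
RUN_VALUE_NAME = "v3configure"
RUN_DATA_RE = re.compile(r"^rundll32(\.exe)?\s+\S.*,\s*A$", re.IGNORECASE)

# Dropped files; only the file name is compared because %UserProfile% varies.
DROPPED_NAMES = {"ieversion.dat", "gameenabled.jpg", "winurl.dat", "version.dat",
                 "ahnmse64.dll", "ahnmse32.dll", "d3d8d4.ini"}
DROPPED_FULL = {r"c:\a.dat"}

# The 13 form-field sets the Trojan searches outgoing requests for.
STRING_SETS = [
    ["_PAGEID=", "_SENDTS=", "KEIYAKU_NO=", "PASSWORD="],
    ["_PAGEID=", "_SENDTS=", "KAKUNIN_NO="],
    ["domainSumitomo=", "USRID=", "USRID1=", "USRID2=", "PASSWORD="],
    ["TrxID=", "V_OTPW_PASSWORD=", "PASSWD2_1=", "PASSWD2_2="],
    ["event=", "okyakusamaBangou1=", "okyakusamaBangou2=", "okyakusamaBangou3=", "pm_fp="],
    ["event=", "aikotoba=", "pm_fp="],
    ["event=", "loginPassword=", "pm_fp="],
    ["event=", "shouninAnshouBangou="],
    ["KeiyakuNo=", "Next=", "pm_fp="],
    ["NLS=", "Anshu1No=", "jsAware="],
    ["NLS=", "Anshu2=", "Anshu2_2=", "Anshu2_3=", "Anshu2_4=", "pm_fp="],
    ["NLS=", "InknKzBox=", "InknKzNo=", "InputThrKn=", "pm_fp="],
    ["jsAware=", "NLS=", "rskAns="],
]

def check_run_values(run_values: Dict[str, str]) -> List[str]:
    """Return Run entries (name=data) matching the writeup's persistence value."""
    return [f"{n}={d}" for n, d in run_values.items()
            if n.lower() == RUN_VALUE_NAME and RUN_DATA_RE.match(d.strip())]

def check_files(paths: Iterable[str]) -> List[str]:
    """Return paths whose file name (or full path, for C:\\a.dat) is a dropped-file IOC."""
    return [p for p in paths
            if p.lower() in DROPPED_FULL or p.lower().rsplit("\\", 1)[-1] in DROPPED_NAMES]

def matching_string_set(body: str) -> int:
    """1-based index of the first set whose fields ALL occur in body, else 0 (assumed rule)."""
    for i, fields in enumerate(STRING_SETS, 1):
        if all(f in body for f in fields):
            return i
    return 0
```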

Last update 29 May 2014
