Backdoor.Cadelspy
First posted on 10 September 2015.
Source: Symantec
Aliases:
There are no other names known for Backdoor.Cadelspy.
Explanation:
Once executed, the Trojan may create the following folders:
%System%\ntinfo32
%System%\ntsvc32
%System%\ntsvc32\update
%System%\ntinfo32\completed\upl
%System%\ntinfo32\completed\p[NUMBER]
%System%\_tmp001\x86
%System%\_tmp001\x64
The Trojan creates the following files:
%System%\ntsvc32\2094012403.cfg
%System%\ntsvc32\2094012403.rou
%System%\ntsvc32\ntsvc32.dll
%System%\ntsvc32\ntsvcst32.dll
%System%\ntinfo32\completed\p[NUMBER]\2094012403-[YEAR-MONTH-DAY]-(12-46-51)-006.fjr_0001.ecm
%System%\ntinfo32\completed\upl\2094012403-[YEAR-MONTH-DAY]-(12-54-51)-045.fjr_0006.ecm
Once the compromised computer is restarted, the Trojan injects the following file into the explorer.exe process:
%System%\ntsvc32\ntsvcst32.dll
The Trojan then creates the following registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\"LoadAppInit_DLLs" = "1"
The Trojan also creates the following registry subkeys:
HKEY_CURRENT_USER\Software\ntsvc32
HKEY_CURRENT_USER\Software\ntsvc32\FLS
HKEY_CURRENT_USER\Software\ntsvc32\HDD
HKEY_CURRENT_USER\Software\ntsvc32\HST
HKEY_CURRENT_USER\Software\ntsvc32\PAP
HKEY_CURRENT_USER\Software\ntsvc32\ROU
HKEY_CURRENT_USER\Software\ntsvc32\UPL
Next, the Trojan may delete the following files:
%Temp%\_tmp001\x64
%Temp%\_tmp001\x64\2094012403.cfg
%Temp%\_tmp001\x64\2094012403.rou
%Temp%\_tmp001\x64\ntsvc32.dll
%Temp%\_tmp001\x64\ntsvcst32.dll
%Temp%\_tmp001\x86
%Temp%\_tmp001\x86\2094012403.cfg
%Temp%\_tmp001\x86\2094012403.rou
%Temp%\_tmp001\x86\ntsvc32.dll
%Temp%\_tmp001\x86\ntsvcst32.dll
The Trojan may connect to the following remote locations:
[http://]faceskinpros.com[REMOVED]
[http://]domaincloudfire.com[REMOVED]
The Trojan then opens a back door on the compromised computer, allowing an attacker to perform the following actions:
Log keystrokes
Collect window titles of executed applications
The Trojan saves the stolen information to the following locations:
%System%\ntinfo32\completed\p[NUMBER]\2094012403-[YEAR-MONTH-DAY]-(12-46-51)-006.fjr_0001.ecm
%System%\ntinfo32\completed\upl\2094012403-[YEAR-MONTH-DAY]-(12-54-51)-045.fjr_0006.ecm
The Trojan then sends the stolen information to the following remote location:
[http://]faceskinpros.com/scripts/upload[REMOVED]
The Trojan may connect to the following remote location to download configuration files and additional components:
[http://]faceskinpros.com/allusers/2094012403.rou[REMOVED]
Last update 10 September 2015
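The following host triage script is an added example and is not part of the Symantec writeup; it checks a Windows machine for the file, registry and process artifacts listed above. It assumes %System% maps to $env:SystemRoot\System32 and %Temp% to $env:TEMP, and the AppInit_DLLs value check is an addition beyond what the writeup records.

```powershell
$sys = Join-Path $env:SystemRoot 'System32'   # assumed expansion of %System%
$findings = New-Object System.Collections.Generic.List[string]

# 1. Dropped folders and files under %System% and %Temp% named in the writeup
$paths = @(
    (Join-Path $sys 'ntinfo32'),
    (Join-Path $sys 'ntsvc32'),
    (Join-Path $sys 'ntsvc32\2094012403.cfg'),
    (Join-Path $sys 'ntsvc32\2094012403.rou'),
    (Join-Path $sys 'ntsvc32\ntsvc32.dll'),
    (Join-Path $sys 'ntsvc32\ntsvcst32.dll'),
    (Join-Path $sys '_tmp001'),
    (Join-Path $env:TEMP '_tmp001')
)
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) { $findings.Add("Path present: $p") }
}
# Collected-data containers: *.ecm under ntinfo32\completed. The sample names embed a
# date and time, so match on the extension instead of the exact names above.
$completed = Join-Path $sys 'ntinfo32\completed'
if (Test-Path -LiteralPath $completed) {
    Get-ChildItem -LiteralPath $completed -Recurse -Filter '*.ecm' -ErrorAction SilentlyContinue |
        ForEach-Object { $findings.Add("Collected-data file: $($_.FullName)") }
}

# 2. AppInit_DLLs injection. The writeup records LoadAppInit_DLLs = 1 (which enables the
#    mechanism); AppInit_DLLs is the companion value naming the DLLs to load, so it is
#    also checked for ntsvcst32.dll. That second check goes beyond the writeup.
$winKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$win = Get-ItemProperty -Path $winKey -ErrorAction SilentlyContinue
if ($win.LoadAppInit_DLLs -eq 1) { $findings.Add("LoadAppInit_DLLs = 1 under $winKey") }
if ($win.AppInit_DLLs -match 'ntsvcst32') { $findings.Add("AppInit_DLLs names ntsvcst32.dll: $($win.AppInit_DLLs)") }

# 3. Per-user state: HKCU\Software\ntsvc32 and its FLS/HDD/HST/PAP/ROU/UPL subkeys
$userKey = 'HKCU:\Software\ntsvc32'
if (Test-Path -LiteralPath $userKey) {
    $subs = (Get-ChildItem -Path $userKey -ErrorAction SilentlyContinue).PSChildName -join ','
    $findings.Add("Registry key present: $userKey (subkeys: $subs)")
}

# 4. Is ntsvcst32.dll currently loaded in explorer.exe?
Get-Process -Name explorer -ErrorAction SilentlyContinue | ForEach-Object {
    $mods = try { $_.Modules } catch { @() }   # module listing can fail without rights
    if ($mods | Where-Object { $_.ModuleName -ieq 'ntsvcst32.dll' }) {
        $findings.Add("ntsvcst32.dll loaded in explorer.exe (PID $($_.Id))")
    }
}

if ($findings.Count -eq 0) { 'No Backdoor.Cadelspy artifacts found.' } else { $findings }
```

Run it from an elevated prompt; the HKCU check only covers the current user, so repeat it per logged-on user or enumerate HKEY_USERS on shared machines.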