Trojan:Win32/Adylkuzz.B
First posted on 20 May 2017.
Source: Microsoft
Aliases:
There are no other names known for Trojan:Win32/Adylkuzz.B.
Explanation:
Installation
This threat terminates the following processes upon execution:
- hdmanager.exe
- mmc.exe
- msiexev.exe - coin-mining process
It terminates any existing instance of its coin-mining process. This behavior indicates that it can update an existing version of this threat on the infected machine.
While running, it can also terminate processes belonging to tools used to view running processes, such as Task Manager and Process Explorer.
It also checks for certain processes, most of which belong to various antivirus products:
- 360sd.exe
- avastsvc.exe
- avgnsx.exe
- avguard.exe
- avp.exe
- ccsvchst.exe
- fsdfwd.exe
- guardxservice.exe
- kwatch.exe
- mcshield.exe
- msseces.exe
- nod32krn.exe
- qhlpsvc.exe
- ravmon.exe
- sfctlcom.exe
- spidernt.exe
- xcomsvr.exe
Adds files
This threat can add any of the following files:
- C:\Windows\Prefetch\wuauser.exe - copy of the malware
- C:\Windows\security\msiexev.exe - miner executable
- C:\Windows\Prefetch\history.txt
- C:\Windows\Prefetch\id.txt
- C:\Windows\Fonts\wuauser.exe - copy of the malware
- C:\Windows\Fonts\msiexev.exe - miner executable
- C:\Windows\Fonts\history.txt
- C:\Windows\Fonts\id.txt
- C:\Windows\Temp\{random}._Miner_.log (example: C:\Windows\Temp\s244._Miner_.log)
Creates a service
This threat then creates a service so that it automatically runs upon system start-up.
Example of the service name that it uses:
- Windows Event Log Management
Below is a screenshot of the service created:
Related registry entries
It creates the following registry entries so that it runs each time you start your PC. For example:
In subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WELM
Sets value: "Type"
With data: "dword:00000010"
Sets value: "Start"
With data: "dword:00000002"
Sets value: "ErrorControl"
With data: "dword:00000000"
Sets value: "ImagePath"
With data: "hex(2):"C:\Windows\Fonts\wuauser.exe --server"
Sets value: "DisplayName"
With data: "Windows Event Log Management"
Sets value: "WOW64"
With data: "dword:00000001"
Sets value: "ObjectName"
With data: "LocalSystem"
Sets value: "FailureActions"
With data: "hex:10,0e,00,00,00,00,00,00,00,00,00,00,01,00,00,00,14,00,00,00,01,00,00,00,60,ea,00,00"
Sets value: "Description"
With data: "Windows Provides Event Log to access management information"
Payload
Stops and deletes the following services
Before installing itself, it stops and deletes any of the following services to terminate any instance or previous version that may be running on your PC:
- sc stop WELM
- sc delete WELM
- sc stop WHDMIDE
- sc delete WHDMIDE
This behavior also indicates that it can update an existing version of the threat on the infected machine.
Blocks ports and allows certain files in the firewall
This threat can create an IPsec policy named netbc to block SMB (Server Message Block) connections to the infected machine.
To do so, this threat issues any of the following commands:
netsh ipsec static add policy name=netbc
netsh ipsec static add filterlist name=block
netsh ipsec static add filteraction name=block action=block
netsh ipsec static add filter filterlist=block any srcmask=32 srcport=0 dstaddr=me dstport=445 protocol=tcp description=445
netsh ipsec static add rule name=block policy=netbc filterlist=block filteraction=block
netsh ipsec static set policy name=netbc assign=y
It can also add firewall rules to allow connections made by certain files:
netsh advfirewall firewall add rule name="Chrome" dir=in program="C:\Program Files (x86)\Google\Chrome\Application\chrome.txt" action=allow
netsh advfirewall firewall add rule name="Windriver" dir=in program="C:\Program Files (x86)\Hardware Driver Management\windriver.exe" action=allow
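To turn the persistence, file, IPsec and firewall indicators described above into a host check, here is an added read-only triage script; it is not part of the Microsoft description and assumes Windows 8/Server 2012 or later (for the NetSecurity cmdlets) and that locally created IPsec policies are stored under HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local.

```powershell
# Adylkuzz.B host triage (added example, not Microsoft's code). Read-only:
# it reports indicators from the description above and changes nothing.
# Run from an elevated PowerShell so service and registry queries succeed.
$findings = @()

# 1. Service persistence: WELM (current name) and WHDMIDE (older name the threat removes)
foreach ($svc in 'WELM', 'WHDMIDE') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if ($s) { $findings += "Service present: $svc ($($s.Status), '$($s.DisplayName)')" }
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
    if (Test-Path -LiteralPath $key) {
        $p = Get-ItemProperty -LiteralPath $key
        $findings += "Registry: $key ImagePath=$($p.ImagePath)"
    }
}

# 2. Dropped files in the locations listed under "Adds files"
$paths = @(
    "$env:windir\Prefetch\wuauser.exe", "$env:windir\security\msiexev.exe",
    "$env:windir\Prefetch\history.txt", "$env:windir\Prefetch\id.txt",
    "$env:windir\Fonts\wuauser.exe",    "$env:windir\Fonts\msiexev.exe",
    "$env:windir\Fonts\history.txt",    "$env:windir\Fonts\id.txt"
)
foreach ($f in $paths) { if (Test-Path -LiteralPath $f) { $findings += "File present: $f" } }
Get-ChildItem -Path "$env:windir\Temp" -Filter '*._Miner_.log' -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "Miner log: $($_.FullName)" }

# 3. IPsec policy 'netbc' (blocks inbound TCP/445). Assumption: local policies live in
#    this registry store, one ipsecPolicy{GUID} subkey each, with the name in ipsecName.
$ipsecRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local'
Get-ChildItem -Path $ipsecRoot -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -like 'ipsecPolicy*' } |
    ForEach-Object {
        $name = (Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue).ipsecName
        if ($name -eq 'netbc') { $findings += "IPsec policy 'netbc' present ($($_.PSChildName))" }
    }

# 4. Inbound allow rules named Chrome/Windriver that point at the threat's program paths
foreach ($rule in Get-NetFirewallRule -DisplayName 'Chrome', 'Windriver' -ErrorAction SilentlyContinue) {
    $prog = ($rule | Get-NetFirewallApplicationFilter).Program
    if ($prog -match 'chrome\.txt$|Hardware Driver Management\\windriver\.exe$') {
        $findings += "Firewall rule '$($rule.DisplayName)' allows $prog"
    }
}

if ($findings) { $findings | ForEach-Object { Write-Output "[!] $_" } }
else { Write-Output 'No Adylkuzz.B indicators found' }
```

A hit on the service, the Fonts/Prefetch copies or the netbc policy is the strongest signal; a rule named "Chrome" pointing at a .txt file is the cheapest to spot at scale via firewall rule inventory.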
Runs a coin miner executable
This trojan is a coin miner. It runs a clean coin miner executable with certain parameters to start the mining process.
See an example of the coin miner executable command below:
Connects to a remote host
We have seen this threat connect to any of the following remote hosts:
- 08.super5566.com
- am.super1024.com
It connects to a remote host to do any of the following:
- Download additional component files, such as the coin miner executable and coin mining parameters
- Download and execute a newer version
Analysis by: James Patrick Dee
Last update: 20 May 2017