Home / malwarePDF  

Trojan:Win32/Ramdo.A


First posted on 07 November 2019.
Source: Microsoft

Aliases :

Trojan:Win32/Ramdo.A is also known as BackDoor.Finder.11, Win32/Kryptik.BSNW trojan, Redyms-FDJR!851716E07456.

Explanation :

Installation

It drops itself into your PC as the file %APPDATA%verison.dll. It renames itself as HpM3Util.exe so that it starts every time Windows starts.

It creates these registry values to store its configuration data:

In subkey: HKCUSOFTWAREAdobeAdobe ARM1.0ARM
Sets value: "tLast_ReadedSpec"
With data: ""

In subkey: HKCUSOFTWAREAdobeAdobe ARM1.0ARM
Sets value: "tLastCollab_doc"
With data: ""

Payload

Disables features of security software

This threat injecets itself into all 32-bit processes and then tries to unload these DLL files:

UMEngx86.dll wl_hook.dll

These files are used by certain security software, so if this threat is successful in unloading these files, your security software won't run properly.

Connects to a server

This threat tries to collect the following information about your PC:

What operating system version you're running If it's running in a virtual environment What version of Adobe Flash is installed in your PC How many processors you have in your PC Your PC's GUID

It then tries to send the information to a server with a name generated using a specific algorithm.

Depending on commands from the server, it might also do the following on your PC:

Update itself Update its configuration Load modules

Does click-fraud

It does click-fraud by generating fake clicks to ads in the server in 95.211.193.11 (the referrer is starmina.net).

It also hooks these APIs to hide its click-fraud activities:

CoCreateInstance DialogBoxIndirectParamAorW GetCursorPos waveOutOpen waveOutSetVolume

Depending on how many processors you have in your PC, this threat might start one or multiple instances of these files, into which it injects itself to do its click-fraud activities:

%SystemRoot% wunk_32.exe %SystemRoot% winhlp32.exe

It also creates these registry values to hide the browser while it does click-fraud:

In subkey: HKCUSOFTWAREMicrosoftInternet ExplorerMainFeatureControlFEATURE_BROWSER_EMULATION
Sets value: "twunk_32.exe"
With data: "9000"
Sets value: "winhlp32.exe"
With data: "9000"

Analysis by Shawn Wang

Last update 07 November 2019

 

TOP