Backdoor.Darpapox
First posted on 23 April 2015.
Source: Symantec
Aliases:
There are no other names known for Backdoor.Darpapox.
Explanation:
Once executed, the Trojan creates the following files:
%UserProfile%\Application Data\Microsoft\[THREAT NAME].exe
%System%\msutil32.dll
The Trojan creates the following registry entry so that it runs every time Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"RunUpdate" = "%UserProfile%\Application Data\Microsoft\[THREAT NAME].exe"
The Trojan also creates the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6f54533a-0be7-4ed2-8379-b73553f6fbdb}\"ComponentID" = "DirectShow"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6f54533a-0be7-4ed2-8379-b73553f6fbdb}\"Version" = "1,125,2406,1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6f54533a-0be7-4ed2-8379-b73553f6fbdb}\"StubPath" = ""%UserProfile%\Application Data\Microsoft\[THREAT NAME].exe" /s /n /i:U shell32.dll"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"RunUpdate" = "%UserProfile%\Application Data\Microsoft\[THREAT NAME].exe"
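The Run value and the Active Setup component listed above are the persistence artifacts a responder would look for. The following Python scanner is an added example, not part of the Symantec write-up: it parses a .reg-style export and flags entries matching those indicators. The function names, the constructed sample dump, the file name sample-threat.exe standing in for [THREAT NAME], and the all-zero placeholder GUID are assumptions; only the key paths, value names and the {6f54533a-...} GUID come from the write-up.

```python
# Added example, not from the Symantec write-up. Key paths, value names and the
# Active Setup GUID come from the write-up; everything else is constructed.
import re

ACTIVE_SETUP_GUID = "{6f54533a-0be7-4ed2-8379-b73553f6fbdb}"
RUN_VALUE_NAME = "RunUpdate"
# An executable dropped under %UserProfile%\Application Data\Microsoft\
DROP_PATH_RE = re.compile(r"Application Data\\Microsoft\\[^\\\"]+\.exe", re.I)

def parse_reg_export(text):
    """Yield (key, value_name, data) from [key] and "name"="data" lines."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            data = data.strip().strip('"')
            # undo .reg escaping of backslashes and embedded quotes
            data = data.replace("\\\\", "\\").replace('\\"', '"')
            yield key, name.strip().strip('"'), data

def find_darpapox_persistence(text):
    """Return (reason, key, value_name) for entries matching the write-up."""
    hits = []
    for key, name, data in parse_reg_export(text):
        k = key.lower()
        if k.endswith("\\currentversion\\run"):
            if name == RUN_VALUE_NAME or DROP_PATH_RE.search(data):
                hits.append(("Run value as in write-up", key, name))
        elif "active setup\\installed components\\" in k:
            if ACTIVE_SETUP_GUID in k:
                hits.append(("Active Setup GUID from write-up", key, name))
            elif name == "StubPath" and DROP_PATH_RE.search(data):
                hits.append(("Active Setup StubPath runs user-profile exe", key, name))
    return hits

# Constructed sample: a benign Run value, the write-up's entries, and a benign
# Active Setup component under a placeholder GUID (not from the write-up).
SAMPLE_DUMP = r'''[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"VendorTray"="C:\\Program Files\\Vendor\\tray.exe"
"RunUpdate"="C:\\Users\\alice\\Application Data\\Microsoft\\sample-threat.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6f54533a-0be7-4ed2-8379-b73553f6fbdb}]
"ComponentID"="DirectShow"
"Version"="1,125,2406,1"
"StubPath"="\"C:\\Users\\alice\\Application Data\\Microsoft\\sample-threat.exe\" /s /n /i:U shell32.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-000000000001}]
"StubPath"="regsvr32.exe /s /n /i:U placeholder.dll"
'''
```

Running find_darpapox_persistence(SAMPLE_DUMP) reports the RunUpdate value and the three values under the write-up's GUID, and leaves the two benign entries alone.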
The Trojan connects to the following remote location in order to check for a connection to the internet:
update.microsoft.com
Next, the Trojan opens a back door on the compromised computer and connects to one or more of the following command-and-control (C&C) servers:
goodshop.minidns.net
telli.chickenkiller.com
ms-update.bbsindex.com
The Trojan may then perform the following actions on the compromised computer:
List processes
Execute files
Upload files
Download files
Delete files
Inject DLL files
Take screenshots
Execute commands
Uninstall itself
The Trojan may also gather the following information and send it to the attacker:
Host name
Free disk space
Network adapter information
List of installed software
List of directories
Last update 23 April 2015