Home / malwarePDF  

Backdoor:Win32/Truvasys.C!dha


First posted on 15 December 2016.
Source: Microsoft

Aliases :

There are no other names known for Backdoor:Win32/Truvasys.C!dha.

Explanation :

When launched, this backdoor's initial dropper displays a message that appears to be selected at random. Here is one of the messages:

The version of Microsoft Office installed on this system is not updated.

The dropper then creates a hidden folder rspDB inside the %TEMP% folder and places several files inside that folder:

  • %TEMP%/rspDB/resdllx.dll - a clean DLL file containing functions for secure communications
  • %TEMP%/rspDB/winxsys.exe - the main backdoor component
  • %TEMP%/rspDB/parameters.txt - a configuration file


The configuration file stores backdoor settings, including its command and control (C&C) addresses, communication port, and registry keys and values. An attacker may change these settings to keep the backdoor and its activities from being noticed.

To stay persistent, this backdoor creates the following autorun registry entry:

Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Value: TaskMgr
Data: C:\Users\Pedro\AppData\Local\Temp\rspDB\winxsys.exe



Analysis by Mathieu Letourneau

Last update 15 December 2016

 

TOP