
Trojan:Win32/Cadlotcorg.A


First posted on 10 December 2016.
Source: Microsoft

Aliases:

There are no other names known for Trojan:Win32/Cadlotcorg.A.

Explanation:

This threat drops the following files in your appdata\local folder:

  • C-Dlt-C-Trsh-T.tmp
  • C-Dlt-C-Org-T.vbs


The ".tmp" file contains the path where the malware resides.
The ".vbs" script contains the following, which deletes the malware and then itself:

WScript.Sleep(10 * 1000)
On Error Resume Next
Set WshShell = CreateObject("Scripting.FileSystemObject")
While WshShell.FileExists("")
WshShell.DeleteFile ""
Wend
WScript.Sleep(10 * 1000)
WshShell.DeleteFile "%AppData%\Local\Temp\C-Dlt-C-Org-T.vbs"
Set WshShell = Nothing

The malware then identifies your default web browser, launches an instance of it and injects code into it. The injected code is decoded from the resource section of the malware and is the part that carries the wiping capability.

When this is done, the malware runs the following command to delete itself:
  • cmd /c WMIC Process Call Create C:\Windows\System32\Wscript.exe //NOLOGO %AppData%\Local\Temp\C-Dlt-C-Org-T.vbs


The wiping code, now executing inside the web browser instance, overwrites the Master Boot Record section of the hard drive with random data, then shuts down your PC so that it reboots into the unusable state the malware intends.
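As an added illustration, not part of the Microsoft write-up, the following Python snippet shows how a detection rule for the behaviour described above could be run over process-creation and file-creation telemetry: it flags the two dropped file names and the WMIC-launched wscript.exe self-deletion command. The JSON-lines events are constructed sample data, and the field names (type, image, cmdline, path) are assumed Sysmon-like labels, not a specific product's schema.

```python
import json
import re

# Constructed sample telemetry (JSON lines, Sysmon-like fields), not real captures.
# Line 0 is the self-deletion command quoted in this entry; line 3 is benign activity.
SAMPLE_LOG = r"""
{"type": "process", "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd /c WMIC Process Call Create C:\\Windows\\System32\\Wscript.exe //NOLOGO %AppData%\\Local\\Temp\\C-Dlt-C-Org-T.vbs"}
{"type": "process", "image": "C:\\Windows\\System32\\Wscript.exe", "cmdline": "C:\\Windows\\System32\\Wscript.exe //NOLOGO C:\\Users\\u\\AppData\\Local\\Temp\\C-Dlt-C-Org-T.vbs"}
{"type": "file", "image": "C:\\Users\\u\\Downloads\\sample.exe", "path": "C:\\Users\\u\\AppData\\Local\\C-Dlt-C-Trsh-T.tmp"}
{"type": "process", "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd /c dir C:\\Users\\u\\AppData\\Local\\Temp"}
""".strip()

# File names this entry reports being dropped under AppData\Local (compared case-insensitively).
DROPPED_ARTIFACTS = ("c-dlt-c-trsh-t.tmp", "c-dlt-c-org-t.vbs")

# WMIC "Process Call Create" launching wscript.exe on a .vbs under AppData\Local\Temp,
# i.e. the exact shape of the self-deletion command described above. The optional "%"
# allows the unexpanded %AppData% form as well as an already expanded path.
WMIC_WSCRIPT_RE = re.compile(
    r"wmic\s+process\s+call\s+create\b.*wscript\.exe.*appdata%?\\local\\temp\\[^\s\"]+\.vbs",
    re.IGNORECASE,
)


def classify_event(event):
    """Return the list of reasons an event is suspicious; an empty list means no match."""
    text = event.get("cmdline") or event.get("path") or ""
    reasons = []
    if WMIC_WSCRIPT_RE.search(text):
        reasons.append("wmic_spawns_wscript_vbs_in_temp")
    lowered = text.lower()
    for name in DROPPED_ARTIFACTS:
        if name in lowered:
            reasons.append("known_artifact:" + name)
    return reasons


def scan_log(log_text):
    """Parse JSON lines and return (line_index, reasons) for every flagged event."""
    hits = []
    for i, line in enumerate(log_text.splitlines()):
        if not line.strip():
            continue
        reasons = classify_event(json.loads(line))
        if reasons:
            hits.append((i, reasons))
    return hits


if __name__ == "__main__":
    for idx, reasons in scan_log(SAMPLE_LOG):
        print(f"line {idx}: {', '.join(reasons)}")
```

The artifact-name match is the narrow indicator; the WMIC-to-wscript pattern is the one worth keeping as a generic hunt, since it does not depend on this sample's file names.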

This malware description was published using the analysis of file SHA1 0a4ffce8f301546100d7b00ba017f5e24d1b2d9b.
Analysis by: Mathieu Letourneau

Last update 10 December 2016
