Trojan.Ratopak
First posted on 08 December 2015.
Source: Symantec
Aliases:
There are no other names known for Trojan.Ratopak.
Explanation:
When this Trojan is executed, it creates the following files:
%Application Data%\adobesystem.log
%Application Data%\Microsoft\PNT\1.dat
%Application Data%\Microsoft\PNT\Data
%Application Data%\Microsoft\PNT\Data\ps.dat
%Application Data%\Microsoft\PNT\Data\translit.dat
%Application Data%\Microsoft\PNT\Data\triggers.dat
%Application Data%\Microsoft\PNT\diary.dll
%Application Data%\Microsoft\PNT\Images
%Application Data%\Microsoft\PNT\Images\bg.png
%Application Data%\Microsoft\PNT\Images\favicon.ico
%Application Data%\Microsoft\PNT\Images\feature-ie.png
%Application Data%\Microsoft\PNT\Images\feature.png
%Application Data%\Microsoft\PNT\Images\flag.png
%Application Data%\Microsoft\PNT\Images\icon-mail.png
%Application Data%\Microsoft\PNT\Images\icon-services.png
%Application Data%\Microsoft\PNT\Images\jabber.png
%Application Data%\Microsoft\PNT\Images\keyboard-ie.png
%Application Data%\Microsoft\PNT\Images\keyboard.png
%Application Data%\Microsoft\PNT\Images\logo95x37.gif
%Application Data%\Microsoft\PNT\Images\logo95x37.png
%Application Data%\Microsoft\PNT\Images\notification.png
%Application Data%\Microsoft\PNT\Images\online-small.png
%Application Data%\Microsoft\PNT\Images\online.png
%Application Data%\Microsoft\PNT\Images\smile.png
%Application Data%\Microsoft\PNT\Images\start.png
%Application Data%\Microsoft\PNT\Images\what.gif
%Application Data%\Microsoft\PNT\Images\_punto-ie.css
%Application Data%\Microsoft\PNT\Images\_punto.css
%Application Data%\Microsoft\PNT\layouts.exe
%Application Data%\Microsoft\PNT\lpk.dll
%Application Data%\Microsoft\PNT\ps64ldr.exe
%Application Data%\Microsoft\PNT\pshook.dll
%Application Data%\Microsoft\PNT\pshook64.dll
%Application Data%\Microsoft\PNT\punto.exe
%Application Data%\Microsoft\PNT\Sounds\en.wav
%Application Data%\Microsoft\PNT\Sounds\misprint.wav
%Application Data%\Microsoft\PNT\Sounds\replace.wav
%Application Data%\Microsoft\PNT\Sounds\reverse.wav
%Application Data%\Microsoft\PNT\Sounds\ru.wav
%Application Data%\Microsoft\PNT\Sounds\switch.wav
%Application Data%\Microsoft\PNT\Sounds\type.wav
%Application Data%\Microsoft\PNT\Sounds\typeeng.wav
%Application Data%\Microsoft\PNT\Sounds\typerus.wav
%Windir%\Microsoft.NET.Framework\aledensoftipcserver.dll
%Windir%\Microsoft.NET.Framework\avicap32.dll
%Windir%\Microsoft.NET.Framework\Config.xml
%Windir%\Microsoft.NET.Framework\english.lg
%Windir%\Microsoft.NET.Framework\msimg32.dll
%Windir%\Microsoft.NET.Framework\romfusclient.exe
%Windir%\Microsoft.NET.Framework\romserver.exe
The Trojan then creates the following registry entries:
HKEY_LOCAL_MACHINE\SYSTEM\LiteManager\v3.4\Server\Parameters\"Pwd" = "[HEXADECIMAL VALUE]"
HKEY_LOCAL_MACHINE\SYSTEM\LiteManager\v3.4\Server\Parameters\"Options" = "[HEXADECIMAL VALUE]"
HKEY_LOCAL_MACHINE\SYSTEM\LiteManager\v3.4\Server\Parameters\"NoIPSettings" = "[HEXADECIMAL VALUE]"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ROMService\"ImagePath" = "%Windir%\Microsoft.NET.Framework\romserver.exe"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ROMService\"DisplayName" = "LiteManagerTeam LiteManager"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\SysProcs\"ROMFUSClient.exe" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ROMwlnotify\"Startup" = "WLEventStartup"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ROMwlnotify\"Logon" = "WLEventLogon"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ROMwlnotify\"Logoff" = "WLEventLogoff"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ROMwlnotify\"Impersonate" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ROMwlnotify\"DllName" = "ROMwln.dll"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ROMwlnotify\"Asynchronous" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Adobe Update Manager" = "%Application Data%\Microsoft\LTM\ROMServer.exe\" /HIDETRAY""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Adobe Plugins Manager" = "%Application Data%\Microsoft\PNT\punto.exe\"
HKEY_LOCAL_MACHINE\SOFTWARE\LiteManagerTeam\LiteManager\v3.4\Config\"ServerExe" = "%Windir%\Microsoft.NET.Framework\romserver.exe"
HKEY_CURRENT_USER\Software\Yandex\Punto Switcher\3.1\"Welcome" = "1"
HKEY_CURRENT_USER\Software\Yandex\Punto Switcher\3.1\"Sound_9" = "%Temp%\Punto\Sounds\switch.wav"
HKEY_CURRENT_USER\Software\Yandex\Punto Switcher\3.1\"Sound_8" = "%Temp%\Punto\Sounds\switch.wav"
HKEY_CURRENT_USER\Software\Yandex\Punto Switcher\3.1\"Sound_7" = "%Temp%\Punto\Sounds\switch.wav"
HKEY_CURRENT_USER\Software\Yandex\Punto Switcher\3.1\"Sound_6" = "%Temp%\Punto\Sounds\reverse.wav"
HKEY_CURRENT_USER\Software\Yandex\Punto Switcher\3.1\"Sound_5" = "%Temp%\Punto\Sounds\en.wav"
HKEY_CURRENT_USER\Software\Yandex\Punto Switcher\3.1\"Sound_4" = "%Temp%\Punto\Sounds\ru.wav"
HKEY_CURRENT_USER\Software\Yandex\Punto Switcher\3.1\"Sound_3" = "%Temp%\Punto\Sounds\misprint.wav"
HKEY_CURRENT_USER\Software\Yandex\Punto Switcher\3.1\"Sound_2" = "%Temp%\Punto\Sounds\switch.wav"
HKEY_CURRENT_USER\Software\Yandex\Punto Switcher\3.1\"Sound_15" = "%Temp%\Punto\Sounds\replace.wav"
HKEY_CURRENT_USER\Software\Yandex\Punto Switcher\3.1\"Sound_14" = "%Temp%\Punto\Sounds\switch.wav"
HKEY_CURRENT_USER\Software\Yandex\Punto Switcher\3.1\"Sound_13" = "%Temp%\Punto\Sounds\switch.wav"
HKEY_CURRENT_USER\Software\Yandex\Punto Switcher\3.1\"Sound_12" = "%Temp%\Punto\Sounds\switch.wav"
HKEY_CURRENT_USER\Software\Yandex\Punto Switcher\3.1\"Sound_11" = "%Temp%\Punto\Sounds\switch.wav"
HKEY_CURRENT_USER\Software\Yandex\Punto Switcher\3.1\"Sound_10" = "%Temp%\Punto\Sounds\switch.wav"
HKEY_CURRENT_USER\Software\Yandex\Punto Switcher\3.1\"Sound_1" = "%Temp%\Punto\Sounds\typeeng.wav"
HKEY_CURRENT_USER\Software\Yandex\Punto Switcher\3.1\"Sound_0" = "%Temp%\Punto\Sounds\typerus.wav"
HKEY_CURRENT_USER\Software\Yandex\Punto Switcher\3.1\"SoundState_9" = "7d00003"
HKEY_CURRENT_USER\Software\Yandex\Punto Switcher\3.1\"SoundState_8" = "7d00003"
HKEY_CURRENT_USER\Software\Yandex\Punto Switcher\3.1\"SoundState_7" = "7d00003"
HKEY_CURRENT_USER\Software\Yandex\Punto Switcher\3.1\"SoundState_6" = "7d00003"
HKEY_CURRENT_USER\Software\Yandex\Punto Switcher\3.1\"SoundState_5" = "7d00003"
HKEY_CURRENT_USER\Software\Yandex\Punto Switcher\3.1\"SoundState_4" = "3e80003"
HKEY_CURRENT_USER\Software\Yandex\Punto Switcher\3.1\"SoundState_3" = "2bc0003"
HKEY_CURRENT_USER\Software\Yandex\Punto Switcher\3.1\"SoundState_2" = "9c40003"
HKEY_CURRENT_USER\Software\Yandex\Punto Switcher\3.1\"SoundState_15" = "1900003"
HKEY_CURRENT_USER\Software\Yandex\Punto Switcher\3.1\"SoundState_14" = "1f40003"
HKEY_CURRENT_USER\Software\Yandex\Punto Switcher\3.1\"SoundState_13" = "76c0003"
HKEY_CURRENT_USER\Software\Yandex\Punto Switcher\3.1\"SoundState_12" = "6a40003"
HKEY_CURRENT_USER\Software\Yandex\Punto Switcher\3.1\"SoundState_11" = "5dc0003"
HKEY_CURRENT_USER\Software\Yandex\Punto Switcher\3.1\"SoundState_10" = "7d00003"
HKEY_CURRENT_USER\Software\Yandex\Punto Switcher\3.1\"SoundState_1" = "7d00003"
HKEY_CURRENT_USER\Software\Yandex\Punto Switcher\3.1\"SoundState_0" = "5dc0003"
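The file and registry artifacts above double as host triage checks. The following PowerShell script is an added example, not part of the Symantec writeup; it only reads the locations listed and assumes the %Application Data% placeholder expands to each user's AppData\Roaming folder.

```powershell
# Added triage check (not from the Symantec writeup): looks, read-only, for the
# persistence registry values and dropped files listed above. Run from an elevated
# PowerShell prompt so HKLM and every user profile are readable.
$hits = @()

# Registry values copied from the entries above (HKEY_LOCAL_MACHINE written as HKLM:).
$regChecks = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';   Name = 'Adobe Update Manager' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';   Name = 'Adobe Plugins Manager' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\ROMService';     Name = 'ImagePath' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ROMwlnotify'; Name = 'DllName' },
    @{ Path = 'HKLM:\SYSTEM\LiteManager\v3.4\Server\Parameters';        Name = 'Pwd' },
    @{ Path = 'HKLM:\SOFTWARE\LiteManagerTeam\LiteManager\v3.4\Config'; Name = 'ServerExe' }
)
foreach ($c in $regChecks) {
    # A missing key or value raises a non-terminating error, which is silenced here.
    $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -ne $item) {
        $hits += [pscustomobject]@{ Type = 'Registry'; Location = "$($c.Path)\$($c.Name)"; Detail = $item.($c.Name) }
    }
}

# Dropped files. %Application Data% is per user (AppData\Roaming), so every profile is
# checked; %Windir%\Microsoft.NET.Framework is system-wide. Note the dots in that name:
# the genuine .NET directory is %Windir%\Microsoft.NET\Framework.
$userFiles = @('adobesystem.log', 'Microsoft\PNT\punto.exe', 'Microsoft\PNT\pshook.dll',
               'Microsoft\PNT\pshook64.dll', 'Microsoft\PNT\ps64ldr.exe', 'Microsoft\PNT\diary.dll')
$sysFiles  = @('romserver.exe', 'romfusclient.exe', 'aledensoftipcserver.dll', 'Config.xml')
$paths = @()
foreach ($p in Get-ChildItem -Path "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue) {
    foreach ($rel in $userFiles) { $paths += Join-Path $p.FullName "AppData\Roaming\$rel" }
}
foreach ($rel in $sysFiles) { $paths += Join-Path $env:windir "Microsoft.NET.Framework\$rel" }
foreach ($full in $paths) {
    if (Test-Path -LiteralPath $full -PathType Leaf) {
        $f = Get-Item -LiteralPath $full
        $hits += [pscustomobject]@{ Type = 'File'; Location = $full; Detail = "$($f.Length) bytes, written $($f.LastWriteTime)" }
    }
}

if ($hits.Count -eq 0) { Write-Output 'No Trojan.Ratopak artifacts found.' }
else { $hits | Format-Table -AutoSize -Wrap }
```

LiteManager (a remote administration product) and Yandex Punto Switcher (a keyboard layout switcher) also exist as legitimate installs, so their keys alone are weak evidence; the Run values named after Adobe that point into %Application Data%\Microsoft\LTM or \PNT, and a ROMService whose ImagePath sits under %Windir%\Microsoft.NET.Framework, are what set this Trojan apart.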
Next, the Trojan performs the following actions on the compromised computer:
Log keystrokes
Collect clipboard data
Download additional files
The Trojan then sends the gathered data to the following URLs:
[http://]google997.com/info/menu[REMOVED]
[http://]microsoft775.com/info/menu[REMOVED]
[http://]autopiter.biz/info/menu[REMOVED]
Last update 08 December 2015