TrojanSpy:Win32/Bafi.A
First posted on 13 January 2012.
Source: Microsoft
Aliases:
TrojanSpy:Win32/Bafi.A is also known as PSW.Banker6.NDD (AVG), Trojan.PWS.Spy.13177 (Dr.Web), Win32/Spy.Banker.WZJ (ESET), Trojan-Spy.Win32.Agent.bwfy (Kaspersky), PWS-Banker!h2s (McAfee), Mal/Croff-A (Sophos), Trojan:Win32/Bafi.A (other).
Explanation:
TrojanSpy:Win32/Bafi.A is a trojan that captures keyboard and mouse activities when browsing certain sites using the web browser Firefox.
Installation
When run, the trojan drops the following files:
- <path:>\chrome.manifest
- <path:>\install.rdf
- %windir%\AcroFF0<random alphanumeric character>0.dll
- %windir%\AcroFF0<random alphanumeric character>5.dll
- %windir%\AcroFF0<random alphanumeric character>6.dll
- %windir%\AcroFF0<random alphanumeric character>7.dll
- %windir%\AcroFF0<random alphanumeric character>8.dll
Where "<path:>" has been observed to be the root of the C: drive. The registry is modified so that Mozilla Firefox loads an extension from the specified path, such as "c:" in the following example:
In subkey: HKCU\Software\Mozilla\Firefox\extensions
Sets value: "{184AA5E6-741D-464a-820E-94B3ABC2F3B4}"
With data: "c:"
In subkey: HKLM\SOFTWARE\Mozilla\Firefox\extensions
Sets value: "{184AA5E6-741D-464a-820E-94B3ABC2F3B4}"
With data: "c:"
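The two installation artifacts above (a Firefox extension registration whose data is a bare drive root, and the AcroFF0*.dll naming pattern in %windir%) are what a responder would look for on a suspect host. The following is an added detection example written for this page; it is not Microsoft's code or part of the original analysis. It assumes the registry values have already been collected into (subkey, value name, data) tuples and that a %windir% file listing is available as a list of names; the collection step is not shown, and the sample inputs are constructed, with the benign-looking extension ID being a placeholder.

```python
import re
from typing import Iterable, List, Tuple

# Extension ID and dropped-file naming are taken from the write-up above.
KNOWN_BAD_EXTENSION_ID = "{184AA5E6-741D-464a-820E-94B3ABC2F3B4}"

# Firefox reads extension install locations from these subkeys; the trojan writes to both.
FIREFOX_EXT_SUBKEYS = (
    r"hkcu\software\mozilla\firefox\extensions",
    r"hklm\software\mozilla\firefox\extensions",
)

# A bare drive root such as "c:" or "D:\" is not a plausible extension directory.
DRIVE_ROOT_RE = re.compile(r"^[a-z]:\\?$", re.IGNORECASE)

# %windir%\AcroFF0<one random alphanumeric character>{0,5,6,7,8}.dll, per the Installation section.
DROPPED_DLL_RE = re.compile(r"^AcroFF0[0-9A-Za-z][05678]\.dll$", re.IGNORECASE)

RegEntry = Tuple[str, str, str]  # (subkey, value name, data)


def suspicious_extension_registrations(entries: Iterable[RegEntry]) -> List[str]:
    """Return one finding per Firefox extension registration that either uses the
    extension ID from this write-up or points Firefox at a bare drive root."""
    findings: List[str] = []
    for subkey, value_name, data in entries:
        if subkey.strip().lower().rstrip("\\") not in FIREFOX_EXT_SUBKEYS:
            continue  # not an extension registration key; ignore
        reasons = []
        if value_name.lower() == KNOWN_BAD_EXTENSION_ID.lower():
            reasons.append("known Bafi.A extension ID")
        if DRIVE_ROOT_RE.match(data.strip().strip('"')):
            reasons.append("extension path is a bare drive root")
        if reasons:
            findings.append(f"{subkey}\\{value_name} = {data!r}: {', '.join(reasons)}")
    return findings


def suspicious_dropped_files(windir_listing: Iterable[str]) -> List[str]:
    """Return file names from a %windir% listing that match the AcroFF0 naming pattern."""
    return [name for name in windir_listing if DROPPED_DLL_RE.match(name)]


# Constructed sample input: the first two entries mirror the write-up, the rest are benign.
SAMPLE_REG_ENTRIES = [
    (r"HKCU\Software\Mozilla\Firefox\extensions", KNOWN_BAD_EXTENSION_ID, "c:"),
    (r"HKLM\SOFTWARE\Mozilla\Firefox\extensions", KNOWN_BAD_EXTENSION_ID, "c:"),
    # Placeholder extension ID with a normal install directory (constructed, benign).
    (r"HKLM\SOFTWARE\Mozilla\Firefox\extensions", "{placeholder-benign-id}",
     "C:\\Program Files\\ExampleVendor\\ffext"),
    # Unrelated Firefox key (constructed, benign).
    (r"HKCU\Software\Mozilla\Firefox\Profiles", "Path", "Profiles/abcd.default"),
]

# Constructed %windir% listing: three names match the pattern, "AcroFF0a9.dll" does not
# because the final digit is not one of 0, 5, 6, 7 or 8.
SAMPLE_WINDIR_LISTING = [
    "explorer.exe", "AcroFF0a0.dll", "AcroFF0Z7.dll", "AcroFF0a9.dll", "notepad.exe", "AcroFF0q5.dll",
]

if __name__ == "__main__":
    for finding in suspicious_extension_registrations(SAMPLE_REG_ENTRIES):
        print("REGISTRY:", finding)
    for name in suspicious_dropped_files(SAMPLE_WINDIR_LISTING):
        print("FILE:", name)
```

The drive-root check is deliberately independent of the extension ID, so a variant that changes the GUID but keeps pointing Firefox at "c:" is still flagged; a legitimate extension registered under a real install directory is not.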
Payload
Steals credentials
TrojanSpy:Win32/Bafi.A runs when the web browser Mozilla Firefox is launched and waits for the user to visit a website containing one of the following substrings:
- bank
- deu
- feducia.de
When a site matching the criteria is visited, the trojan attempts to capture user login details, keystrokes and mouse events and writes them to a data file (e.g. "__UAs001.dat") that could be accessed later by other malware and sent to a remote server.
Additional information
TrojanSpy:Win32/Bafi.A is digitally signed with a certificate issued to "KR, Samsung, Samsung, supp@samsung.com".
Analysis by Marianne Mallen
Last update 13 January 2012