
Worm:Win32/Spraxeth.A


First posted on 16 July 2016.
Source: Microsoft

Aliases:

There are no other names known for Worm:Win32/Spraxeth.A.

Explanation:

Installation

Worm:Win32/Spraxeth.A installs into the following folder on your PC:

  • %system%\dat\Dexon\Agent\


Note: The folder is marked with “Hidden” properties.

It will create files such as:
  • Agent.exe
  • AGENT_~1.EXE
  • AGENT_~2.EXE
  • cfg.dxn
  • Dexon_RC.exe
  • Dmi16.exe
  • HD_Agent.exe
  • HD_LAB~1.DXN
  • Invs
  • module01.dll
  • module02.dll
  • module04.dll
  • module05.dll
  • module09.dll


The Agent.exe file is registered as a service with display name DexonAgent.

The files with the .DXN extension hold the installation configuration, and that configuration determines which C&C server is used. However, the configured C&C server address often points to the local IP address of a different enterprise that originally intended to use this software.

This threat also adds a collection of registry keys under the path:

HKLM\SOFTWARE\Dexon\DAT\

For example:

In subkey: HKLM\SOFTWARE\Dexon\DAT\
Sets value: “LIKDBDYCXGQBTQXXNBAFOCPILHZIBJUITWK”
With data: “i003gkbv0”

Spreads through...

Administrative share

Under certain conditions, the Agent.exe service launches itself with the command-line argument "/Auto". When the threat starts with this argument, it begins connecting to machines on the local network. It uses the local user's access rights to try to copy itself to remote PCs, writing its files to the following administrative share path on the remote machine:
  • \\\$admin\


It copies to the remote machine every file from the local installation of the threat whose name matches any of the following file extensions:
  • *.bmp
  • *.dll
  • *.dxn
  • *.exe
  • *.ico
  • *.jpg
  • *manifest


Afterwards, the Spraxeth service will be created and started on the remote machine.
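The artifacts listed under Installation (the hidden folder under %system%, the DexonAgent service and the HKLM\SOFTWARE\Dexon\DAT registry branch) are also exactly what the worm leaves behind on a remote machine after it has copied itself over the administrative share, so one host check covers both the original infection and spread victims. The script below is an added example written for this page; it is not Microsoft's code and not part of the original entry. It assumes the encyclopedia's %system% placeholder means the System32 directory under the Windows folder, and it only reports findings, it does not remove anything.

```powershell
# Added example (not from the original page or Microsoft): defender-side triage
# that checks a Windows host for the Worm:Win32/Spraxeth.A artifacts described
# above. Run in an elevated PowerShell session on the host being examined.
# Assumption: %system% in the encyclopedia entry means %SystemRoot%\System32.

$findings = @()

# 1. Hidden install folder %system%\dat\Dexon\Agent\
$installDir = Join-Path $env:SystemRoot 'System32\dat\Dexon\Agent'
if (Test-Path -LiteralPath $installDir) {
    # -Force is needed because the folder carries the Hidden attribute.
    $attrs = (Get-Item -LiteralPath $installDir -Force).Attributes
    $findings += "Install folder present: $installDir (attributes: $attrs)"

    # File names from the page; the 8.3 short names are matched with wildcards.
    $knownFiles = @('Agent.exe', 'AGENT_~*.EXE', 'cfg.dxn', 'Dexon_RC.exe', 'Dmi16.exe',
                    'HD_Agent.exe', 'HD_LAB~*.DXN', 'Invs', 'module0*.dll')
    foreach ($pattern in $knownFiles) {
        Get-ChildItem -Path $installDir -Filter $pattern -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                # Hash each file so the result can be compared against AV telemetry later.
                $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                $findings += "  file: $($_.Name) size=$($_.Length) sha256=$hash"
            }
    }
}

# 2. Service registered with the display name DexonAgent
$services = Get-CimInstance -ClassName Win32_Service -Filter "DisplayName='DexonAgent'" -ErrorAction SilentlyContinue
foreach ($s in $services) {
    $findings += "Service '$($s.Name)' (display name $($s.DisplayName)) state=$($s.State) path=$($s.PathName)"
}

# 3. Registry branch HKLM\SOFTWARE\Dexon\DAT\ with randomly named values
$regPath = 'HKLM:\SOFTWARE\Dexon\DAT'
if (Test-Path -LiteralPath $regPath) {
    $key = Get-Item -LiteralPath $regPath
    $findings += "Registry key present: $regPath ($($key.ValueCount) values)"
    foreach ($name in $key.GetValueNames()) {
        $findings += "  value: '$name' = '$($key.GetValue($name))'"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Worm:Win32/Spraxeth.A artifacts found on this host.'
} else {
    Write-Output 'Possible Worm:Win32/Spraxeth.A artifacts:'
    $findings | ForEach-Object { Write-Output $_ }
}
```

Because the service name, folder and registry values are all tied to the legitimate Dexon agent software the worm is built on, a hit from this script should be confirmed against the organisation's own software inventory before it is treated as an infection; the file hashes collected in step 1 are what an analyst would compare against vendor signatures to tell the two apart.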

Payload

Connects to a remote host

We have seen this threat connect to a remote host. Malware can connect to a remote host to do any of the following:
  • Chat with the PC user
  • Control your PC remotely
  • Create directories
  • Create, stop, or start services or drivers
  • Read or write to registry keys
  • Run a file
  • Send and receive files
  • Stop processes

Last update 16 July 2016