Home / malwarePDF  

TrojanDownloader:Win32/Dofoil.T


First posted on 02 December 2014.
Source: Microsoft

Aliases :

There are no other names known for TrojanDownloader:Win32/Dofoil.T.

Explanation :

Threat behavior

Installation

This threat can be installed from a .zip file attached to a spam email or by exploit kits, such as FlashPack. We have also seen it installed by other malware, such as Win32/Zemot.

It installs a copy of itself using a random file and folder name to %APPDATA%, for example %APPDATA%\jhwdwcib\rttavjuv.exe.

It changes the following registry entry so that it runs each time you start your PC:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Sets value: "", for example "Microsoft", or "WinRar"
With data: "%APPDATA%\\
This threat checks for an Internet connection by connecting to www.msn.com.

The malware tries to avoid analysis by checking if it is running in a sandbox environment. If it detects that it is running in a sandbox it can hibernate indefinitely. It checks for a sandbox environment by:

  • Checking if its file name is €œsample.exe€
  • Calling GetVolumeInformationA() to check if its running in sandbox environment specific to the following malware analysis systems:
    • Malwr
    • ThreatExpert
  • Checking if the following dynamic-link library files are loaded:
    • sbiedll €“ Sandboxie DLL
    • dbghelp €“ Windows Debug Help Library
  • Reading the following registry to get the serial ID of the hard disk: €œ
    • HKLM\System\CurrentControlSet\Services\Disk\Enum\0
  • Checking if your hard disk serial ID contains one of the following strings:
    • qemu €“ Qemu emulator
    • virtual - Virtual Box, Hyper-V
    • vmware - VMware
    • xen €“ Open source hypervisor


Payload

Downloads other malware

This threat can download and run other malware onto your PC. We have seen it download malware from the following families:

  • Trojan:Win32/Ropest
  • TrojanDownloader:Win32/Recslurp
  • TrojanDownloader:Win32/Cutwail


Contacts a malicious hacker

This threat collects information such as your PC:

  • Name
  • Volume serial ID


It sends this information, including a seller id as part of its URL, to its command and control (C&C) server and tries to hide its server address from analysis. To do this it enumerates the registry entries under the following key:

  • HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall


It then gathers URLs from data within the following registry values:

  • HelpLink
  • URLInfoAbout


It sends HTTP POST requests with the stolen information to the URLs that it finds, at the same time as its C&C server. The network communication is usually encrypted with a custom algorithm.

The remote C&C responds with encrypted data that includes commands and other payload binaries or plugins.

We have seen this threat contact the following C&C servers:

  • bulbushkinho.org/b
  • zoneserveryu.com


Additional information

The malware can create a mutex using your PC name and volume serial number. This can be an infection marker to prevent more than one copy of the threat running on your PC.



Analysis by Rex Plantado

Symptoms

Alerts from your security software might be the only symptom.

Last update 02 December 2014

 

TOP

Malware :

Family: