
Trojan:Win32/Lecpetex.A


First posted on 15 July 2014.
Source: Microsoft

Aliases:

There are no other names known for Trojan:Win32/Lecpetex.A.

Explanation:

Threat behavior

Installation

We have seen Trojan:Win32/Lecpetex.A downloaded or injected into clean system processes by the following threats:

  • TrojanDownloader:Java/Carastavona.F
  • TrojanDownloader:Java/Lecpetex.A
  • TrojanDownloader:VBS/Lecpetex.A
  • TrojanDropper:Win32/Lecpetex.A


Trojan:Win32/Lecpetex.A creates a copy of itself as an alternate data stream in %TEMP%\rnd.dat.

It modifies the following registry entry so that it runs each time you start your PC:

In subkey: HKCU\software\microsoft\windows\currentversion\run
Sets value: "svchost"
With data: "regsvr32 /s %TEMP%\<random>.dat"

In subkey: HKLM\software\microsoft\windows\currentversion\run
Sets value: "svchost"
With data: "regsvr32 /s %TEMP%\<random>.dat"

Payload

Connects to a command and control center

Once installed, Trojan:Win32/Lecpetex.A connects to a website or email account to receive instructions from a command and control center. We have seen it log in to email accounts on the following mail servers:

  • mailcatch.com/en/temporary-inbox
  • mailnesia.com/mailbox
  • spamavert.com/mail/
  • tempinbox.com/cgi-bin/checkmail.pl
  • www.dispostable.com/inbox/
  • www.koszmail.pl/koszmail/mailBox.php?mailBox=


It uses different signature strings to locate the encrypted bot command to execute, and checks an initial identifier string to confirm that the command belongs to the bot owner before acting on it.

We have seen it receive the commands to:

  • Update itself
  • Download files, including other malware
  • Inject components into other processes
  • Download a component that sends messages with malicious links on Facebook


Injects code into Windows Explorer

The trojan runs explorer.exe and injects its component files into it, so that its code runs hidden inside a legitimate process.

Collects system information

We have seen this threat collect the following system information:

  • Disk volume serial number
  • File system name and type
  • OS version
  • PC name


The collected information is sent to the following IP address:

  • 85.25.19.211

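The disposable-mail inboxes listed above and the IP address that receives the collected system information are the network indicators a defender can hunt for. The following is an added example, not code from Microsoft or from this encyclopedia entry: it scans proxy log lines in a constructed format (timestamp, client IP, method, URL, status; not any real product's format), tags requests that hit one of the listed inbox URLs or the exfiltration IP, and then looks for clients polling the inboxes at the roughly 15-minute cadence the page describes. The prefix-match on host plus path is an assumption about how the URLs on the page should be compared, as are the sample log lines.

```python
import ipaddress
import re
from datetime import datetime
from urllib.parse import urlsplit

# Indicators taken from the Lecpetex description: the disposable-mail inboxes it
# logs in to for commands, and the address it sends collected system info to.
MAIL_DROP_URL_PREFIXES = (
    "mailcatch.com/en/temporary-inbox",
    "mailnesia.com/mailbox",
    "spamavert.com/mail/",
    "tempinbox.com/cgi-bin/checkmail.pl",
    "www.dispostable.com/inbox/",
    "www.koszmail.pl/koszmail/mailBox.php?mailBox=",
)
EXFIL_IP = ipaddress.ip_address("85.25.19.211")

# Constructed log line format (assumption, not a real proxy format):
#   <ISO-8601 timestamp> <client_ip> <method> <url> <status>
LOG_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

# Constructed sample log: one host polls two of the inboxes 15 minutes apart,
# another host posts to the exfiltration address, a third visits an inbox once.
SAMPLE_LOG = [
    "2014-07-15T10:00:01Z 10.0.0.7 GET http://www.example.com/index.html 200",
    "2014-07-15T10:00:05Z 10.0.0.7 GET http://mailnesia.com/mailbox/x7q2k 200",
    "2014-07-15T10:00:09Z 10.0.0.9 POST http://85.25.19.211/ 200",
    "2014-07-15T10:15:09Z 10.0.0.7 GET http://www.koszmail.pl/koszmail/mailBox.php?mailBox=x7q2k 200",
    "2014-07-15T10:30:02Z 10.0.0.7 GET http://mailnesia.com/mailbox/x7q2k 200",
    "2014-07-15T10:31:00Z 10.0.0.12 GET http://mailcatch.com/en/temporary-inbox/abc 200",
]


def classify(url):
    """Return the indicator tag a URL matches, or None."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    # Compare on host + path + query so scheme and port do not matter.
    hp = host + parts.path + ("?" + parts.query if parts.query else "")
    for prefix in MAIL_DROP_URL_PREFIXES:
        if hp.startswith(prefix):
            return "lecpetex-mail-drop:" + prefix
    try:
        if ipaddress.ip_address(host) == EXFIL_IP:
            return "lecpetex-exfil-ip"
    except ValueError:
        pass  # host is a name, not an IP literal
    return None


def scan_proxy_log(lines):
    """Return (timestamp, client_ip, tag) for every line that hits an indicator."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        ts, client, _method, url, _status = m.groups()
        tag = classify(url)
        if tag:
            hits.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, tag))
    return hits


def periodic_clients(hits, period=900, tolerance=90, min_hits=3):
    """Clients whose inbox polls recur about every `period` seconds (15 min on the page)."""
    by_client = {}
    for ts, client, tag in hits:
        if tag.startswith("lecpetex-mail-drop"):
            by_client.setdefault(client, []).append(ts)
    flagged = []
    for client, stamps in by_client.items():
        stamps.sort()
        if len(stamps) < min_hits:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if all(abs(g - period) <= tolerance for g in gaps):
            flagged.append(client)
    return sorted(flagged)


if __name__ == "__main__":
    for ts, client, tag in scan_proxy_log(SAMPLE_LOG):
        print(ts.isoformat(), client, tag)
    print("periodic pollers:", periodic_clients(scan_proxy_log(SAMPLE_LOG)))
```

The inbox services are legitimate public sites, so a single hit is a triage lead rather than a verdict; the periodicity check is what separates an infected host polling for commands from a user reading disposable mail once, and any traffic to the exfiltration address is worth investigating on its own.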

Trojan:Win32/Lecpetex.A performs the payloads listed above every 15 minutes. It stops performing these behaviors after 20,000 times.

Installs bitcoin miner and password stealer

We have seen this trojan install a bitcoin miner and password stealer.

Additional information

The name Lecpetex is based on the mutex name the threat creates. The following format strings, used to generate the mutex name, were found in the code:

  • %sPe
  • %sle


Trojan:Win32/Lecpetex.A checks whether the system it is running on is being monitored for security analysis, and whether it is being debugged.

It also checks whether it is running in a sandbox environment by comparing the logged-in user name with any of the following:

  • ANUBIS
  • MALWR
  • SANDBOX
  • VIRUS


It also inspects the filename and path used when it runs to check if it matches any of the following:

  • ANUBIS
  • MALWR
  • SANDBOX
  • \SAMPLE
  • \VIRUS


The trojan checks for the following security analysis systems and tools:

  • Sandbox files:

    sbiedll.dll
    %system%\drivers\VBoxMouse.sys
    %system%\drivers\vmmouse.sys
    %system%\drivers\vmhgfs.sys
  • Export name wine_get_unix_file_name in kernel32.dll
  • Value of registry entry HKCU\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id\Identifier if it is:

    VBOX
    VMWARE
    QEMU
  • Value of registry entry HKCU\HARDWARE\Description\System\SystemBiosVersion if it is:

    VBOX
    QEMU
  • Registry keys:

    HKCU\SOFTWARE\Oracle\VirtualBox Guest Additions
    HKCU\SOFTWARE\VMware, Inc.\VMware Tools

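For an analyst, the value of the evasion checks listed above is knowing which of them a given analysis VM would trip, because a sample that detects the sandbox never shows its payload. The following is an added example, not code from Microsoft or from this entry: it takes a constructed snapshot of an analysis environment (user name, sample path, files present, kernel32 exports, registry values and keys) and reports which of the page's checks would fire. Case-insensitive substring matching is an assumption about how the trojan compares the values; the page only lists the strings it looks for.

```python
# Indicator lists copied from the Lecpetex description.
USER_NAME_MARKERS = ("ANUBIS", "MALWR", "SANDBOX", "VIRUS")
PATH_MARKERS = ("ANUBIS", "MALWR", "SANDBOX", "\\SAMPLE", "\\VIRUS")
SANDBOX_FILES = (
    "sbiedll.dll",
    "%system%\\drivers\\VBoxMouse.sys",
    "%system%\\drivers\\vmmouse.sys",
    "%system%\\drivers\\vmhgfs.sys",
)
WINE_EXPORT = "wine_get_unix_file_name"
SCSI_ID_KEY = (r"HKCU\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0"
               r"\Target Id 0\Logical Unit Id\Identifier")
SCSI_ID_MARKERS = ("VBOX", "VMWARE", "QEMU")
BIOS_KEY = r"HKCU\HARDWARE\Description\System\SystemBiosVersion"
BIOS_MARKERS = ("VBOX", "QEMU")
VM_TOOL_KEYS = (
    r"HKCU\SOFTWARE\Oracle\VirtualBox Guest Additions",
    r"HKCU\SOFTWARE\VMware, Inc.\VMware Tools",
)


def evasion_triggers(env):
    """Return the checks from the page that would fire in the environment `env`.

    `env` is a constructed snapshot dict with keys: user, sample_path, files,
    kernel32_exports, reg_values (key -> string data), reg_keys (present keys).
    Substring, case-insensitive comparison is an assumption (see lead-in).
    """
    hits = []
    user = env.get("user", "").upper()
    hits += ["user-name:" + m for m in USER_NAME_MARKERS if m in user]
    path = env.get("sample_path", "").upper()
    hits += ["sample-path:" + m for m in PATH_MARKERS if m in path]
    present = {f.lower() for f in env.get("files", ())}
    hits += ["file:" + f for f in SANDBOX_FILES if f.lower() in present]
    if WINE_EXPORT in env.get("kernel32_exports", ()):
        hits.append("export:" + WINE_EXPORT)
    values = env.get("reg_values", {})
    scsi = values.get(SCSI_ID_KEY, "").upper()
    hits += ["scsi-id:" + m for m in SCSI_ID_MARKERS if m in scsi]
    bios = values.get(BIOS_KEY, "").upper()
    hits += ["bios-version:" + m for m in BIOS_MARKERS if m in bios]
    keys = set(env.get("reg_keys", ()))
    hits += ["reg-key:" + k for k in VM_TOOL_KEYS if k in keys]
    return hits


# Constructed snapshot of a stock VirtualBox analysis VM (not real telemetry).
STOCK_VBOX_ENV = {
    "user": "sandbox",
    "sample_path": r"C:\Users\sandbox\Desktop\sample.exe",
    "files": [r"%system%\drivers\VBoxMouse.sys"],
    "kernel32_exports": ["CreateFileW", "GetVolumeInformationW"],
    "reg_values": {SCSI_ID_KEY: "VBOX HARDDISK", BIOS_KEY: "VBOX   - 1"},
    "reg_keys": [r"HKCU\SOFTWARE\Oracle\VirtualBox Guest Additions"],
}

# Constructed snapshot of the same VM after renaming the user, moving the
# sample, and masking the vendor strings the trojan looks for.
HARDENED_ENV = {
    "user": "jsmith",
    "sample_path": r"C:\Users\jsmith\Downloads\invoice.exe",
    "files": [],
    "kernel32_exports": ["CreateFileW", "GetVolumeInformationW"],
    "reg_values": {SCSI_ID_KEY: "WDC WD10EZEX-08WN4A0", BIOS_KEY: "LENOVO - 1"},
    "reg_keys": [],
}


if __name__ == "__main__":
    for name, env in (("stock", STOCK_VBOX_ENV), ("hardened", HARDENED_ENV)):
        print(name, "->", evasion_triggers(env) or "no checks fire")
```

Running the stock snapshot through the function lists every reason the sample would decide it is being analysed; an empty result for the hardened snapshot is the goal before detonating it.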



Analysis by Zarestel Ferrer

Symptoms

The following could indicate that you have this threat on your PC:

  • You have these files:

    %TEMP%\rnd.dat
  • You see these entries or keys in your registry:

    In subkey: HKCU\software\microsoft\windows\currentversion\run
    Sets value: "svchost"
    With data: "regsvr32 /s %TEMP%\<random>.dat"

    In subkey: HKLM\software\microsoft\windows\currentversion\run
    Sets value: "svchost"
    With data: "regsvr32 /s %TEMP%\<random>.dat"

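The persistence entries listed under Installation and repeated here (a Run value named "svchost" whose data runs regsvr32 /s against a .dat file in %TEMP%) can be checked for in a registry export. The following is an added example, not code from Microsoft or from this entry: it parses string values from a .reg export of the two Run keys and flags entries matching that pattern. The sample export is constructed, and treating "%TEMP%" or a "\Temp\" path component as the temp directory is an assumption about how an exported value will look once the variable has been expanded.

```python
import re

# The two autorun keys named on the page, in the form a .reg export uses.
RUN_KEYS = {
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
}

# .reg string value line: "name"="data", with \\ and \" escapes inside.
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
# regsvr32 (bare or with path) invoked silently against a target.
REGSVR_SILENT = re.compile(
    r'^"?(?:.*\\)?regsvr32(?:\.exe)?"?\s+/s\s+(?P<target>.+)$', re.IGNORECASE)


def _unescape(s):
    """Undo .reg escaping (\\ -> \, \" -> ")."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Yield (key, value_name, data) for each string value in a .reg export."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_LINE.match(line)
        if key and m:
            yield key, _unescape(m.group(1)), _unescape(m.group(2))


def lecpetex_run_entries(text):
    """Return Run-key values whose data is 'regsvr32 /s <temp>\\*.dat'."""
    findings = []
    for key, name, data in parse_reg_export(text):
        if key.lower() not in RUN_KEYS:
            continue
        m = REGSVR_SILENT.match(data)
        if not m:
            continue
        target = m.group("target").strip().strip('"')
        low = target.lower()
        in_temp = "%temp%" in low or "\\temp\\" in low  # assumption, see lead-in
        if in_temp and low.endswith(".dat"):
            findings.append({
                "key": key,
                "value": name,
                "target": target,
                "name_is_svchost": name.lower() == "svchost",
            })
    return findings


# Constructed export: two benign entries (one of them a legitimate regsvr32
# call outside %TEMP%) and the two Lecpetex-style entries from the page, with
# %TEMP% shown expanded under HKCU and unexpanded under HKLM.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\jsmith\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"svchost"="regsvr32 /s C:\\Users\\jsmith\\AppData\\Local\\Temp\\k3j9x.dat"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"VendorPlugin"="regsvr32 /s \"C:\\Program Files\\Vendor\\plugin.dll\""
"svchost"="regsvr32 /s %TEMP%\\a81qz.dat"
"""


if __name__ == "__main__":
    for f in lecpetex_run_entries(SAMPLE_REG_EXPORT):
        print(f["key"], "->", f["value"], "=", f["target"])
```

A hit should be followed by a look for %TEMP%\rnd.dat and for the .dat file the value points at; a Run value named after a system process but pointing into the temp directory is suspicious on its own even when the rest of the pattern differs.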

Last update 15 July 2014
