TrojanDownloader:Win32/Gratem.A
First posted on 27 August 2015.
Source: Microsoft
Aliases:
There are no other names known for TrojanDownloader:Win32/Gratem.A.
Explanation:
Threat behavior
Installation
When run, the malware searches its current folder for the file tpe64.dll. If the file is found, the malware reads its contents, decrypts the data, and runs the decrypted code in memory.
If tpe64.dll isn't found, the malware tries to download the following file every five seconds:
- adnetwork33.redirectme.net/ / /booswrap/layers.png
If successful, the downloaded blob is decrypted and run in memory.
The decrypted code creates the following shortcut link:
- \WindowManager.lnk - detected as TrojanDownloader:Win32/Gratem.A!lnk
This shortcut points to the malware file: %ProgramData%\WindowMan\dwm22.exe
The malware creates copies of itself in the following files:
- %ProgramData%\WindowMan\dwm22.exe - the original malware file
- %ProgramData%\WindowMan\tpe64.dll - the encrypted blob
- %ProgramData%\WindowMan\x22.dd
Payload
Connects to a remote host
We have seen this threat connect to the following remote hosts to check for an Internet connection:
Downloads files
We have seen the malware download the following file:
- adnetwork33.redirectme.net/ / /booswrap/main.php
It saves the file to %TEMP%\setupGZ.tmp and runs it.
As of writing, the above URL is not accessible.
Additional information
Creates a mutex
We have seen this malware create the following mutexes:
- GGM-KRTYUA1-B1NHHTYU
- B2B27EA7-6F32-4465-8C7C-D2A6E4BAEFA3
These mutexes can serve as an infection marker that prevents more than one copy of the threat from running on your PC.
Analysis by Allan Sepillo
Symptoms
The following can indicate that you have this threat on your PC:
- You have these files:
- %ProgramData%\WindowMan\dwm22.exe
- %ProgramData%\WindowMan\tpe64.dll
- %ProgramData%\WindowMan\x22.dd
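The behaviour described above (the five-second download loop, the drop into %ProgramData%\WindowMan, the WindowManager.lnk shortcut and the launch of dwm22.exe) can be turned into host-telemetry detection logic. The following is an added example, not part of the Microsoft write-up: it matches Sysmon-style events (FileCreate, ProcessCreate, DNSEvent, with Sysmon's TargetFilename, Image and QueryName fields) against the write-up's indicators and flags the retry cadence; the event lines are constructed, UtcTime is simplified to epoch seconds, and the shortcut's folder is a placeholder because the write-up does not give it.

```python
import json
# Indicators from the write-up above. Sample events further down are constructed, not real telemetry.
DROPPED_FILES = {"dwm22.exe", "tpe64.dll", "x22.dd"}
DOWNLOAD_HOST = "adnetwork33.redirectme.net"
POLL_INTERVAL_S = 5  # the downloader retries every five seconds while tpe64.dll is missing


def match_event(ev):
    """Return the indicator names one Sysmon-style event dict triggers (empty list if none)."""
    hits, eid = [], ev.get("EventID")
    if eid == 11:  # FileCreate
        target = ev.get("TargetFilename", "").lower()
        name = target.rsplit("\\", 1)[-1]
        if "\\programdata\\windowman\\" in target and name in DROPPED_FILES:
            hits.append("dropped file " + name)
        if name == "windowmanager.lnk":
            hits.append("shortcut WindowManager.lnk")
    elif eid == 1 and ev.get("Image", "").lower().endswith("\\programdata\\windowman\\dwm22.exe"):
        hits.append("dwm22.exe launched from ProgramData")  # ProcessCreate
    elif eid == 22 and ev.get("QueryName", "").lower() == DOWNLOAD_HOST:
        hits.append("lookup of download host")  # DNSEvent
    return hits


def is_beaconing(events, interval=POLL_INTERVAL_S, tolerance=1.0, min_gaps=3):
    """True when lookups of the download host recur at the five-second cadence described above."""
    times = sorted(e["UtcTime"] for e in events
                   if e.get("EventID") == 22 and e.get("QueryName", "").lower() == DOWNLOAD_HOST)
    gaps = [b - a for a, b in zip(times, times[1:])]
    return sum(abs(g - interval) <= tolerance for g in gaps) >= min_gaps


def triage(lines):
    """Parse JSON event lines and summarise the Gratem.A indicators found."""
    events = [json.loads(line) for line in lines if line.strip()]
    hits = [h for ev in events for h in match_event(ev)]
    return {"hits": hits, "beaconing": is_beaconing(events)}


# Constructed sample: the retry loop, then the drop into %ProgramData%\WindowMan and the launch.
# The shortcut's folder is not given in the write-up, so PLACEHOLDER stands in for it.
SAMPLE_LINES = [
    '{"EventID": 22, "UtcTime": 100.0, "QueryName": "adnetwork33.redirectme.net"}',
    '{"EventID": 22, "UtcTime": 105.1, "QueryName": "adnetwork33.redirectme.net"}',
    '{"EventID": 22, "UtcTime": 110.0, "QueryName": "adnetwork33.redirectme.net"}',
    '{"EventID": 22, "UtcTime": 115.0, "QueryName": "adnetwork33.redirectme.net"}',
    '{"EventID": 11, "UtcTime": 116.0, "TargetFilename": "C:\\\\ProgramData\\\\WindowMan\\\\dwm22.exe"}',
    '{"EventID": 11, "UtcTime": 116.2, "TargetFilename": "C:\\\\ProgramData\\\\WindowMan\\\\tpe64.dll"}',
    '{"EventID": 11, "UtcTime": 116.5, "TargetFilename": "C:\\\\PLACEHOLDER\\\\WindowManager.lnk"}',
    '{"EventID": 1, "UtcTime": 117.0, "Image": "C:\\\\ProgramData\\\\WindowMan\\\\dwm22.exe"}',
]
```

Calling `triage(SAMPLE_LINES)` on the constructed sample reports all eight indicator hits and flags the beaconing; the same functions can be fed real exported Sysmon events once their timestamps are converted to seconds.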
Last update 27 August 2015