
Downloader.Sesafer


First posted on 06 August 2014.
Source: Symantec

Aliases :

There are no other names known for Downloader.Sesafer.

Explanation :

Once executed, the Trojan may drop the following files:
%ProgramFiles%\pcreg\install32.xml
%ProgramFiles%\pcreg\install64.xml
%ProgramFiles%\pcreg\installXP.xml
%ProgramFiles%\pcreg\install_service.xml
%ProgramFiles%\pcreg\msvcr100.dll
%ProgramFiles%\pcreg\pcreg.exe
%ProgramFiles%\pcreg\service.exe
%Temp%\file_[RANDOM DIGITS].exe
Next, the Trojan checks for the presence of the following file:
%ProgramFiles%\pcreg\service.exe

If the file is not present, the Trojan will download it from one of the following remote locations:
[http://]www.chatzum.com/report/downlo[REMOVED]
[http://]d2sci4fopfy9a2.cloudfront.net/SERVICE/servi[REMOVED]

The Trojan then creates a service with the following properties:
Display Name: pcregservice
Service Image Path: %ProgramFiles%\pcreg\pcreg.exe
Startup Type: Automatic
It then creates the following registry subkey to register the above service:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\pcregservice

Next, the Trojan may connect to the following remote locations:
[http://]www.shieldsoft.com/rep[REMOVED]
[http://]www.shieldsoft.com/report/getpack[REMOVED]
The Trojan may be sent a URL from the above remote locations.

The Trojan may then download and execute the following files from the received URL:
%Temp%\file_[RANDOM DIGITS].exe
%Temp%\file_to_run55[RANDOM DIGITS].exe
The Trojan then creates the following registry entries:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PCREGSERVICE\0000\Control\"NewlyCreated" = "0"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PCREGSERVICE\0000\Control\"ActiveService" = "pcregservice"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PCREGSERVICE\0000\"Service" = "pcregservice"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PCREGSERVICE\0000\"Legacy" = "1"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PCREGSERVICE\0000\"ConfigFlags" = "0"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PCREGSERVICE\0000\"Class" = "LegacyDriver"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PCREGSERVICE\0000\"ClassGUID" = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PCREGSERVICE\0000\"DeviceDesc" = "pcregservice Service"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PCREGSERVICE\"NextInstance" = "1"
It also modifies the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\"ConsentPromptBehaviorAdmin" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\"ConsentPromptBehaviorUser" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\"EnableLUA" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations\"LowRiskFileTypes" = ".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;.log;"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Attachments\"SaveZoneInformation" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Attachments\"HideZoneInfoOnProperties" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\"HideSCAHealth" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"HideSCAHealth" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations\"LowRiskFileTypes" = ".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;.log;"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\"SaveZoneInformation" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\"HideZoneInfoOnProperties" = "1"
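The file, service and registry indicators above can be turned into a read-only host triage script. The following PowerShell is an added example written for this page, not code from Symantec or from the malware write-up; it only reads the host and reports matches. The paths, service name and registry values come from the description above. Two things are assumptions rather than facts from the write-up: the script checks HKLM:\SYSTEM\CurrentControlSet in addition to ControlSet001, because the live control set is not always 001, and it treats any file in %Temp% matching file_<digits>.exe or file_to_run55<digits>.exe as a candidate dropper, which will also match unrelated files with that naming pattern. Run it from an elevated prompt so that HKLM and %ProgramFiles% are readable.

```powershell
# Added example (not from the Symantec write-up): read-only triage for the
# Downloader.Sesafer indicators. Prints findings; changes nothing on the host.

$findings = New-Object 'System.Collections.Generic.List[string]'

# 1. Dropped files under %ProgramFiles%\pcreg (file names from the write-up).
$pcregDir = Join-Path $env:ProgramFiles 'pcreg'
$droppedNames = 'install32.xml', 'install64.xml', 'installXP.xml',
                'install_service.xml', 'msvcr100.dll', 'pcreg.exe', 'service.exe'
foreach ($name in $droppedNames) {
    $path = Join-Path $pcregDir $name
    if (Test-Path -LiteralPath $path) { $findings.Add("File present: $path") }
}

# 2. %Temp%\file_[RANDOM DIGITS].exe and %Temp%\file_to_run55[RANDOM DIGITS].exe.
#    The regex is an assumption about what "[RANDOM DIGITS]" expands to.
Get-ChildItem -Path $env:TEMP -Filter 'file_*.exe' -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '^file_(to_run55)?\d+\.exe$' } |
    ForEach-Object { $findings.Add("Temp dropper candidate: $($_.FullName)") }

# 3. The pcregservice service, by service name or display name.
$services = Get-CimInstance -ClassName Win32_Service `
    -Filter "Name='pcregservice' OR DisplayName='pcregservice'" -ErrorAction SilentlyContinue
foreach ($svc in $services) {
    $findings.Add("Service: $($svc.Name) state=$($svc.State) start=$($svc.StartMode) path=$($svc.PathName)")
}

# 4. Service and legacy-device registry keys. ControlSet001 is what the write-up
#    lists; CurrentControlSet is added as an assumption (the live set may differ).
foreach ($cs in 'ControlSet001', 'CurrentControlSet') {
    foreach ($sub in "Services\pcregservice", "Enum\Root\LEGACY_PCREGSERVICE") {
        $key = "HKLM:\SYSTEM\$cs\$sub"
        if (Test-Path -LiteralPath $key) { $findings.Add("Registry key present: $key") }
    }
}

# 5. Policy values the Trojan sets. 'Bad' is the value the write-up reports;
#    'Why' is what that value does to the platform's own protections.
$policyChecks = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';      Name = 'EnableLUA';                  Bad = '0'; Why = 'UAC disabled' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';      Name = 'ConsentPromptBehaviorAdmin'; Bad = '0'; Why = 'admins elevate without a prompt' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';      Name = 'ConsentPromptBehaviorUser';  Bad = '0'; Why = 'standard-user elevation auto-denied' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments'; Name = 'SaveZoneInformation';        Bad = '1'; Why = 'zone information (Mark-of-the-Web) not saved' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments'; Name = 'HideZoneInfoOnProperties';   Bad = '1'; Why = 'zone info hidden in file properties' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer';    Name = 'HideSCAHealth';              Bad = '1'; Why = 'Security Center tray icon hidden' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments'; Name = 'SaveZoneInformation';        Bad = '1'; Why = 'zone information not saved (current user)' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments'; Name = 'HideZoneInfoOnProperties';   Bad = '1'; Why = 'zone info hidden (current user)' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer';    Name = 'HideSCAHealth';              Bad = '1'; Why = 'Security Center icon hidden (current user)' }
)
foreach ($c in $policyChecks) {
    $item = Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -ne $item) {
        $value = $item.$($c.Name)
        if ("$value" -eq $c.Bad) { $findings.Add("Registry: $($c.Key)\$($c.Name) = $value ($($c.Why))") }
    }
}

# 6. LowRiskFileTypes: the write-up's list adds executable types (.exe, .bat, .com,
#    .cmd, .msi, .reg), which suppresses the attachment-execution warning for them.
foreach ($hive in 'HKLM:\SOFTWARE', 'HKCU:\Software') {
    $key = "$hive\Microsoft\Windows\CurrentVersion\Policies\Associations"
    $item = Get-ItemProperty -Path $key -Name 'LowRiskFileTypes' -ErrorAction SilentlyContinue
    if ($null -ne $item) {
        $types = "$($item.LowRiskFileTypes)".ToLower()
        $exec = @('.exe;', '.bat;', '.com;', '.cmd;', '.msi;', '.reg;') | Where-Object { $types.Contains($_) }
        if ($exec) { $findings.Add("Registry: $key\LowRiskFileTypes marks executable types low-risk: $($exec -join ' ')") }
    }
}

# 7. Report. HKCU checks cover only the user running the script.
if ($findings.Count -eq 0) {
    Write-Output 'No Downloader.Sesafer indicators found on this host.'
} else {
    Write-Output "Downloader.Sesafer indicators found ($($findings.Count)):"
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

The policy values in section 5 are worth checking even when no pcreg files remain, since a disabled UAC, a suppressed Mark-of-the-Web and a hidden Security Center icon persist after the dropper itself is removed; each is a setting to restore as part of clean-up, and the HKCU values have to be checked under each profile that was logged on at the time of infection.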

Last update 06 August 2014
