
Trojan:Win32/Gatak.DR


First posted on 15 April 2015.
Source: Microsoft

Aliases:

There are no other names known for Trojan:Win32/Gatak.DR.

Explanation:

Threat behavior

We have seen this threat bundled alongside tools used to crack or generate software keys.

For example, we have seen this threat infect a PC in the following manner:

A user downloads and runs a file whose name ends in _keygen.exe, for example R_Studio_7_5_Build_156292_Network_Edition_keygen.exe. The file is a self-extracting archive that extracts the following two files into the %TEMP% folder and runs them:

  • a .exe file with a variable name, for example 6597.exe - the actual key generator
  • a .exe file with a variable name, for example 6118.exe - this threat, Trojan:Win32/Gatak.DR


Installation

This threat injects code into a running process, usually explorer.exe, and then deletes its own file by running the following command:

  • CMD /C SYSTEMINFO && SYSTEMINFO && SYSTEMINFO && SYSTEMINFO && SYSTEMINFO && DEL %TEMP%\6118.exe


Payload

Contacts remote host

The code injected in the explorer.exe process communicates with a remote host to report on the infection status and some information about the PC. We have seen it try to contact:

  • 62.149.166.33/report_ followed by a status string


The status string appended to report_ can be any of these:

  • crc_ok
  • gdiplus_not_ok
  • gdiplus_ok
  • image_not_ok
  • image_ok
  • image_size_not_ok
  • image_size_ok
  • image_type_not_ok
  • image_type_ok
  • mark_not_setted
  • mark_setted
  • page_err
  • page_ok
  • payload_executed
  • payload_file_delete_ok
  • payload_file_name_ok
  • payload_file_run_ok
  • payload_file_wait_ok
  • payload_file_write_ok
  • payload_mem_not_ok
  • payload_mem_ok
  • payload_not_ok
  • payload_ok
  • payload_size_ok
  • payload_type_bad
  • payload_type_exe
  • payload_type_exe_wait_del
  • payload_type_shell
  • watch2_err_1
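
The two host-based and network-based traces described above (the self-deletion command run under cmd.exe in the Installation section, and the report_ beacon with its status string) are the kind of thing a detection rule can key on. The following is an added example written for this page, not code from Microsoft or from the analysis; it assumes the log events have already been parsed into simple dictionaries (a process-creation event with a cmdline field, an HTTP event with a url field), and the sample events are constructed, not taken from a real incident. It also matches an expanded Temp path as well as the literal %TEMP% variable, since command-line logging may show either.

```python
import re
from urllib.parse import urlsplit

# Status strings the page lists as possible suffixes of the report_ beacon.
GATAK_STATUS = {
    "crc_ok", "gdiplus_not_ok", "gdiplus_ok", "image_not_ok", "image_ok",
    "image_size_not_ok", "image_size_ok", "image_type_not_ok", "image_type_ok",
    "mark_not_setted", "mark_setted", "page_err", "page_ok", "payload_executed",
    "payload_file_delete_ok", "payload_file_name_ok", "payload_file_run_ok",
    "payload_file_wait_ok", "payload_file_write_ok", "payload_mem_not_ok",
    "payload_mem_ok", "payload_not_ok", "payload_ok", "payload_size_ok",
    "payload_type_bad", "payload_type_exe", "payload_type_exe_wait_del",
    "payload_type_shell", "watch2_err_1",
}

# Beacon host named on the page. Hosts change between samples; the status
# vocabulary above is the more durable part of the signature.
BEACON_HOST = "62.149.166.33"

# Self-deletion command: cmd /c, one or more SYSTEMINFO calls chained with &&
# (they act as a delay before the file is removed; my reading, not stated on
# the page), then DEL of an .exe in the Temp folder. Accepts the literal
# %TEMP% variable or an expanded path ending in \Temp.
SELF_DELETE_RE = re.compile(
    r"^\s*cmd(?:\.exe)?\s+/c\s+(?:systeminfo\s*&&\s*)+del\s+"
    r"(?:%temp%|\S+\\temp)\\(?P<file>[^\s\\]+\.exe)\s*$",
    re.IGNORECASE,
)


def check_process_event(cmdline: str):
    """Return the deleted file name if cmdline matches the self-delete pattern."""
    m = SELF_DELETE_RE.match(cmdline)
    return m.group("file") if m else None


def parse_beacon(url: str):
    """Return the status string if url is a report_ beacon to the known host."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    if parts.hostname != BEACON_HOST:
        return None
    if not parts.path.startswith("/report_"):
        return None
    status = parts.path[len("/report_"):]
    return status or None


def is_known_status(status: str) -> bool:
    """True if the beacon suffix is one of the strings listed on the page."""
    return status in GATAK_STATUS


def scan(events):
    """Walk parsed events and return (kind, detail) findings in log order."""
    findings = []
    for ev in events:
        if ev.get("type") == "process":
            dropped = check_process_event(ev.get("cmdline", ""))
            if dropped:
                findings.append(("self_delete", dropped))
        elif ev.get("type") == "http":
            status = parse_beacon(ev.get("url", ""))
            if status:
                findings.append(("beacon", status))
    return findings


# Constructed sample events for this example (not from a real incident).
SAMPLE_EVENTS = [
    {"type": "process",
     "cmdline": r"CMD /C SYSTEMINFO && SYSTEMINFO && SYSTEMINFO && SYSTEMINFO && SYSTEMINFO && DEL %TEMP%\6118.exe"},
    {"type": "process", "cmdline": r"cmd /c systeminfo"},  # benign: no DEL
    {"type": "http", "url": "http://62.149.166.33/report_payload_executed"},
    {"type": "http", "url": "http://62.149.166.33/report_watch2_err_1"},
    {"type": "http", "url": "http://example.invalid/report_ok"},  # other host, ignored
]

if __name__ == "__main__":
    for kind, detail in scan(SAMPLE_EVENTS):
        tag = "" if kind != "beacon" or is_known_status(detail) else " (unlisted status)"
        print(f"{kind}: {detail}{tag}")
```

A beacon whose suffix is not in GATAK_STATUS is still reported, because an unlisted status is more likely a variant than a false positive; is_known_status lets a rule weight the two cases differently.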


Downloads other files, including other malware

The injected code also contains hard-coded URLs to image-sharing websites. The threat downloads a .png file from which it extracts a payload. The following are the two most common URLs we have seen it try to use:

  • hostthenpost.org/uploads/
  • www.imagesup.net/?di=


Steganography techniques are used to hide the payload data in the image file, which, after decryption, gives other URLs for the malware to connect to, including:

  • 178.33.188.140:80/service/related?sector=009637
  • 5.135.233.16:80/file/photos?handle=6890077
  • 85.234.158.245:80/company/manufacturer?play=86557
  • 87.117.255.171/tutor/inst?promo=459087
  • bpp.bppharma.com/calibre/view?present=0987667
  • cam.jeremyjiao.org:80/company/manufacturer?play=36788
  • cod.chezsimone971.com:80/encourage/help?pointed=855444
  • deid.sharpfans.org/calibre/view?present=0987667
  • flake.snowflakeproductions.com:80/service/related?sector=008643
  • img.philippe-benoit.com/calibre/view?present=0987667
  • minitravel.strangled.net/tutor/inst?promo=459087
  • mone.neenakahlon.com/calibre/view?present=0987667
  • parent.entretienparent.ca:80/service/related?sector=009445
  • reader.lifeacademyinc.com:80/encourage/help?pointed=855444
  • valter.crabdance.com/tutor/inst?promo=459087
  • ww.westwoodelementarycowboys.com:80/company/manufacturer?play=67574

Analysis by Mathieu Letourneau

Symptoms

The following can indicate that you have this threat on your PC:

  • You have these files:
    • a file whose name ends in _keygen.exe
    • a .exe file with a variable name in the %TEMP% folder, for example 6118.exe

Last update 15 April 2015
