
Win32/Bedep


First posted on 07 January 2015.
Source: Microsoft

Aliases :

There are no other names known for Win32/Bedep.

Explanation :

Threat behavior

Installation

This malware family is made up of DLLs that are known to be loaded by the Angler Exploit Kit (detected as Exploit:JS/Axpergle).

They can sometimes be installed without creating any files by being loaded directly in memory by the exploit shellcode. They can also be written to disk as a 32-bit DLL (Backdoor:Win32/Bedep.A) or 64-bit DLL (Backdoor:Win64/Bedep.A). The DLL type depends on your version of Windows.

We have seen Bedep variants installed as:

  • %ProgramData%\<{CLSID}>\.dll, for example %ProgramData%\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\acledit.dll


They can also create the following registry entries:

In subkey: HKCR\CLSID\{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}\InprocServer32

Sets value: "ThreadingModel"
With data: "Apartment"

Sets value: "(Default)"
With data: "%ProgramData%\<{CLSID}>\.dll", for example "%ProgramData%\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\acledit.dll"

Variants can use these registry entries to launch explorer.exe and inject malicious code into it.

Payload

Connects to a remote server

Bedep variants can connect to a command and control server using HTTP POST on port 443. Once connected they can be instructed to:

  • Download other malware
  • Collect information about your PC
  • Update themselves


We have seen these threats connect to the following domains:

  • aohevoloaozrkak10.com
  • avuoujqzkfqimp.com
  • blrndbpidwnxbgj.com
  • dkatcqflcaqlumcxhd.com
  • dsricnohtnwbium.com
  • emxgyboesbodszr6t.com
  • ewhvktipgdwdhcxfv.com
  • exrhmkumgbuhq2g.com
  • favtcihswsqly.com
  • ggtjcszgresakw.com
  • hgfmdwdqutcwqlc.com
  • hnrmdcvwza0m.com
  • hppzynkovgjpth.com
  • iqeuldlijtnnff.com
  • iwgqqmayowal.com
  • iyoxkwiwdvt6a.com
  • ndkcrwdfocxogjfxod.com
  • npbwstpnlqnrejm.com
  • oyrqilsgusdcdvc4.com
  • plwqwnzyigp7h.com
  • qibbfusbruoixkk.com
  • qysbxunmocpablwqmc.com
  • ynecbggcxu4x.com
  • yrmbqqncmsevoxnoh.com
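The domain list above is most useful when it is matched against what actually left the network. The following PowerShell is an added example and is not part of the Microsoft write-up: it matches outbound proxy log lines against the listed C2 domains (de-duplicated), also catching subdomains of a listed domain, and separately notes hits that have the HTTP POST on port 443 shape the write-up describes. The log format, the function name `Find-BedepC2Hits` and the sample lines are constructed for this example.

```powershell
# Added example, not part of the Microsoft write-up. The domain list is the
# write-up's, de-duplicated; the log format and sample lines are constructed.

$BedepDomains = @(
    'aohevoloaozrkak10.com',  'avuoujqzkfqimp.com',     'blrndbpidwnxbgj.com',
    'dkatcqflcaqlumcxhd.com', 'dsricnohtnwbium.com',    'emxgyboesbodszr6t.com',
    'ewhvktipgdwdhcxfv.com',  'exrhmkumgbuhq2g.com',    'favtcihswsqly.com',
    'ggtjcszgresakw.com',     'hgfmdwdqutcwqlc.com',    'hnrmdcvwza0m.com',
    'hppzynkovgjpth.com',     'iqeuldlijtnnff.com',     'iwgqqmayowal.com',
    'iyoxkwiwdvt6a.com',      'ndkcrwdfocxogjfxod.com', 'npbwstpnlqnrejm.com',
    'oyrqilsgusdcdvc4.com',   'plwqwnzyigp7h.com',      'qibbfusbruoixkk.com',
    'qysbxunmocpablwqmc.com', 'ynecbggcxu4x.com',       'yrmbqqncmsevoxnoh.com'
)

function Find-BedepC2Hits {
    param(
        [string[]]$LogLines,
        [string[]]$Domains = $BedepDomains
    )
    # case-insensitive set of known C2 domains
    $known = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
    foreach ($d in $Domains) { [void]$known.Add($d) }

    $hits = @()
    foreach ($line in $LogLines) {
        # constructed format: <timestamp> <client-ip> <method> <host>:<port>
        $f = $line.Trim() -split '\s+'
        if ($f.Count -lt 4) { continue }
        $hostName, $port = $f[3] -split ':', 2
        $hostName = $hostName.TrimEnd('.').ToLowerInvariant()

        # also match a subdomain of a listed domain (e.g. cdn.<listed>.com)
        $labels = $hostName.Split('.')
        $apex = if ($labels.Count -ge 2) { $labels[-2..-1] -join '.' } else { $hostName }

        if ($known.Contains($hostName) -or $known.Contains($apex)) {
            # the write-up says Bedep uses HTTP POST on port 443; call that shape out
            $note = ''
            if ($f[2] -eq 'POST' -and $port -eq '443') { $note = 'POST to 443 (Bedep C2 pattern)' }
            $hits += [pscustomobject]@{
                Time   = $f[0]
                Client = $f[1]
                Method = $f[2]
                Host   = $hostName
                Port   = $port
                Note   = $note
            }
        }
    }
    return $hits
}

# Constructed sample log lines (not real traffic): lines 2 and 3 should match
$sampleLog = @(
    '2015-01-07T10:12:01Z 10.0.0.15 GET  www.example.com:80',
    '2015-01-07T10:12:05Z 10.0.0.15 POST avuoujqzkfqimp.com:443',
    '2015-01-07T10:12:09Z 10.0.0.22 POST cdn.hgfmdwdqutcwqlc.com:443',
    '2015-01-07T10:12:14Z 10.0.0.15 GET  update.example.org:443'
)
Find-BedepC2Hits -LogLines $sampleLog | Format-Table -AutoSize
```

To run it over a real export, replace `$sampleLog` with `Get-Content <proxy-log-file>` and adjust the field positions in the `-split` to the proxy's actual column order. Exact-domain matching only covers the domains observed at the time of the write-up, so a clean result here does not rule out an infection; the registry and process checks under Symptoms are the stronger host-side signal.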


Downloads other malware

We have seen Bedep variants download other malware, including variants from the following malware families:

  • Dofoil
  • Ursnif
  • Zemot


The downloaded files can be installed and run as:

  • \Windows Genuine Advantage\\msiexec.exe, for example \Windows Genuine Advantage\{928C853C-BDFF-4BC7-99C1-E7E71BF13117}\msiexec.exe
  • %windir%\Installer\\msiexec.exe, for example %windir%\Installer\{65AD4B7E-2946-48AF-B4AC-551395548435}\msiexec.exe




Analysis by Jonathan San Jose

Symptoms

The following can indicate that you have this threat on your PC:

  • You see these entries or keys in your registry:

    In subkey: HKEY_CLASSES_ROOT\CLSID\{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}\InprocServer32
    Sets value: "Apartment"
    With data: "%ProgramData%\<{CLSID}>\.dll", for example "%ProgramData%\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\acledit.dll"

    In subkey: HKEY_CLASSES_ROOT\Drive\ShellEx\FolderExtensions\{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}
    Sets value: "DriveMask"
    With data: "dword:ffffffff"
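The registry indicators above (and the same InprocServer32 entries described under Installation) can be checked without touching the registry. The following PowerShell is an added example, not part of the Microsoft write-up: it looks for the named CLSID's InprocServer32 entry in both the native and the WOW6432Node view (the write-up says the DLL can be 32-bit or 64-bit), for the Drive\ShellEx\FolderExtensions entry, and for modules explorer.exe has loaded from under %ProgramData%. Step 3 is this example's own generalisation: it flags any CLSID whose in-process server is a DLL under %ProgramData%\{GUID}\, the layout the write-up describes, and is not a claim the write-up makes. The function names and output columns are this example's own.

```powershell
# Added example, not part of the Microsoft write-up: read-only hunt for the Bedep
# persistence indicators. Run from an elevated, 64-bit PowerShell prompt.
# The CLSID, key names and the %ProgramData%\{GUID}\<name>.dll layout come from
# the write-up; function names and output shape are this example's own.

$BedepClsid = '{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}'
# matches "\{GUID}\<name>.dll" at the end of a path (the layout the write-up describes)
$GuidDirDll = '\\\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}\\[^\\]+\.dll$'

function Get-InprocServerEntry {
    param([string]$ClsidKeyPath)   # e.g. Registry::HKEY_CLASSES_ROOT\CLSID\{...}
    $inproc = "$ClsidKeyPath\InprocServer32"
    if (-not (Test-Path -LiteralPath $inproc)) { return $null }
    $props = Get-ItemProperty -LiteralPath $inproc -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $null }
    [pscustomobject]@{
        Key            = $inproc
        Default        = [string]$props.'(default)'    # the DLL path
        ThreadingModel = [string]$props.ThreadingModel
    }
}

function Test-ProgramDataGuidDll {
    param([string]$PathValue)
    if ([string]::IsNullOrWhiteSpace($PathValue)) { return $false }
    $expanded    = [Environment]::ExpandEnvironmentVariables($PathValue.Trim('"'))
    $programData = [Environment]::GetFolderPath('CommonApplicationData')
    return ($expanded -like "$programData\*") -and ($expanded -match $GuidDirDll)
}

function Find-BedepIndicators {
    $findings = @()
    $hkcr = 'Registry::HKEY_CLASSES_ROOT'

    # 1. The exact CLSID from the write-up, in the native and the WOW6432Node view
    foreach ($view in @('CLSID', 'WOW6432Node\CLSID')) {
        $entry = Get-InprocServerEntry "$hkcr\$view\$BedepClsid"
        if ($entry) {
            $findings += [pscustomobject]@{
                Indicator = 'Known Bedep CLSID has an InprocServer32'
                Location  = $entry.Key
                Value     = "$($entry.Default) (ThreadingModel=$($entry.ThreadingModel))"
            }
        }
    }

    # 2. The Drive shell-extension entry that makes explorer.exe load that CLSID
    $shellExt = "$hkcr\Drive\ShellEx\FolderExtensions\$BedepClsid"
    if (Test-Path -LiteralPath $shellExt) {
        $mask = (Get-ItemProperty -LiteralPath $shellExt -ErrorAction SilentlyContinue).DriveMask
        $findings += [pscustomobject]@{
            Indicator = 'Drive\ShellEx\FolderExtensions entry for Bedep CLSID'
            Location  = $shellExt
            Value     = 'DriveMask=0x{0:x}' -f [int64]($mask -band 0xFFFFFFFF)
        }
    }

    # 3. Generalisation (this example's assumption, not a page claim): any CLSID whose
    #    in-process server lives under %ProgramData%\{GUID}\, the layout Bedep uses
    foreach ($view in @('CLSID', 'WOW6432Node\CLSID')) {
        $keys = Get-ChildItem -LiteralPath "$hkcr\$view" -ErrorAction SilentlyContinue
        foreach ($k in $keys) {
            $entry = Get-InprocServerEntry $k.PSPath
            if ($entry -and (Test-ProgramDataGuidDll $entry.Default)) {
                $findings += [pscustomobject]@{
                    Indicator = 'InprocServer32 DLL under ProgramData\{GUID}\'
                    Location  = $entry.Key
                    Value     = $entry.Default
                }
            }
        }
    }

    # 4. Modules already mapped into explorer.exe from under %ProgramData%
    #    (the write-up says the code is injected into explorer.exe); needs elevation
    $programData = [Environment]::GetFolderPath('CommonApplicationData')
    foreach ($p in (Get-Process -Name explorer -ErrorAction SilentlyContinue)) {
        try {
            foreach ($m in $p.Modules) {
                if ($m.FileName -like "$programData\*") {
                    $findings += [pscustomobject]@{
                        Indicator = 'explorer.exe module loaded from ProgramData'
                        Location  = "explorer.exe PID $($p.Id)"
                        Value     = $m.FileName
                    }
                }
            }
        } catch { }   # a process we are not allowed to inspect: skip it
    }
    return $findings
}

$results = Find-BedepIndicators
if (-not $results) { 'No Bedep indicators found.' } else { $results | Format-Table -AutoSize }
```

Step 3 walks every CLSID on the machine and takes a little while; it can also surface legitimate software that installs COM servers under %ProgramData%, so treat its hits as leads to inspect (signer, creation time, the DLL itself) rather than as confirmed detections. Steps 1 and 2 are exact matches on the write-up's indicators and deserve immediate follow-up.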

Last update 07 January 2015
