
Trojan:Win32/Bunhi.A


First posted on 13 June 2013.
Source: Microsoft

Aliases:

There are no other names known for Trojan:Win32/Bunhi.A.

Explanation:



Installation

At the time of analysis, we are unable to determine how the trojan might be downloaded onto your computer, installed, or run.



Payload

Steals computer information

The trojan runs certain commands which steal the following information about your computer:

  • information about your network adapters, using the command: <system folder>\liveupdate.exe /c ipconfig /all>>%ProgramFiles%\HIBUN-AE\bin\sfcsrv.dat
  • information about network connections on your computer, using the command: <system folder>\liveupdate.exe /c netstat -ano>>%ProgramFiles%\HIBUN-AE\bin\sfcsrv.dat
  • a list of running processes, using the command: <system folder>\liveupdate.exe /c tasklist>>%ProgramFiles%\HIBUN-AE\bin\sfcsrv.dat
  • a list of active network shares, using the command: <system folder>\liveupdate.exe /c net use>>%ProgramFiles%\HIBUN-AE\bin\sfcsrv.dat


Note: The file liveupdate.exe may be a renamed copy of the system file cmd.exe. The file may have been renamed by other malware that may be installed alongside Trojan:Win32/Bunhi.A.

The trojan stores this stolen information in the file %ProgramFiles%\HIBUN-AE\bin\sfcsrv.dat.

The trojan also runs the following command, which may take a screenshot of your computer and save it as %ProgramFiles%\HIBUN-AE\bin\sxdmksel<month><day><hour><minute>.dat:

  • %ProgramFiles%\HIBUN-AE\bin\sfcscrn.exe savescreenshot %ProgramFiles%\HIBUN-AE\bin\sxdmksel<month><day><hour><minute>.dat
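The four discovery commands, the renamed cmd.exe and the screenshot command above are all visible in process-creation telemetry. The following detection logic is an added example and is not part of the Microsoft write-up; the event field names (RecordId, Image, OriginalFileName, CommandLine) and the sample events are constructed for the example and loosely modelled on typical process-creation logs. The renamed-cmd.exe rule relies on the PE version resource's original file name, which a plain rename does not change, so it also generalises to renamed copies that are not called liveupdate.exe.

```python
import re
from pathlib import PureWindowsPath

# Discovery commands the advisory lists as being run through the renamed cmd.exe copy.
DISCOVERY_COMMANDS = ("ipconfig /all", "netstat -ano", "tasklist", "net use")

# Output appended to the collection file named in the advisory. A logged command
# line may carry the literal %ProgramFiles% or its expanded form, so only the
# tail of the path is matched.
COLLECTION_FILE = re.compile(r">>.*?\\hibun-ae\\bin\\sfcsrv\.dat", re.IGNORECASE)

# Screenshot command from the advisory: sfcscrn.exe savescreenshot ...\sxdmksel<MMDDhhmm>.dat
SCREENSHOT_CMD = re.compile(
    r"\\hibun-ae\\bin\\sfcscrn\.exe\"?\s+savescreenshot\s+.*\\sxdmksel\d+\.dat",
    re.IGNORECASE,
)


def check_event(event):
    """Return the names of the rules one process-creation event matches.

    `event` is a dict with the (assumed) keys Image, OriginalFileName and CommandLine.
    """
    hits = []
    image = PureWindowsPath(event.get("Image", "")).name.lower()
    original = event.get("OriginalFileName", "").lower()
    cmdline = event.get("CommandLine", "")

    # Rule 1: the PE version resource says cmd.exe but the file runs under another
    # name, which is how a renamed copy such as liveupdate.exe shows up.
    if original == "cmd.exe" and image != "cmd.exe":
        hits.append("renamed_cmd")

    # Rule 2: one of the discovery commands with its output appended to sfcsrv.dat.
    if COLLECTION_FILE.search(cmdline) and any(
        cmd in cmdline.lower() for cmd in DISCOVERY_COMMANDS
    ):
        hits.append("discovery_to_sfcsrv_dat")

    # Rule 3: screenshot written next to the collection file.
    if SCREENSHOT_CMD.search(cmdline):
        hits.append("screenshot_capture")
    return hits


def scan_events(events):
    """Map each event's RecordId to the rules it triggers, skipping clean events."""
    findings = {}
    for event in events:
        hits = check_event(event)
        if hits:
            findings[event["RecordId"]] = hits
    return findings


# Constructed sample telemetry (not real logs): one discovery command run through
# the renamed cmd.exe, one legitimate cmd.exe run, and the screenshot command.
SAMPLE_EVENTS = [
    {
        "RecordId": 1,
        "Image": r"C:\Windows\System32\liveupdate.exe",
        "OriginalFileName": "Cmd.Exe",
        "CommandLine": r"liveupdate.exe /c ipconfig /all>>%ProgramFiles%\HIBUN-AE\bin\sfcsrv.dat",
    },
    {
        "RecordId": 2,
        "Image": r"C:\Windows\System32\cmd.exe",
        "OriginalFileName": "Cmd.Exe",
        "CommandLine": r"cmd.exe /c ipconfig /all",
    },
    {
        "RecordId": 3,
        "Image": r"C:\Program Files\HIBUN-AE\bin\sfcscrn.exe",
        "OriginalFileName": "",
        "CommandLine": r'"C:\Program Files\HIBUN-AE\bin\sfcscrn.exe" savescreenshot "C:\Program Files\HIBUN-AE\bin\sxdmksel06131045.dat"',
    },
]

if __name__ == "__main__":
    for record_id, hits in scan_events(SAMPLE_EVENTS).items():
        print(record_id, hits)
```

Rule 2 deliberately keys on the collection file rather than on the discovery commands alone, since ipconfig, netstat, tasklist and net use are routine on administrators' machines; rule 1 fires on its own and is the stronger signal.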


Scans ports

The trojan may conduct a series of "port scans". It may be doing this in an attempt to find an open port or connection on a network, possibly to exploit a vulnerability.

This trojan looks up the IP addresses for the host aknsopfs1 and starts a port scan against them on ports 139 and 445. It stores the results of these port scans in the file %ProgramFiles%\HIBUN-AE\bin\sfcsrv.dat.

It also looks up the IP addresses for the host nd3afsv and performs a port scan on those and the following IP addresses, on ports 21, 22, 23, 80, 139, 443, 445, 3389, and 13500:

  • 10.16.247.143
  • 10.32.1.195
  • 130.152.13.43
  • 130.152.14.118
  • 130.152.17.200
  • 130.152.9.149
  • 130.194.34.1
  • 192.168.0.10
  • 192.168.116.2


It also stores the results of these port scans in the file %ProgramFiles%\HIBUN-AE\bin\sfcsrv.dat.
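On the network side, the behaviour described above shows up as name lookups for aknsopfs1 and nd3afsv followed by one process touching many ports on one destination in a short time. The following detection logic is an added example and is not part of the Microsoft write-up; the event field names (ts, pid, dst_ip, dst_port, query) and the sample events are constructed for the example. The port list, hostnames and target addresses are taken from the advisory, but the fan-out rule itself is generic and flags any process that probes several distinct ports on one host within the window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Ports, hostnames and target addresses named in the advisory.
ADVISORY_PORTS = {21, 22, 23, 80, 139, 443, 445, 3389, 13500}
ADVISORY_HOSTS = {"aknsopfs1", "nd3afsv"}
ADVISORY_TARGETS = {
    "10.16.247.143", "10.32.1.195", "130.152.13.43", "130.152.14.118",
    "130.152.17.200", "130.152.9.149", "130.194.34.1", "192.168.0.10",
    "192.168.116.2",
}


def detect_port_scans(conn_events, min_ports=3, window=timedelta(seconds=60)):
    """Flag a process that touches at least `min_ports` distinct ports on one
    destination within `window`. Each event is a dict with the (assumed) keys
    ts (datetime), pid, dst_ip and dst_port."""
    by_key = defaultdict(list)
    for ev in conn_events:
        by_key[(ev["pid"], ev["dst_ip"])].append((ev["ts"], ev["dst_port"]))

    alerts = []
    for (pid, dst_ip), attempts in by_key.items():
        attempts.sort()
        best = set()
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward until every kept attempt fits in `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            ports = {port for _, port in attempts[start:end + 1]}
            if len(ports) > len(best):
                best = ports
        if len(best) >= min_ports:
            alerts.append({
                "pid": pid,
                "dst_ip": dst_ip,
                "ports": sorted(best),
                "advisory_target": dst_ip in ADVISORY_TARGETS,
                "advisory_ports_only": best <= ADVISORY_PORTS,
            })
    return alerts


def detect_host_lookups(dns_events):
    """Return DNS query events whose first label is one of the advisory hostnames."""
    return [ev for ev in dns_events
            if ev["query"].lower().split(".")[0] in ADVISORY_HOSTS]


def at_second(second):
    """Timestamp helper for the constructed samples below."""
    return datetime(2013, 6, 13, 10, 45, second)


# Constructed sample telemetry (not real logs): one process sweeping the advisory's
# port list on one target, and one process making ordinary repeated HTTPS connections.
SAMPLE_CONNECTIONS = [
    {"ts": at_second(i), "pid": 4120, "dst_ip": "192.168.0.10", "dst_port": port}
    for i, port in enumerate(sorted(ADVISORY_PORTS))
] + [
    {"ts": at_second(5), "pid": 880, "dst_ip": "10.0.0.5", "dst_port": 443},
    {"ts": at_second(30), "pid": 880, "dst_ip": "10.0.0.5", "dst_port": 443},
]
SAMPLE_DNS = [
    {"ts": at_second(0), "pid": 4120, "query": "aknsopfs1"},
    {"ts": at_second(1), "pid": 4120, "query": "nd3afsv.corp.example"},
    {"ts": at_second(2), "pid": 880, "query": "www.example.com"},
]

if __name__ == "__main__":
    for alert in detect_port_scans(SAMPLE_CONNECTIONS):
        print(alert)
    for ev in detect_host_lookups(SAMPLE_DNS):
        print("lookup of advisory host:", ev["query"])
```

The hostname rule matches on the first DNS label only, because a short name such as nd3afsv is normally completed with the client's search suffix before it reaches the resolver log.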



Analysis by Stefan Sellmer

Last update 13 June 2013
