
Trojan:Win32/ShadowPad


First posted on 07 October 2017.
Source: Microsoft

Aliases :

There are no other names known for Trojan:Win32/ShadowPad.

Explanation :

Installation
The malware is embedded in a signed DLL named "nssock2.dll" that ships as part of a legitimate software package. When the software is installed and run, the DLL is loaded with it and in turn executes the backdoor. The same DLL also contains the legitimate functionality the software needs, so removing it may impair the software; and because the DLL carries a valid signature, code-signing checks alone will not flag it.

Payload
Queries randomly-generated domain names to run malicious modules
When run, this threat generates one new domain name each month and sends DNS queries for that pseudo-randomly generated domain to public DNS servers. The response to such a query may contain configuration data for the backdoor, including decryption keys that let the malware decrypt and run additional malicious modules. The domains generated for the whole of 2015, 2016 and 2017 (one per month, 36 in total) are:

  • babkrglwhwf.com
  • bafyvoruzgjitwr.com
  • bktmpqpmxst.com
  • dghqjqzavqn.com
  • dqzsdadqlmb.com
  • foryzedensrcd.com
  • helolupazyjwpmh.com
  • hepglcvyrinev.com
  • huxerorebmzir.com
  • jkvmdmjyfcvkf.com
  • jujaxshudofyhep.com
  • jyhmhgvipodapyh.com
  • lenszqjmdilgdoz.com
  • lofutenctezchqp.com
  • lsbctwhebuv.com
  • nizkfqzyfkr.com
  • nylalobghyhirgh.com
  • pcrqbuzmhqhsr.com
  • psdghsbujex.com
  • ribotqtonut.com
  • rmxwpenqvkpyb.com
  • rstqnaxedqd.com
  • rwpynsrglgzuf.com
  • tcvibcfkzalat.com
  • tczafklirkl.com
  • tgpupqtylejgb.com
  • tmnkzqjapwvax.com
  • tqhejwrujqtudof.com
  • vgfmvujonglwrgr.com
  • vwnkxgfuxkbanex.com
  • vwrcbohspufip.com
  • xmlwjexobatcfwj.com
  • xmponmzmxkxkh.com
  • xwdyhobirwhyjyz.com
  • zgjevclifqpexor.com
  • zuvadsxstcx.com
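The list above is the indicator a responder can act on right away: any internal host that has queried one of these names is a candidate for carrying the backdoored nssock2.dll. The script below is an added example (not part of the original write-up) that matches resolver log lines against the 36 domains, normalising case, trailing dots and subdomain prefixes before the comparison. The domain set is copied from the list above; the log lines and their layout (timestamp, client IP, query type, queried name) are constructed for the demonstration and will need a different LINE_RE for a real Windows DNS debug log or Zeek dns.log.

```python
import re
from collections import defaultdict

# Domain list copied from the write-up above (2015-2017, one per month).
SHADOWPAD_DGA_DOMAINS = frozenset({
    "babkrglwhwf.com", "bafyvoruzgjitwr.com", "bktmpqpmxst.com",
    "dghqjqzavqn.com", "dqzsdadqlmb.com", "foryzedensrcd.com",
    "helolupazyjwpmh.com", "hepglcvyrinev.com", "huxerorebmzir.com",
    "jkvmdmjyfcvkf.com", "jujaxshudofyhep.com", "jyhmhgvipodapyh.com",
    "lenszqjmdilgdoz.com", "lofutenctezchqp.com", "lsbctwhebuv.com",
    "nizkfqzyfkr.com", "nylalobghyhirgh.com", "pcrqbuzmhqhsr.com",
    "psdghsbujex.com", "ribotqtonut.com", "rmxwpenqvkpyb.com",
    "rstqnaxedqd.com", "rwpynsrglgzuf.com", "tcvibcfkzalat.com",
    "tczafklirkl.com", "tgpupqtylejgb.com", "tmnkzqjapwvax.com",
    "tqhejwrujqtudof.com", "vgfmvujonglwrgr.com", "vwnkxgfuxkbanex.com",
    "vwrcbohspufip.com", "xmlwjexobatcfwj.com", "xmponmzmxkxkh.com",
    "xwdyhobirwhyjyz.com", "zgjevclifqpexor.com", "zuvadsxstcx.com",
})
assert len(SHADOWPAD_DGA_DOMAINS) == 36  # one domain per month, 3 years

# Constructed sample resolver log (not real traffic). The layout
# "<timestamp> <client-ip> <qtype> <qname>" is an assumption for the demo;
# adapt LINE_RE to the log format you actually have.
SAMPLE_LOG = """\
2017-09-03T10:11:02Z 10.1.4.27 A www.microsoft.com
2017-09-03T10:11:09Z 10.1.4.27 TXT tczafklirkl.com
2017-09-03T10:12:44Z 10.1.4.58 A updates.example.net
2017-09-03T10:13:01Z 10.1.4.27 TXT TCZAFKLIRKL.COM.
2017-09-03T10:15:17Z 10.1.4.91 A cdn.babkrglwhwf.com
garbage line that does not parse
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qtype>\S+)\s+(?P<qname>\S+)$"
)


def registered_domain(qname: str) -> str:
    """Normalise a queried name (case, trailing dot) and reduce it to its last
    two labels, e.g. 'cdn.Tczafklirkl.COM.' -> 'tczafklirkl.com'. Every domain
    on the list is a second-level .com name, so two labels suffice here; a
    general tool would consult a public-suffix list instead."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def find_dga_hits(log_text: str) -> list:
    """Return one dict per log line whose queried name maps to a listed domain.
    Any query type is flagged: the write-up only says the malware queries the
    domain, so do not restrict this to one record type. Unparseable lines are
    skipped so one odd line does not abort a large scan."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        domain = registered_domain(m["qname"])
        if domain in SHADOWPAD_DGA_DOMAINS:
            hits.append({"ts": m["ts"], "client": m["client"],
                         "qtype": m["qtype"], "domain": domain})
    return hits


def clients_per_domain(hits: list) -> dict:
    """Group hits by domain so the responder sees which internal hosts asked
    for which DGA name; each client listed is a host to pull nssock2.dll from."""
    grouped = defaultdict(set)
    for h in hits:
        grouped[h["domain"]].add(h["client"])
    return {d: sorted(c) for d, c in grouped.items()}


if __name__ == "__main__":
    for domain, clients in clients_per_domain(find_dga_hits(SAMPLE_LOG)).items():
        print(f"{domain}: {', '.join(clients)}")
```

On the constructed sample the scan reports 10.1.4.27 for tczafklirkl.com and 10.1.4.91 for babkrglwhwf.com; the mixed-case, dot-terminated and subdomain-prefixed variants are all caught by the normalisation, which is the part naive string matching on raw log lines gets wrong.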

The malware may create the following registry keys to store its configuration data and possibly other binary modules:
  • HKLM\Software\[DECIMAL DIGITS]
  • HKCU\Software\[DECIMAL DIGITS]
  • HKLM\Software\Microsoft\[RANDOM CHARACTERS]
  • HKCU\Software\Microsoft\[RANDOM CHARACTERS]
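The registry locations above are the second host-side indicator. As an added example, not part of the original write-up, the script below hunts for them. The all-digits pattern under HKLM\Software and HKCU\Software is matched exactly. The page gives no definition of "random characters" for the Software\Microsoft keys, so that pattern is handled the way a practitioner would in the field: by diffing the subkey names against a baseline captured from a known-clean machine of the same build. BASELINE_MICROSOFT and SAMPLE_SUBKEYS are constructed placeholders for the demonstration; the live enumeration uses the standard winreg module and only runs on Windows.

```python
r"""Hunt for ShadowPad configuration keys (added example, see lead-in)."""
import re
import sys

DECIMAL_NAME = re.compile(r"^\d+$")

# Constructed placeholder baseline; replace it with the subkey names exported
# from HKLM\Software\Microsoft on a clean reference machine of the same build.
BASELINE_MICROSOFT = frozenset({
    "Windows", "Windows NT", "Cryptography", "Internet Explorer", ".NETFramework",
})

# Constructed sample of what enumeration might return on an infected host.
SAMPLE_SUBKEYS = {
    r"HKLM\Software": ["7-Zip", "Classes", "Microsoft", "1438976310", "Policies"],
    r"HKCU\Software": ["Microsoft", "Policies", "3290117"],
    r"HKLM\Software\Microsoft": ["Windows", "Windows NT", "Cryptography", "jqzfhwtrk"],
    r"HKCU\Software\Microsoft": ["Windows", "Internet Explorer"],
}


def suspicious_software_subkeys(names):
    r"""Subkeys named only with decimal digits directly under HKxx\Software,
    the first pattern from the write-up. Legitimate software practically never
    names its vendor key this way, so this is a high-confidence match."""
    return sorted(n for n in names if DECIMAL_NAME.match(n))


def unbaselined_microsoft_subkeys(names, baseline=BASELINE_MICROSOFT):
    r"""Subkeys under HKxx\Software\Microsoft that are absent from the clean
    baseline. A random-name key of the second pattern lands here, but so does
    any legitimate key the baseline lacks: review these, do not auto-delete."""
    return sorted(n for n in names if n not in baseline)


def hunt(subkeys):
    """Map each parent path to the subkey names worth investigating."""
    findings = {}
    for path, names in subkeys.items():
        if path.lower().endswith(r"\microsoft"):
            hits = unbaselined_microsoft_subkeys(names)
        else:
            hits = suspicious_software_subkeys(names)
        if hits:
            findings[path] = hits
    return findings


def enumerate_live(wow64_32=False):
    """Read the four parent keys from the live registry (Windows only).
    Call once with wow64_32=False and once with True: a 32-bit host process
    loading nssock2.dll has its HKLM\\Software writes redirected to the
    32-bit view (WOW6432Node), which the 64-bit view does not show."""
    import winreg
    view = winreg.KEY_WOW64_32KEY if wow64_32 else winreg.KEY_WOW64_64KEY
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    out = {}
    for hive_name, hive in hives.items():
        for sub in (r"Software", r"Software\Microsoft"):
            names = []
            with winreg.OpenKey(hive, sub, 0, winreg.KEY_READ | view) as k:
                i = 0
                while True:
                    try:
                        names.append(winreg.EnumKey(k, i))
                    except OSError:  # EnumKey raises when no more subkeys
                        break
                    i += 1
            out[f"{hive_name}\\{sub}"] = names
    return out


if __name__ == "__main__":
    data = enumerate_live() if sys.platform == "win32" else SAMPLE_SUBKEYS
    for path, names in hunt(data).items():
        print(path, "->", ", ".join(names))
```

On the constructed sample the hunt reports 1438976310 under HKLM\Software, 3290117 under HKCU\Software and jqzfhwtrk under HKLM\Software\Microsoft; the clean HKCU\Software\Microsoft branch produces no finding. A key flagged this way is the place to look for the stored configuration and module blobs the write-up mentions, so export it before cleaning so the decryption keys and modules are preserved for analysis.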


Analysis by Andrea Lelli

Last update 07 October 2017
