
Trojan:Win32/Adylkuzz.B


First posted on 20 May 2017.
Source: Microsoft

Aliases :

There are no other names known for Trojan:Win32/Adylkuzz.B.

Explanation :

Installation

This threat terminates the following processes upon execution:

  • hdmanager.exe
  • mmc.exe
  • msiexev.exe - coin-mining process


It terminates any existing instance of its coin-mining process. This behavior indicates that it can update an existing version of this threat on the infected machine.

While running, it can also terminate processes related to tools that can be used to view running processes like Task Manager and Process Explorer.

It also checks for certain processes, most of which belong to antivirus products:
  • 360sd.exe
  • avastsvc.exe
  • avgnsx.exe
  • avguard.exe
  • avp.exe
  • ccsvchst.exe
  • fsdfwd.exe
  • guardxservice.exe
  • kwatch.exe
  • mcshield.exe
  • msseces.exe
  • nod32krn.exe
  • qhlpsvc.exe
  • ravmon.exe
  • sfctlcom.exe
  • spidernt.exe
  • xcomsvr.exe



Adds files

This threat can add any of the following files:
  • C:\Windows\Prefetch\wuauser.exe - copy of the malware
  • C:\Windows\security\msiexev.exe - miner executable
  • C:\Windows\Prefetch\history.txt
  • C:\Windows\Prefetch\id.txt
  • C:\Windows\Fonts\wuauser.exe - copy of the malware
  • C:\Windows\Fonts\msiexev.exe - miner executable
  • C:\Windows\Fonts\history.txt
  • C:\Windows\Fonts\id.txt
  • C:\Windows\Temp\{random}._Miner_.log (example: C:\Windows\Temp\s244._Miner_.log)


Creates a service

This threat then creates a service so that it automatically runs upon system start-up.
Example of the service name that it uses:
  • Windows Event Log Management


Below is a screenshot of the service created:

Related registry entries

It creates the following registry entries (the service configuration) so that it runs each time you start your PC. For example:

In subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WELM
Sets value: "Type"
With data: "dword:00000010"
Sets value: "Start"
With data: "dword:00000002"
Sets value: "ErrorControl"
With data: "dword:00000000"
Sets value: "ImagePath"
With data: "hex(2):"C:\Windows\Fonts\wuauser.exe --server"
Sets value: "DisplayName"
With data: "Windows Event Log Management"
Sets value: "WOW64"
With data: "dword:00000001"
Sets value: "ObjectName"
With data: "LocalSystem"
Sets value: "FailureActions"
With data: "hex:10,0e,00,00,00,00,00,00,00,00,00,00,01,00,00,00,14,00,00,00,01,00,00,00,60,ea,00,00"
Sets value: "Description"
With data: "Windows Provides Event Log to access management information"

Payload

Stops and deletes the following services

Before installing itself, it stops and deletes any of the following services to terminate any instance or previous version that may be running on your PC:
  • sc stop WELM
  • sc delete WELM
  • sc stop WHDMIDE
  • sc delete WHDMIDE


This behavior also indicates that it can update an existing version of the threat on the infected machine.

Blocks ports and allows certain files in the firewall

This threat can create an IPsec policy named netbc to block incoming SMB (Server Message Block) connections on TCP port 445 to the infected machine.

To do so, this threat issues any of the following commands:

netsh ipsec static add policy name=netbc
netsh ipsec static add filterlist name=block
netsh ipsec static add filteraction name=block action=block
netsh ipsec static add filter filterlist=block any srcmask=32 srcport=0 dstaddr=me dstport=445 protocol=tcp description=445
netsh ipsec static add rule name=block policy=netbc filterlist=block filteraction=block
netsh ipsec static set policy name=netbc assign=y

It can also add Firewall rules to allow connections done by certain files:

netsh advfirewall firewall add rule name="Chrome" dir=in program="C:\Program Files (x86)\Google\Chrome\Application\chrome.txt" action=allow
netsh advfirewall firewall add rule name="Windriver" dir=in program="C:\Program Files (x86)\Hardware Driver Management\windriver.exe" action=allow

Runs a coin miner executable

This trojan is a coin miner. It runs a clean (legitimate, non-malicious) coin miner executable with certain parameters to start the mining process.

See an example of the coin miner executable command below:



Connects to a remote host

We have seen this threat connect to any of the following remote hosts:
  • 08.super5566.com
  • am.super1024.com


It connects to a remote host to do any of the following:
  • Download additional component files, such as the coin miner executable and its mining parameters
  • Download and execute a newer version of itself
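The process, service, file and netsh indicators listed in the sections above can be turned into simple process-command-line detection rules. The following is an added example for defenders, not code from the original write-up: the pattern names, the sample log lines and the scan functions are all constructed here, and the rules only encode indicators that appear on this page.

```python
import re

# Indicators from the write-up above (service names, dropped paths, netsh commands).
# Pattern names are my own; the sample log lines further down are constructed.
INDICATORS = [
    ("ipsec_policy_netbc",
     re.compile(r"netsh\s+ipsec\s+static\s+add\s+policy\s+name=netbc", re.I)),
    ("ipsec_block_445",
     re.compile(r"netsh\s+ipsec\s+static\s+add\s+filter\b.*dstport=445", re.I)),
    ("service_welm_tamper",
     re.compile(r"\bsc\s+(stop|delete)\s+(WELM|WHDMIDE)\b", re.I)),
    ("dropper_wuauser",
     re.compile(r"C:\\Windows\\(Fonts|Prefetch)\\wuauser\.exe", re.I)),
    # msiexev.exe mimics msiexec.exe; the pattern must not fire on the real installer.
    ("miner_msiexev", re.compile(r"\\msiexev\.exe\b", re.I)),
    ("firewall_chrome_txt",
     re.compile(r"netsh\s+advfirewall\s+firewall\s+add\s+rule\b.*chrome\.txt", re.I)),
]


def scan_command_lines(lines):
    """Return (line_number, indicator_name) for each process command line that matches."""
    hits = []
    for n, line in enumerate(lines, 1):
        for name, pat in INDICATORS:
            if pat.search(line):
                hits.append((n, name))
    return hits


def indicator_counts(lines):
    """Aggregate hits per indicator, e.g. as input for a SIEM rule threshold."""
    counts = {}
    for _, name in scan_command_lines(lines):
        counts[name] = counts.get(name, 0) + 1
    return counts


# Constructed process-creation command lines (Sysmon event 1 / 4688 style), not real telemetry.
SAMPLE_LOG = [
    r"C:\Windows\System32\cmd.exe /c sc stop WELM",
    r"netsh ipsec static add policy name=netbc",
    r"netsh ipsec static add filter filterlist=block any srcmask=32 srcport=0 dstaddr=me dstport=445 protocol=tcp description=445",
    r"C:\Windows\Fonts\wuauser.exe --server",
    r"C:\Windows\System32\msiexec.exe /i setup.msi",  # benign look-alike, must not match
    r"C:\Windows\security\msiexev.exe",               # miner parameters omitted
    r'netsh advfirewall firewall add rule name="Chrome" dir=in program="C:\Program Files (x86)\Google\Chrome\Application\chrome.txt" action=allow',
]

if __name__ == "__main__":
    for n, name in scan_command_lines(SAMPLE_LOG):
        print(f"line {n}: {name}")
```

Line 5 of the sample is the legitimate Windows Installer and produces no hit, which is the point of matching the full lookalike name rather than a prefix.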


Analysis by: James Patrick Dee

Last update 20 May 2017
