". The latter is actually a "pdf" file that, when opened with the correct extension, will show the text "
" .
After downloading the file another command renames it with the name "C:\Users\[USER]\AppData\Local\Temp\SycComponent.v.497.exe" and then runs it.
The malware, once executed, tries to connect to a C&C server: "ricci[.]bikescout24[.]fr" with the following IP address: 109[.]230[.]199[.]169 to exchange encrypted information while, at the same time, it downloads the file "tmp6EE8.tmp" with the same MD5 as "ynaae379" from the domain "ricci[.]bikescout24[.]fr".
Thus, once the download is complete, "tmp6EE8.tmp" will try to replace the running file "SycComponent.v.497.exe". In our analysis fails in its purpose and is deleted with the command:
C:\Windows\system32\cmd.exe /c ping localhost -n 4 & del /F /Q "C:\Users\[user]\AppData\Local\Temp\tmp6EE8.tmp" > nul
|
in addition the Trojan.Win32.GootKit.BBA, through a second process of the executable "SycComponent.v.497.exe", creates in the same folder (%temp%), a file named "SycComponent.v.497.inf" containing the following instructions:
[Version]
signature = "$CHICAGO$"
AdvancedINF = 2.5, "You need a new version of advpack.dll"
[DefaultInstall]
RunPreSetupCommands = vwmrkfheojwprpnagrzhhqsqznlpdjshzqewbypn:2
[vwmrkfheojwprpnagrzhhqsqznlpdjshzqewbypn]
C:\Users\[user]\AppData\Local\Temp\SycComponent.v.497.exe |
and ensure persistence in automatic execution by creating the following registry key:
[HKEY_CURRENT_USER\Software\Microsoft\IEAK\GroupPolicy\PendingGPOs]
"Count"=dword:00000001
"Path1"="C:\Users\[user]
\AppData\Local\Temp\SycComponent.v.497.inf"
"Section1"="DefaultInstall"
Below is the summary graph of the malware execution:
The Trojan.Win32.GootKit is part of the Banker macrofamily. Its peculiarities are to steal access passwords to important sites such as home banking, e-mail, ftp etc.
IOC
MD5:
486000D09DBFDF86500A10EF4D3FAF49
A6B659799E66C72DA78FD0A426283859
3AF4C0D0EC8AFD6D6253A973882C8769
08748A1610DF0D6EBB34499A63A5E940
C43C3228923DC413FDE84820FF9736FE
URL:
109[.]230[.]199[.]169
109[.]230[.]199[.]30
185[.]61[.]152[.]71
xmpp[.]dolcesognar[.]it
ricci[.]bikescout24[.]fr
http[:]//nestafaband[.]com/putty
http[:]//snapdragonmicroscope[.]com/share-files[.]php?download-id=SvPWuTSB&task=15&
https[:]//media-cdn.tripadvisor[.]com/media/photo-s/03/b6/0d/7d/b-b-al-pesce-d-oro[.]jpg
How to identify a fake email
Experience and common sense are the first weapons to avoid these kinds of scams.
Careful reading of the email, in all its elements, is essential. Be wary of
ZIP-formatted attachments and, if possible, DO NOT enable automatic
macro execution. It is strongly discouraged to set up automatic execution of macros since simply opening
Word and
Excel files will see the immediate execution of macros without any prior alert.
In case you have been infected by a
Banker, the advice from TG Soft's C.R.A.M. is to take appropriate security precautions
even after the remediation of the system(s) involved such as changing the most commonly used passwords on the Web. In case the location involved was used for home-banking transactions, an assessment with your
credit institution is also recommended.
How to send suspicious emails for analysis as possible virus/malware/ransomware and/or Phishing attempts
Sending materials to the TG Soft's Anti-Malware Research Center for analysis, which is always free of charge, can be done safely in two ways:
- Any suspect email can be sent directly by the recipient's e-mail, to the following mail lite@virit.com,choosing as sending mode "Forward as Attachment" and inserting in the subject section "Possible phishing page to verify" rather than "Possible Malware to verify";
- Save the e-mail to be sent to the TG Soft's C.R.A.M. for analysis as an external file to the e-mail program used. The resulting file must be sent by uploading it from the page Send Suspicious Files (http://www.tgsoft.it/italy/file_sospetti.asp). Obviously if you want a feedback on the analysis of the data submitted, you have to indicate an e-mail address and a brief description of the reason for the submission (for example: possiible / probable phishing; possible / probable malware or other).
We give you these suggestions to help avoiding credential theft, viruses/malware or even worse next-generation Ransomware / Crypto-Malware.
Integrate your PC / SERVER protection with Vir.IT eXplorer Lite
If you are not yet using Vir.IT eXplorer PRO, it is advisable to install, Vir.IT eXplorer Lite -FREE Edition-.to supplement the antivirus in use to increase the security of your computers, PC and SERVER indifferently,
Vir.IT eXplorer Lite has the following special features: |
|
- freely usable in both private and corporate environments with Engine+Signature updates without time limitation;
- Interoperable with any other AntiVirus, AntiSpyware, AntiMalware or Internet Security already present on PCs and SERVERs.We recommend to used it as a supplement to the AntiVirus already in use as it does not conflict or slow down the system but allows to significantly increase security in terms of identification and remediation of infected files;
- It identifies and, in many cases, even removes most of the viruses/malware actually circulating or, alternatively, allows them to be sent to the C.R.A.M. Anti-Malware Research Center for further analysis to update Vir.It eXplorer PRO;
- Through the Intrusion Detection technology, also made available in the Lite version of Vir.IT eXplorer, the software is able to report any new-generation viruses/malware that have set in automatically and proceed to send the reported files to TG Soft's C.R.A.M.
- Proceed to download Vir.IT eXplorer Lite from the official distribution page of TG Soft's website
For Vir.IT eXplorer PRO users...
|
For Vir.IT eXplorer PRO owners, it is also possible to contact for free TG Soft's technical phone support.The details can be found on the support page CLIENTS.
|
C.R.A.M.
TG Soft's Anti-Malware Research Center