Backdoor.Win32.DEVILSHADOW.THEAABO

它以其他恶意软件释放的文件或用户访问恶意网站时不知不觉下载的文件的形式到达系统。

它执行远程恶意用户的命令，有效地攻击受感染的系统。 它连接到网站，发送和接收信息。

新病毒详细信息

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

安装

它植入下列文件：

• %User Temp%\pyclient.cmd → Detected as Backdoor.BAT.DEVILSHADOW.THEAABO
• %User Temp%\cmd_shell.exe → Detected as Trojan.Win32.DEVILSHADOW.THEAABO
• %User Profile%\boot-startup.vbs → Detected as Trojan.BAT.DEVILSHADOW.THEAABO
• %User Profile%\new_script.txt → Detected as Trojan.JS.DEVILSHADOW.THEAABO
• %User Profile%\shell.bat → Detected as Trojan.BAT.DEVILSHADOW.THEAABO
• %User Temp%\zoom.exe → Legitimate Zoom Installer
• %User Profile%\node.exe → Legitimate node.exe
• %System Root%\botnet\client_id_file → contains generated_id
• %System Root%\botnet\bot_id_{Generated ID} {Hostname} {IP Address} {Client} → Client Identifier
• %System Root%\botnet\botnet_start.vbs
• %System Root%\botnet\wget.js
• %System Root%\botnet\pyclient.cmd → Copy of the one in %User Temp%
• %System Root%\botnet\scexec-win32.exe
• %System Root%\botnet\scexec-win64.exe
• %System Root%\botnet\Rar.exe
• %System Root%\botnet\K7firewall.exe
• %System Root%\botnet\unzip.exe
• %System Root%\botnet\webcam.exe
• %System Root%\botnet\execute.vbs
• %User Temp%\av → contains result of Anti-Virus Query

它添加下列进程：

• %System%\cmd.exe /c %User Temp%\pyclient.cmd
• %System%\cmd.exe /c %User Temp%\cmd_shell.exe
• %System%\cmd.exe /c %User Temp%\zoom.exe
• %System%\cmd.exe /c cd %userprofile% & attrib +s +h +a *.vbs & attrib +s +h +a *.bat & reg add Hkey_CURRENT_USER\software\microsoft\windows\currentversion\run /v bootstartup /t reg_sz /d %userprofile%\boot-startup.vbs /f & shell.bat
• %System%\cmd.exe /c "Tasklist /FI WINDOWTITLE eq D3ViL ShaDow"
• %System%\cmd.exe /c "Tasklist /FI WINDOWTITLE eq Administrator: D3ViL ShaDow"
• %System%\cmd.exe attrib +s +h +a %System Root%\botnet
• %System%\cmd.exe copy /y %User Temp%\pyclient.cmd %System Root%\botnet\pyclient.cmd
• %System%\cmd.exe reg add hkcu\software\microsoft\windows\currentversion\run /v botnet /t reg_sz /d C:\botnet\botnet_start.vbs /f
• %System%\cmd.exe ping www.google.com -n 1
• %System&\cmd.exe unzip.exe -ox python_client.zip
• %System%\cmd.exe %System%\WScript.exe %System Root%\botnet\botnet_start.vbs
• %System%\cmd.exe copy /y %System%\cmd.exe %Public%\explorer.exe
• %System%\cmd.exe %User Profile%\node.exe new_script.txt
• %Public%\explorer.exe
• %System&\cmd.exe wmic /namespace:\root\securitycemter2 path antivirusproduct GET displayName, productState, pathToSignedProductExe

它创建下列文件夹：

• %System Root%\botnet

(注意： %System Root% 是根文件夹，通常位于 C:\。它也是操作系统所在的位置。)

自启动技术

它添加下列注册表项，在系统每次启动时自行执行：

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
bootstartup = %User Profile%\boot-startup.vbs

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
botnet = %System Root%\botnet\botnet_start.vbs

后门例程

它执行远程恶意用户的下列命令：

• Update/Reset/Terminate Client (Self)
• Load Client Modules (Self)
• Log Keystrokes
• Take Screenshots
• Record Desktop
• Operate Webcam
• Operate CMD
• Install Programming Languages
• Download/Upload/Execute Files
• Install and Operate Ngrok
• Install and Operate WinVNC
• List and Modify AutoStart Registries
• List, Add and Start Scheduled Tasks
• Check and Elevate User Privileges
• Execute Shellcode and Scripts
• Harvest the Following Information:
  • Process List
  • Drive List
  • Directories and Files List
  • System Info
  • Startup Items
  • AntiVirus Info
  • Locally Stored Credentials

它连接到下列网站，发送和接收信息：

• https://hosting303.{BLOCKED}hostapp.com
• madleets.{BLOCKED}s.net:4444

下载例程

它访问下列网站下载文件：

• https://raw.{BLOCKED}usercontent.com/DevilBot000/Tools/master/unzip.exe → %System Root%\botnet\unzip.exe
• https://raw.{BLOCKED}usercontent.com/DevilBot000/Tools/master/python_client.zip → %System Root%\botnet\python_client.zip