Trojan.XPath.3

Added to the Dr.Web virus database: 2019-09-19

Virus description added:

Packer: absent

Compilation dates:

  • 17.11.2017 11:54:18 (x86 version)
  • 17.11.2017 11:54:15 (x64 version)

SHA1 hashes:

  • e4e365cc14eeeba5921d385b991e22dea48a1d75 (x86)
  • b07568ef80462faac7da92f4556d5b50591ca28d (x64)

Description

A trojan library written in C and designed to run on 32-bit and 64-bit Microsoft Windows operating systems. It is one of the components of the Trojan.XPath trojan family and is installed on the target system by Trojan.XPath.1. The main function of this library is to inject the payload, saved in the registry, into the svchost.exe process.

Operating routine

Trojan.XPath.3 has the following system exports:

  DllCanUnloadNow
  DllGetClassObject
  DllGetVersion
  DllInstall
  DllRegisterServer
  DllUnregisterServer

The trojan resolves all the imports it needs through the WinAPI functions LoadLibraryA/GetProcAddress; the names of the required functions are stored in its code unencrypted.

If the trojan runs in the context of explorer.exe, it checks the version of the OS on which it was launched.

For operating systems older than Windows Vista, Trojan.XPath.3 obtains the following function exports from themeui.dll:

  DllCanUnloadNow
  DllGetClassObject
  DllInstall
  DllRegisterServer
  DllUnregisterServer

For the operating systems starting from Windows Vista and higher, it receives function exports from the:

  DllCanUnloadNow
  DllGetClassObject
  DllGetVersion
  0x6E
  0x6F
  0x86

The trojan requires these function addresses in order to call the corresponding functions whenever a trojan library export of the same name is called.

Using the Global\RunThreadOfWinDDK8O98 mutex, Trojan.XPath.3 ensures that only one instance of itself is running.

Using ZwQuerySystemInformation, the trojan counts the number of processes running in the system. It waits until their number exceeds 7, then starts the %WINDIR%\system32\svchost.exe process with the CREATE_SUSPENDED flag.

Trojan.XPath.3 reads the DirectShow parameter from the registry key [HKLM\SOFTWARE\Microsoft\LoginInfo] or [HKCU\SOFTWARE\Microsoft\LoginInfo], where the payload is stored. It then unpacks the payload using the APLib library.

Next, the trojan allocates a memory block of 0xC80F0 bytes. At the beginning of the block it forms the following structure:

#include <stdint.h>

#pragma pack(push,1)
struct mod
{
    char     char0[128];   /* string constant, see below */
    uint64_t LdrLoadDll;
    uint64_t LdrGetProcedureAddress;
    uint64_t ZwProtectVirtualMemory;
    uint64_t ZwCreateSection;
    uint64_t ZwMapViewOfSection;
    uint64_t qwordA8;
    uint64_t NtTerminateThread;
    uint64_t qwordB8;
    uint64_t qwordc0;
    uint64_t is_x64;
    uint64_t payload_size;
    uint64_t qwordd8;
    uint8_t  payload[];    /* payload_size bytes follow the header */
};
#pragma pack(pop)

In the analyzed sample, the char0 field holds the constant asdsad11111222333.

The trojan allocates a 0xD80F0-byte memory block in the previously launched svchost.exe process and copies the entire 0xC80F0-byte region into it.

Next, Trojan.XPath.3 searches its built-in shellcode for the 0x12345688 constant and replaces it with the address of the memory block previously allocated in the svchost.exe process. It then copies this shellcode into the allocated block at offset 0xC90F0.

For systems older than Windows 8, the trojan obtains the CONTEXT of the thread in the svchost.exe process and patches the RIP/EIP register to point to the shellcode, adding 8 bytes to it. For more recent OS versions, Trojan.XPath.3 launches the thread through NtCreateThreadEx.
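
For memory forensics, the structure described above can be located in a dumped svchost.exe region and its payload extracted for analysis. The following is an added example, not code from Dr.Web's analysis or from the trojan: the function names, the little-endian field encoding and the constructed test region are assumptions of this example, and the char0 marker is the one from the analyzed sample, so it may differ in other builds.

```python
import struct

# Layout from the structure above: char0[128], twelve packed 64-bit fields, payload.
HEADER = struct.Struct("<128s12Q")   # 0xE0 bytes, little-endian, pack(1)
FIELDS = ("LdrLoadDll", "LdrGetProcedureAddress", "ZwProtectVirtualMemory",
          "ZwCreateSection", "ZwMapViewOfSection", "qwordA8",
          "NtTerminateThread", "qwordB8", "qwordc0", "is_x64",
          "payload_size", "qwordd8")
BLOCK_SIZE = 0xC80F0                 # size of the block the trojan builds
MARKER = b"asdsad11111222333"        # char0 constant in the analyzed sample


def parse_mod(region, offset=0):
    """Parse one `mod` header at `offset`; return a dict, or None if implausible."""
    if offset < 0 or offset + HEADER.size > len(region):
        return None
    char0, *qwords = HEADER.unpack_from(region, offset)
    hdr = dict(zip(FIELDS, qwords))
    size, start = hdr["payload_size"], offset + HEADER.size
    # The payload has to fit in the 0xC80F0-byte block after the header.
    if size == 0 or size > BLOCK_SIZE - HEADER.size:
        return None
    hdr["char0"] = char0.split(b"\0", 1)[0]
    hdr["payload"] = region[start:start + size]
    hdr["truncated"] = len(hdr["payload"]) < size   # dump ended early
    return hdr


def carve(region, marker=MARKER):
    """Return [(offset, header)] for every plausible `mod` structure in a dump."""
    hits, pos = [], region.find(marker)
    while pos != -1:
        hdr = parse_mod(region, pos)
        if hdr is not None:
            hits.append((pos, hdr))
        pos = region.find(marker, pos + 1)
    return hits


def constructed_region():
    """Constructed test input: padding, one header, a dummy 16-byte payload."""
    payload = b"CONSTRUCTED-DATA"
    qwords = [0x7FF000000000 + i for i in range(9)] + [1, len(payload), 0]
    return b"\x00" * 0x40 + HEADER.pack(MARKER, *qwords) + payload


if __name__ == "__main__":
    for off, hdr in carve(constructed_region()):
        print(hex(off), hdr["char0"], bool(hdr["is_x64"]), hdr["payload"])
```

A header whose payload_size cannot fit in the 0xC80F0-byte block is rejected as a false marker hit, and a payload cut short by the end of the dump is returned with `truncated` set instead of being discarded.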

Artifacts

Traces of the debug information inside the trojan library allow finding the name of the trojan’s source code file:

PayloadDll.c

Various debugging messages, which are stored in the library:

  os ver:%d,%d,%d
  payload_%04d-%02d-%02d_%02d-%02d-%02d.dmp
  get target api address false\n
  depack get packed size error:%d\n
  depack false\n
  Alloc Mem in target process false!!!\n
  writing info to target process false!!!,%d,%d,%x
  get magic false\n
  writing stub to same architecture process:%p\n
  writing payload to target process false!!!,%d
  GetProcessEntryPoint is:%x\n
  !OpenProcessToken,%d\n
  !DuplicateTokenEx,%d\n
  get TokenInformation,%d\n
  !SetTokenInformation,%d\n
  !pCreateEnvironmentBlock,%d\n
  !xOpenProcess \n
  loader path:%s\n
  Creaet Process All Failed ERROR=%d\n
  try gen info\n
  gen info ok\n
  WritePayloadToRemote false\n
  write info ok\n
  error thread
  GetThreadContext Error\n
  GetThreadContext eip:%p\n
  set thread context error\n
  SetThreadContext eip:%p\n
  create thread ok\n
  get func error in payload\n
  get lib error in payload\n
  try runthread in payload\n
  in payload\n
  

Curing recommendations

  1. If the operating system (OS) can be loaded (either normally or in safe mode), download Dr.Web Security Space and run a full scan of your computer and the removable media you use.
  2. If you cannot boot the OS, change the BIOS settings to boot your system from a CD or USB drive. Download the image of the emergency system repair disk Dr.Web® LiveDisk, mount it on a USB drive or burn it to a CD/DVD. After booting up with this media, run a full scan and cure all the detected threats.