Packer: absent
Compilation date: 08.03.2023 20:24:35
SHA1 hash:
- 32c7b6629fabe6254431a558b57d30cd2f2d43d7 (iscsicli.exe)
Description
A dropper trojan written in C++ and targeting 64-bit Microsoft Windows operating systems. It is designed to launch Trojan.Inject4.57873 and Trojan.Clipper.231 malicious apps on targeted computers.
Operating routine
Upon launch, Trojan.MulDrop22.7578 mounts the EFI system partition as drive M:, using mountvol's /S parameter:
%WINDIR%\System32\cmd.exe /C mountvol M: /S
Next, it copies the following files from the C:\ drive onto the M:\ drive mounted earlier:
%WINDIR%\System32\cmd.exe /C copy %WINDIR%\Installer\recovery.exe M:\EFI\Microsoft\Boot\recovery.exe
%WINDIR%\System32\cmd.exe /C copy %WINDIR%\Installer\kd_08_5e78.dll M:\EFI\Microsoft\Boot\kd_08_5e78.dl
where:
- recovery.exe — Trojan.Inject4.57873
- kd_08_5e78.dll — Trojan.Clipper.231
After that, the dropper deletes the recovery.exe and kd_08_5e78.dll files from the C:\ drive:
%WINDIR%\System32\cmd.exe /C del /f %WINDIR%\Installer\recovery.exe
%WINDIR%\System32\cmd.exe /C del /f %WINDIR%\Installer\kd_08_5e78.dll
It then executes the recovery.exe file:
%WINDIR%\System32\cmd.exe /C M:\EFI\Microsoft\Boot\recovery.exe
Next, Trojan.MulDrop22.7578 unmounts the EFI system partition, using mountvol's /D parameter:
%WINDIR%\System32\cmd.exe /C mountvol M: /D
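The sequence above (mount the EFI system partition with mountvol /S, copy payloads under \EFI, execute from the mounted drive, unmount with /D) is distinctive enough to detect from process-creation telemetry. The following Python script is an added example, not code from the original entry or from Dr.Web: it groups command lines by host and parent PID, tags each line as a mount, a write under \EFI, an execution from \EFI or an unmount, and assigns a severity based on which stages occur together. The log format ("timestamp host=... ppid=... cmd=...") and all sample lines are constructed for the example; it generalizes slightly beyond the entry by flagging any path under \EFI\, not only \EFI\Microsoft\Boot\, since a benign ESP mount (for example, a manual boot repair) mounts and unmounts without copying and running an executable.

```python
import re
from collections import defaultdict

# Constructed sample process-creation lines (hypothetical "ts host= ppid= cmd=" format).
# Session ws01/4120 mirrors the dropper's command sequence; ws02/900 is a benign
# mount/unmount with no file written to or executed from the EFI partition.
SAMPLE_LOG = r"""
2023-03-09T10:00:01 host=ws01 ppid=4120 cmd=C:\Windows\System32\cmd.exe /C mountvol M: /S
2023-03-09T10:00:02 host=ws01 ppid=4120 cmd=C:\Windows\System32\cmd.exe /C copy C:\Windows\Installer\recovery.exe M:\EFI\Microsoft\Boot\recovery.exe
2023-03-09T10:00:02 host=ws01 ppid=4120 cmd=C:\Windows\System32\cmd.exe /C copy C:\Windows\Installer\kd_08_5e78.dll M:\EFI\Microsoft\Boot\kd_08_5e78.dll
2023-03-09T10:00:03 host=ws01 ppid=4120 cmd=C:\Windows\System32\cmd.exe /C del /f C:\Windows\Installer\recovery.exe
2023-03-09T10:00:04 host=ws01 ppid=4120 cmd=C:\Windows\System32\cmd.exe /C M:\EFI\Microsoft\Boot\recovery.exe
2023-03-09T10:00:05 host=ws01 ppid=4120 cmd=C:\Windows\System32\cmd.exe /C mountvol M: /D
2023-03-09T11:00:00 host=ws02 ppid=900 cmd=C:\Windows\System32\cmd.exe /C mountvol
2023-03-09T11:00:01 host=ws02 ppid=900 cmd=C:\Windows\System32\mountvol.exe S: /S
2023-03-09T11:00:02 host=ws02 ppid=900 cmd=C:\Windows\System32\mountvol.exe S: /D
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+ppid=(?P<ppid>\d+)\s+cmd=(?P<cmd>.*)$")
MOUNT_RE = re.compile(r"mountvol(?:\.exe)?\s+([A-Za-z]):\s+/S\b", re.IGNORECASE)
UNMOUNT_RE = re.compile(r"mountvol(?:\.exe)?\s+([A-Za-z]):\s+/D\b", re.IGNORECASE)
# Any path under <drive>:\EFI\ ; group 2 is the remainder of the path.
ESP_PATH_RE = re.compile(r"([A-Za-z]):\\EFI\\(.+)$", re.IGNORECASE)

VERB_WRITE = {"copy", "xcopy", "move", "robocopy", "echo"}
VERB_DELETE = {"del", "erase"}


def classify(cmd):
    """Return a list of (kind, drive, path) events found in one command line."""
    events = []
    for m in MOUNT_RE.finditer(cmd):
        events.append(("mount", m.group(1).upper(), ""))
    for m in UNMOUNT_RE.finditer(cmd):
        events.append(("unmount", m.group(1).upper(), ""))
    tokens = [t.strip('"') for t in cmd.split()]
    lower = [t.lower() for t in tokens]
    for i, tok in enumerate(tokens):
        m = ESP_PATH_RE.match(tok)
        if not m:
            continue
        drive, rest = m.group(1).upper(), m.group(2)
        if VERB_WRITE & set(lower):
            kind = "write"
        elif VERB_DELETE & set(lower):
            kind = "delete"
        elif i == 0 or lower[i - 1] == "/c":
            # The EFI path is the program being run (first token, or the
            # token right after cmd.exe's /C).
            kind = "exec"
        else:
            kind = "reference"
        events.append((kind, drive, rest))
    return events


def analyze(log_text):
    """Group lines by (host, ppid) and rate each session by the stages observed."""
    sessions = defaultdict(list)
    for line in log_text.strip().splitlines():
        m = LINE_RE.match(line)
        if m:
            sessions[(m.group("host"), m.group("ppid"))].extend(classify(m.group("cmd")))

    findings = {}
    for key, events in sessions.items():
        mounted = {d for k, d, _ in events if k == "mount"}
        stages = []
        if mounted:
            stages.append("esp_mounted")
        if any(k == "write" and d in mounted for k, d, _ in events):
            stages.append("file_written_to_esp")
        if any(k == "exec" and d in mounted for k, d, _ in events):
            stages.append("executed_from_esp")
        if any(k == "unmount" and d in mounted for k, d, _ in events):
            stages.append("esp_unmounted")
        if not stages:
            continue
        if "file_written_to_esp" in stages and "executed_from_esp" in stages:
            severity = "high"      # payload staged on the ESP and launched from it
        elif "file_written_to_esp" in stages:
            severity = "medium"    # file dropped on the ESP, no execution seen yet
        else:
            severity = "info"      # mount/unmount only, e.g. a boot repair
        findings[key] = (severity, stages)
    return findings


if __name__ == "__main__":
    for (host, ppid), (severity, stages) in analyze(SAMPLE_LOG).items():
        print(f"{host} ppid={ppid}: {severity} ({', '.join(stages)})")
```

Correlating on the parent PID keeps the stages of one dropper together even though each step runs in its own cmd.exe; in production the same logic would key on the parent process GUID of Sysmon Event ID 1 or the equivalent field of your EDR, and a "medium" finding (write without a later execution) is still worth reviewing because the file on the EFI partition survives reimaging of the Windows volume.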
Artifacts
The sample contains the path to the PDB file: C:\Users\DDD\source\repos\BUFF_loader_WinApp\x64\Release\BUFF_loader_WinApp.pdb.