Win32/Shyape [Threat Name]

Win32/Shyape.T [Threat Variant Name]

Category: trojan
Size: 887096 B
Detection created: Jul 14, 2017
Detection database version: 15744
Aliases: Backdoor.Win32.FFRat.z (Kaspersky), BackDoor.FFRat.1 (Dr.Web), Trojan.Feratuser (Symantec)
Short description

Win32/Shyape.T is a trojan which tries to download other malware from the Internet.

Installation

When executed, the trojan may create the following files:

  • %windir%\Temp\S%variable1%.dat (570680 B)
  • %temp%\RSUAC_DF_%variable2%.tmp (178002 B)
  • %temp%\RSUAC_DL_%variable2%.tmp (36864 B, Win32/Shyape.T)
  • %temp%\ISUAC_DF_%variable3%.tmp (178002 B)
  • %temp%\ISUAC_DL_%variable3%.tmp (36864 B, Win32/Shyape.T)
  • %windir%\Media\WindowsMainSound.wav (4096 B)
  • %system%\RCoResX64.dat (71992 B, Win32/Shyape.T)
  • %temp%\ISUAC_MC_%variable4%.msu (36941 B)

The malware configuration is passed as command-line parameters or read from a file when the malware executable is launched.

A string with variable content is used instead of %variable1-4%.

The trojan registers itself as a system service using one of the following file names:

  • Irmon
  • Nwsapagent
  • NWCWorkstation
  • Iprip

This causes the trojan to be executed on every system start.


The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\%servicename%]
    • "ImagePath" = "%windir%\System32\svchost.exe -k netsvcs"
    • "ObjectName" = "LocalSystem"
    • "DisplayName" = "Internet Router Service"
    • "Description" = "Internet Router Service"
    • "Type" = 120
    • "Start" = 2
    • "ErrorControl" = 0
    • "IsDriverWrite" = 1
  • [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\%servicename%\Parameters]
    • "ServiceDll" = "%system%\RCoResX64.dat"
    • "ServiceMain" = "DllRegisterServer"
    • "ServiceDllUnloadOnStop" = 1

The %servicename% is one of the following strings:

  • Irmon
  • Nwsapagent
  • NWCWorkstation
  • Iprip
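The persistence mechanism described above (a service hosted by svchost.exe in the netsvcs group whose ServiceDll points at a .dat file under %system%, with ServiceMain set to DllRegisterServer) is something a defender can hunt for in exported service definitions. The following Python is an added example, not ESET's code or tooling: it takes service records as dictionaries mirroring the Services\<name> key and its Parameters subkey, and reports which of the indicators listed above each record matches. The record field names and the sample records (one mirroring the values above, the rest constructed look-alikes, including a benign service that shares one of the reused names) are assumptions for illustration.

```python
"""Flag Windows service records that match the Win32/Shyape.T persistence
pattern: svchost-hosted (-k netsvcs) service whose ServiceDll is a .dat file,
one of the service names the trojan reuses, DisplayName "Internet Router
Service", or ServiceMain = DllRegisterServer.

Added example, not ESET's code. Records are constructed inline; in practice
they would come from a registry export of
HKLM\\System\\CurrentControlSet\\Services (field names are an assumption).
"""
import ntpath
from typing import Any, Dict, List

# Indicators taken from the description above (compared case-insensitively).
SHYAPE_SERVICE_NAMES = {"irmon", "nwsapagent", "nwcworkstation", "iprip"}
SHYAPE_SERVICE_DLL = "rcoresx64.dat"
SHYAPE_DISPLAY_NAME = "internet router service"


def assess_service(svc: Dict[str, Any]) -> List[str]:
    """Return the indicators a single service record matches (empty = clean)."""
    name = str(svc.get("Name", "")).lower()
    image = str(svc.get("ImagePath", "")).lower()
    dll = str(svc.get("ServiceDll", "")).lower()
    dll_base = ntpath.basename(dll)  # works for backslash paths on any OS
    reasons: List[str] = []
    if dll_base == SHYAPE_SERVICE_DLL:
        reasons.append("ServiceDll is RCoResX64.dat (named in the description)")
    if str(svc.get("DisplayName", "")).lower() == SHYAPE_DISPLAY_NAME:
        reasons.append("DisplayName 'Internet Router Service' (named in the description)")
    if "-k netsvcs" in image and dll and not dll_base.endswith(".dll"):
        reasons.append("netsvcs-hosted service whose ServiceDll is not a .dll file")
    if name in SHYAPE_SERVICE_NAMES and dll_base.endswith(".dat"):
        reasons.append("service name reused by Shyape.T, backed by a .dat ServiceDll")
    if str(svc.get("ServiceMain", "")).lower() == "dllregisterserver":
        reasons.append("ServiceMain is DllRegisterServer, a COM export rather than a service entry point")
    return reasons


def find_suspicious(services: List[Dict[str, Any]]) -> Dict[str, List[str]]:
    """Map each matching service name to the indicators it triggered."""
    hits: Dict[str, List[str]] = {}
    for svc in services:
        reasons = assess_service(svc)
        if reasons:
            hits[str(svc.get("Name", "?"))] = reasons
    return hits


# Constructed sample records (not real registry dumps).
SAMPLE_SERVICES: List[Dict[str, Any]] = [
    {  # mirrors the registry values listed in the description
        "Name": "Iprip",
        "ImagePath": r"C:\Windows\System32\svchost.exe -k netsvcs",
        "ObjectName": "LocalSystem",
        "DisplayName": "Internet Router Service",
        "Start": 2,
        "ServiceDll": r"C:\Windows\System32\RCoResX64.dat",
        "ServiceMain": "DllRegisterServer",
    },
    {  # ordinary svchost-hosted service, constructed to look benign
        "Name": "Dnscache",
        "ImagePath": r"C:\Windows\system32\svchost.exe -k NetworkService",
        "ObjectName": r"NT AUTHORITY\NetworkService",
        "DisplayName": "DNS Client",
        "Start": 2,
        "ServiceDll": r"%SystemRoot%\System32\dnsrslvr.dll",
        "ServiceMain": "ServiceMain",
    },
    {  # shares a name the trojan reuses, but has a regular .dll and entry point
        "Name": "Nwsapagent",
        "ImagePath": r"C:\Windows\System32\svchost.exe -k netsvcs",
        "DisplayName": "SAP Agent",
        "ServiceDll": r"C:\Windows\System32\nwsapagent.dll",
        "ServiceMain": "ServiceMain",
    },
    {  # constructed variant: different DLL file name, same hosting pattern
        "Name": "Irmon",
        "ImagePath": r"C:\Windows\System32\svchost.exe -k netsvcs",
        "DisplayName": "Infrared Monitor",
        "ServiceDll": r"C:\Windows\System32\S12345.dat",
        "ServiceMain": "DllRegisterServer",
    },
]

if __name__ == "__main__":
    for svc_name, why in find_suspicious(SAMPLE_SERVICES).items():
        print(svc_name)
        for line in why:
            print("  -", line)
```

The check deliberately does not rely on the service name alone: Irmon, Nwsapagent, NWCWorkstation and Iprip are names of legitimate Windows services, so the third sample record is reported clean. What separates the trojan's entries is the combination of a netsvcs host with a non-.dll ServiceDll and the DllRegisterServer entry point, which the fourth record still triggers even though its DLL name differs from the one listed above.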

The trojan executes the following commands:

  • cmd.exe /c del /q %malwarefilepath%
  • %system%\wusa.exe %temp%\ISUAC_MC_%variable4%.msu /extract:%system%
  • %system%\wusa.exe %temp%\ISUAC_MC_%variable4%.msu /extract:%system%\sysprep
  • %system%\wusa.exe %temp%\ISUAC_MC_%variable4%.msu /extract:%system%\migwiz
  • cacls.exe %system%\ntwdblib.dll /G SYSTEM:F /E
  • cacls.exe %system%\sysprep\CRYPTBASE.dll /G SYSTEM:F /E
  • cacls.exe %system%\migwiz\CRYPTBASE.dll /G SYSTEM:F /E
  • %system%\cliconfg.exe %temp%\ISUAC_DF_%variable3%.tmp
  • %system%\sysprep\sysprep.exe %temp%\ISUAC_DF_%variable3%.tmp
  • %system%\migwiz\migwiz.exe %temp%\ISUAC_DF_%variable3%.tmp

Win32/Shyape.T replaces the original MBR (Master Boot Record) of the hard disk drive with its own program code.


The trojan can write its own data to the end of the physical drive.


The trojan may set the following Registry entries:

  • [HKEY_CURRENT_USER\Software\Classes\CLSID\{ECD4FC4D-521C-11D0-B792-00A0C90312E1}\InProcServer32]
    • "(Default)" = "%temp%\RSUAC_DL_%variable2%.tmp"
    • "RSUAC_DF_NAME" = "%temp%\RSUAC_DF_%variable2%.tmp"
    • "ThreadingModel" = "Apartment"
  • [HKEY_CURRENT_USER\Software\Classes\CLSID\{B12AE898-D056-4378-A844-6D393FE37956}\InProcServer32]
    • "(Default)" = "%temp%\RSUAC_DL_%variable2%.tmp"
    • "RSUAC_DF_NAME" = "%temp%\RSUAC_DF_%variable2%.tmp"
    • "ThreadingModel" = "Apartment"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\{6CD70ECA-9CA1-4862-B00C-BACA47548B1B}]
    • "SrvCode" = %binvalue1%
    • "SrvHash" = %binvalue2%
    • "ConfigInfo" = %binvalue3%
    • "PluginInfo" = 0
    • "GroupIndex" = 0
    • "UserNote" = 0

After the installation is complete, the trojan deletes the original executable file.

Other information

Win32/Shyape.T is a trojan which tries to download other malware from the Internet.


The trojan contains a list of 3 URLs. It tries to download several files from these addresses. The HTTP protocol is used in the communication.


Downloaded files are stored in Registry in encrypted form.


The data is saved into the following Registry key:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\{6CD70ECA-9CA1-4862-B00C-BACA47548B1B}]
    • "SrvCode" = %binvalue1%

The file is then decrypted and executed.


The trojan quits immediately if it detects a running process containing one of the following strings in its name:

  • KSafeSvc.exe
  • KSafeTray.exe
  • kxetray.exe

The trojan behaves differently if it detects a running process containing one of the following strings in its name:

  • 360rp.exe
  • 360rps.exe
  • 360Safe.exe
  • 360sd.exe
  • 360Tray.exe
  • AvastSvc.exe
  • AvastUI.exe
  • avgcsrvx.exe
  • avgidsagent.exe
  • avgnsx.exe
  • avgrsx.exe
  • avgui.exe
  • avgwdsvc.exe
  • avp.exe
  • BaiduSd.exe
  • BaiduSdSvc.exe
  • bdagent.aye
  • odscanui.aye
  • QQPCRTP.exe
  • QQPCTray.exe
  • seccenter.aye
  • vsserv.aye
  • ZhuDongFangYu.exe

The trojan can create and run a new thread with its own program code within the following processes:

  • dwm.exe
  • taskhostex.exe
  • taskhostw.exe
  • cliconfg.exe
  • migwiz.exe
  • sysprep.exe

The trojan creates the following temporary files:

  • %system%\ntwdblib.dll (36864 B, Win32/Shyape.T)
  • %system%\sysprep\CRYPTBASE.dll (36864 B, Win32/Shyape.T)
  • %system%\migwiz\CRYPTBASE.dll (36864 B, Win32/Shyape.T)

The trojan contains both 32-bit and 64-bit program components.
