RDP (Remote Desktop Protocol) backdoor – Malware analysis

I found something interesting for today.
The way I found the file is the classic one: hacking forum -> "magic" software for Bitcoin, etc.
The nice part is that today I can show you a file that changes the registry so that it can gain very easy access.
We are talking about RDP, or Remote Desktop Protocol.

[quote]Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft, which provides a user with a graphical interface to connect to another computer over a network connection. The user employs RDP client software for this purpose, while the other computer must run RDP server software[/quote]


These are the downloaded files.
It looks like SoftHuyare.exe is the last one edited.
So there might be a problem.

Yesterday, when I first scanned it … it was 11/67 …

Virus Total Report

We start with a first analysis in ResourceHacker and notice that it contains information about two executable files,
SoftHuyare.exe and cxzczczczxcdd.exe, which means the analyzed file bundles two executables.
Presumably one is the original SoftHuyare and the other is the malware, which will run hidden.

In my analysis lab, the file did not work as it should. For a few seconds it appeared as a process and after that … nothing.

In those few seconds the two files split apart and each one did something. The first did nothing … but the second had some activity.

  • Tries to access unusual system drive letter
  • Monitors specific registry key for changes (\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NetworkProvider\HwOrder)
  • Reads terminal service related keys (often RDP related) (HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET001\CONTROL\TERMINAL SERVER)

If the value data is 1, Remote Desktop is disabled; if it is 0, Remote Desktop is enabled.

This means the sample reads the key to check whether an RDP connection is possible.
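The same Terminal Server key can be audited from the defender's side after a suspicious sample has run. The following is an added example, not code from the original post; it assumes the value being read is fDenyTSConnections, which carries the 1 = disabled / 0 = enabled meaning described above, and it also shows which ControlSetNNN the live CurrentControlSet maps to (the sample targeted ControlSet001).

```powershell
# Added example (not from the original analysis): report whether RDP is
# enabled by reading the Terminal Server key and compare it to a baseline.
# Assumption: the 1/0 value is fDenyTSConnections (1 = RDP disabled, 0 = enabled).

function Get-RdpState {
    param(
        # Live control set; CurrentControlSet normally aliases ControlSet001.
        [string]$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    )
    $key = Get-ItemProperty -Path $KeyPath -ErrorAction Stop
    if ($null -eq $key.fDenyTSConnections) {
        # A missing value must not be mistaken for "0 = enabled".
        throw "fDenyTSConnections not present under $KeyPath"
    }
    $deny = [int]$key.fDenyTSConnections
    [pscustomobject]@{
        KeyPath            = $KeyPath
        fDenyTSConnections = $deny
        RdpEnabled         = ($deny -eq 0)
        CheckedAt          = (Get-Date).ToString('o')
    }
}

function Test-RdpBaseline {
    param([Parameter(Mandatory)][bool]$ExpectedEnabled)
    $state = Get-RdpState
    if ($state.RdpEnabled -ne $ExpectedEnabled) {
        Write-Warning ("RDP state drifted: expected Enabled={0}, found Enabled={1} ({2})" -f $ExpectedEnabled, $state.RdpEnabled, $state.KeyPath)
    }
    $state
}

# Which ControlSetNNN is live? HKLM\SYSTEM\Select\Current holds the number.
$current = (Get-ItemProperty -Path 'HKLM:\SYSTEM\Select').Current
"CurrentControlSet -> ControlSet{0:D3}" -f $current

# Typical use: a workstation that should not expose RDP has Enabled = False.
Test-RdpBaseline -ExpectedEnabled $false | Format-List
```

Run it in an elevated PowerShell session before and after detonating a sample; a warning means the sample (or something else) flipped the RDP state.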



Have fun & Stay safe!

Alex Anghelus

SC Prodefence SRL CEO - Cyber Security, Pentesting & Ethical Hacking - Malware Analyst


SC ProDefence SRL - Cyber Security Services