Friday, January 2

# Malicious Office files dropping Kasidet and Dridex

# Introduction

[We have covered the Dridex Banking Trojan being delivered via various campaigns involving Office documents with malicious VBA macros in the past.](http://research.zscaler.com/2015/10/dridex-activity-continues.html) However, over the past two weeks we have seen these malicious VBA macros used to drop the Kasidet backdoor in addition to Dridex on infected systems. The malicious Office documents are being spread as attachments to spear-phishing emails, [as described here](http://blog.dynamoo.com/2016/01/malware-spam-scanned-document-color-mrh.html). The macro inside the Office document is obfuscated, as shown in the code snapshot below:

[Image: Macro code]

The macro downloads the malware payload from a hardcoded URL. We have seen the following URLs used in the different document payloads we captured for this campaign:

- armandosofsalem[.]com/l9k7hg4/b4387kfd[.]exe
- trinity.ad-ventures[.]es/l9k7hg4/b4387kfd[.]exe
- 188.226.152[.]172/l9k7hg4/b4387kfd[.]exe

In this blog, we provide a detailed analysis of the Kasidet variant that we spotted in this campaign.

# Kasidet Analysis

**Installation:**

Kasidet installs itself into the %APPDATA% folder. It creates a new folder there named "Y1FeZFVYXllb"; this string is hardcoded in the malware. The same string is used as the mutex name and in the Registry key created to ensure persistence across system reboots.

**AntiVM check:**

Kasidet tries to detect analysis systems during execution through the following checks.

It checks for a debugger through the "IsDebuggerPresent" and "CheckRemoteDebuggerPresent" Windows APIs.
It also checks for the following popular sandbox-related strings:

- User name: "MALTEST", "TEQUILABOOMBOOM", "SANDBOX", "VIRUS", "MALWARE"
- File name: "SAMPLE", "VIRUS", "SANDBOX"

It tries to detect Wine by checking whether kernel32.dll exports the "wine_get_unix_file_name" function. It detects VMware, VirtualBox, QEMU and Bochs by checking for the following registry entries:

| Product | Registry entries checked |
|---|---|
| VMware | `SOFTWARE\VMware, Inc.\VMware Tools`; `HARDWARE\DEVICEMAP\Scsi\Scsi Port\Scsi Bus\Target Id\Logical Unit Id`, "Identifier", "Vmware" |
| VirtualBox | `HARDWARE\DEVICEMAP\Scsi\Scsi Port\Scsi Bus\Target Id\Logical Unit Id`, "Identifier", "VBOX"; `HARDWARE\Description\System`, "SystemBiosVersion", "VBOX"; `SOFTWARE\Oracle\VirtualBox Guest Additions`; `HARDWARE\Description\System`, "VideoBiosVersion", "VIRTUALBOX" |
| QEMU | `HARDWARE\DEVICEMAP\Scsi\Scsi Port\Scsi Bus\Target Id\Logical Unit Id`, "Identifier", "QEMU"; `HARDWARE\Description\System`, "SystemBiosVersion", "QEMU" |
| Bochs | `HARDWARE\Description\System`, "SystemBiosVersion", "BOCHS" |

**Information stealing capabilities:**

Kasidet uses the following two methods for stealing information from the victim's machine:

1. Memory scraping – This allows Kasidet to steal credit card data from the memory of Point-of-Sale (POS) systems. It scans the memory of all running processes except the operating system processes listed below:

   - System
   - smss.exe
   - csrss.exe
   - winlogon.exe
   - lsass.exe
   - spoolsv.exe
   - devenv.exe

   The stolen information is relayed back to the attacker using the following URI format:

   `d=1&id=&name=&type=&data=&p=<Process elevation status>`

2. Browser hooking – This allows Kasidet to steal data from web browsers.
It can inject code into Firefox, Chrome and Internet Explorer (IE). Browser names are not stored in plain text; instead, this variant uses the same hash function as the Carberp malware to obfuscate the browser names. The following APIs are hooked in the web browser to steal sensitive data:

| Browser | API |
|---|---|
| Firefox | PR_Write |
| Chrome | WSASend |
| IE | HttpSendRequestW, InternetWriteFile |

The stolen information is relayed back to the attacker using the following URI format:

`ff=1&id=&name=&host=&form=<Base64 encoded HTTP header data>&browser=`

The information-stealing features of this Kasidet variant are deactivated if the system locale or GeoUserID corresponds to Russia.

**Network communication:**

Kasidet contains a hardcoded list of Command & Control (C&C) server locations. It uses the CryptStringToBinary API call to decode the embedded C&C URLs, as seen below:
[Image: Kasidet C&C list]

Upon successful infection, Kasidet sends an HTTP POST request with the data "enter=1" (without quotes). All HTTP header fields (User-Agent, Content-Type and Cookie) are hardcoded in the payload itself.

[Image: Kasidet hardcoded HTTP fields]

The C&C server will not return the required data if the HTTP header fields differ. The server sends a fake 404 response code and HTML data stating that the page is not found, but the C&C commands are hidden inside an HTML comment tag in the response, as seen below:

[Image: Kasidet - First communication with C&C]

Kasidet then requests additional commands from the C&C server with the following POST request:
[Image: Kasidet request for additional commands]

| Variable | Description |
|---|---|
| cmd | Command. It is hardcoded in the malware payload as '1'. |
| id | MachineGuid value fetched from the Software\Microsoft\Cryptography registry key |
| name | System name |
| os | Operating system version |
| p | Process elevation status |
| av | Antivirus installed on the infected system |
| v | Version of the bot. It is hardcoded in the malware; the version we analysed is 4.4 |
| w | Flag that indicates whether the system locale and UserGeoID is Russia |

Like the browser names, all the command strings are also obfuscated with a hash function. Below are some of the important commands:

| Command hash | Description |
|---|---|
| 0x0E587A65 (rate) | Used in the sleep function |
| 0x89127D3 | DDoS using the HTTP protocol |
| 0x0B37A84B6 | Start keylogging and screen-capture threads |
| 0x89068E8h | Download and execute an additional component. This file can be a DLL, EXE or VBS. |
| 0x4A9981B7 | Search for the given process name among the processes currently running on the system |
| 0x8D26744 | Find the given file on the system and upload it to the server |
| 0CAB1E64A | Drop a setting.bin file and change firewall settings to download and execute the plugin component |
| 0x10E6C4 | Execute the given command using the Windows cmd.exe |

# Conclusion

Malicious Office documents are a popular vector for malware authors to deliver their payloads. Dridex authors have leveraged this technique for over a year, and it was interesting to see the same campaign and URLs being used to deliver Kasidet payloads. While this does not establish any link between the authors of the two malware families, it reaffirms that much of the underlying infrastructure and delivery mechanisms are shared by these cyber criminals.

ThreatLabZ is actively monitoring this threat and ensuring signature coverage for Zscaler customers.

Analysis by - Abhay Yadav, Avinash Kumar and Nirmal Singh
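The C&C exchange described in the Network communication section above (the "enter=1" first contact, the fake 404 carrying commands in an HTML comment, and the check-in variables in the table), as an added worked example that is not part of the original post: a small Python parser a defender could run over proxy logs to spot and decode this traffic. The host cc.example.test, the sample bodies and the comment payload are constructed placeholders, not real indicators.

```python
"""Added example (not from the original post): parse Kasidet-style C&C
traffic as documented above. All sample data below is constructed."""
import re
from urllib.parse import parse_qs

# Variables the post lists for the "request for additional commands" POST.
CHECKIN_FIELDS = {"cmd", "id", "name", "os", "p", "av", "v", "w"}
# Keys of the two exfiltration URI formats (memory scraping, browser hooking).
POS_EXFIL_FIELDS = {"d", "id", "name", "type", "data", "p"}
BROWSER_EXFIL_FIELDS = {"ff", "id", "name", "host", "form", "browser"}
FIRST_CONTACT_BODY = "enter=1"

HTML_COMMENT = re.compile(r"<!--(.*?)-->", re.DOTALL)


def _fields(body):
    """Decode a form-encoded body, keeping empty values such as id=&name=."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def classify_post_body(body):
    """Map a POST body to one of the message types the post documents."""
    if body == FIRST_CONTACT_BODY:
        return "first-contact"
    fields = _fields(body)
    keys = set(fields)
    if CHECKIN_FIELDS <= keys:
        return "checkin"
    if fields.get("d") == "1" and POS_EXFIL_FIELDS <= keys:
        return "pos-exfil"
    if fields.get("ff") == "1" and BROWSER_EXFIL_FIELDS <= keys:
        return "browser-exfil"
    return "unknown"


def parse_checkin(body):
    """Pull the victim details out of a check-in body (see the variable table)."""
    f = _fields(body)
    if not CHECKIN_FIELDS <= set(f):
        raise ValueError("not a Kasidet check-in body")
    return {
        "machine_guid": f["id"],  # MachineGuid from Software\Microsoft\Cryptography
        "hostname": f["name"],
        "os": f["os"],
        "elevated": f["p"],       # process elevation status, kept as the raw value
        "antivirus": f["av"],
        "bot_version": f["v"],    # 4.4 in the analysed sample
        "russia_flag": f["w"],    # locale / UserGeoID == Russia flag, raw value
    }


def hidden_commands(status_line, html):
    """Return HTML-comment contents from a fake 404 page; [] for other statuses."""
    if " 404 " not in status_line:
        return []
    return [c.strip() for c in HTML_COMMENT.findall(html) if c.strip()]


def scan_proxy_log(lines):
    """Flag POST bodies matching Kasidet formats in a 'METHOD URL BODY' log."""
    hits = []
    for n, line in enumerate(lines, 1):
        parts = line.split(" ", 2)
        if len(parts) < 3 or parts[0] != "POST":
            continue
        kind = classify_post_body(parts[2])
        if kind != "unknown":
            hits.append((n, parts[1], kind))
    return hits


# Constructed sample traffic; cc.example.test is a placeholder, not an indicator.
SAMPLE_LOG = [
    "GET http://www.example.test/index.html -",
    "POST http://cc.example.test/gate.php enter=1",
    "POST http://cc.example.test/gate.php "
    "cmd=1&id=0123-guid&name=WS01&os=6.1&p=0&av=none&v=4.4&w=0",
    "POST http://cc.example.test/gate.php "
    "d=1&id=0123-guid&name=WS01&type=track2&data=Zm9v&p=0",
    "POST http://shop.example.test/login user=a&pass=b",
]
SAMPLE_404 = (
    "HTTP/1.1 404 Not Found",
    "<html><body>Page not found<!-- CONSTRUCTED-COMMAND --></body></html>",
)

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit)
    print(hidden_commands(*SAMPLE_404))
```

The post does not reproduce the hardcoded User-Agent, Content-Type and Cookie values, so matching on those headers is left to the analyst who has the sample.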