{
	"id": "b0715e26-494f-4c01-8372-c74d5fce1d88",
	"created_at": "2026-04-06T00:14:51.996381Z",
	"updated_at": "2026-04-10T03:21:09.493195Z",
	"deleted_at": null,
	"sha1_hash": "76b5c9acde350b33b2bbe0c7e5324c27f89fd864",
	"title": "T9000: Advanced Modular Backdoor Uses Complex Anti-Analysis Techniques",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1157345,
	"plain_text": "T9000: Advanced Modular Backdoor Uses Complex Anti-Analysis\r\nTechniques\r\nBy Josh Grunzweig, Jen Miller-Osborn\r\nPublished: 2016-02-04 · Archived: 2026-04-05 13:05:54 UTC\r\nMost custom backdoors used by advanced attackers have limited functionality. They evade detection by keeping\r\ntheir code simple and flying under the radar. But during a recent investigation we found a backdoor that takes a\r\nvery different approach. We refer to this backdoor as T9000, which is a newer variant of the T5000 malware\r\nfamily, also known as Plat1.\r\nIn addition to the basic functionality all backdoors provide, T9000 allows the attacker to capture encrypted data,\r\ntake screenshots of specific applications and specifically target Skype users. The malware goes to great lengths to\r\nidentify a total of 24 potential security products that may be running on a system and customizes its installation\r\nmechanism to specifically evade those that are installed. It uses a multi-stage installation process with specific\r\nchecks at each point to identify if it is undergoing analysis by a security researcher.\r\nThe primary functionality of this tool is to gather information about the victim. In fact, the author chose to store\r\ncritical files dropped by the Trojan in a directory named “Intel.” T9000 is pre-configured to automatically capture\r\ndata about the infected system and steal files of specific types stored on removable media.\r\nWe have observed T9000 used in multiple targeted attacks against organizations based in the United States.\r\nHowever, the malware’s functionality indicates that the tool is intended for use against a broad range of users. In\r\nthis report, we share an analysis of each stage in T9000’s execution flow. 
Stay tuned for a future report in which\r\nwe will provide more detail on how this tool has been used and the infrastructure we have identified as part of our\r\nanalysis.\r\nT9000 Backdoor Analysis\r\nThe entire execution flow of the malware is represented in the following diagram:\r\nhttp://researchcenter.paloaltonetworks.com/2016/02/t9000-advanced-modular-backdoor-uses-complex-anti-analysis-techniques/\r\nPage 1 of 22\r\nAs this malware uses a multistage execution flow, we’ll discuss each stage individually.\r\nInitial Exploitation\r\nThe sample of T9000 used in this analysis was originally dropped via an RTF file that contained exploits for both\r\nCVE-2012-1856 and CVE-2015-1641. When triggered, an initial shellcode stage is run, which is responsible for\r\nlocating and executing a secondary shellcode stub. The second stage shellcode reads the initial RTF document and\r\nseeks to the end of the file, using the last four bytes as the size of the embedded payload.\r\nWith the payload size confirmed, the shellcode will create a file in the %TEMP% folder using a temporary\r\nfilename. The shellcode will decrypt and subsequently load the embedded payload in the RTF file. The decrypted\r\npayload is written to the temporary file and executed using WinExec. The shellcode then attempts to decrypt an\r\nembedded decoy document with the same algorithm used to decrypt the payload, which it will save to the\r\n%TEMP%\\~tmp.doc path. This file is opened using the following command:\r\ncmd /C %TEMP%\\~tmp.doc\r\nHowever, this particular sample did not contain a decoy document.\r\nStage 1\r\nWhen this temporary file is initially executed, it will begin by creating the following mutex to ensure only one\r\ninstance of the malware is running at a given time:\r\n820C90CxxA1B084495866C6D95B2595xx1C3\r\nIt continues to perform a number of checks for installed security products on the victim machine. 
The following\r\nsecurity platforms are queried by checking entries within the HKLM\\Software\\ registry path:\r\nSophos\r\nINCAInternet\r\nDoctorWeb\r\nBaidu\r\nComodo\r\nTrustPortAntivirus\r\nGData\r\nAVG\r\nBitDefender\r\nVirusChaser\r\nMcAfee\r\nPanda\r\nTrend Micro\r\nKingsoft\r\nNorton\r\nMicropoint\r\nFilseclab\r\nAhnLab\r\nJiangMin\r\nTencent\r\nAvira\r\nKaspersky\r\nRising\r\n360\r\nEach security product is represented by a single-bit flag, and the flags of all products found are combined with a\r\nbitwise OR, so every set bit in the result identifies one product. The following values represent each respective\r\nsecurity product (note that bit 0x00004000 is not assigned to any product in the list):\r\n0x08000000 : Sophos\r\n0x02000000 : INCAInternet\r\n0x04000000 : DoctorWeb\r\n0x00200000 : Baidu\r\n0x00100000 : Comodo\r\n0x00080000 : TrustPortAntivirus\r\n0x00040000 : GData\r\n0x00020000 : AVG\r\n0x00010000 : BitDefender\r\n0x00008000 : VirusChaser\r\n0x00002000 : McAfee\r\n0x00001000 : Panda\r\n0x00000800 : Trend Micro\r\n0x00000400 : Kingsoft\r\n0x00000200 : Norton\r\n0x00000100 : Micropoint\r\n0x00000080 : Filseclab\r\n0x00000040 : AhnLab\r\n0x00000020 : JiangMin\r\n0x00000010 : Tencent\r\n0x00000004 : Avira\r\n0x00000008 : Kaspersky\r\n0x00000002 : Rising\r\n0x00000001 : 360\r\nSo, for example, if both Trend Micro and Sophos were discovered on a victim machine, the resulting value would\r\nbe 0x08000800. 
This numerical value is written to the following file:\r\n%APPDATA%\\Intel\\avinfo\r\nThe malware proceeds to drop the files described in the following table to the %APPDATA%\\Intel directory. Two\r\nof them, dtl.dat and glp.uin, are written to the %APPDATA%\\Intel\\Data subdirectory instead (compare the file\r\nmodification list in the Indicators of Compromise section).\r\nFile Name Description\r\n~1 Debug information about files used by malware.\r\navinfo Installed security products on victim.\r\nhccutils.dll Malicious DLL. Loads ResN32.dll.\r\nhccutils.inf Malicious INF file. Points to hccutils.dll.\r\nhjwe.dat Encrypted core of malware family.\r\nigfxtray.exe Legitimate Microsoft executable. Loads hccutils.dll.\r\nqhnj.dat Encrypted plugin. Hooks a number of functions and logs results.\r\nQQMgr.dll Malicious DLL. Sets persistence via Run registry key.\r\nQQMgr.inf Malicious INF file. Points to QQMgr.dll.\r\nResN32.dat String pointing to path of encrypted core of malware.\r\nResN32.dll Malicious DLL. Decrypts, decompresses, and loads core malware.\r\ntyeu.dat Encrypted plugin. Takes screenshots and collects Skype information.\r\nvnkd.dat Encrypted plugin. Finds files on removable drives on victim machine.\r\ndtl.dat Encrypted configuration information.\r\nglp.uin Plugin configuration information.\r\nYou’ll notice that QQMgr* files are not listed in the original malware execution flow diagram. 
In the event the\r\nvictim is running any of the following operating system versions, as well as either Kingsoft, Filseclab, or Tencent\r\nsecurity products, the malware will be installed using an alternative method.\r\nWindows 2008 R2\r\nWindows 7\r\nWindows 2012\r\nWindows 8\r\nIn such a situation, the malware will find and run the built-in Microsoft Windows InfDefaultInstall.exe program,\r\nwhich will install a DLL via an INF file. Should Tencent be installed, the malware will execute the\r\nInfDefaultInstall.exe program with an argument of ‘QQMgr.inf’. Otherwise, it will use ‘hccutils.inf’ as an\r\nargument.\r\nQQMgr.inf will install the QQMgr.dll, while hccutils.inf will install the hccutils.dll library. QQMgr.dll will set the\r\nfollowing registry key:\r\nHKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Eupdate - %APPDATA%\\Intel\\ResN32.dll\r\nThe QQMgr.dll file has the following debug string found within it:\r\nH:\\WORK\\PROJECT\\InfInstallBypassUAC\\Release\\BypassUAC.pdb\r\nThe project name in this path indicates that the INF-based installation is also intended as a UAC bypass.\r\nThe hccutils.dll file is described later within this post.\r\nAfter the malware drops the required files, by default the malware will spawn %APPDATA%\\Intel\\igfxtray.exe in\r\na new process, which begins the second stage of the malware’s execution.\r\nStage 2\r\nThe igfxtray.exe is a legitimate Microsoft Windows executable that sideloads the malicious hccutils.dll DLL file.\r\nThis DLL has the following debug string embedded within it:\r\nD:\\WORK\\T9000\\hccutils_M4\\Release\\hccutils.pdb\r\nUpon loading this malicious DLL, the malware will initially perform the same queries for security products that\r\nwere witnessed in stage 1.\r\nThree separate techniques for starting stage 3 are used depending on the properties of the victim.\r\nThe first technique is used if the victim meets the following criteria:\r\nMicrosoft Windows 8 / Windows 
Server 2012 R2\r\nDoctorWeb security product installed\r\nFor this situation, the following registry key is set:\r\nHKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\update - %SYSTEM%\\rundll32.exe\r\n%APPDATA%\\Intel\\ResN32.dll Run\r\nThis ensures that the ResN32.dll library will be run using the ‘Run’ exported function whenever the machine is\r\nrebooted.\r\nThe second technique is used if the victim meets either of the following sets of criteria:\r\nMicrosoft Windows 8 / Windows Server 2012 R2, and\r\nnone of the Kingsoft, Tencent, or DoctorWeb security products installed\r\nor:\r\nMicrosoft Windows XP or lower, and\r\nno security products installed, or running any of the following:\r\nSophos\r\nGData\r\nTrendMicro\r\nAhnLab\r\nKaspersky\r\nIn these situations, the following persistence technique is used.\r\nHKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_DLLs - %APPDATA%\\Intel\\ResN32.dll\r\nHKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\LoadAppInit_DLLs – 0x1\r\nSetting these registry values both enables the AppInit_DLLs mechanism and ensures that every user-mode process\r\nthat loads user32.dll will also load the ResN32.dll library. (On Windows 8 and later, AppInit_DLLs are ignored when\r\nSecure Boot is enabled.)\r\nThe third technique is used in any other situation. When this occurs, the malware will first identify the\r\nexplorer.exe process identifier. It proceeds to inject the ResN32.dll library into this process.\r\nAt this point, the third stage of the malware family is loaded.\r\nStage 3\r\nThe third stage begins when the ResN32.dll file begins operating. This file contains the following debug string:\r\nD:\\WORK\\T9000\\ResN_M2\\Release\\ResN32.pdb\r\nThe ResN32.dll library begins by spawning a new thread that is responsible for the majority of the capabilities\r\nbuilt into this sample. 
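\r\nThe Stage 1 and Stage 2 branching above is easier to act on when written down as code. The following Python 3 script is an added example, not code from the original post or from the malware: it decodes an avinfo value into product names (reporting any bits the post does not assign), and for a given Windows version returns the launch method the post describes for Stage 1 and the technique hccutils.dll uses to start ResN32.dll in Stage 2. The OS labels ('XP', '7', '8', '2012 R2', ...) are an assumption made for the example, as is reading 'not running Kingsoft, Tencent, or DoctorWeb' as none of the three being present; the post does not describe how avinfo is encoded on disk, so the value is passed in as an integer.

```python
# Added example (not from the Palo Alto Networks post): decode T9000's avinfo
# bitmask and predict the installation/persistence path the post describes.
# OS labels below are an assumption made for this example; the post names the
# versions but not how the malware encodes them.

AV_BITS = {
    0x08000000: 'Sophos',      0x04000000: 'DoctorWeb', 0x02000000: 'INCAInternet',
    0x00200000: 'Baidu',       0x00100000: 'Comodo',    0x00080000: 'TrustPortAntivirus',
    0x00040000: 'GData',       0x00020000: 'AVG',       0x00010000: 'BitDefender',
    0x00008000: 'VirusChaser', 0x00002000: 'McAfee',    0x00001000: 'Panda',
    0x00000800: 'Trend Micro', 0x00000400: 'Kingsoft',  0x00000200: 'Norton',
    0x00000100: 'Micropoint',  0x00000080: 'Filseclab', 0x00000040: 'AhnLab',
    0x00000020: 'JiangMin',    0x00000010: 'Tencent',   0x00000008: 'Kaspersky',
    0x00000004: 'Avira',       0x00000002: 'Rising',    0x00000001: '360',
}
KNOWN_MASK = 0
for _bit in AV_BITS:
    KNOWN_MASK |= _bit

# Windows versions the post names for each decision (assumed label strings)
INF_INSTALL_OS = {'2008 R2', '7', '2012', '8'}   # Stage 1 alternative install
WIN8_FAMILY = {'8', '2012 R2'}                    # Stage 2, techniques 1 and 2
XP_OR_LOWER = {'XP', '2003', '2000'}              # Stage 2, technique 2 (assumed members)


def decode_avinfo(value):
    # Returns (product names whose bit is set, leftover bits the post does not name)
    names = [name for bit, name in AV_BITS.items() if value & bit]
    return names, value & ~KNOWN_MASK


def stage1_launch(products, os_version):
    # Stage 1: the INF-based install is used only on the listed OS versions
    # when Kingsoft, Filseclab or Tencent is present; Tencent selects QQMgr.inf
    present = set(products)
    if os_version in INF_INSTALL_OS and present & {'Kingsoft', 'Filseclab', 'Tencent'}:
        inf = 'QQMgr.inf' if 'Tencent' in present else 'hccutils.inf'
        return 'InfDefaultInstall.exe ' + inf
    return 'spawn igfxtray.exe (sideloads hccutils.dll)'


def stage2_persistence(products, os_version):
    # Stage 2: which of the three techniques hccutils.dll uses to start ResN32.dll
    present = set(products)
    if os_version in WIN8_FAMILY and 'DoctorWeb' in present:
        return 'Run key update -> rundll32.exe ResN32.dll Run'
    if os_version in WIN8_FAMILY and not present & {'Kingsoft', 'Tencent', 'DoctorWeb'}:
        return 'AppInit_DLLs -> ResN32.dll'
    if os_version in XP_OR_LOWER and (
            not present or present & {'Sophos', 'GData', 'Trend Micro', 'AhnLab', 'Kaspersky'}):
        return 'AppInit_DLLs -> ResN32.dll'
    return 'inject ResN32.dll into explorer.exe'


def triage(avinfo_value, os_version):
    # One call for a responder: what was detected and where persistence should be
    products, unknown = decode_avinfo(avinfo_value)
    return {
        'products': products,
        'unknown_bits': unknown,
        'stage1': stage1_launch(products, os_version),
        'stage2': stage2_persistence(products, os_version),
    }


if __name__ == '__main__':
    # The post's own worked example: Trend Micro and Sophos -> 0x08000800
    for os_version in ('XP', '7', '8'):
        print(os_version, triage(0x08000800, os_version))
```

Run it directly to see the post's own example value 0x08000800 (Trend Micro plus Sophos) evaluated on XP, 7 and 8: on Windows 7 neither special case applies, so the artefact to expect is ResN32.dll injected into explorer.exe rather than a Run key or an AppInit_DLLs entry.\r\n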
This thread begins by checking the operating system version, and once again runs a query\r\non the various security products installed on the victim machine.\r\nUnder certain conditions, the following registry key is set, ensuring persistence across reboots:\r\nHKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\update – c:\\windows\\system32\\rundll32.exe\r\n%APPDATA%\\Intel\\ResN32.dll Run\r\nFollowing this, a new thread is created that is responsible for deleting previously written files. This thread creates\r\nthe following mutex:\r\nGlobal\\\\deletethread\r\nIt proceeds to attempt to delete the following files in an infinite loop until said files have been deleted:\r\n%STARTUP%\\hccutils.dll\r\n%STARTUP%\\hccutil.dll\r\n%STARTUP%\\igfxtray.exe\r\nThe ResN32.dll malware proceeds to read in the ResN32.dat file that was previously written to disk. This file\r\ncontains a path to the hjwe.dat file, which is subsequently read in.\r\nThe data within the hjwe.dat file is decrypted using the RC4 algorithm, and subsequently decompressed using the\r\nLZMA algorithm. 
The following script can be used to decrypt the hjwe.dat file, along with the plugins that will be\r\ndiscussed later. It expects a 16-byte header whose first DWORD is the magic value 0xF7E4AA65 and whose third\r\nDWORD is the length of the remaining data, followed by a 260-byte RC4 key and then the RC4-encrypted,\r\nLZMA-compressed payload. It is written for Python 3 and requires the third-party pylzma module.\r\nimport sys\r\nfrom struct import unpack\r\nimport pylzma  # third-party; decompress_compat handles the raw LZMA stream used here\r\n\r\n\r\ndef rc4(data, key):\r\n    # Standard RC4 over bytes objects\r\n    S = list(range(256))\r\n    j = 0\r\n    for i in range(256):\r\n        j = (j + S[i] + key[i % len(key)]) % 256\r\n        S[i], S[j] = S[j], S[i]\r\n    i = j = 0\r\n    out = bytearray()\r\n    for byte in data:\r\n        i = (i + 1) % 256\r\n        j = (j + S[i]) % 256\r\n        S[i], S[j] = S[j], S[i]\r\n        out.append(byte ^ S[(S[i] + S[j]) % 256])\r\n    return bytes(out)\r\n\r\n\r\nwith open(sys.argv[1], 'rb') as f:\r\n    fd = f.read()\r\n\r\nmagic, _, length, _ = unpack('\u003cIIII', fd[0:16])\r\nif magic != 0xf7e4aa65:\r\n    sys.exit('[-] Unexpected header magic 0x%08x; not a T9000 encrypted module?' % magic)\r\nif len(fd) - 16 != length:\r\n    print('[*] Possible error reading in length of data.')\r\n\r\nkey_size = 260\r\nkey = fd[16:16 + key_size]\r\ndata = fd[16 + key_size:]\r\ndecrypted = rc4(data, key)\r\ndecompressed = pylzma.decompress_compat(decrypted)\r\n\r\nout_name = sys.argv[1] + '.decompressed'\r\nwith open(out_name, 'wb') as f1:\r\n    f1.write(decompressed)\r\nprint('[+] Wrote %s' % out_name)\r\nAfter this file has been decrypted and decompressed, it is written to a file in the %TEMP% directory with a file\r\nprefix of ‘____RES’. This file, which contains a Windows DLL, is then loaded into the current process. After the\r\nmalicious library has been loaded, the previously written temporary file is deleted. 
This begins the last stage of the\r\nmalware, which will load the core of the malware family.\r\nStage 4\r\nOnce the decrypted and decompressed hjwe.dat file is loaded, it begins by checking its parent process against the\r\nfollowing list. If the parent process matches the following blacklist, the malicious DLL will exit without\r\nperforming any malicious activities.\r\nwinlogon.exe\r\ncsrss.exe\r\nlogonui.exe\r\nctfmon.exe\r\ndrwtsn32.exe\r\nlogonui.exe\r\nexplore.exe\r\nSystem\r\nDbgview.exe\r\nuserinit.exe\r\nlsass.exe\r\nwmiprvse.exe\r\nservices.exe\r\ninetinfo.exe\r\navp.exe\r\nRtvscan.exe\r\nThe malware proceeds to collect the username of the victim, as well as the operating system version. It then\r\ncompares its parent process against the following list of executables:\r\nwinlogon.exe\r\ncsrss.exe\r\nlogonui.exe\r\nctfmon.exe\r\ndrwtsn32.exe\r\nlogonui.exe\r\nSystem\r\nDwm.exe\r\nQQPCRTP.exe\r\nTasking.exe\r\nTaskhost.exe\r\nTaskmgr.exe\r\nDbgview.exe\r\nsuerinit.exe\r\nlsass.exe\r\nwmiprvse.exe\r\nservices.exe\r\ninetinfo.exe\r\navp.exe\r\nRtvscan.exe\r\nNotice the repeated check for the ‘logonui.exe’, as well as the overlap with the previous parent executable check,\r\nwhich implies sloppiness by the malware author.\r\nAfter these checks are performed, the following mutex is created.\r\nGlobal\\\\{A59CF429-D0DD-4207-88A1-04090680F714}\r\nThe following folders are then created:\r\nutd_CE31\r\nXOLOADER\r\nUpdate\r\nThe path of these folders is determined by the version of Microsoft Windows running. 
The following possibilities\r\nexist:\r\n%ALLUSERSPROFILE%\\Documents\\My Document\\\r\n%PUBLIC%\\Downloads\\Update\\\r\nAt this point, the malware will read in the dtl.dat file, which contains configuration data. Data contained within this\r\nfile starting at offset 0x20 is xor-encrypted using a single-byte key of 0x5F. The following script (Python 3) can be\r\nused to extract the IP address and port for the C2 server from this file. The port is stored as a little-endian DWORD\r\nat offset 4 of the decrypted data and the address as a DWORD in network byte order at offset 8.\r\nfrom struct import unpack\r\nimport sys\r\nimport socket\r\n\r\nwith open(sys.argv[1], 'rb') as f:\r\n    fd = f.read()\r\n\r\n# Everything from offset 0x20 onward is XOR-encrypted with the single-byte key 0x5F\r\ndecrypted = bytes(b ^ 0x5f for b in fd[32:])\r\n\r\n# Port: little-endian DWORD at offset 4 of the decrypted data\r\nport = unpack('\u003cI', decrypted[4:8])[0]\r\n# IP address: stored in network byte order at offset 8, so inet_ntoa takes it directly\r\nip = socket.inet_ntoa(decrypted[8:12])\r\n\r\nprint('IP Address : %s' % ip)\r\nprint('Port       : %d' % port)\r\nThe malware will then read in and parse the included plugin configuration information, which is found within the\r\nglp.uin file that was previously dropped. These included plugins are encrypted and compressed using the same\r\nmethod witnessed by the hjwe.dat file previously. The previously included script can be used to decrypt and\r\ndecompress the following three plugin files:\r\ntyeu.dat\r\nvnkd.dat\r\nqhnj.dat\r\nThese three plugins are subsequently loaded after being decrypted and decompressed. 
An overview of these\r\nplugins can be found later in this post.\r\nThe malware proceeds to create the following event:\r\nGlobal\\\\{34748A26-4EAD-4331-B039-673612E8A5FC}\r\nAdditionally, the following three mutexes are created:\r\nGlobal\\\\{3C6FB3CA-69B1-454f-8B2F-BD157762810E}\r\nGlobal\\\\{43EE34A9-9063-4d2c-AACD-F5C62B849089}\r\nGlobal\\\\{A8859547-C62D-4e8b-A82D-BE1479C684C9}\r\nThe malware will spawn a new thread to handle network communication. The following event is created prior to\r\nthis communication occurring:\r\nGlobal\\\\{EED5CA6C-9958-4611-B7A7-1238F2E1B17E}\r\nThe malware includes proxy support in the event that the victim is behind a web proxy. Network traffic occurs\r\nover a binary protocol on the port specified within the configuration. Traffic is xor-encrypted with a single-byte\r\nkey of 0x55 in an attempt to bypass any network security products that may be in place. Once decrypted, the\r\nfollowing traffic is sent by the malware.\r\nFigure 1: Decrypted data sent by malware\r\nAs we can see from the above image, the malware will send out an initial beacon, followed by various collected\r\ninformation from the victim machine. The following information is exfiltrated:\r\nInstalled security products\r\nSystem time\r\nBuild Number\r\nCPU Architecture (32-bit/64-bit)\r\nMAC Address\r\nIP Address\r\nHostname\r\nUsername\r\nParent executable name\r\nPlugin configuration information\r\nThe malware is configured to receive a number of commands. 
The following command functionalities have been\r\nidentified.\r\nCommand Description\r\nDIR Directory listing\r\nLIR Drive listing\r\nRUN Execute command (Either interactively or not)\r\nCIT Send command to interactively spawned command\r\nCFI Kill interactively spawned process\r\nDOW Download file\r\nUPL Upload file\r\nDEL Delete file\r\nDTK Retrieve statistics for file\r\nERR Null command\r\nAdditionally, the following commands have been identified; their functionality has yet to be fully\r\ndetermined.\r\nPNG\r\nPLI\r\nPLD\r\nFDL\r\nOSC\r\nOSF\r\nSDA\r\nQDA\r\nTFD\r\nSDS\r\nSCP\r\nFMT\r\nSTK\r\nCRP\r\nPlugin #1 – tyeu.dat\r\nWhen this plugin is called with the default exported function, it will create the following mutex:\r\n{CE2100CF-3418-4f9a-9D5D-CC7B58C5AC62}\r\nWhen called with the SetCallbackInterface function export, the malicious capabilities of the plugin begin. The\r\nplugin begins by collecting the username of the running process, and determining if it is running under the\r\nSYSTEM account. If running as SYSTEM, the plugin will associate the active desktop with the plugin’s thread.\r\nThe plugin proceeds to create the following named event:\r\nGlobal\\\\{EED5CA6C-9958-4611-B7A7-1238F2E1B17E}\r\nMultiple threads are then spawned to handle various actions. The first thread is responsible for taking a screenshot\r\nof the desktop of the victim machine. This screenshot data is both compressed and encrypted using a single-byte\r\nxor key of 0x5F. This data is written to one of the following files:\r\n%PUBLIC%\\Downloads\\Update\\S[random].dat\r\n%ALLUSERSPROFILE%\\Documents\\My Document\\S[random].dat\r\nThe random data is generated via the current system time. 
Additionally, when a screenshot is written, one of the\r\nfollowing log files has data appended to it:\r\n%PUBLIC%\\Downloads\\Update\\Log.txt\r\n%ALLUSERSPROFILE%\\Documents\\My Document\\Log.txt\r\nFigure 2: Example data found within Log.txt file\r\nA second thread is responsible for monitoring the foreground window every 20 seconds. The thread will target the\r\nwindow names set within the plugin configuration. In this particular instance, the malware will target the\r\n‘notepad’ process.\r\nWhen this process is discovered to be running in the foreground window, the malware will take a screenshot of\r\nthis window. The data is compressed and encrypted using a single-byte xor key of 0x5F. This data is written to one\r\nof the following files:\r\n%PUBLIC%\\Downloads\\Update\\W[random].dat\r\n%ALLUSERSPROFILE%\\Documents\\My Document\\W[random].dat\r\nLike the previous thread, this one attempts to write another log file to the disk. However, due to a bug within the\r\ncode of this plugin, the malware author attempts to append the ‘C:\\\\Windows\\\\Temp\\\\Log.txt’ string to the path,\r\nresulting in an inaccessible file path. In the event this bug did not exist, the following example data would be\r\nwritten:\r\n08:37:49 2000 [4] PrintKeyTitleWnd: ===\u003e\u003e Process ID : 2000\r\nThe third and final thread spawned by this plugin is responsible for collecting information from the Skype\r\nprogram. The malware will use the built-in Skype API to accomplish this. This only takes place if both Skype is\r\nrunning and the victim is logged into Skype. 
It makes use of the following Skype Desktop API messages:\r\nSkypeControlAPIDiscover\r\nSkypeControlAPIAttach\r\nWhen hooking into the Skype API, the victim is presented with the following dialog:\r\nFigure 3: Skype API access request\r\nThe victim must explicitly allow the malware to access Skype for this particular functionality to work. However,\r\nsince a legitimate process is requesting access, the user may find him- or herself allowing this access without\r\nrealizing what is actually happening.\r\nOnce enabled, the malware will record video calls, audio calls, and chat messages. Audio and video files are\r\nstored in the following folder:\r\n%APPDATA%\\Intel\\Skype\r\nTemporary audio and video files are stored within the audio and video sub-folders respectively. After a call is\r\nfinished, this data is compressed and encrypted using the same techniques previously witnessed. These files\r\nare stored in randomly named .dat files within the Skype folder.\r\nWhen decrypted, we can see that the malware periodically takes images of the video calls. Audio calls are stored\r\nas .wav files.\r\nFigure 4: A lonely malware reverser is captured on video by the malicious plugin\r\nThe original name for this plugin is ‘CaptureDLL.dll’. 
This is aptly named, as we see that this plugin has the\r\nfollowing functionality:\r\nCapture full desktop screenshots\r\nCapture window screenshots of targeted processes\r\nCapture Skype audio, video, and chat messages\r\nPlugin #2 – vnkd.dat\r\nThe vnkd.dat plugin has the following debug path, leading us to believe that the original name for this plugin is\r\n‘FlashDiskThief’:\r\ne:\\WORK\\Project\\T9000\\Windows\\Target\\FlashDiskThief.pdb\r\nWhen loaded with the default DllEntryPoint exported function, it will create the following mutex:\r\nGlobal\\\\{6BB1120C-16E9-4c91-96D5-04B42D1611B4}\r\nLike the other plugins associated with this malware, the majority of the functionality for this plugin resides\r\nwithin the SetCallbackInterface exported function. This function spawns a new thread that begins by registering a\r\nnew window with a class name and window name of ‘xx’.\r\nThe plugin proceeds to iterate through all connected drives on the system, looking for removable drives.\r\nFigure 5. Plugin check for removable drives\r\nShould a removable drive be discovered, the plugin will seek any files residing on this device based on the\r\nplugin’s configured list. In this particular instance, the malware will seek out the following file types:\r\n*.doc\r\n*.ppt\r\n*.xls\r\n*.docx\r\n*.pptx\r\n*.xlsx\r\nIf one of these file types is found, the malware will create a copy of the file in one of the following paths:\r\n%PUBLIC%\\Downloads\\Update\\D[random].tmp\r\n%ALLUSERSPROFILE%\\Documents\\My Document\\D[random].tmp\r\nThe data found within this file is encrypted using a single-byte xor key of 0x41. 
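\r\nBecause these copies are only obscured with a single-byte XOR, a responder who finds a D[random].tmp file can recover the stolen document without knowing the key in advance. The following Python 3 script is an added example, not code from the original post: it brute-forces all 256 keys and looks for the OLE2 and OOXML (ZIP) signatures of the file types the plugin targets anywhere in the buffer, because the post shows a header ahead of the file data but does not give its length, then carves the document from the first signature hit. The 16-byte zero header and the ten-byte ZIP local-header fragment used as sample input are constructed for the example.

```python
# Added example (not from the Palo Alto Networks post): recover the single-byte
# XOR key of a T9000 FlashDiskThief copy (D[random].tmp) from Office file magic
# and carve the stolen document out. The post gives the key as 0x41; the
# length of the header that precedes the document is not given, so the search
# scans the whole buffer rather than assuming an offset.

OFFICE_MAGIC = {
    'ole2 (.doc/.xls/.ppt)': bytes.fromhex('d0cf11e0a1b11ae1'),
    'ooxml (.docx/.xlsx/.pptx)': bytes.fromhex('504b0304'),
}


def xor_bytes(data, key):
    # Single-byte XOR is its own inverse, so this both encrypts and decrypts
    return bytes(b ^ key for b in data)


def recover_key(blob):
    # Try every key; a hit on the 8-byte OLE2 or 4-byte ZIP signature is
    # returned as (key, format, offset of the signature in the blob).
    # Low keys are tried first, so a blob that already contains a
    # signature in the clear reports key 0.
    for key in range(256):
        plain = xor_bytes(blob, key)
        for kind, magic in OFFICE_MAGIC.items():
            off = plain.find(magic)
            if off != -1:
                return key, kind, off
    return None


def carve_document(blob):
    # Returns (format, decoded bytes from the signature onward), or None
    hit = recover_key(blob)
    if hit is None:
        return None
    key, kind, off = hit
    return kind, xor_bytes(blob[off:], key)


# Constructed sample: a made-up 16-byte header, then the first ten bytes of a
# ZIP local file header (what a .docx starts with), all XORed with 0x41.
SAMPLE_HEADER = bytes(16)
SAMPLE_DOC = bytes.fromhex('504b0304140000000800')
SAMPLE_BLOB = xor_bytes(SAMPLE_HEADER + SAMPLE_DOC, 0x41)

if __name__ == '__main__':
    print(recover_key(SAMPLE_BLOB))
    print(carve_document(SAMPLE_BLOB))
```

Run it to see the key 0x41 and the signature offset 16 recovered from the constructed sample. The search returns the lowest key that produces a signature, so for real artefacts check that the carved bytes parse as a document rather than trusting a single 4-byte ZIP hit on its own.\r\n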
The file header structure, with the\r\nunderlying data still encrypted, can be seen below.\r\nFigure 6: File structure prior to decryption\r\nFigure 7: File structure post decryption\r\nThis concludes the functionality of the vnkd.dat plugin, or FlashDiskThief as it’s known by the malware’s author.\r\nWhile specific in nature, this plugin allows attackers to collect files being passed around from one machine to\r\nanother via removable drives.\r\nPlugin #3 – qhnj.dat\r\nThis particular plugin appears to have an original filename of ‘kplugin.dll’ due to debugging information found\r\nwithin the file. The qhnj.dat plugin is responsible for hooking a number of common Microsoft Windows API calls,\r\nand logging the results.\r\nThe following functions are hooked by this plugin:\r\nImmGetCompositionStringA\r\nImmGetCompositionStringW\r\nCreateFileW\r\nDeleteFileW\r\nCopyFileExW\r\nMoveFileWithProgressW\r\nCreateDirectoryW\r\nCreateDirectoryExW\r\nRemoveDirectoryW\r\nGetClipboardData\r\nCryptEncrypt\r\nCryptDecrypt\r\nThe plugin most likely hooks the ImmGetCompositionString* functions in order to capture text entered through an\r\nInput Method Editor, that is, input in languages such as Chinese, Japanese, and Korean that is composed rather\r\nthan typed key by key.\r\nHooking the various file and directory operations allows the malware to log what file changes are occurring on the\r\nsystem. 
When a file is created, copied, moved, or deleted on the system, the malware will check the directory of\r\nsaid file against the following blacklist:\r\n\\\\\\\\.\\\\\r\n:\\\\program files\\\\\r\n\\\\AppData\\\\\r\n\\\\temporary internet files\\\\\r\n\\\\application data\\\\\r\n\\\\Local Settings\\\\\r\n\\\\cookies\\\\\r\n\\\\temp\\\\\r\n\\\\history\\\\\r\nAdditionally, the filename is compared against the ‘.tmp’ extension to ensure a temporary file is ignored.\r\nShould the file meet the required criteria, this data is logged. Additionally, all folder modifications and clipboard\r\ndata are logged as well.\r\nHooking CryptEncrypt and CryptDecrypt lets the malware see the plaintext that the hooked process hands to\r\nCryptoAPI before it is encrypted, and the plaintext recovered after decryption. Data that would be opaque in a\r\nnetwork capture, such as credentials for remote systems used by the victim, is therefore logged in the clear.\r\nAll of the data logged by the qhnj.dat plugin file is stored in one of the following file paths. Data is encrypted\r\nusing a single-byte XOR key of 0x79.\r\n%PUBLIC%\\Downloads\\Update\\uai[random].tmp\r\n%ALLUSERSPROFILE%\\Documents\\My Document\\uai[random].tmp\r\nThis last plugin allows the attackers to record important actions taken by the victim, which in turn may allow them\r\nto gain additional access as well as insight into the victim’s actions.\r\nConclusion\r\nT9000 appears to be the latest version of this Trojan, which has been partially exposed in previous reports. In\r\n2013, Cylance published a report on a group they named “Grand Theft Auto Panda”, which includes some details\r\non the T5000 version of this Trojan. 
FireEye researchers also noted that the malware was used in an attack in 2014\r\nusing a lure related to the disappearance of Malaysian flight MH370.\r\nThe author of this backdoor has gone to great lengths to avoid being detected and to evade the scrutiny of the\r\nmalware analysis community. We hope that sharing the details of how this tool works as well as the indicators in\r\nthe section below will help others defend themselves against attacks using this tool.\r\nIn a future report, we will detail the infrastructure used by the variants of the malware we have identified and\r\ndiscuss the methods attackers use to infect systems with it.\r\nPalo Alto Networks customers are protected from T9000/T5000 attacks through our next-generation security\r\nplatform, including the following.\r\nThreat Prevention signatures for the software vulnerabilities listed in this report are available to detect the\r\nexploit files during delivery.\r\nTraps is capable of preventing exploitation of the vulnerabilities exploited to install T9000.\r\nWildFire classifies all of the malware described in this report as malicious.\r\nAnti-malware signatures for the files listed in this report.\r\nAutoFocus users can identify the malware discussed in this report with the T5000 tag\r\nIndicators of Compromise\r\nHashes\r\nRTF File, d5fa43be20aa94baf1737289c5034e2235f1393890fb6f4e8d4104565be52d8c\r\nQQMGr.dll, bf1b00b7430899d33795ef3405142e880ef8dcbda8aab0b19d80875a14ed852f\r\nQQMGR.inf, ace7e3535f2f1fe32e693920a9f411eea21682c87a8e6661d3b67330cd221a2a\r\nResN32.dat, aa28db689f73d77babd1c763c53b3e63950f6a15b7c1a974c7481a216dda9afd\r\nResN32.dll, 1cea4e49bd785378d8beb863bb8eb662042dffd18c85b8c14c74a0367071d9a7\r\nhqwe.dat, bb73261072d2ef220b8f87c6bb7488ad2da736790898d61f33a5fb7747abf48b\r\nhqwe.dat.decrypted, 7daf3c3dbecb60bee3d5eb3320b20f2648cf26bd9203564ce162c97dcb132569\r\nhccutils.dll, 3dfc94605daf51ebd7bbccbb3a9049999f8d555db0999a6a7e6265a7e458cab9\r\nhccutils.inf, 
f05cd0353817bf6c2cab396181464c31c352d6dea07e2d688def261dd6542b27\r\nigfxtray.exe, 21a5818822a0b2d52a068d1e3339ed4c767f4d83b081bf17b837e9b6e112ee61\r\nqhnj.dat, c61dbc7b51caab1d0353cbba9a8f51f65ef167459277c1c16f15eb6c7025cfe3\r\nqhnj.dat.decrypted, 2b973adbb2addf62cf36cef9975cb0193a7ff0b960e2cff2c80560126bee6f37\r\ntyeu.dat, e52b5ed63719a2798314a9c49c42c0ed4eb22a1ac4a2ad30e8bfc899edcea926\r\ntyeu.dat.decrypted, 5fc3dc25276b01d6cb2fb821b83aa596f1d64ae8430c5576b953e3220a01d9aa\r\nvnkd.dat, c22b40db7f9f8ebdbde4e5fc3a44e15449f75c40830c88932f9abd541cc78465\r\nvnkd.dat.decrypted, 157e0a9323eaaa911b3847d64ca0d08be8cd26b2573687be461627e410cb1b3f\r\ndtl.dat, 00add5c817f89b9ec490885be39398f878fa64a5c3564eaca679226cf73d929e\r\nglp.uin, 3fa05f2f73a0c44a5f51f28319c4dc5b8198fb25e1cfcbea5327c9f1b3a871d4\r\nMutexes\r\n820C90CxxA1B084495866C6D95B2595xx1C3\r\nGlobal\\\\deletethread\r\nGlobal\\\\{A59CF429-D0DD-4207-88A1-04090680F714}\r\nGlobal\\\\{3C6FB3CA-69B1-454f-8B2F-BD157762810E}\r\nGlobal\\\\{43EE34A9-9063-4d2c-AACD-F5C62B849089}\r\nGlobal\\\\{A8859547-C62D-4e8b-A82D-BE1479C684C9}\r\n{CE2100CF-3418-4f9a-9D5D-CC7B58C5AC62}\r\nGlobal\\\\{6BB1120C-16E9-4c91-96D5-04B42D1611B4}\r\nNamed Events\r\nGlobal\\\\{34748A26-4EAD-4331-B039-673612E8A5FC}\r\nGlobal\\\\{EED5CA6C-9958-4611-B7A7-1238F2E1B17E}\r\nFile 
Modifications\r\n%TEMP%\\~tmp.doc\r\n%APPDATA%\\Intel\\avinfo\r\n%APPDATA%\\Intel\\Data\\dtl.dat\r\n%APPDATA%\\Intel\\Data\\glp.uin\r\n%APPDATA%\\Intel\\Data\\\r\n%APPDATA%\\Intel\\~1\r\n%APPDATA%\\Intel\\hccutils.dll\r\n%APPDATA%\\Intel\\hccutils.inf\r\n%APPDATA%\\Intel\\hjwe.dat\r\n%APPDATA%\\Intel\\igfxtray.exe\r\n%APPDATA%\\Intel\\qhnj.dat\r\n%APPDATA%\\Intel\\QQMgr.dll\r\n%APPDATA%\\Intel\\QQMgr.inf\r\n%APPDATA%\\Intel\\ResN32.dll\r\n%APPDATA%\\Intel\\ResN32.dat\r\n%APPDATA%\\Intel\\tyeu.dat\r\n%APPDATA%\\Intel\\vnkd.dat\r\n%STARTUP%\\hccutils.dll\r\n%STARTUP%\\hccutil.dll\r\n%STARTUP%\\igfxtray.exe\r\n%ALLUSERSPROFILE%\\Documents\\My Document\\utd_CE31\r\n%ALLUSERSPROFILE%\\Documents\\My Document\\XOLOADER\r\n%ALLUSERSPROFILE%\\Documents\\My Document\\update\r\n%ALLUSERSPROFILE%\\Documents\\My Document\\Log.txt\r\n%PUBLIC%\\Downloads\\Update\\utd_CE31\r\n%PUBLIC%\\Downloads\\Update\\XOLOADER\r\n%PUBLIC%\\Downloads\\Update\\update\r\n%PUBLIC%\\Downloads\\Update\\Log.txt\r\n%APPDATA%\\Intel\\Skype\r\nRegistry Modifications\r\nHKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Eupdate - %APPDATA%\\Intel\\ResN32.dll\r\nHKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\update - %SYSTEM%\\rundll32.exe\r\n%APPDATA%\\Intel\\ResN32.dll Run\r\nHKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_DLLs -\r\n%APPDATA%\\Intel\\ResN32.dll\r\nHKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\LoadAppInit_DLLs – 0x1\r\nHKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\update – c:\\windows\\system32\\rundll32.exe\r\n%APPDATA%\\Intel\\ResN32.dll Run\r\nCommand and Control\r\n 198.55.120[.]143:8080\r\nSource: 
http://researchcenter.paloaltonetworks.com/2016/02/t9000-advanced-modular-backdoor-uses-complex-anti-analysis-techniques/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"http://researchcenter.paloaltonetworks.com/2016/02/t9000-advanced-modular-backdoor-uses-complex-anti-analysis-techniques/"
	],
	"report_names": [
		"t9000-advanced-modular-backdoor-uses-complex-anti-analysis-techniques"
	],
	"threat_actors": [],
	"ts_created_at": 1775434491,
	"ts_updated_at": 1775791269,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/76b5c9acde350b33b2bbe0c7e5324c27f89fd864.pdf",
		"text": "https://archive.orkl.eu/76b5c9acde350b33b2bbe0c7e5324c27f89fd864.txt",
		"img": "https://archive.orkl.eu/76b5c9acde350b33b2bbe0c7e5324c27f89fd864.jpg"
	}
}