Win32/Saflad [Threat Name] go to Threat

Win32/Saflad.AA [Threat Variant Name]

Category trojan
Size 2095616 B
Detection created Dec 12, 2016
Signature database version 14594
Aliases Trojan-Downloader.Win32.Upatre.fuge (Kaspersky)
  Trojan.DownLoader23.5340 (Dr.Web)
  Downloader (Symantec)
Short description

The trojan serves as a backdoor. It can be controlled remotely. The trojan sends HTTP requests to simulate clicks on banner advertisements, to inflate web counter statistics etc.

Installation

When executed, the trojan creates the following files:

  • %currentfolder%\­unit.bat
  • C:\­Program Files\­Common Files\­System\­config.dat (128 B)
  • C:\­Program Files\­Common Files\­System\­safe.dat (707798 B)
  • C:\­Program Files\­Common Files\­System\­ado\­hehe.dll (379392 B, Win32/Saflad.AA)
  • c:\­windows\­system32\­drivers\­uiprotect.sys (62080 B, Win32/Saflad.AA)
  • %temp%\­safemonn.dll (379392 B, Win32/Saflad.AA)
  • %temp%\­proxy.dat (155648 B, Win32/Saflad.AAn)
  • %temp%\­safe.dat (707798 B)
  • %variable1%

The %variable1% is one of the following strings:

  • C:\­Program Files\­Common Files\­System\­safemonn32.dll (180224 B, Win32/Saflad.AA trojan)
  • C:\­Program Files\­Common Files\­System\­safemonn64.dll (182272 B, Win64/Saflad.AA trojan)

The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­Explorer\­ShellIconOverlayIdentifiers\­0OverlayIcon]
    • "(Default)" = "{8D6E9E7B-57C4-4080-AAAE-5DC03C45B9D7}"
  • [HKEY_CLASSES_ROOT\­CLSID\­{8D6E9E7B-57C4-4080-AAAE-5DC03C45B9D7}\­InProcServer32]
    • "(Default)" = "%variable2%"
  • [HKEY_LOCAL_MACHINE\­System\­CurrentControlSet\­Services\­IRPIIP]
    • "(Default)" = "\­x00"
    • "ImagePath" = "%variable3%"
    • "ObjectName" = "LocalSystem"
    • "Start" = 2
    • "Type" = 32
    • "ErrorControl" = 2
  • [HKEY_LOCAL_MACHINE\­System\­CurrentControlSet\­Services\­IRPIIP\­Parameters]
    • "ServiceDll" = "..\­..\­Program Files\­Common Files\­System\­protect.dll"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Wow6432Node\­Microsoft\­Windows\­CurrentVersion\­Explorer\­ShellIconOverlayIdentifiers\­MyOverlayIcon]
    • "(Default)" = "{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}"
  • [HKEY_CLASSES_ROOT\­Wow6432Node\­CLSID\­{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}\­InprocServer32]
    • "(Default)" = "..\­Program Files\­Common Files\­System\­OverlayIcon.dll"
  • [HKEY_CLASESS_ROOT\­CLSID\­{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}\­InprocServer32]
    • "(Default)" = "..\­Program Files\­Common Files\­System\­OverlayIcon.dll"

This causes the trojan to be executed on every system start.


The %variable2% is one of the following strings:

  • ..\­Program Files\­Common Files\­System\­safemonn32.dll
  • ..\­Program Files\­Common Files\­System\­safemonn64.dll

The %variable3% is one of the following strings:

  • %systemroot%\­system32\­svchost.exe -k netsvcs
  • %systemroot%\­SysWOW64\­svchost.exe -k netsvcs

Installs the following system drivers (path, name):

  • c:\­windows\­system32\­drivers\­uiprotect.sys, TsFltMgr

The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\­System\­CurrentControlSet\­Services\­uiprotect]
    • "Type" = 1
    • "ErrorControl" = 1
    • "Start" = 1
    • "ImagePath" = "c:\­windows\­system32\­drivers\­uiprotect.sys"
  • [HKEY_LOCAL_MACHINE\­System\­CurrentControlSet\­Services\­uiprotect\­Instances]
    • "DefaultInstance" = "uiprotect Instatans"
  • [HKEY_LOCAL_MACHINE\­System\­CurrentControlSet\­Services\­uiprotect\­uiprotect Instatans]
    • "Altitude" = "270035"
    • "Flags" = 0

This causes the trojan to be executed on every system start.


The following Registry entries are set:

  • [HKEY_CURRENT_USER\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion]
    • "SETUPTIME" = "%currentdate%"
    • "lock" = "1"
    • "DomainVer" = "1.0.0.2"
    • "IdVer" = "1.0.0.1"
    • "GlobalVer" = "1.0.1.12"
    • "MD5Ver" = "1.0.1.12"
  • [HKEY_CURRENT_USER\­Software\­Classes]
    • "update" = "1"
  • [HKEY_LOCAL_MACHINE\­SYSTEM\­CurrentControlSet\­Control\­ComputerName]
    • "PATH" = "C:\­Program Files\­Common Files\­System\­safe.dat"

The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Svchost]
    • "netsvcs" = "%originalvalue%, IRPIIP"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­WOW6432Node\­Microsoft\­Windows NT\­CurrentVersion\­Svchost]
    • "netsvcs" = "%originalvalue%, IRPIIP"

The trojan launches the following processes:

  • cmd.exe

The trojan creates and runs a new thread with its own code within these running processes.


After the installation is complete, the trojan deletes the original executable file.

Information stealing

The trojan collects the following information:

  • computer name
  • volume serial number
  • operating system version
  • external IP address of the network device
  • application startup time

The trojan attempts to send gathered information to a remote machine. The HTTP protocol is used.

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a list of (7) URLs. The HTTP protocol is used in the communication.


It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • visit a specific website
  • simulate user's input (clicks, taps)
  • set up a proxy server
  • update itself to a newer version
  • create Registry entries
  • send gathered information

The trojan opens TCP port 6368 .


The trojan sends HTTP requests to simulate clicks on banner advertisements, to inflate web counter statistics etc.


The trojan may redirect the user to the specific web sites.


The trojan hides its presence in the system.


It uses techniques common for rootkits.


The trojan creates and runs a new thread with its own program code within the following processes:

  • 2345chrome.exe
  • 2345explorer.exe
  • 360chrome.exe
  • 360se.exe
  • baidubrowser.exe
  • chrome.exe
  • firefox.exe
  • iexplore.exe
  • liebao.exe
  • maxthon.exe
  • opera\­launcher.exe
  • qqbrowser.exe
  • sogouexplorer.exe
  • theworld.exe
  • ucbrowser.exe
  • winlogon.exe

The trojan hooks the following Windows APIs:

  • CreateProcessW (kernel32.dll)
  • CreateProcessA (kernel32.dll)
  • ExitWindowsEx (user32.dll)
  • NtDeviceIoControlFile (ntdll.dll)

The trojan keeps various information in the following Registry keys:

  • [HKEY_CURRENT_USER\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­debug]
  • [HKEY_CLASSES_ROOT\­QQ]

Please enable Javascript to ensure correct displaying of this content and refresh this page.