My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets



Added to the Dr.Web virus database: 2021-10-22

Virus description added:

Packer: absent

Compilation date: 2021-29-03

  • SHA1 hash: abfd737b14413a7c6a21c8757aeb6e151701626a


A multi-functional backdoor trojan for 64-bit and 32-bit operating systems of the Microsoft Windows family. Designed to establish an encrypted connection with the command and control server and unauthorized control of an infected computer. It has the functions of a file manager and Remote Shell.

Preparing procedures

At the beginning of the work, the backdoor decrypts the overlay provided by the shellcode. The first encryption layer is removed by the following algorithm:

k = 0x37
s = bytearray()
for i in range(len(d)):
    c = d[i] ^ k
    k = (k + c) & 0xff

The second layer is the XOR operation with the key 0xCC.

This overlay contains:

  • configuration of trojan;
  • module for bypassing UAC.

Configuration looks as follows:

struct st_proxy
  char proxy_addr[32];
  char proxy_login[64];
  char proxy_password[64];
 _BYTE pad[2];
struct st_config
  char cnc_addr[4][34];
  st_proxy proxies[4];
  char home_dir[260];
  char exe_name[50];
  char loader_name[50];
  char shellcode_name[50];
  char software_name[260];
  char startup_argument[50];
  _DWORD reg_hkey;
  char reg_run_key[200];
  char reg_value_name[52];
  char taskname[52];
  _DWORD mstask_mo;
  char svcname[50];
  char svcdisplayname[50];
  char svcdescription[256];
  char reg_uninstall_key[50];
  char inject_target_usr[260];
  char inject_target[260];
  _BYTE byte0[2];
  _BYTE flags;
  _BYTE pad[3];
  _DWORD keepalivetime;
  unsigned __int8 key[16];

The flags field displays which autoload methods the trojan should use, as well as what launch features are:

enum em_flags
  UNK_FLAG_2 = 0x2,
  UNK_FLAG_4 = 0x4,
  RUN_AS_USER = 0x80,

If the launch is specified via the task scheduler ([string]INSTALL_AS_MSTASK[/string]), then after decrypting the configuration [string]flags[/string] creates a mutex to prevent restart:


Next, it checks if the trojan has enough rights to launch in the way that was previously specified in the configuration. If not, then it restarts itself bypass UAC.

Trojan checks for the presence of a file in the path C:Users\Public\Downloads\clockinstall.tmp, and if it exists, it deletes clockinstall.tmp.

If the clockinstall.tmpfile is missing, then it checks if the install file exists in the folder from which the Trojan was launched and removes it if it exists.

Then installs itself into the system in accordance with the type specified in the configuration. In addition, the backdoor will try to hide its activity from the user.

If the Trojan runs on a 32-bit OS, then the same mechanism for hiding a service from running ones is valid, as inBackDoor.PlugX.28, - deleting that structure from the list of [string]ServiceDatabase[/string] structures, which corresponds to the trojan service.

If the configuration specifies that the Trojan should be injected into a process, then it will be injected into the target process. If the [string]RUN_AS_USER[/string] flag is specified in the configuration, then the Trojan will wait until at least one authorized user appears, after which it will create its own process, but on behalf of the user.

Regardless of the trojan's autorun type, only one process can communicate with the command and control server. This creates a mutex:


Before attempting to establish a connection with the command and control server, trojan determines the proxy server settings. For this purpose:

  • The presence of the [string]<process_name>.ini[/string] file in the folder from which the Trojan process was launched is checked. Example of the configuration:
  • Reads a file named [string]<loader_name>.tmp[/string] in the Trojan folder, where [string]<loader_name>[/string] is the value from the configuration;
  • Reads proxy settings from registry [string][HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings][/string], keys [string]ProxyEnable[/string] and [string]ProxyServer[/string]
  • Reads proxy settings from Mozilla Firefox settings - [string]%APPDATA%\Mozilla\Firefox\<profile>\prefs.js[/string]
  • Also checks for stored login:password from the proxy server in Mozilla Firefox and Internet Explorer.

Control server protocol

Establishing a connection to the server mimics the creation of a TLS1.0 connection between the client and the server. Trojan body contains two buffers:

  1. Contains the TLS1.0 Client Hello package:


  2. Contains TLS 1.0 Client Key Exchange packets with key length [string]0x100[/string] bytes, Change Cipher Spec, Client Handshake Finished:


When sending a Client Hello packet, the trojan encrypts all bytes of the Client Random field, starting from the 4th one, using the XOR method with random bytes, and records the current time in the first 4. The server's response to this message is accepted, but the data is ignored.

When sending the second packet, the backdoor also encrypts the public key field of the Client Key Exchange packet using the XOR method with random bytes, and writes its 28-byte key into the data of the Client Handshake Finished packet, which will be used to encrypt and decrypt packets sent or received from the server . The backdoor encrypts the last 4 bytes of the Client Handshake Finished packet with random bytes and sends it to the command and control server. In response, the server sends its own key, which is used to initialize the key shared with the client.

After that, the backdoor enters the command processing cycle from the control server. The traffic between the client and the server is encrypted using the [string]RC4[/string] algorithm.

The list of commands:

opcode Command
0x01Gathering information regarding the infected device
0x02Remote shell
0x03File manager (see below for commands ending in 3)
0x103Open file for writing
0x203Download a file
0x303Data to be written
0x400Reconnect to server
0x403Obtain information about disk or directory listing;
0x500To finish work
0x503Move a file;
0x600Delete proxy configuration ini file
0x603Delete a file
0x703Run a process;
0x700Execute a command during ShellExecute
0x800Renew configuration

Curing recommendations

  1. If the operating system (OS) can be loaded (either normally or in safe mode), download Dr.Web Security Space and run a full scan of your computer and removable media you use. More about Dr.Web Security Space.
  2. If you cannot boot the OS, change the BIOS settings to boot your system from a CD or USB drive. Download the image of the emergency system repair disk Dr.Web® LiveDisk , mount it on a USB drive or burn it to a CD/DVD. After booting up with this media, run a full scan and cure all the detected threats.
Download Dr.Web

Download by serial number

Use Dr.Web Anti-virus for macOS to run a full scan of your Mac.

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

Download Dr.Web

Download by serial number

  1. If the mobile device is operating normally, download and install Dr.Web for Android. Run a full system scan and follow recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount; or you will see some other announcement that prevents you from using the handheld normally), do the following:
    • Load your smartphone or tablet in the safe mode (depending on the operating system version and specifications of the particular mobile device involved, this procedure can be performed in various ways; seek clarification from the user guide that was shipped with the device, or contact its manufacturer);
    • Once you have activated safe mode, install the Dr.Web for Android onto the infected handheld and run a full scan of the system; follow the steps recommended for neutralizing the threats that have been detected;
    • Switch off your device and turn it on as normal.

Find out more about Dr.Web for Android

© Doctor Web
2003 — 2022

Doctor Web is a cybersecurity company focused on threat detection, prevention and response technologies