Win32/Revokery [Threat Name]

Win32/Revokery.A [Threat Variant Name]

Category trojan
Size 9146648 B
Detection created Jan 17, 2017
Signature database version 14783
Aliases Trojan-Downloader.Win32.Agent.wuqju (Kaspersky), Trojan.Revokery (Symantec)
Short description

The trojan serves as a backdoor. It can be controlled remotely. The file is run-time compressed using ASPack.

Installation

When executed, the trojan creates the following folders:

  • %variable1%\Recovery
  • %variable1%\Recovery\bin
  • %variable1%\Recovery\bin\sys
  • %variable1%\Recovery\bin\sys\systemLog
  • %variable1%\Recovery\bin\sys\systemHistory
  • %variable1%\Recovery\bin\sys\oldVersion
  • %variable1%\Recovery\bin\sys\sysTime
  • %variable1%\WinRAR
  • %variable1%\Windows
  • %variable1%\WindowsShell
  • %variable2%\Update
  • %variable2%\WinTools

The trojan copies itself to the following location:

  • %variable1%\Win10Shell.exe

The %variable1% is one of the following strings:

  • C:\Documents and Settings\%username%\Application Data
  • C:\ProgramData

The %variable2% is one of the following strings:

  • C:\Documents and Settings\%username%\Application Data
  • C:\Users\%username%\AppData\Roaming

The trojan creates the following file:

  • %startup%\WinShellUpdate.lnk

The file is a shortcut to a malicious file. This causes the trojan to be executed on every system start.


The trojan creates the following files:

  • %workingfolder%\libeay32.dll (1363456 B)
  • %workingfolder%\ssleay32.dll (359936 B)

The trojan executes the following commands:

  • cmd.exe /C copy "%malwarefilepath%" "%variable1%\Win10Shell.exe"
  • cmd.exe /C wmic DISKDRIVE get SerialNumber

The trojan may execute the following commands:

  • cmd.exe /C choice /C Y /N /D Y /T 3 & Del "%variable1%\WindowsShell\*.exe"

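
As an added host-check example (not ESET's code and not part of the original description), the script below expands the %variable1% and %variable2% locations listed above for a given user name and probes each file-system artefact. The per-user Startup folder paths and the user name are assumptions, since the description only names %startup%; the `exists` callback is injectable so the check can be exercised offline.

```python
import os
from typing import Callable, List, Tuple

# Per-user Startup folders (assumed: the description only says %startup%).
STARTUP_DIRS = [
    r"C:\Users\{u}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup",
    r"C:\Documents and Settings\{u}\Start Menu\Programs\Startup",
]
# Sub-folders created under %variable1% and %variable2% (from the description).
VAR1_SUBDIRS = [r"Recovery", r"Recovery\bin", r"Recovery\bin\sys",
                r"Recovery\bin\sys\systemLog", r"Recovery\bin\sys\systemHistory",
                r"Recovery\bin\sys\oldVersion", r"Recovery\bin\sys\sysTime",
                r"WinRAR", r"Windows", r"WindowsShell"]
VAR2_SUBDIRS = ["Update", "WinTools"]


def indicator_paths(username: str) -> List[Tuple[str, str, str]]:
    """Return (strength, kind, path) tuples for one user's indicator paths.

    Folder names such as Recovery, Windows or WinRAR under ProgramData or
    AppData also occur on clean hosts, so they are rated weak; the dropped
    copy Win10Shell.exe and the Startup shortcut are distinctive (strong).
    libeay32.dll / ssleay32.dll are ordinary OpenSSL builds and are not
    probed here; only the listed byte sizes would single them out.
    """
    xp_appdata = f"C:\\Documents and Settings\\{username}\\Application Data"
    variable1 = [xp_appdata, r"C:\ProgramData"]
    variable2 = [xp_appdata, f"C:\\Users\\{username}\\AppData\\Roaming"]
    paths: List[Tuple[str, str, str]] = []
    for base in variable1:
        paths.append(("strong", "dropped copy", f"{base}\\Win10Shell.exe"))
        paths += [("weak", "folder", f"{base}\\{sub}") for sub in VAR1_SUBDIRS]
    for base in variable2:
        paths += [("weak", "folder", f"{base}\\{sub}") for sub in VAR2_SUBDIRS]
    for start in STARTUP_DIRS:
        paths.append(("strong", "startup shortcut",
                      start.format(u=username) + r"\WinShellUpdate.lnk"))
    return paths


def check_host(username: str,
               exists: Callable[[str], bool] = os.path.exists) -> List[Tuple[str, str, str]]:
    """Probe every indicator path; `exists` defaults to the real file system."""
    return [hit for hit in indicator_paths(username) if exists(hit[2])]


if __name__ == "__main__":
    # Constructed sample host with two artefacts present (not real telemetry).
    present = {r"C:\ProgramData\Win10Shell.exe", r"C:\ProgramData\Recovery\bin\sys\sysTime"}
    for strength, kind, path in check_host("alice", exists=present.__contains__):
        print(f"[{strength}] {kind}: {path}")
```

On a live host, run `check_host(os.environ["USERNAME"])` without the `exists` argument and treat any strong hit as grounds for triage; weak hits alone warrant a closer look at the folder contents rather than an alert.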
Information stealing

The trojan collects the following information:

  • computer name
  • user name
  • volume serial number
  • operating system version

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of (13) URLs. The HTTPS protocol is used in the communication.

It can execute the following operations:


  • download files from a remote computer and/or the Internet
  • run executable files
  • shut down/restart the computer
  • update itself to a newer version
  • terminate running processes
  • send the list of running processes to a remote computer
  • send the list of disk devices and their type to a remote computer
  • capture screenshots
  • uninstall itself
  • send gathered information
