Win32/Tapaoux [Threat Name] go to Threat

Win32/Tapaoux.O [Threat Variant Name]

Category trojan
Size 350980 B
Detection created Nov 18, 2015
Detection database version 12587
Aliases Trojan:Win32/Tapaoux!rfn (Microsoft)
  Troj/Tapaoux-AC (Sophos)
Short description

The trojan serves as a backdoor. It can be controlled remotely.

Installation

When executed, the trojan creates the following files:

  • %appdata%\­Microsoft\­windows\­offcvu\­AcroUpd32.exe (63488 B, Win32/Tapaoux.O)
  • %appdata%\­Microsoft\­windows\­offcvu\­reader_sl.exe (72704 B, Win32/Tapaoux.O)
  • %appdata%\­Microsoft\­windows\­offcvu\­msrtsp32.dll (256512 B, Win32/Tapaoux.O)

The trojan executes the following files:

  • %appdata%\­Microsoft\­windows\­offcvu\­AcroUpd32.exe

The trojan may create the following files:

  • %startup%\­reader_sl.lnk

The file is a shortcut to a malicious file.


This way the trojan ensures that the file is executed on every system start.


In order to be executed on every system start, the trojan sets the following Registry entries:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "reader_sl" = "%appdata%\­Microsoft\­windows\­offcvu\­reader_sl.exe"
  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Policies\­Explorer\­Run]
    • "reader_sl" = "%appdata%\­Microsoft\­windows\­offcvu\­reader_sl.exe"

The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Active Setup\­Installed Components\­{7e581f7f-58ef-5e0c-46ee-79087b7c3c26}]
    • "StubPath" = "%appdata%\­Microsoft\­windows\­offcvu\­reader_sl.exe"
    • "Version" = "1,0,0,1"
    • "IsInstalled" = 1
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Active Setup\­Installed Components\­{fe581f7f-f8ef-fe0c-f6ee-f9087b7c3c26}]
    • "StubPath" = "%appdata%\­Microsoft\­windows\­offcvu\­reader_sl.exe"
    • "Version" = "1,0,0,1"
    • "IsInstalled" = 1
  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­InternetSettings]
    • "ProxySecurityUpgrade" = %variable%

A string with variable content is used instead of %variable% .

Information stealing

The trojan collects the following information:

  • computer name
  • list of files/folders on a specific drive
  • list of running processes
  • screenshots
  • Registry entries

The trojan attempts to send gathered information to a remote machine.

Payload information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a list of (3) URLs. The HTTP protocol is used.


The network communication with remote computer/server is encrypted.


The 3DES encryption algorithm is used.


It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • send gathered information
  • upload files to a remote computer
  • execute shell commands
  • capture screenshots
  • various Registry operations
  • delete files
  • terminate running processes
Other information

The trojan terminates processes with any of the following strings in the name:

  • AVGIDSAgent.exe
  • avgui.exe

The trojan behaves differently if it detects a running process containing one of the following strings in its name:

  • ccsvchst.exe
  • NIS.exe

The trojan behaves differently if any of the following Registry keys/values is detected:

  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Norton\­SecurityStatusSDK]

The trojan checks for Internet connectivity by trying to connect to the following addresses:

  • www.microsoft.com

The trojan may execute the following files:

  • %windir%\­System32\­dwm.exe
  • %windir%\­System32\­ctfmon.exe
  • %windir%\­System32\­wscntfy.exe
  • %windir%\­System32\­wuauclt.exe

The trojan creates and runs a new thread with its own code within these running processes.

Please enable Javascript to ensure correct displaying of this content and refresh this page.