Articles in this section

See more

TROJAN W32/Rodecap.BA

  • Updated

Description               

  • This trojan is a dropper at its core as it facilitates the installation of more harmful malware, but also offers command and control activity as well through the use of URLs that can be found in the malware code. This malware is usually discovered due to its outbound beaconing (Connectivity checks, IP checks, and generic command and control) it is easily spotted by signature-based detection due to the communication taking place over an unencrypted web traffic port 80 HTTP. This malware is spotted and removed by Windows Defender on Windows 10/8 versions or Microsoft Security Essentials on Windows 7 and Vista.

Vector

  • Port 80 HTTPS

Screen_Shot_2021-07-20_at_8.46.26_AM.png

  • This malware is installed via drive-by downloading done by visiting a compromised website. It can also be downloaded as part of a bundled package of 3rd party software or as a malicious attachment on a phishing email. 

Local Actions

  • Once a machine is infected with the malware it replicates itself usually in one of or all of the following folders
    • %temp%
    • %appdata%
    • %appdata%\­microsoft
    • %localappdata%
    • %windir%
    • %system%
    • %system%\­drivers

 

  • The malware file name could be one of the following (With variants/ detection evasion this could change)
    • cisvc.exe
    • clipsrv.exe
    • cmstp.exe
    • comrepl.exe
    • dllhst3g.exe
    • esentutl.exe
    • ieudinit.exe
    • logman.exe
    • mqtgsvc.exe
    • mstinit.exe
    • mstsc.exe
    • rsvp.exe
    • sessmgr.exe
    • spoolsv.exe

 

  • The malware will perform the following registry entries to allow it to run on every system start.
    • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­Policies\­Explorer\­Run]
      • variable = malwarepath /waitservice
    • [HKEY_CURRENT_USER\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­Policies\­Explorer\­Run]
      • variable = malwarepath /waitservice
    • [HKEY_CURRENT_USER\­.DEFAULT\­Software\­Microsoft\­Windows\­CurrentVersion\­Policies\­Explorer\­Run]
      • variable = malwarepath /waitservice
    • [HKEY_LOCAL_MACHINE\­Software\­Microsoft\­Windows NT\­CurrentVersion\­Windows\­load]
      • variable = malwarepath /waitservice

 

 

Known False Positive Indicators

  • N/A

 

Affected Host

  • Windows Machine

Classification

  • Malware

Sentinel Signature

  • TROJAN W32/Rodecap.BA connectivity Check

DNS Calls

  • N/A

Related articles

Comments

0 comments

Article is closed for comments.