TrojanDropper:Win32/Ambler.A is a detection for a trojan that drops and installs other malware.
Installation
Upon execution, TrojanDropper:Win32/Ambler.A drops and installs another malware component on the system, detected as TrojanSpy:Win32/Ambler.C.
It creates the following encrypted file:
It also creates a randomly-named file in the Windows system folder, which is also encrypted. It then attempts to delete its currently-running copy to avoid detection.
Payload
Drops and installs other malware
TrojanDropper:Win32/Ambler.A attempts to install variants of TrojanSpy:Win32/Ambler, for example, TrojanSpy:Win32/Ambler.C.
Upon execution, TrojanDropper:Win32/Ambler.A drops an encrypted, randomly-named file in the Windows system folder, for example:
This DLL file is detected as TrojanSpy:Win32/Ambler.C.
TrojanDropper:Win32/Ambler.A also registers the dropped DLL file as a Browser Helper Object (BHO) by creating an entry in the following registry key:
- HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
It also creates the following registry keys:
- HKLM\Software\MRSoft
- HKLM\SOFTWARE\Classes\CLSID\<CLSID>, for example:
- HKLM\SOFTWARE\Classes\CLSID\{E8FD36B2-A25B-47e3-9477-82557F5F5995}
It may also register its dropped malware by running the following command:
rundll32.exe "<malware name>.dll",InitDll
Modifies system settings
To ensure that its dropped malware automatically runs when Internet Explorer is launched, TrojanDropper:Win32/Ambler.A creates or modifies the following registry entry:
Adds value: "Enable Browser Extensions"
With data: "yes"
To subkey: HKCU\Software\Microsoft\Internet Explorer\Main
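As an added illustration that is not part of this write-up, the following PowerShell audits a host for the persistence artefacts listed above (the BHO registration, the HKLM\Software\MRSoft key and the forced "Enable Browser Extensions" setting). Resolving each BHO's DLL through its CLSID's InprocServer32 subkey, and also checking the Wow6432Node view of the BHO key, are assumptions drawn from how BHO registration works in general rather than from this entry.

```powershell
# Added example, not from the original write-up. Run in an elevated PowerShell session.
function Find-AmblerIndicators {
    $findings = @()
    $knownClsid = '{E8FD36B2-A25B-47e3-9477-82557F5F5995}'   # CLSID quoted in the write-up
    # 32-bit BHOs on 64-bit Windows register under Wow6432Node (assumption from general BHO behaviour)
    $bhoKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    )
    foreach ($bhoKey in $bhoKeys) {
        if (-not (Test-Path $bhoKey)) { continue }
        foreach ($entry in Get-ChildItem $bhoKey) {
            $clsid = $entry.PSChildName
            if ($clsid -ieq $knownClsid) {
                $findings += "Known Ambler CLSID registered as BHO: $clsid"
            }
            # The BHO's DLL path is the default value of CLSID\<clsid>\InprocServer32
            $server = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
            $dll = (Get-ItemProperty -Path $server -ErrorAction SilentlyContinue).'(default)'
            if (-not $dll) { continue }
            $dll = [Environment]::ExpandEnvironmentVariables($dll)
            # Ambler drops a randomly named, encrypted DLL into the Windows system folder;
            # an unsigned BHO living there is the behaviour worth flagging, whatever its name
            if ($dll -like "$env:SystemRoot\system32\*") {
                $sig = Get-AuthenticodeSignature -FilePath $dll -ErrorAction SilentlyContinue
                if (-not $sig -or $sig.Status -ne 'Valid') {
                    $findings += "Unsigned BHO loaded from system folder: $clsid -> $dll"
                }
            }
        }
    }
    # Marker key the dropper creates
    if (Test-Path 'HKLM:\SOFTWARE\MRSoft') { $findings += 'Registry key HKLM\Software\MRSoft is present' }
    # IE setting the dropper forces on so that its BHO is loaded
    $main = Get-ItemProperty 'HKCU:\Software\Microsoft\Internet Explorer\Main' -ErrorAction SilentlyContinue
    if ($main -and $main.'Enable Browser Extensions' -eq 'yes') {
        $findings += 'HKCU\...\Internet Explorer\Main\Enable Browser Extensions is set to "yes"'
    }
    return $findings
}

$result = Find-AmblerIndicators
if ($result) { $result | ForEach-Object { Write-Warning $_ } } else { Write-Output 'No Ambler indicators found' }
```

A hit on the MRSoft key or the known CLSID is a strong indicator; the "Enable Browser Extensions" value alone is also the normal default on many systems, so treat it only as corroboration.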
Deletes files
TrojanDropper:Win32/Ambler.A attempts to delete the following files from the Windows system folder:
- di1.gif
- dr1.gif
- cookie1.dat
- boa1.dat
- cs.dat
- ps1.dat
- rc.dat
- tb.dr
Analysis by Patrik Vicol