TrojanDropper:Win32/Sakelua!dha

Installation

This malware's runs a file, for example, %TEMP%\Center<6 random-numbers>.dat, (detected as Trojan:Win32/Sakelua.A!dha), which then drops the following files onto your PC:

• msi.dll
• s.exe
• setup.msi

The s.exe file drops an executable file that is commonly clean and has a name that makes it look like a legitimate program, for example:

• JuniperSafeACX.exe
• MediaCenter.exe
• MediaSoft.exe

These files might try to look like legitimate applications when they run. See the following sample screenshots: 

This clean executable file, or the original s.exe file, loads the malicious DLL, msi.dll, which we detect as Trojan:Win32/Sakelua.B!dha.

The DLL file loads the final payload, which we detect as Backdoor:Win32/Plugx.N!dha.

The clean executable file also changes the registry entries so that the threat runs each time you start your PC.

The registry changes depend on the name of the executable, for example: 

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: MediaCenter
With data: %TEMP%\MicroMedia\MediaCenter.exe

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: MicroSoftMedia
With data: %TEMP%\MicroSoftMedia\MediaSoft.exe

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: JuniperSafeACX
With data: %TEMP%\JuniperACX\JuniperSafeACX.exe

At the end of the installation, the original dropper, TrojanDropper:Win32/Sakelua!dha, deletes itself. 

This threat can also create files on your PC, including:

• %TEMP%\Center166093.dat
• %TEMP%\msi.dll
• %TEMP%\s.exe
• %TEMP%\setup.msi
• %TEMP%\MicroMedia
• %TEMP%\MicroMedia\MediaCenter.exe
• %TEMP%\MicroMedia\msi.dll
• %TEMP%\MicroMedia\setup.msi
• %TEMP%\JuniperACX\JuniperSafeACX.exe
• %TEMP%\JuniperACX\setup.msi
• %TEMP%\JuniperACX\msi.dll
• %TEMP%\MicroSoftMedia
• %TEMP%\MicroSoftMedia\MediaSoft.exe
• %TEMP%\MicroSoftMedia\msi.dll
• %TEMP%\MicroSoftMedia\setup.msi

Payload

Installs malware or unwanted software

This trojan can install other malware or unwanted software onto your PC.

We have seen it drop the following malware:

• Backdoor:Win32/Plugx.N!dha
• Trojan:Win32/Sakelua.A!dha
• Trojan:Win32/Sakelua.B!dha

Connects to a remote host

It might inject a process to SVCHOST.EXE and connect to a remote server. We have seen it connect to the following, among others:

• 180.210.206.246
• 23.27.112.143
• extcitrix.we11point.com
• sharepoint-vaeit.com
• web.vipreclod.com
• www.we11point.com