A key component of much recent malware is its downloader: the executable responsible for fetching the actual payload from a server the attackers control.

Our colleague, security researcher Mila Parkour, published a link to a great post at DeepEnd Research (written by Andre M. DiMino) with some interesting results about a downloader/trojan dubbed Trojan.Plague.13604.B. This malware is a variant of the Mutopy Win32 family identified by Sophos.

I decided to give it a go, run Mutopy through our Vinsula Execution Engine and find out exactly what it does. After analyzing the results we can confirm all of the findings published by Andre M. DiMino, and we can add some detail on the behavior of this malware.

Interestingly, as with most other malware, the authors forge the file's version information, though it is still not clear to me why they bother. The imitation only survives a glance at the Properties dialog: 6.1.7600.16385 is the Windows 7 RTM file version, the genuine Remote Desktop Connection client lives in %SystemRoot%\System32\mstsc.exe, and Microsoft system binaries are signed (directly or through a catalog), which a forged version resource cannot reproduce. The full version information of the downloader's file image is:

Version: 6.1.7600.16385
Company: Microsoft Corporation
Description: Remote Desktop Connection


A quick static analysis shows that the downloader imports the Win32 debugging APIs needed to build a custom debugger, which sets this malware apart from most others. By attaching to a victim process as its debugger it can hook API functions by writing software breakpoints (INT 3) into the target functions; every hit is delivered to the malware as a debug event, at which point it can read or modify the arguments, registers and return values before resuming the thread. A side effect worth knowing during analysis: a process has at most one debugger, so once the malware is attached, an analyst's debugger can no longer attach to the victim, and IsDebuggerPresent/CheckRemoteDebuggerPresent will report the victim as being debugged. More about writing a basic debugger is available at MSDN: Writing the Debugger’s Main Loop; a full reference covering all debugging APIs is available at: Debugging Functions.

Here is a snapshot of some of the imported Debugging APIs:


The executable also carries a debug directory (referenced from the PE's IMAGE_DIRECTORY_ENTRY_DEBUG data directory and, as here, usually placed in .rdata). It was linked with debug information, and the snapshot below shows the CodeView record naming the PDB (Program Database) file. Build paths like this are a leftover of the author's environment and are useful for clustering samples; an interesting detail is that one of the subfolders is titled “mutator9.1”.



Let’s have a quick look at what this specific downloader actually does. I used our own Vinsula kernel-level monitoring framework to capture the behavior of Trojan.Plague.13604.B.

I find it easier to analyze malware by putting together a simple process cascade view: it lets me connect the dots and quickly tell whether or not we are dealing with malicious software. As implemented in Vinsula, structuring the collected information and applying behavior pattern matching to the activity log can also be automated and scaled out.

The following process tree is created as a result of launching the malicious downloader WordPress-Mutopy_20A6EBF61243B760DD65F897236B6AD3.exe. Note that C:\PROGRA~2\MICROS~1\ is the 8.3 short form of C:\ProgramData\Microsoft\ on this system (the rename event in the file log below confirms it), so path-based detections need to account for both forms:

WordPress-Mutopy_20A6EBF61243B760DD65F897236B6AD3.exe [Process Id: 3792]
Image Name: [C:\temp\Wordpress-Mutopy_20A6EBF61243B760DD65F897236B6AD3.exe]

-----+cmstp.exe [Process Id: 1416]
------Image Name: [C:\PROGRA~2\MICROS~1\cmstp.exe]

----------+smss.exe [Process Id: 3176]
-----------Image Name: [C:\ProgramData\smss.exe]

As a result, the following files are created. All five reuse the names of legitimate Windows binaries, but they are written to ProgramData and the user's AppData rather than %SystemRoot%\System32:

  • cmstp.exe
  • mstsc.exe
  • smss.exe
  • esentutl.exe
  • sessmgr.exe

How did these files get into the file system? The answer is clear: the downloader, Wordpress-Mutopy_20A6EBF61243B760DD65F897236B6AD3.exe, connected to a malicious server and retrieved every additional file it needed.

In the network log, we can see that the downloader connects to an IP address on port 80. The geographic location of the IP address is shown below:



From the file part of the activity log, we have:

WordPress-Mutopy_20A6EBF61243B760DD65F897236B6AD3.exe [Process Id: 3792]
----------+Event: File[C:\ProgramData\Microsoft\cmstp.exe]
----------+Event:Create File[C:\ProgramData\Microsoft\cmstp.exe]
----------+Event:NetworkQueryOpen File[C:\ProgramData\Microsoft\cmstp.exe]
----------+Event:Open File[C:\ProgramData\Microsoft\cmstp.exe]
----------+Event:Read File[C:\ProgramData\Microsoft\cmstp.exe]
----------+Event:Write File[C:\ProgramData\Microsoft\cmstp.exe]
----------+Event:NetworkQueryOpen File[C:\ProgramData\Microsoft\mstsc.exe]
----------+Event:Open File[C:\ProgramData\Microsoft\mstsc.exe]
----------+Event: File[C:\ProgramData\Microsoft\RCXA43E.tmp]
----------+Event:Create File[C:\ProgramData\Microsoft\RCXA43E.tmp]
----------+Event:Open File[C:\ProgramData\Microsoft\RCXA43E.tmp]
----------+Event:Read File[C:\ProgramData\Microsoft\RCXA43E.tmp]
----------+Event:Rename File[C:\ProgramData\Microsoft\RCXA43E.tmp] New File[\Device\HarddiskVolume1\PROGRA~2\MICROS~1\cmstp.exe]
----------+Event:Write File[C:\ProgramData\Microsoft\RCXA43E.tmp]
----------+Event: File[C:\ProgramData\RCXA21B.tmp]
----------+Event:Create File[C:\ProgramData\RCXA21B.tmp]
----------+Event:Open File[C:\ProgramData\RCXA21B.tmp]
----------+Event:Read File[C:\ProgramData\RCXA21B.tmp]
----------+Event:Rename File[C:\ProgramData\RCXA21B.tmp] New File[\Device\HarddiskVolume1\ProgramData\smss.exe]
----------+Event:Write File[C:\ProgramData\RCXA21B.tmp]
----------+Event: File[C:\ProgramData\RCXCA86.tmp]
----------+Event:Create File[C:\ProgramData\RCXCA86.tmp]
----------+Event:Open File[C:\ProgramData\RCXCA86.tmp]
----------+Event:Read File[C:\ProgramData\RCXCA86.tmp]
----------+Event:Rename File[C:\ProgramData\RCXCA86.tmp] New File[\Device\HarddiskVolume1\ProgramData\sessmgr.exe]
----------+Event:Write File[C:\ProgramData\RCXCA86.tmp]
----------+Event: File[C:\ProgramData\sessmgr.exe]
----------+Event:Create File[C:\ProgramData\sessmgr.exe]
----------+Event:NetworkQueryOpen File[C:\ProgramData\sessmgr.exe]
----------+Event:Open File[C:\ProgramData\sessmgr.exe]
----------+Event:Read File[C:\ProgramData\sessmgr.exe]
----------+Event:Write File[C:\ProgramData\sessmgr.exe]
----------+Event: File[C:\ProgramData\smss.exe]
----------+Event:Create File[C:\ProgramData\smss.exe]
----------+Event:NetworkQueryOpen File[C:\ProgramData\smss.exe]
----------+Event:Open File[C:\ProgramData\smss.exe]
----------+Event:Read File[C:\ProgramData\smss.exe]
----------+Event:Write File[C:\ProgramData\smss.exe]
----------+Event: File[C:\Users\VanDamme\AppData\Local\Microsoft\Windows\esentutl.exe]
----------+Event:Create File[C:\Users\VanDamme\AppData\Local\Microsoft\Windows\esentutl.exe]
----------+Event:NetworkQueryOpen File[C:\Users\VanDamme\AppData\Local\Microsoft\Windows\esentutl.exe]
----------+Event:Open File[C:\Users\VanDamme\AppData\Local\Microsoft\Windows\esentutl.exe]
----------+Event:Write File[C:\Users\VanDamme\AppData\Local\Microsoft\Windows\esentutl.exe]
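The drop pattern in this log (stage the payload as an RCX*.tmp file, then rename it to the name of a Windows binary inside a user-writable directory) is easy to turn into a detection. The following script is an added example, not Vinsula's code: it parses log lines in the shape shown above, replays writes and renames, and reports every file whose name belongs to a Windows system binary but whose location is not under the Windows directory. The sample lines are an excerpt of the log above plus one constructed benign write; mapping \Device\HarddiskVolume1 to C: is an assumption about this sandbox.

```python
"""Flag files a process drops under the name of a Windows system binary.

Added example (not Vinsula's code): it parses activity-log lines of the
"Event:<Op> File[path] New File[path]" shape and reports every file a
monitored process wrote, or staged in a temp file and then renamed into
place, whose name is that of a legitimate Windows binary but whose
location is outside the Windows directory.
"""
import ntpath
import re

# Names of Windows binaries reused by this sample; extend for other families.
SYSTEM_BINARY_NAMES = {"cmstp.exe", "mstsc.exe", "smss.exe", "esentutl.exe", "sessmgr.exe"}
# Where a file with one of those names legitimately lives (lower-case prefixes).
LEGIT_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")

PROC_RE = re.compile(r"^(?P<image>[^\s\[]+)\s+\[Process Id:\s*(?P<pid>\d+)\]")
EVENT_RE = re.compile(
    r"Event:\s*(?P<op>[A-Za-z ]*?)\s*File\[(?P<path>[^\]]+)\]"
    r"(?:\s*New File\[(?P<new>[^\]]+)\])?"
)
DEVICE_RE = re.compile(r"^\\device\\harddiskvolume\d+\\", re.IGNORECASE)


def normalize(path: str) -> str:
    """Lower-case and map \\Device\\HarddiskVolumeN\\ to C:\\ (assumption: the
    sandbox has one volume). 8.3 short names such as PROGRA~2 are kept as-is,
    which is why the basename, not the directory, drives the match below."""
    return DEVICE_RE.sub("c:\\\\", path).lower()


def is_masquerade(path: str) -> bool:
    """True when the file name belongs to a system binary but the path does not."""
    p = normalize(path)
    return ntpath.basename(p) in SYSTEM_BINARY_NAMES and not p.startswith(LEGIT_DIRS)


def find_masquerading_drops(log: str) -> dict:
    """Map "pid:name" -> {"image", "paths", "staged"} for each masquerading file
    a process wrote directly or renamed into place from a temporary file."""
    findings, pid, image = {}, None, None
    for raw in log.splitlines():
        line = raw.strip().lstrip("-+ ")
        header = PROC_RE.match(line)
        if header:
            pid, image = int(header.group("pid")), header.group("image")
            continue
        ev = EVENT_RE.search(line)
        if not ev or pid is None:
            continue
        op = ev.group("op").strip().lower()
        if op == "rename" and ev.group("new"):
            final, staged = normalize(ev.group("new")), True
        elif op in ("create", "write"):
            final, staged = normalize(ev.group("path")), False
        else:
            continue  # opens, reads and queries do not change what is on disk
        if not is_masquerade(final):
            continue
        key = f"{pid}:{ntpath.basename(final)}"
        f = findings.setdefault(key, {"image": image, "paths": set(), "staged": False})
        f["paths"].add(final)
        f["staged"] = f["staged"] or staged
    return findings


# Excerpt of the log above; the last line is a constructed benign write.
SAMPLE_LOG = r"""
WordPress-Mutopy_20A6EBF61243B760DD65F897236B6AD3.exe [Process Id: 3792]
----------+Event:Create File[C:\ProgramData\Microsoft\cmstp.exe]
----------+Event:Write File[C:\ProgramData\Microsoft\cmstp.exe]
----------+Event:NetworkQueryOpen File[C:\ProgramData\Microsoft\mstsc.exe]
----------+Event:Open File[C:\ProgramData\Microsoft\mstsc.exe]
----------+Event:Rename File[C:\ProgramData\Microsoft\RCXA43E.tmp] New File[\Device\HarddiskVolume1\PROGRA~2\MICROS~1\cmstp.exe]
----------+Event:Rename File[C:\ProgramData\RCXA21B.tmp] New File[\Device\HarddiskVolume1\ProgramData\smss.exe]
----------+Event:Rename File[C:\ProgramData\RCXCA86.tmp] New File[\Device\HarddiskVolume1\ProgramData\sessmgr.exe]
----------+Event:Write File[C:\ProgramData\smss.exe]
----------+Event:Write File[C:\Users\VanDamme\AppData\Local\Microsoft\Windows\esentutl.exe]
----------+Event:Write File[C:\Users\VanDamme\AppData\Local\Temp\report.txt]
"""

if __name__ == "__main__":
    for key, f in sorted(find_masquerading_drops(SAMPLE_LOG).items()):
        how = "staged via temp file" if f["staged"] else "written directly"
        print(f"{key}: {how} by {f['image']} -> {sorted(f['paths'])}")
```

Two things the output makes visible that the raw log does not: cmstp.exe shows up under both its long and its 8.3 path, and mstsc.exe, although it is registered for autostart later on, is only opened here, never written by this process in this excerpt, so whoever builds a timeline has to look elsewhere for the write.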

Now, let’s review the registry modifications as a result of launching this malware.

The downloader’s main goal is to deliver the malicious payload on demand, drop it into the file system and update the registry so that the malware persists and runs again after the machine is rebooted.

The downloader (WordPress-Mutopy_20A6EBF61243B760DD65F897236B6AD3.exe) registers two of its satellites as startup applications. The activity log records three writes, but the Sessmgr value is written twice, first with sessmgr.exe and then with smss.exe, so the second write replaces the first. Some more details from the activity log:

\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Node:Value Name: Value:Mstsc New Value:C:\ProgramData\Microsoft\mstsc.exe

\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run Node:Value Name: Value:Sessmgr New Value:C:\ProgramData\sessmgr.exe

\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run Node:Value Name: Value:Sessmgr New Value:C:\ProgramData\smss.exe

Below is a snapshot of the mstsc.exe registration. Notice that this is registered under the HKLM hive, so it starts for every user who logs on:


And a snapshot of the smss.exe registration. This one is registered under a user hive (the kernel-level log above records the key as \REGISTRY\USER\.DEFAULT\...):
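Because the kernel log records every write, the persistence entries can be replayed to recover the final state of the Run keys and to flag the ones worth looking at. The script below is an added example, not Vinsula's code: it parses lines in the shape shown above, keeps the last data written to each value (so the overwritten Sessmgr entry is handled correctly), maps the kernel key path to the hive an analyst would open, and reports entries whose target lives in a user-writable location. The sample contains the three log lines from this page plus one constructed benign entry under Program Files.

```python
r"""Replay Run-key writes from the activity log and flag suspicious autostarts.

Added example (not Vinsula's code). Input lines follow the
"\REGISTRY\... Node:Value Name: Value:<name> New Value:<data>" shape. Writes
are replayed in order, so a value written twice ends up with its last data,
and every surviving entry whose target is outside the trusted program
directories is reported together with the hive it was written to.
"""
import re

RUN_RE = re.compile(
    r"^(?P<key>\\REGISTRY\\\S+?\\CurrentVersion\\(?:Run|RunOnce))\s+"
    r"Node:Value Name:\s*Value:(?P<name>.*?)\s+New Value:(?P<data>.*?)\s*$",
    re.IGNORECASE,
)
# Directories a legitimate autostart normally points into (lower-case prefixes).
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
# User-writable locations where this family stages its satellites.
WRITABLE_MARKERS = ("\\programdata\\", "\\appdata\\", "\\temp\\", "\\users\\public\\")


def hive_of(key: str) -> str:
    """Translate the kernel-level key path to the hive an analyst would look in."""
    k = key.upper()
    if k.startswith("\\REGISTRY\\MACHINE\\"):
        return "HKLM"  # runs for every user at logon
    if k.startswith("\\REGISTRY\\USER\\.DEFAULT\\"):
        return "HKU\\.DEFAULT"  # default user hive; what the SYSTEM account sees as HKCU
    if k.startswith("\\REGISTRY\\USER\\"):
        return "HKU\\" + key.split("\\")[3]  # a specific user's hive, by SID
    return "UNKNOWN"


def exe_path(data: str) -> str:
    """Extract the executable from the value data: a quoted path, or the first
    token (simplification: unquoted paths with spaces are truncated)."""
    m = re.match(r'^"([^"]+)"|^(\S+)', data.strip())
    return (m.group(1) or m.group(2)).lower() if m else data.lower()


def replay_run_writes(log: str) -> dict:
    """Return {(hive, value name): {"data": last data, "history": [every data]}}."""
    state = {}
    for line in log.splitlines():
        m = RUN_RE.match(line.strip())
        if not m:
            continue
        slot = (hive_of(m.group("key")), m.group("name").strip())
        entry = state.setdefault(slot, {"data": None, "history": []})
        entry["data"] = m.group("data")
        entry["history"].append(m.group("data"))
    return state


def suspicious_autostarts(log: str) -> list:
    """(hive, name, exe, reason) for surviving entries outside the trusted dirs."""
    out = []
    for (hive, name), entry in replay_run_writes(log).items():
        exe = exe_path(entry["data"])
        if exe.startswith(TRUSTED_PREFIXES):
            continue
        reason = "user-writable location" if any(w in exe for w in WRITABLE_MARKERS) else "untrusted location"
        if len(entry["history"]) > 1:
            reason += f", value rewritten {len(entry['history'])} times"
        out.append((hive, name, exe, reason))
    return sorted(out)


# The three writes from the log above, plus one constructed benign entry.
SAMPLE_LOG = r"""
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Node:Value Name: Value:Mstsc New Value:C:\ProgramData\Microsoft\mstsc.exe
\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run Node:Value Name: Value:Sessmgr New Value:C:\ProgramData\sessmgr.exe
\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run Node:Value Name: Value:Sessmgr New Value:C:\ProgramData\smss.exe
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Node:Value Name: Value:Updater New Value:"C:\Program Files\Vendor\updater.exe" /silent
"""

if __name__ == "__main__":
    for hive, name, exe, reason in suspicious_autostarts(SAMPLE_LOG):
        print(f"{hive}\\...\\Run\\{name} -> {exe}  [{reason}]")
```

The hive mapping is the part most often got wrong when turning a kernel trace into a hunt: \REGISTRY\MACHINE is HKLM, while \REGISTRY\USER\.DEFAULT is the default user hive (HKU\.DEFAULT), so a detection that only queries the interactive user's HKCU\...\Run would miss the second entry.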


Another interesting fact is that the malicious processes modify each other's memory and create remote threads to pass control and parameters between themselves: the downloader injects into cmstp.exe, which in turn injects into smss.exe, and in each case the target is a process the injector itself launched (compare the process tree above). Here is a short snippet from the section of the report that captures remote process modifications via remote threads:

=== Remote Threads Events ===

WordPress-Mutopy_20A6EBF61243B760DD65F897236B6AD3.exe [Process Id: 3792]
Target:cmstp.exe Target Process Id:[1416] Image:[\Device\HarddiskVolume1\PROGRA~2\MICROS~1\cmstp.exe]
cmstp.exe [Process Id: 1416]
Target:smss.exe Target Process Id:[3176] Image:[\Device\HarddiskVolume1\ProgramData\smss.exe]
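Put together with the process cascade, these two events describe a chain rather than two isolated injections. The script below is an added example, not Vinsula's code: it parses the cascade view and the remote-thread section in the shapes shown on this page, follows injector-to-target edges from every process nobody injected into, and records for each event whether the target was a child the injector had spawned itself, which is the launch-then-inject pattern this sample uses. The sample text is taken from this page; the test also uses a constructed extra event to show the negative case.

```python
"""Reconstruct the injection chain from the process cascade and the
remote-thread section of the activity log.

Added example (not Vinsula's code): it parses the indented process tree and
the "=== Remote Threads Events ===" lines, builds parent/child and
injector -> target relations, and reports each injection chain together
with whether every target was a process the injector had itself spawned.
"""
import re

# "<name> [Process Id: N]", optionally prefixed by dashes and a '+' in the tree.
HEADER_RE = re.compile(r"^(?P<dashes>-*)\+?(?P<name>[^\s\[]+)\s+\[Process Id:\s*(?P<pid>\d+)\]")
THREAD_RE = re.compile(
    r"^Target:(?P<name>\S+)\s+Target Process Id:\[(?P<pid>\d+)\]\s+Image:\[(?P<image>[^\]]+)\]"
)


def parse_process_tree(text: str) -> dict:
    """Return {pid: {"name", "parent"}}; the number of leading dashes is the depth."""
    procs, stack = {}, []  # stack holds (depth, pid) of the current ancestry
    for line in text.splitlines():
        m = HEADER_RE.match(line.strip())
        if not m:
            continue  # "Image Name:" lines and blanks carry no tree structure
        depth, pid = len(m.group("dashes")), int(m.group("pid"))
        while stack and stack[-1][0] >= depth:
            stack.pop()
        procs[pid] = {"name": m.group("name"), "parent": stack[-1][1] if stack else None}
        stack.append((depth, pid))
    return procs


def parse_remote_threads(text: str) -> list:
    """Return (injector pid, target pid, target name, target image) per event."""
    edges, injector = [], None
    for line in text.splitlines():
        line = line.strip()
        h = HEADER_RE.match(line)
        if h:
            injector = int(h.group("pid"))
            continue
        t = THREAD_RE.match(line)
        if t and injector is not None:
            edges.append((injector, int(t.group("pid")), t.group("name"), t.group("image")))
    return edges


def injection_report(tree_text: str, threads_text: str) -> dict:
    """"chains": lists of (pid, name) starting at processes nobody injected into;
    "edges": one (injector, target, target name, target_is_own_child) per event."""
    procs = parse_process_tree(tree_text)
    edges = parse_remote_threads(threads_text)
    by_source, targets = {}, {dst for _, dst, _, _ in edges}
    for src, dst, name, _ in edges:
        by_source.setdefault(src, []).append((dst, name))
    chains = []

    def walk(pid, name, chain):
        chain = chain + [(pid, name)]
        seen = {p for p, _ in chain}
        nxt = [(d, n) for d, n in by_source.get(pid, []) if d not in seen]  # cycle guard
        if not nxt:
            chains.append(chain)
        for dst, dname in nxt:
            walk(dst, dname, chain)

    for src in by_source:
        if src not in targets:
            walk(src, procs.get(src, {}).get("name", "?"), [])
    annotated = [(src, dst, name, procs.get(dst, {}).get("parent") == src) for src, dst, name, _ in edges]
    return {"chains": chains, "edges": annotated}


# Both samples are the text shown on this page.
TREE_LOG = r"""
WordPress-Mutopy_20A6EBF61243B760DD65F897236B6AD3.exe [Process Id: 3792]
Image Name: [C:\temp\Wordpress-Mutopy_20A6EBF61243B760DD65F897236B6AD3.exe]
-----+cmstp.exe [Process Id: 1416]
------Image Name: [C:\PROGRA~2\MICROS~1\cmstp.exe]
----------+smss.exe [Process Id: 3176]
-----------Image Name: [C:\ProgramData\smss.exe]
"""
THREAD_LOG = r"""
=== Remote Threads Events ===
WordPress-Mutopy_20A6EBF61243B760DD65F897236B6AD3.exe [Process Id: 3792]
Target:cmstp.exe Target Process Id:[1416] Image:[\Device\HarddiskVolume1\PROGRA~2\MICROS~1\cmstp.exe]
cmstp.exe [Process Id: 1416]
Target:smss.exe Target Process Id:[3176] Image:[\Device\HarddiskVolume1\ProgramData\smss.exe]
"""

if __name__ == "__main__":
    rep = injection_report(TREE_LOG, THREAD_LOG)
    for chain in rep["chains"]:
        print(" -> ".join(f"{name}[{pid}]" for pid, name in chain))
    for src, dst, name, own in rep["edges"]:
        print(f"{src} injected into {name}[{dst}] (own child: {own})")
```

Remote threads on their own are a noisy signal (debuggers, security products and some installers create them legitimately); "every target is a process the injector started a moment earlier, and every image involved lives in ProgramData" is a much tighter pattern, and this is the combination the two sections of the report give you.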

The downloader uses the WinInet API to fetch any additional payloads, which matches the port 80 connection seen in the network log.

We will keep investigating the internals of this malware, and will publish additional updates as they are discovered.