General Explanation
Type: Trojan
Degree of destruction: high
Prevalence: medium
Malware names:
- Trojan.Win64.PurpleFox.VMProtect (Padvish)
- Trojan.Win32.PurpleFox.VMProtect (Padvish)
- Trojan.Win32.PurpleFox.sysupdate (Padvish)
- Rootkit.Win32.Vemptik.t (Padvish)
- Trojan.Win32.Vemptik.nd (Padvish)
- TR/Dldr.Delf.lzrar (Avira)
- Trojan:Win32/Occamy.C88 (Microsoft)
What is Trojan?
Trojans are malware types that introduced themselves as healthy and legal software and act similar to helpful and applicable software but cause many destructions to the system when executing. The downloaded software from the internet, placing HTML text, attaching to an email, etc. are ways that trojans are using to enter the system. Contrary to viruses and computer worms, Trojans are not reproducible.
What is PurpleFox malware?
This malware is a rootkit-like trojan, and it leads to executing malware code in the format of svchost.exe processes on the victim’s system in the next reboot. In connection with the malware server, this process will download the main module and executes them on the victim’s system which contains malware distribution modules in the internal and external network and also cryptocurrency extraction module.
Technical Explanation
Signs of infection
- An IPsec Policy named qianye that blocks the following connections:
- srcaddr=any dstaddr=Me dstport=445 protocol=TCP
- srcaddr=any dstaddr=Me dstport=135 protocol=TCP
- srcaddr=any dstaddr=Me dstport=139 protocol=TCP
- srcaddr=any dstaddr=Me dstport=445 protocol=UDP
- srcaddr=any dstaddr=Me dstport=135 protocol=UDP
- srcaddr=any dstaddr=Me dstport=139 protocol=UDP
- srcaddr=Me dstaddr=any dstport=21 protocol=TCP
- srcaddr=Me dstaddr=any dstport=2222 protocol=TCP
- srcaddr=Me dstaddr=any dstport=3333 protocol=TCP
- srcaddr=Me dstaddr=any dstport=4444 protocol=TCP
- srcaddr=Me dstaddr=any dstport=6666 protocol=TCP
- srcaddr=Me dstaddr=any dstport=7777 protocol=TCP
- srcaddr=Me dstaddr=any dstport=8443 protocol=TCP
- srcaddr=Me dstaddr=any dstport=8888 protocol=TCP
- srcaddr=Me dstaddr=any dstport=9000 protocol=TCP
- srcaddr=Me dstaddr=any dstport=9999 protocol=TCP
- srcaddr=Me dstaddr=any dstport=14443 protocol=TCP
- srcaddr=Me dstaddr=any dstport=14444 protocol=TCP
- A FsFilter named dump_X (X represents a string and being used in the name of other malware files)
- Following files in the victim’s system (“*” represents a string and being used in the name of other malware files)
-
- in the time of executing main file
C:\Windows\sysupdate.log
C:\Windows\winupdate64.log (or C:\Windows\winupdate32.log)
- after the first restart
C:\Windows\System32\drivers\dump_*.sys\
C:\Windows\System32\MsXApp.dll
- after the second restart
- AcLayers.sdb files and AcX.sdb in the
C:\windows\AppPatch
directory - Ke*.xs; in the
C:\windows\AppPatch
directory - Files with extensions such as “mos”, “mow” or “moe” in the
C:\Windows\AppPatch\Custome
directory
- AcLayers.sdb files and AcX.sdb in the
- in the time of executing main file
Explaining the action
Installing the malware
The malware’s main file will create two harmful files on the victim’s system after installation:
C:\Windows\sysupdate.log
C:\Windows\winupdate64.log (or C:\Windows\winupdate32.log)
This malware in the next boot will download and execute winupdate64.log (or winupdate32.log in 32 bit Windows version) instead of sens.dll (system file) by setting the PendingFileRenameOperation key.
Key: KLM\System\CurrentControlSet\Control\SESSION MANAGER
Name: PendingFileRenameOperations
Value:
\??\C:\Windows\AppPatch\Acpsens.dll,,
\??\C:\Windows\system32\sens.dll,??\C:\Windows\AppPatch\Acpsens.dll,
\??\C:\Windows\system32\sens.dll,,
??\C:\Windows\winupdate64.log,\??\C:\Windows\system32\sens.dll,
\??\C:\Windows\AppPatch\Ke583427.xsl,,
\??\C:\Windows\sysupdate.log,\??\C:\Windows\AppPatch\Ke583427.xsl
Then it blocks the connection in the victim’s system to prevent scanning these ports by other software and malware.
- srcaddr=any dstaddr=Me dstport=445 protocol=TCP
- srcaddr=any dstaddr=Me dstport=135 protocol=TCP
- srcaddr=any dstaddr=Me dstport=139 protocol=TCP
- srcaddr=any dstaddr=Me dstport=445 protocol=UDP
- srcaddr=any dstaddr=Me dstport=135 protocol=UDP
- srcaddr=any dstaddr=Me dstport=139 protocol=UDP
- srcaddr=Me dstaddr=any dstport=21 protocol=TCP
- srcaddr=Me dstaddr=any dstport=2222 protocol=TCP
- srcaddr=Me dstaddr=any dstport=3333 protocol=TCP
- srcaddr=Me dstaddr=any dstport=4444 protocol=TCP
- srcaddr=Me dstaddr=any dstport=6666 protocol=TCP
- srcaddr=Me dstaddr=any dstport=7777 protocol=TCP
- srcaddr=Me dstaddr=any dstport=8443 protocol=TCP
- srcaddr=Me dstaddr=any dstport=8888 protocol=TCP
- srcaddr=Me dstaddr=any dstport=9000 protocol=TCP
- srcaddr=Me dstaddr=any dstport=9999 protocol=TCP
- srcaddr=Me dstaddr=any dstport=14443 protocol=TCP
- srcaddr=Me dstaddr=any dstport=14444 protocol=TCP
Setting up the service and driver of the malware
winupdate32.log corresponding process, creates and download the malware driver (normally, its name pattern is like “dump_X” which the “X” is a variable string).
This malware to protect a set of files and directories of the malware will register a FileSystem Filter (FsFilter) on the victim’s system and hides its files and directory. Also, it protects registry keys and prevents user to perform instructions by registering a RegistryCallback.
Executing the winupdate64.log file results in creating a library file with an algorithm named MsXApp.dll (X is the serial number of the Operating system’s drive) in the “C:\Windows\System32
” path. Corresponding malware with this file will register a service in the victim’s system and adds it to the sub-set service list “netsvcs” which executes in the format of svchost.exe. The name of this service is among the following names: “MsXApp”، “MsXAppA”، “MsXAppB”، “MsXAppC” or “MsXAppBak”.
Downloading malware module
MsXApp service creates two processes in each boot and injects an individual “dll” file into each one of them. One of these processes downloads malware modules, and the other decodes these downloaded modules and executes them.
How to deal with it and disinfect the system
Padvish Antivirus will detect this malware and disinfect the system. It is recommended users update their OS and especially install the security patch by Microsoft Co.