Trojan Upclicker: Using a Mouse To Evade Automated Analysis

Dec 14, 2012 | comments

We came across another sample, called Trojan Upclicker, that went one step further: using a mouse to evade automated analysis.

Trojan Upclicker

 Per the code in Figure , the function SetWinodwsHookExA is called with 0Eh as a parameter. Per MSDN the parameter 0Eh is used to hook a mouse. Pointer fn is the pointer to the hooked procedure in the code.

The Trojan analyzed by FireEye, Upclicker, is interesting because the malicious code is executed only after the user clicks the left mouse button and releases it.
Upclicker establishes malicious communication only when this particular action is performed.

Trojan Upclicker establishes malicious communication only when the left mouse button is clicked and released. Since, in sandboxes, there is no mouse interaction, the malicious behavior of Upclicker remains dormant in a sandbox environment.
When the code runs, it waits 300,000 milliseconds, or five minutes, before executing the DecryptCode subroutine. It then waits 20 minutes and executes the ModifyRegistry subroutine. After executing the Network_main subroutine, it waits another 20 minutes.

Automated threat analysis systems only spend a small amount of time on one file so they may not detect the code as malware.
Share this article :

Post a Comment

I'm certainly not an expert, but I'll try my hardest to explain what I do know and research what I don't know. Be sure to check back again , after moderation i do make every effort to reply to your comments .

Copyright © 2011. INDIATRIKS - All Rights Reserved
Template Edited By Indiatriks
Proudly Powered By Blogger