Miras Backdoor Trojan

October 3, 2014

The Dell SonicWall Threats Research team has received reports of a recent backdoor that targets the Windows platform, called Miras. This malware sends out system information to a remote server and accepts various commands. The commands could allow to search/rename/delete/execute files, enumerate processes, terminate a process, collect system information information, or execute shell commands.

Infection cycle:

Once the trojan is executed, the trojan it is copied into a DLL at: %WinDir%System32wbemraswmi.dll

It then creates a batch file on the user's desktop called "dd.bat" and writes the following code:

Upon execution of the batch file, the dll is run. It also sends a ping request to the IP This IP belongs to US Air Force group known as 754th Electronic Systems Group.

Another batch file "d.bat" is created on the user's desktop and deletes the executable.

The dll's function GetMain is called, it creates a service to deletes its previous instance.

We found that the malware tries to communicate its command and control server:

It then constructs a request and sends it to the command and control server.

This request in XOR encrypted with key "6". Once it is decrypted, it resolves to: U n Admintest D F A FE C SYSTEMU q

At the time of research, the remote server was not available to analyze the behavior of the malware.

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: Miras.A (Trojan)