Adobe Flash player installer packaged with Siromost Trojan (Feb 28, 2014)

The Dell SonicWall Threats Research Team has spotted a sample that bundles the malware with a legitimate installer for Adobe Flash player (Version 10.0.12.36). When the package is executed, both the legitimate installer and the malware run.

The malware dropped by the Flash player package is saved here:

    %AppData%\Adobe\plugin.exe [Detected as GAV: Siromost.A (Trojan)]

This malicious file is signed using an expired certificate.

Once it is executed, the malware creates the following mutex:

    \Sessions\1\BaseNamedObjects\Internet Explorer Verifier

It injects code into the system processes:

    C:\Windows\System32\dwm.exe
    C:\Windows\system32\svchost.exe
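As an added example that is not part of the SonicWall write-up, the host-side indicators above (drop path, injection into dwm.exe/svchost.exe from a binary under the user profile, and the mutex name) expressed as a small Python triage routine run over constructed Sysmon-style events. The expanded form of %AppData% (AppData\Roaming) and the event field names are assumptions.

```python
"""Triage constructed host events for the Siromost indicators described above."""
import re
from dataclasses import dataclass
from typing import Optional

# Indicators from the analysis; %AppData% is assumed to expand to ...\AppData\Roaming.
DROP_PATH_RE = re.compile(r"\\AppData\\Roaming\\Adobe\\plugin\.exe$", re.I)
MUTEX_NAME = "Internet Explorer Verifier"
INJECTION_TARGETS = {"dwm.exe", "svchost.exe"}

@dataclass
class Hit:
    rule: str
    detail: str

def check_process_create(image: str) -> Optional[Hit]:
    """Flag a process image matching the dropped file path."""
    return Hit("siromost_drop_path", image) if DROP_PATH_RE.search(image) else None

def check_remote_thread(source: str, target: str) -> Optional[Hit]:
    """Flag injection into dwm.exe/svchost.exe from a binary under a user's AppData."""
    target_name = target.rsplit("\\", 1)[-1].lower()
    if target_name in INJECTION_TARGETS and "\\appdata\\" in source.lower():
        return Hit("siromost_injection", f"{source} -> {target}")
    return None

def check_mutex(name: str) -> Optional[Hit]:
    """Flag the mutex name created by the malware (any session number)."""
    return Hit("siromost_mutex", name) if name.rstrip().endswith(MUTEX_NAME) else None

def triage(events: list) -> list:
    """Run each constructed event through the matching check; return all hits."""
    hits = []
    for ev in events:
        hit = None
        if ev["kind"] == "process_create":
            hit = check_process_create(ev["image"])
        elif ev["kind"] == "remote_thread":
            hit = check_remote_thread(ev["source"], ev["target"])
        elif ev["kind"] == "mutant":
            hit = check_mutex(ev["name"])
        if hit:
            hits.append(hit)
    return hits

# Constructed sample events (not real telemetry); field names are assumed.
SAMPLE_EVENTS = [
    {"kind": "process_create", "image": r"C:\Users\alice\AppData\Roaming\Adobe\plugin.exe"},
    {"kind": "process_create", "image": r"C:\Program Files\Adobe\flashplayer_install.exe"},
    {"kind": "remote_thread", "source": r"C:\Users\alice\AppData\Roaming\Adobe\plugin.exe", "target": r"C:\Windows\System32\dwm.exe"},
    {"kind": "remote_thread", "source": r"C:\Windows\System32\csrss.exe", "target": r"C:\Windows\System32\svchost.exe"},
    {"kind": "mutant", "name": r"\Sessions\1\BaseNamedObjects\Internet Explorer Verifier"},
]
```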

The malware sends out an initial HTTP GET request over TCP port 80.

This appears to be an authentication request; it carries no system information.

The second request carries the collected system information.

Once the relevant system information has been sent, a similar request is sent with an additional parameter, "list". In response, the C&C server returns a JPEG file.

Here is the downloaded jpeg image:

After a series of requests are exchanged, the malware sends out the encrypted stolen system information to the C&C server.

Overall, the main purpose of this malware is to steal system information. It also downloads additional files to be executed on the system. We will continue to monitor this threat and provide updates on its capabilities.

Dell SonicWALL protects against this threat with the following signatures:

  • GAV: Siromost.A (Trojan)
  • GAV: Siromost.A_2 (Trojan)
