Miras Backdoor Trojan (September 12, 2014)


The Dell SonicWall Threats Research team has received reports of a recent backdoor that targets the Windows platform, called Miras. This malware sends system information to a remote server and accepts various commands. The commands allow the operator to search, rename, delete and execute files, enumerate processes, terminate a process, collect system information, or execute shell commands.

Infection cycle:

Once the trojan is executed, it copies itself into a DLL at: %WinDir%\System32\wbem\raswmi.dll

It then creates a batch file on the user’s desktop called “dd.bat” and writes the following code:

Upon execution of the batch file, the DLL is run. The batch file also sends a ping request to an IP address that belongs to a US Air Force group known as the 754th Electronic Systems Group.

Another batch file, “d.bat”, is created on the user’s desktop; it deletes the original executable.

The DLL’s GetMain function is then called; it creates a service that deletes the malware’s previous instance.

We found that the malware tries to communicate with its command and control server:

It then constructs a request and sends it to the command and control server.

This request is XOR-encrypted with the key “6”. Once decrypted, it resolves to: U n Admintest D F A FE C SYSTEMU q
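The single-byte XOR used on the beacon is easy to reverse from a packet capture, and the decrypted sample above gives an analyst a crib (the string “SYSTEM”) that can recover the key even when it is not known. The following is an added example, not SonicWall’s code and not code from the malware; it assumes the key “6” is applied as the ASCII byte 0x36 to every byte of the request, and the beacon bytes it decodes are constructed here from a hypothetical plaintext rather than recovered from real traffic.

```python
"""Decode a single-byte-XOR beacon and recover the key from a known plaintext fragment.

Added example; not the advisory's or the malware's own code.
Assumptions: the key "6" is the ASCII byte 0x36 applied to every byte;
the sample beacon below is CONSTRUCTED for demonstration.
"""
from typing import Optional

KEY_BYTE = ord("6")  # assumption: key "6" means the ASCII character 0x36


def xor_single_byte(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte; encryption and decryption are the same operation."""
    return bytes(b ^ key for b in data)


def recover_key(ciphertext: bytes, crib: bytes) -> Optional[int]:
    """Crib-drag: for each offset, derive the key from the first crib byte and verify the rest.

    Returns the key byte if some offset decrypts to the crib, else None. For a
    single-byte key the check is exact, so no statistical scoring is needed.
    """
    for offset in range(len(ciphertext) - len(crib) + 1):
        key = ciphertext[offset] ^ crib[0]
        window = ciphertext[offset:offset + len(crib)]
        if xor_single_byte(window, key) == crib:
            return key
    return None


def decode_beacon(ciphertext: bytes, crib: bytes = b"SYSTEM") -> Optional[tuple]:
    """Recover the key with the crib and return (key, decoded_text), or None if no key fits."""
    key = recover_key(ciphertext, crib)
    if key is None:
        return None
    return key, xor_single_byte(ciphertext, key).decode("ascii", errors="replace")


# Constructed sample: hypothetical beacon fields in the spirit of the decrypted request
# (account name and the "SYSTEM" token appear in the advisory; the rest is made up).
SAMPLE_PLAINTEXT = b"Admintest|WORKSTATION-01|SYSTEM|"
SAMPLE_BEACON = xor_single_byte(SAMPLE_PLAINTEXT, KEY_BYTE)  # what would be seen on the wire

if __name__ == "__main__":
    result = decode_beacon(SAMPLE_BEACON)
    if result is None:
        print("crib not found; key not recovered")
    else:
        key, text = result
        print(f"recovered key: {key:#04x} ({chr(key)!r})")
        print(f"decoded beacon: {text}")
```

The crib-based recovery is exact for a single-byte key, so it avoids the false ties that printable-character scoring produces (a key off by one bit still yields mostly printable text). Run against a real capture, `recover_key` would be given the raw request body and the fixed string the analyst already knows must be present.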

At the time of research, the remote server was not available to analyze the behavior of the malware.

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: Miras.A (Trojan)