Shamoon (Troj/Mdrop-ELD) – Targeted destructive malware explained


I work in SophosLabs, and one of my jobs is to write detections for new malware. What makes this piece of malware stand apart is that it is targeted.

On the afternoon of 15 August, SophosLabs received a file called str.exe that claimed to be a Microsoft file:

[Screenshot: file properties of str.exe]

At first glance, the file didn’t look to be legitimate, so I launched the program. It copied itself to:


The file contained some interesting strings:

\System32\cmd.exe /c "ping -n 30 >nul && sc config TrkSvr binpath= system32\trksrv.exe && ping -n 10 >nul && sc start TrkSvr"

Immediately, I became suspicious. There is the apparent misspelling of trksvr (it is also called trksrv in the file – spot the difference?), the use of, and the hackerish way that the code started itself as a service.

The more technical of you might have noticed that the code is interspersed with the command ping -n 30, which pauses between actions (about 30 seconds each time on my test machine).

I was confident it was malicious. And, because no other security lab seemed to detect the file, I picked a name, Troj/MDrop-ELD, wrote a quick detection, and went home.

The next day, we saw a flurry of queries about a “new” piece of malware called Disttrack or Shamoon. It turned out that it was the same piece of malware that I had detected the previous night. So one of my colleagues did some more detailed analysis.

Thanks to Darrel for the following information:

Troj/MDrop-ELD is a targeted attack; due to some quirks of the malware, there’s currently no chance of data exfiltration (unless you happen to be the company targeted by this attack).

Troj/MDrop-ELD attempts to contact IP address – this is probably the internal IP address of the first owned machine in the target’s network – on ports 1103 (xrl) and 1104 (adobeserver).

Troj/MDrop-ELD attempts to gather information about the target’s machines:

dir "C:\Documents and Settings\" /s /b /a:-D 2>nul | findstr -i download 2>nul >f1.inf
dir "C:\Documents and Settings\" /s /b /a:-D 2>nul | findstr -i document 2>nul >>f1.inf
dir C:\Users\ /s /b /a:-D 2>nul | findstr -i download 2>nul >>f1.inf
dir C:\Users\ /s /b /a:-D 2>nul | findstr -i document 2>nul >>f1.inf
dir C:\Users\ /s /b /a:-D 2>nul | findstr -i picture 2>nul >>f1.inf
dir C:\Users\ /s /b /a:-D 2>nul | findstr -i video 2>nul >>f1.inf
dir C:\Users\ /s /b /a:-D 2>nul | findstr -i music 2>nul >>f1.inf
dir "C:\Documents and Settings\" /s /b /a:-D 2>nul | findstr -i desktop 2>nul >f2.inf
dir C:\Users\ /s /b /a:-D 2>nul | findstr -i desktop 2>nul >>f2.inf
dir C:\Windows\System32\Drivers /s /b /a:-D 2>nul >>f2.inf
dir C:\Windows\System32\Config /s /b /a:-D 2>nul | findstr -v -i systemprofile 2>nul >>f2.inf
dir f1.inf /s /b 2>nul >>f1.inf
dir f2.inf /s /b 2>nul >>f1.inf
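As an added example (not code from the post or from SophosLabs), here is a small Python hunting script that checks process-creation command lines for the three indicators described above: the ping-based delay chaining, the sc config TrkSvr service install whose binary name does not match the service name, and the recursive dir/findstr listing of user profiles into f1.inf/f2.inf. The sample command lines and rule names are constructed for the demonstration.

```python
import re

# Constructed sample process-creation command lines (not real telemetry).
# The first two mirror the strings quoted in the post; the last is benign.
SAMPLE_CMDLINES = [
    r'cmd.exe /c "ping -n 30 >nul && sc config TrkSvr binpath= system32\trksrv.exe && ping -n 10 >nul && sc start TrkSvr"',
    r'cmd.exe /c dir C:\Users\ /s /b /a:-D 2>nul | findstr -i document 2>nul >>f1.inf',
    r'cmd.exe /c ping -n 4 8.8.8.8',
]

# Each rule is (name, compiled regex) for one indicator from the analysis.
RULES = [
    # "ping -n N >nul &&" chained between steps is used as a crude sleep
    ("ping_delay_chain", re.compile(r"ping\s+-n\s+\d+\s*>\s*nul\s*&&", re.I)),
    # service install of TrkSvr pointing at trksvr.exe / trksrv.exe
    ("sc_config_trksvr", re.compile(r"sc\s+config\s+trksvr\s+binpath=\s*\S*trks(?:vr|rv)\.exe", re.I)),
    # recursive file listing piped through findstr and written to f1.inf / f2.inf
    ("profile_recon_to_inf", re.compile(r"dir\s+.*?/s\s+/b\s+/a:-D.*?\|\s*findstr\s+-i.*?>+\s*f[12]\.inf", re.I)),
]


def match_rules(cmdline):
    """Return the names of all rules that match one command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def scan(cmdlines):
    """Return (index, [rule names]) for every line that triggers at least one rule."""
    hits = []
    for i, line in enumerate(cmdlines):
        names = match_rules(line)
        if names:
            hits.append((i, names))
    return hits


def service_name_mismatch(cmdline):
    """Return (service, binary) when 'sc config X binpath= ...\\Y.exe' uses
    different names for the service and its binary (the trksvr/trksrv quirk);
    return None when there is no sc config or the names agree."""
    m = re.search(r"sc\s+config\s+(\S+)\s+binpath=\s*(\S+)", cmdline, re.I)
    if not m:
        return None
    service, path = m.group(1), m.group(2)
    binary = path.replace("/", "\\").rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    return (service, binary) if service.lower() != binary.lower() else None


if __name__ == "__main__":
    for idx, names in scan(SAMPLE_CMDLINES):
        print(idx, names, service_name_mismatch(SAMPLE_CMDLINES[idx]))
```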

This Trojan then attempts to overwrite a number of files in the user profile areas of the disk, killing various .lnk, .bmp, .ini, .cab etc. file types with a broken JPG (JFIF) file. It also attempts to overwrite the MBR, rendering the machine unbootable. This is most likely being used to obfuscate the source of the user’s infection and prevent data recovery on the system.

While this is going to be quite frustrating and annoying for users, the good news is that this piece of malware doesn’t do anything unrecoverable. The various overwritten files are non-critical ones, so infected machines can be fixed with a fixmbr command from some boot media.

Sophos customers have been protected against this attack since Wednesday 15 August. As always, we are reminded that it is important to back up systems regularly. This particular piece of malware didn’t destroy important files permanently, but the next one might.
