{"id":2643,"date":"2024-09-25T19:14:21","date_gmt":"2024-09-25T19:14:21","guid":{"rendered":"https:\/\/xdr-mdr.lmntrix.com\/main_web\/?p=2643"},"modified":"2025-07-29T05:56:47","modified_gmt":"2025-07-29T05:56:47","slug":"valyrian-trojan-a-cut-above-the-rest","status":"publish","type":"post","link":"https:\/\/lmntrix.com\/blog\/valyrian-trojan-a-cut-above-the-rest\/","title":{"rendered":"Valyrian Trojan \u2013 a cut above the rest"},"content":{"rendered":"
\n
\"Valyrian<\/figure>\n<\/div>\n\n\n

Due to their unrivalled strength and cutting edges, Valyrian Steel weapons are highly prized throughout Westeros \u2013 the main continent in A Game of Thrones. Should anyone, even a White Walker, face off against a swordsman (or swordswoman) wielding a Valyrian Steel weapon, the odds are already sharply against them. The same could be said of users encountering the Valyrian Trojan, a particularly insidious malware that hands attackers control of victim machines. 

Not only do the trojan\u2019s advanced techniques enable attackers to hijack the computers, Valyrian can also redirect users to compromised websites, block access to various websites, monitor network traffic, steal personal information, and even update itself.  

Valyrian is typically spread via Microsoft document files, using Visual Basic for Applications to download and execute a file on the infected system.

Once infected, a computer will suffer severe performance degradation including memory loss, CPU spikes or unexpected system crashes.<\/p>\n\n\n\n

Distribution<\/strong>

Valyrian is usually distributed via fake Windows updates, malicious third-party programs (generally a user is told to download these programs to properly view a webpage or video), or via weaponized attachments sent via email or social media. 

Another popular distribution method is via pirated copies of games and software available on Torrent sites. 

Once executed, Valyria may also disable other software on your PC \u2013 like anti-virus security suites or firewalls \u2013 and it can even contact CnC servers to execute further server-side scripts or download additional malware.

Persistence<\/strong>

Valyria stays concealed in the victim’s system by writing itself to the Windows startup folder via an installer. When Windows starts, programs in the startup folder are automatically launched, meaning the malware executes and performs its malicious activities whenever the computer is turned on.

File Details<\/strong><\/p>\n\n\n\n

File Type <\/strong><\/td>.hta  File<\/td><\/tr>
Md5 hash <\/strong><\/td>8c2368c23fc97ebc235d62887f66ea0c<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

Static Analysis\u00a0<\/strong>

Static analysis shows this sample uses wscript.shell to drop javascripts.exe and task_manager.exe in the %TEMP% folder, while javaupdate.exe is dropped in the Startup folder in order to maintain persistence (as mentioned above).

Below we see the downloaded executable using Runexe():
<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n


Dynamic Analysis<\/strong>

Upon executing the malware sample, we witnessed Valyrian download and start javascript.exe while wscript.shell connected to 104.16.12.231, and starts RegAsm.exe which contacted 81.22.255.145 and dropped the following files:

C:\\Users\\<user-name>\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\RDGT5DXT\\task_manager[1].exe

C:\\Users\\<user-name>\\AppData\\Local\\Temp\\javascript.exe

C:\\Users\\<user-name>\\AppData\\Local\\Temp\\javascripts.exe

C:\\Users\\<user-name>\\AppData\\Local\\Temp\\jv (2).js

C:\\Users\\<user-name>\\AppData\\Local\\Temp\\syst.exe

C:\\SystemFiles\\system.exe

C:\\Users\\<user-name>\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Javaupdate.exe\u00a0<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

In the above images, we see Syst.exe remain persistent across reboot, thereby making sure the malware executes whenever the PC is turned on.

Command and Control<\/strong>

We observed connections to IP addresses \u201c104.16.12.231\u201d and \u201c81.22.255.145\u201d during the period of infection.

Indicators of Compromise<\/strong>

Below are the respective Indicators of Compromise (IOC\u2019s) for this malware:

File analyzed: 8c2368c23fc97ebc235d62887f66ea0c

Files Dropped:

\u2022\u00a0\u00a0 \u00a0C:\\Users\\<user-name>\\AppData\\Local\\Temp\\javascript.exe\u00a0

o\u00a0\u00a0 \u00a0md5: e63a322888ae16375a46af1acb8a0aed

\u2022\u00a0\u00a0 \u00a0C:\\Users\\<user-name>\\AppData\\Local\\Temp\\javascripts.exe\u00a0

o\u00a0\u00a0 \u00a0md5:0f225efbbcb33c155b22335afffb8c94

\u2022\u00a0\u00a0 \u00a0C:\\Users\\<user-name>\\AppData\\Local\\Temp\\jv (2).js\u00a0

o\u00a0\u00a0 \u00a0md5: e24f16ac4fbae07c25e830efabca217a

\u2022\u00a0\u00a0 \u00a0C:\\SystemFiles\\system.exe\u00a0

o\u00a0\u00a0 \u00a0md5: 0f225efbbcb33c155b22335afffb8c94

\u2022\u00a0\u00a0 \u00a0C:\\Users\\<user-name>\\AppData\\Local\\Temp\\syst.exe\u00a0

o\u00a0\u00a0 \u00a0md5: 0f225efbbcb33c155b22335afffb8c94

\u2022\u00a0\u00a0 \u00a0C:\\Users\\<user-name>\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\RDGT5DXT\\task_manager[1].exe\u00a0

o\u00a0\u00a0 \u00a0md5: 0f225efbbcb33c155b22335afffb8c94

Registries added<\/strong>

\u2022\u00a0\u00a0 \u00a0HKU\\.DEFAULT\\Software\\Classes\\Local Settings\\MuiCache\\1E\\52C64B7E\\@C:\\Windows\\System32\\mshta.exe,-6412: “HTML Application”

\u2022\u00a0\u00a0 \u00a0HKU\\S-1-5-21-1218962352-309658065-3384228893-1000_Classes\\Local Settings\\MuiCache\\1E\\52C64B7E\\@C:\\Windows\\System32\\mshta.exe,-6412: “HTML Application”

\u2022\u00a0\u00a0 \u00a0HKU\\S-1-5-18\\Software\\Classes\\Local Settings\\MuiCache\\1E\\52C64B7E\\@C:\\Windows\\System32\\mshta.exe,-6412: “HTML Application”

Memory analysis<\/strong>

On capturing the infected system\u2019s RAM image, we noted several malicious functions:

Connection to the IP \u201c81.22.255.145\u201d:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

RegAsm.exe persistently running in the infected machine:
<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

New registries created by RegAsm.exe:
<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

RegAsm.exe ending, syst.exe starting, and the registries being used:\u00a0<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Command and Control servers (C&C):<\/strong>

104.16.12.231

81.22.255.145

Conclusion:<\/strong>

Valyrian\u2019s wide range of functionality and its multiple propagation methods make it particularly devastating to anyone unlucky enough to fall victim to it.

Just like Valyrian Steel, we don\u2019t know exactly who crafted the Valyrian Trojan, but they\u2019ve created an incredibly sophisticated weapon capable of causing immense damage.

Updating blacklist rules to include the aforementioned C&C IOCs and keeping antivirus updated with the latest threat signatures will help mitigate exposure to Valyrian Trojan.<\/p>\n","protected":false},"excerpt":{"rendered":"

Due to their unrivalled strength and cutting edges, Valyrian Steel weapons are highly prized throughout Westeros – the main continent in A Game of Thrones. Should anyone, even a White Walker, face off against a swordsman (or swordswoman) wielding a Valyrian Steel weapon, the odds are already sharply against them. The same could be said […]<\/p>\n","protected":false},"author":1,"featured_media":2662,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[21],"tags":[],"class_list":["post-2643","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-labs"],"_links":{"self":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2643","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/comments?post=2643"}],"version-history":[{"count":4,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2643\/revisions"}],"predecessor-version":[{"id":4300,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2643\/revisions\/4300"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media\/2662"}],"wp:attachment":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media?parent=2643"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/categories?post=2643"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/tags?post=2643"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}