TROJ_HANCITOR.YYSVM

Analysis by: Francis Xavier Antazo

ALIASES:

TrojanDownloader:Win32/Zdowbot.A (Microsoft); Trojan-Ransom.Win32.PornoAsset.cxlm (Kaspersky)

PLATFORM:

Windows

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW


This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

After executing, it deletes itself.

  TECHNICAL DETAILS

File Size:

88,064 bytes

File Type:

EXE

Memory Resident:

Yes

Initial Samples Received Date:

01 Aug 2016

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan drops the following copy of itself into the affected system and executes it:

  • %System%\WinHost32.exe

(Note: %System% is the Windows system folder, usually C:\Windows\System32 on all Windows operating system versions.)

After executing, it deletes itself.

Autostart Technique

This Trojan adds the following registry entry to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
WinHost32 = "%System%\WinHost32.exe"
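The two artifacts above (the dropped copy under Installation and the Run value under Autostart Technique) are what a responder would check for on a suspect host. The following PowerShell function is an added example written for this page; it is not code from the Trend Micro entry. The function name, parameter names and output shape are assumptions, and the extra Wow6432Node and SysWOW64 locations are included because a 32-bit process on 64-bit Windows has its writes to HKLM\Software and %System% redirected there.

```powershell
# Added example (not part of the original entry): look for the persistence
# artifacts described for TROJ_HANCITOR.YYSVM. Names below are assumptions.
function Get-WinHost32Indicators {
    [CmdletBinding()]
    param(
        # Run key from the entry, plus the WOW64-redirected copy (assumption: 64-bit host)
        [string[]]$RunKeyPaths = @(
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
        ),
        [string]$ValueName = 'WinHost32',
        # %System%\WinHost32.exe, plus the WOW64 file-system redirection target
        [string[]]$DroppedFiles = @(
            (Join-Path $env:SystemRoot 'System32\WinHost32.exe'),
            (Join-Path $env:SystemRoot 'SysWOW64\WinHost32.exe')
        ),
        # File size listed under Technical Details; used only as a hint, not as proof
        [long]$KnownSize = 88064
    )

    $findings = @()

    # 1. Autostart value: HKLM\...\Run\WinHost32 = "%System%\WinHost32.exe"
    foreach ($keyPath in $RunKeyPaths) {
        $key = Get-ItemProperty -Path $keyPath -ErrorAction SilentlyContinue
        if ($key -and ($key.PSObject.Properties.Name -contains $ValueName)) {
            $findings += [pscustomobject]@{
                Indicator = 'RegistryRunValue'
                Location  = "$keyPath\$ValueName"
                Detail    = $key.$ValueName
            }
        }
    }

    # 2. Dropped copy: %System%\WinHost32.exe
    foreach ($path in $DroppedFiles) {
        if (Test-Path -LiteralPath $path) {
            $item = Get-Item -LiteralPath $path
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            $sizeNote = if ($item.Length -eq $KnownSize) { 'size matches entry' } else { 'size differs from entry' }
            $findings += [pscustomobject]@{
                Indicator = 'DroppedFile'
                Location  = $path
                Detail    = ('{0} bytes ({1}), SHA256 {2}' -f $item.Length, $sizeNote, $hash)
            }
        }
    }

    return $findings
}

# Usage: list any findings; a host with no output has none of the listed artifacts.
Get-WinHost32Indicators | Format-Table -AutoSize
```

The function only reports; it removes nothing, so it can be run during triage before a decision on remediation. Because the sample deletes its original file after executing, absence of the initial dropper is expected and the Run value plus the %System% copy are the durable indicators to look for.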

Other Details

This Trojan connects to the following possibly malicious URLs:

  • http://api.{BLOCKED}y.org
  • http://{BLOCKED}gin.ru/ls/gate.php
  • http://{BLOCKED}ndar.com/ls/gate.php
  • http://{BLOCKED}osandpa.ru/ls/gate.php