Trojan.MSIL.LOKI.PUHBAZCRCQH
Aliases: UDS:Backdoor.MSIL.Androm.gen (KASPERSKY)
Platform: Windows
Threat Type: Trojan
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
Infection Channel: Downloaded from the Internet, Dropped by other malware
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
TECHNICAL DETAILS
File Size: 480,768 bytes
File Type: EXE
Memory Resident: No
Initial Samples Received Date: 11 Sep 2023
Payload: Drops files
Arrival Details
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This Trojan adds the following folders:
- %Application Data%\{6 Random Hex Values}
(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000 (32-bit), XP, and Server 2003 (32-bit), or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008 (64-bit), 2012 (64-bit) and 10 (64-bit).)
It drops the following files:
- %Application Data%\{6 Random Hex Values}\{6 Random Hex Values}.lck → lock file, used to mark the resource as in use
- %Application Data%\Microsoft\Crypto\RSA\{SID}\{Combination of Machine GUID and a Random GUID} → contains an RSA cryptographic key
(Note: the %Application Data%\Microsoft\Crypto\RSA\{SID}\ directory is the per-user CryptoAPI key container store, which legitimate .NET and CryptoAPI-based software also writes to; treat this file as a supporting indicator alongside the dropped folder above, not as a standalone one.)
It adds the following processes:
- %Windows%\Microsoft.NET\Framework\{Version Number}\RegSvcs.exe
(Note: %Windows% is the Windows folder, usually C:\Windows on all Windows operating system versions. RegSvcs.exe is the legitimate .NET Services Installation Tool shipped with the .NET Framework; the indicator is this trojan launching it and the relocated, renamed copy described under Other Details, not the presence of the binary in its Framework directory.)
Other Details
This Trojan does the following:
- It moves and renames the following file:
- Old Path: %Windows%\Microsoft.NET\Framework\{Version Number}\RegSvcs.exe
- New Path: %Application Data%\{6 Random Hex Values}\{6 Random Hex Values}.exe
- It sets the attributes of the following file into Hidden and System:
- %Application Data%\{6 Random Hex Values}\{6 Random Hex Values}.exe
- It sets the attributes of the following folder into Hidden:
- %Application Data%\{6 Random Hex Values}
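The Installation and Other Details sections together describe a small set of on-disk and process artifacts. The PowerShell below is an added hunting script, not part of this entry or any vendor tool: it looks in the current user's %Application Data% for a hidden folder named with six hex characters that holds a matching .lck and .exe, checks whether that .exe is Hidden+System, and checks whether it (or any process running from under %Application Data%) is really RegSvcs.exe by its version resource. Two assumptions are the script's own: that "{6 Random Hex Values}" means six hex characters (widen $hexName if your samples differ), and that the relocated copy of RegSvcs.exe keeps its original version resource (OriginalFilename / InternalName). The folder name is taken from [Environment]::GetFolderPath('ApplicationData'); to sweep other profiles, substitute their AppData\Roaming paths.

```powershell
# Added hunting script for the artifacts described in this entry (not vendor code).
# Assumptions: "{6 Random Hex Values}" = six hex characters; a renamed copy of
# RegSvcs.exe still carries RegSvcs.exe in its version resource.

$hexName      = '^[0-9A-Fa-f]{6}$'                               # assumption; widen if needed
$roaming      = [Environment]::GetFolderPath('ApplicationData')  # %Application Data% for this user
$hiddenSystem = [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System

function Test-RegSvcsVersionInfo {
    param([string]$Path)
    # RegSvcs.exe is the .NET Services Installation Tool; renaming the file on disk
    # does not change the version resource compiled into it.
    $vi = (Get-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue).VersionInfo
    return ($null -ne $vi) -and
           ($vi.OriginalFilename -eq 'RegSvcs.exe' -or $vi.InternalName -eq 'RegSvcs.exe')
}

# 1. Dropped folder and files: %Application Data%\{6 hex}\{6 hex}.lck and {6 hex}.exe
$findings = foreach ($dir in Get-ChildItem -LiteralPath $roaming -Directory -Force -ErrorAction SilentlyContinue |
                              Where-Object { $_.Name -match $hexName }) {
    $lck  = Get-ChildItem -LiteralPath $dir.FullName -Filter '*.lck' -File -Force -ErrorAction SilentlyContinue
    $exes = Get-ChildItem -LiteralPath $dir.FullName -Filter '*.exe' -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.BaseName -match $hexName }
    foreach ($exe in $exes) {
        [PSCustomObject]@{
            Folder          = $dir.FullName
            FolderHidden    = (($dir.Attributes -band [IO.FileAttributes]::Hidden) -ne 0)
            LockFile        = ($lck | Select-Object -First 1).Name
            Executable      = $exe.FullName
            ExeHiddenSystem = (($exe.Attributes -band $hiddenSystem) -eq $hiddenSystem)
            ExeIsRegSvcs    = (Test-RegSvcsVersionInfo -Path $exe.FullName)
        }
    }
}

# 2. Running processes whose image sits under %Application Data% but is RegSvcs.exe by version info
$procs = Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and $_.Path.StartsWith($roaming, [StringComparison]::OrdinalIgnoreCase) } |
    Where-Object { Test-RegSvcsVersionInfo -Path $_.Path } |
    Select-Object Id, ProcessName, Path

# 3. Report. A hex-named folder alone is weak; the combination of folder + .lck + Hidden/System
#    .exe whose version resource says RegSvcs.exe is what matches this entry.
if ($findings) { $findings | Format-List }
if ($procs)    { $procs    | Format-Table -AutoSize }
if (-not $findings -and -not $procs) { 'No artifacts matching this entry were found.' }
```

Run it in a normal (non-elevated) session for the logged-on user; the dropped folder is Hidden, so the -Force switches are what let Get-ChildItem see it. A hit on ExeIsRegSvcs with ExeHiddenSystem set, or a process in $procs, is the strong signal; the RSA key container under %Application Data%\Microsoft\Crypto\RSA is deliberately not used as a trigger because legitimate software creates files there too.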