TROJANSPY.WIN32.LOKI.AW.HP

This Trojan Spy arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Arrival Details

This Trojan Spy arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan Spy drops the following files:

• %Application Data%\{Random Characters}\{Random Characters}.lck

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, and 8.)

It drops the following copies of itself into the affected system:

• %Application Data%\{random characters}\{random characters}.exe

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, and 8.)

It creates the following folders:

• %Application Data%\{random characters}

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, and 8.)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• F763FD6CB32A01D7B8238AA4

It terminates itself if it finds the following processes in the affected system's memory:

• procexp64exe
• procmon64.exe
• procmon.exe
• ollydbg.exe
• procexp.exe
• windbg.exe

Process Termination

This Trojan Spy terminates the following processes if found running in the affected system's memory:

• avastsvc.exe
• aavastui.exe
• avgsvc.exe
• iavgui.exe

Information Theft

Upon execution of the affected application, it gathers the following information:

• User name
• Computer Name

It attempts to steal stored account information used in the following installed File Transfer Protocol (FTP) clients or file manager software:

• AbleFTP10
• AbleFTP11
• AbleFTP12
• AbleFTP13
• AbleFTP14
• AbleFTP7
• AbleFTP8
• AbleFTP9
• ALFTP
• Automize10
• Automize11
• Automize12
• Automize13
• Automize14
• Automize7
• Automize8
• Automize9
• BlazeFtp
• Cyberduck
• DeluxeFTP
• EasyFTP
• ExpanDrive
• Far
• Far Manager
• Far2
• Fastream
• FileZilla
• FlashFXP
• FTP Now
• FTPBox
• FTPGetter
• FTPInfo
• FTPShell
• GHISLER
• GoFTP
• JaSFtp10
• JaSFtp11
• JaSFtp12
• JaSFtp13
• JaSFtp14
• JaSFtp7
• JaSFtp8
• JaSFtp9
• LinasFTP
• MyFTP
• NexusFile
• Notepad++ NppFTP
• NovaFTP
• SftpNetDrive
• sherrod FTP
• SmartFTP
• Staff-FTP
• Steed
• SuperPutty
• Xftp

It attempts to steal stored email credentials from the following:

• Foxmail
• OUTLOOK
• pocomail
• GmailNotifierPro
• Opera Mail
• Mail2
• ymail
• TrulyMail

It attempts to get stored information such as user names, passwords, and hostnames from the following browsers:

• 360Browser
• Chrome
• ChromeSxS
• Chromium
• ChromiumViewer
• Chromodo
• Citrio
• CocCoc
• Comodo
• Coowon
• Cyberduck
• Epic Privacy Browser
• Firefox
• Iridium
• Lunascape
• MapleStudio ChromePlus
• Mustang Browser
• Nichrome
• Opera
• Orbitum
• QupZilla
• RockMelt
• Spark
• SuperBird
• Titan
• Torch
• Vivaldi
• YandexBrowwer

Stolen Information

This Trojan Spy sends the gathered information via HTTP POST to the following URL:

• http://{BLOCKED}p.co/{BLOCKED}oo/kertyuiodgf/fre.php

Other Details

This Trojan Spy does the following:

• Steals credentials from the following password managers:
  • Enpass
  • RoboForm
  • 1Password
• Steals information from the following sticky notes:
  • To-Do DeskList
  • stickies
  • NoteFly
  • Conceptworld
  • Sticky Notes
• Steals credentials from the following instant messaging application:
  • .purple
• Displays the following if the local time is less than January 2016