SHA1:
- bb64ea9dd561db41253814587f22985f51f9ad17
Description
A phase 1 trojan in a multi-phase infection sequence that facilitates data theft, clipboard contents monitoring, backdoor deployment, rogue mining and infecting other files.
- Phase 1 — Trojan.DownLoader49.35384,
- Phase 2 — Trojan.DownLoader49.35687,
- Phase 3 — BackDoor.Siggen2.5906,
- Phase 4 — Trojan.Packed2.50953, Trojan.BtcMine.3956 — phase 5 downloader.
This trojan initiates the entire infection sequence.
Operation
Files of various legitimate applications having a similar structure are found on the Internet. A global object is introduced into the original executable file. As soon as the trojanized application starts to be executed, the malware takes advantage of the PEB walking technique to gain access to system APIs. Next, the standard initterm method walks the table of function pointers and initializes them. One of these functions is malicious and runs a PowerShell command. It downloads and executes the phase 2 malware — Trojan.DownLoader49.35687. In some versions of the trojan, this payload is encrypted.
MITRE ATT@CK MATRIX
| Tactic | Technique |
|---|---|
| Executor |
Command and scripting interpreter (T1059) PowerShell (T1059.001) User execution (T1204) |
| Stealth |
Obfuscated files or information (T1027) Masquerading (T1036) |
| Command and Control | Application layer protocol (T1071) |
More about Trojan.DownLoader49.35687
More about BackDoor.Siggen2.5906
More about Trojan.BtcMine.3956
Indicators of Compromise
Trojan review publication