EternalRocks.G6 is a Trojan. A Trojan is a program that pretends to have a valid use, but in fact modifies the user's computer in malicious ways. Trojans do not replicate or spread to other computers.
Mutexes created
- Global\20b70e57-1c2e-4de9-99e5-69f369006912
Directory level activity- create - dir - c:\Program Files\Microsoft Updates
- create - dir - c:\Program Files\Microsoft Updates\temp
- create - dir - c:\Program Files\Microsoft Updates\TaskScheduler
File level activity- write - file - c:\Program Files\Microsoft Updates\required.glo
- write - file - PIPE\lsarpc
- write - file - c:\Program Files\Microsoft Updates\TaskScheduler.zip
- write - file - c:\Program Files\Microsoft Updates\dotnetfx.exe
- write - file - c:\Program Files\Microsoft Updates\required.glo
Registry level activity- write - registry - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell FoldersCommon AppData
- write - registry - HKEY_USERS\S-1-5-21-1454471165-842925246-1957994488-1003Software\Microsoft\Windows\CurrentVersion\Explorer\Shell FoldersAppData
- write - registry - HKEY_USERS\S-1-5-21-1454471165-842925246-1957994488-1003Software\Microsoft\windows\CurrentVersion\Internet SettingsMigrateProxy
- write - registry - HKEY_USERS\S-1-5-21-1454471165-842925246-1957994488-1003Software\Microsoft\windows\CurrentVersion\Internet SettingsProxyEnable
- write - registry - HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet SettingsProxyEnable
- write - registry - HKEY_USERS\S-1-5-21-1454471165-842925246-1957994488-1003Software\Microsoft\windows\CurrentVersion\Internet Settings\ConnectionsSavedLegacySettings
- write - registry - HKEY_USERS\S-1-5-21-1454471165-842925246-1957994488-1003Software\Microsoft\windows\CurrentVersion\Internet Settings\ConnectionsDefaultConnectionSettings
- write - registry - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
- write - registry - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName
- write - registry - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet
- write - registry - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{0932c062-299c-11e2-afd8-806d6172696f}\BaseClass
- write - registry - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{0932c060-299c-11e2-afd8-806d6172696f}\BaseClass
- write - registry - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached{E88DCCE0-B7B3-11D1-A9F0-00AA0060FA31} {000214E6-0000-0000-C000-000000000046} 0x401
Library level activity- load - library - C:\WINDOWS\system32\rpcss.dll
- load - library - C:\WINDOWS\system32\uxtheme.dll
- load - library - uxtheme.dll
- load - library - OLEAUT32.DLL
- load - library - oleaut32.dll
- load - library - ole32.dll
- load - library - SXS.DLL
- load - library - USER32
- load - library - C:\WINDOWS\system32\MSVBVM60.DLL
- load - library - CLBCATQ.DLL
- load - library - KERNEL32.DLL
- load - library - C:\WINDOWS\system32\scrrun.dll
- load - library - kernel32
- load - library - advapi32.dll
- load - library - urlmon
- load - library - RASAPI32.DLL
- load - library - RTUTILS.DLL
- load - library - sensapi.dll
- load - library - ntdll.dll
- load - library - SHELL32.dll
- load - library - USERENV.dll
- load - library - netapi32.dll
- load - library - C:\WINDOWS\System32\mswsock.dll
- load - library - rasadhlp.dll
- load - library - NTDLL.DLL
- load - library - IPHLPAPI.DLL
- load - library - urlmon.dll
- load - library - C:\WINDOWS\system32\wbem\wbemdisp.dll
- load - library - C:\WINDOWS\system32\advapi32.dll
- load - library - C:\WINDOWS\system32\wbem\wbemprox.dll
- load - library - C:\WINDOWS\system32\wbem\wmiutils.dll
- load - library - wmisvc.dll
- load - library - C:\WINDOWS\system32\winlogon.exe
- load - library - xpsp2res.dll
- load - library - OLE32
- load - library - OLE32.DLL
- load - library - C:\WINDOWS\system32\wbem\wbemsvc.dll
- load - library - C:\WINDOWS\system32\wbem\fastprox.dll
- load - library - C:\WINDOWS\system32\SHELL32.dll
- load - library - OLEAUT32.dll
- load - library - SHDOCVW.dll
- load - library - SETUPAPI.dll
- load - library - appHelp.dll
- load - library - zipfldr.dll
- load - library - C:\WINDOWS\system32\zipfldr.dll
- load - library - EXPLORER.EXE
- load - library - netmsg.dll
- load - library - Kernel32
- load - library - mscoree.dll
Process API calls used
- ZwMapViewOfSection
- VirtualProtectEx
- NtCreateSection
- NtOpenSection
- NtFreeVirtualMemory
- CreateProcessInternalW
- NtFreeVirtualMemory
Registry API calls used
- NtOpenKey
- NtQueryValueKey
- RegOpenKeyExA
- RegOpenKeyExW
- RegQueryValueExW
- RegCloseKey
- RegQueryValueExA
- RegCreateKeyExA
- RegCreateKeyExW
- RegQueryInfoKeyW
- RegEnumValueW
- RegSetValueExW
- RegSetValueExA
- RegEnumKeyExA
- RegDeleteValueA
- RegQueryInfoKeyA
- RegEnumKeyExW
- RegEnumKeyW
- RegCloseKey
System API calls used
- LdrGetDllHandle
- LdrLoadDll
- IsDebuggerPresent
- LdrGetProcedureAddress
- SetWindowsHookExA
- NtDelayExecution
- LookupPrivilegeValueW
- NtDelayExecution
Filesystem API calls used
- NtCreateFile
- NtQueryInformationFile
- NtSetInformationFile
- NtReadFile
- CreateDirectoryW
- NtWriteFile
- NtDeviceIoControlFile
- FindFirstFileExW
- NtOpenFile
- NtCreateFile
DLL related data
Number of DLL's imported = 1
Domains:- api.nuget.org with IP - 72.21.81.200
- download.microsoft.com with IP - 23.75.71.57
DNS Request:- download.microsoft.com
- api.nuget.org
HTTP Request:- GET URI - http://download.microsoft.com/download/5/6/7/567758a3-759e-473e-bf8f-52154438565a/dotnetfx.exe
- GET URI - http://api.nuget.org/packages/taskscheduler.2.5.23.nupkg
Network
UDP source >> destination
- 192.168.30.254 >> 192.168.30.8
- 192.168.30.8 >> 192.168.30.254
- 192.168.30.8 >> 192.168.30.255
- 192.168.30.8 >> 8.8.8.8
TCP source >> destination
- 192.168.30.8 >> 192.168.30.254
- 192.168.30.8 >> 23.44.160.32
- 192.168.30.8 >> 72.21.81.200
VirusTotal
- Scans show 51 positive out of 60 scanners
|
