SonicALERT
Sonicwall Signatures

MalAgent.J_74907
MalAgent.J_74907 is a Trojan. A Trojan is a program that pretends to have a legitimate use but in fact modifies the user's computer in malicious ways. Trojans do not replicate or spread to other computers on their own.

Mutexes created
  • Remcos_Mutex_Inj
  • Rjdididyprodgf-BX2KDU


Directory level activity
  • create - dir - C:\Documents and Settings\TestMachine\Application Data\remcos


File level activity
  • write - file - C:\Documents and Settings\TestMachine\Start Menu\Programs\Startup\jacob.vbe
  • write - file - C:\Documents and Settings\TestMachine\Application Data\jacob.exe


Registry level activity
  • write - registry - HKEY_CURRENT_USER\Software\Rjdididyprodgf-BX2KDU\EXEpath


Library level activity
  • load - library - C:\WINDOWS\system32\rpcss.dll
  • load - library - C:\WINDOWS\system32\uxtheme.dll
  • load - library - uxtheme.dll
  • load - library - OLEAUT32.DLL
  • load - library - oleaut32.dll
  • load - library - ole32.dll
  • load - library - SXS.DLL
  • load - library - USER32
  • load - library - C:\WINDOWS\system32\MSVBVM60.DLL
  • load - library - shell32
  • load - library - NTDLL
  • load - library - kernel32
  • load - library - user32
  • load - library - ntdll
  • load - library - advapi32
  • load - library - IPHlpApi
  • load - library - User32
  • load - library - KERNEL32.dll
  • load - library - USER32.dll
  • load - library - GDI32.dll
  • load - library - ADVAPI32.dll
  • load - library - SHELL32.dll
  • load - library - MSVCP60.dll
  • load - library - MSVCRT.dll
  • load - library - WINMM.dll
  • load - library - SHLWAPI.dll
  • load - library - WS2_32.dll
  • load - library - urlmon.dll
  • load - library - gdiplus.dll
  • load - library - WININET.dll
  • load - library - User32.dll
  • load - library - kernel32.dll
  • load - library - Psapi.dll
  • load - library - Shell32
  • load - library - Secur32.dll


Process API calls used
  • ZwMapViewOfSection
  • VirtualProtectEx
  • NtFreeVirtualMemory
  • VirtualProtectEx


Registry API calls used
  • NtOpenKey
  • NtQueryValueKey
  • RegOpenKeyExA
  • RegQueryValueExW
  • RegQueryValueExA
  • RegCloseKey
  • RegCreateKeyExA
  • RegSetValueExA
  • NtQueryValueKey


System API calls used
  • LdrGetDllHandle
  • LdrLoadDll
  • IsDebuggerPresent
  • LdrGetProcedureAddress
  • SetWindowsHookExA
  • NtDelayExecution
  • NtDelayExecution


Filesystem API calls used
  • NtCreateFile
  • NtDeviceIoControlFile
  • NtWriteFile
  • NtQueryInformationFile
  • NtReadFile
  • FindFirstFileExW
  • CreateDirectoryW

Network

UDP source >> destination
  • 192.168.30.254 >> 192.168.30.3
  • 192.168.30.3 >> 192.168.30.254
  • 192.168.30.3 >> 192.168.30.255
  • 192.168.30.3 >> 8.8.8.8


TCP source >> destination
  • 192.168.30.3 >> 192.168.30.254



Domains:
  • ddns.njegidi888.xyz with IP -

DNS Request:
  • ddns.njegidi888.xyz

HTTP Request:
  • NA

DLL related data
Number of DLLs imported = 1
  • MSVBVM60.DLL


Relevant Information