SonicALERT
Search

Sonicwall Signatures

 

Go to All Categories list.


  MalAgent.J_61600
MalAgent.J_61600 is a Trojan. A Trojan is a program that pretends to have a valid use, but in fact modifies the user's computer in malicious ways. Trojans do not replicate or spread to other computers.

Mutexes created
  • Nothing to report


Directory level activity
  • create - dir - C:\Documents and Settings\TestMachine\Local Settings\Application Data\Chrome


File level activity
  • delete - file - C:\Documents and Settings\TestMachine\Local Settings\Application Data\Chrome\StikyNot.exe
  • delete - file - C:\Documents and Settings\TestMachine\Local Settings\Application Data\Chrome\SyncHost.exe


Registry level activity
  • write - registry - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell FoldersLocal AppData
  • write - registry - HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunMicrosoft OneDrive


Library level activity
  • load - library - kernel32.dll
  • load - library - oleaut32.dll
  • load - library - advapi32.dll
  • load - library - user32.dll
  • load - library - msimg32.dll
  • load - library - gdi32.dll
  • load - library - version.dll
  • load - library - comctl32.dll
  • load - library - comdlg32.dll
  • load - library - SHFolder.dll
  • load - library - C:\DOCUME~1\TestMachine\LOCALS~1\Temp\a3a09226cd3350851e08ea71b49d9cc8.ENU
  • load - library - C:\DOCUME~1\TestMachine\LOCALS~1\Temp\a3a09226cd3350851e08ea71b49d9cc8.EN
  • load - library - USER32.DLL
  • load - library - C:\DOCUME~1\TestMachine\LOCALS~1\Temp\a3a09226cd3350851e08ea71b49d9cc8.bin
  • load - library - USER32
  • load - library - User32.dll
  • load - library - ole32.dll
  • load - library - uxtheme.dll
  • load - library - shell32.dll
  • load - library - ntdll
  • load - library - kernel32
  • load - library - advapi32
  • load - library - C:\Windows\explorer.ENU
  • load - library - C:\Windows\explorer.EN
  • load - library - kernel32.dll


Process API calls used
  • NtFreeVirtualMemory
  • VirtualProtectEx
  • CreateProcessInternalW
  • WriteProcessMemory
  • ReadProcessMemory
  • ExitProcess


Registry API calls used
  • RegOpenKeyExA
  • RegQueryValueExA
  • RegCloseKey
  • NtOpenKey
  • RegOpenKeyExW
  • RegQueryValueExW
  • RegCreateKeyExW
  • RegSetValueExW
  • RegSetValueExA
  • RegCloseKey


System API calls used
  • LdrGetDllHandle
  • LdrGetProcedureAddress
  • LdrLoadDll
  • NtDelayExecution
  • LdrGetProcedureAddress


Filesystem API calls used
  • CreateDirectoryW
  • NtCreateFile
  • NtQueryInformationFile
  • NtReadFile
  • CopyFileA
  • DeleteFileA
  • CopyFileA

Network

UDP source >> destination
  • 192.168.30.10 >> 192.168.30.255
  • 192.168.30.10 >> 8.8.8.8


TCP source >> destination
  • 192.168.30.10 >> 72.21.91.29



Domains:
  • s.symcb.com with IP - 72.21.91.29
  • sw.symcb.com with IP - 72.21.91.29

DNS Request:
  • sw.symcb.com
  • s.symcb.com

HTTP Request:
  • GET URI - http://s.symcb.com/pca3-g5.crl
  • GET URI - http://sw.symcb.com/sw.crl

DLL related data
Number of DLL's imported = 1
  • kernel32.dll


Relevant Information