SonicALERT
Sonicwall Signatures

MalAgent.J_68632
MalAgent.J_68632 is a Trojan. A Trojan is a program that pretends to have a valid use, but in fact modifies the user's computer in malicious ways. Trojans do not replicate or spread to other computers.

Mutexes created
  • LKJ_HGFDS_VBNM_MNfewe


Directory level activity
  • delete - dir - C:\DOCUME~1\TestMachine\LOCALS~1\Temp\VBOXGU~1\VBoxOGL
  • delete - dir - C:\DOCUME~1\TestMachine\LOCALS~1\Temp\VBOXGU~1
  • delete - dir - C:\DOCUME~1\TestMachine\LOCALS~1\Temp
  • create - dir - C:\DOCUME~1\TestMachine\LOCALS~1\Temp


File level activity
  • delete - file - C:\Documents and Settings\TestMachine\Local Settings\Application Data\CSIDL_
  • delete - file - C:\Documents and Settings\TestMachine\Local Settings\Application Data\system.exe
  • delete - file - C:\Documents and Settings\TestMachine\Local Settings\Application Data\CSIDL_X
  • delete - file - C:\DOCUME~1\TestMachine\LOCALS~1\Temp\299E40~1.BIN
  • delete - file - C:\DOCUME~1\TestMachine\LOCALS~1\Temp\512.ini
  • delete - file - C:\DOCUME~1\TestMachine\LOCALS~1\Temp\PERFLI~1.DAT


Registry level activity
  • write - registry - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunSearchFilterHost
  • write - registry - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunSearchFilterHost
  • write - registry - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell FoldersStartup
  • write - registry - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell FoldersLocal AppData
  • write - registry - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell FoldersCommon Startup


Library level activity
  • load - library - KERNEL32.DLL
  • load - library - ADVAPI32.dll
  • load - library - GDI32.dll
  • load - library - MFC42.DLL
  • load - library - MSVCRT.dll
  • load - library - PSAPI.DLL
  • load - library - SHELL32.dll
  • load - library - USER32.dll
  • load - library - mscoree.dll
  • load - library - kernel32.dll
  • load - library - mscoree.dll


Process API calls used
  • VirtualProtectEx
  • CreateProcessInternalW
  • ReadProcessMemory
  • NtFreeVirtualMemory
  • ExitProcess


Registry API calls used
  • RegOpenKeyExA
  • RegQueryValueExA
  • RegCloseKey
  • RegCreateKeyExA
  • RegSetValueExA
  • RegCreateKeyExW
  • RegQueryValueExW
  • RegSetValueExW
  • RegCloseKey


System API calls used
  • LdrLoadDll
  • LdrGetProcedureAddress
  • SetWindowsHookExA
  • NtDelayExecution
  • NtDelayExecution


Filesystem API calls used
  • NtOpenFile
  • DeleteFileA
  • CopyFileW
  • CopyFileW

Network

UDP source >> destination
  • 192.168.30.10 >> 192.168.30.255
  • 192.168.30.254 >> 192.168.30.10


TCP source >> destination
  • 192.168.30.10 >> 192.168.30.254



Domains:
  • NA

DNS Request:
  • NA

HTTP Request:
  • NA

DLL related data
Number of DLLs imported = 8
  • ADVAPI32.dll
  • GDI32.dll
  • KERNEL32.DLL
  • MFC42.DLL
  • MSVCRT.dll
  • PSAPI.DLL
  • SHELL32.dll
  • USER32.dll


Relevant Information