MalAgent.J_48493
MalAgent.J_48493 is a Trojan. A Trojan is a program that pretends to have a legitimate use but in fact modifies the user's computer in malicious ways. Trojans do not replicate or spread to other computers on their own.

Mutexes created
  • zonaWeb
  • dwnloader_web_setup_mutex


Directory level activity
  • create - dir - C:\Documents and Settings\TestMachine\Application Data\Zona


File level activity
  • write - file - C:\DOCUME~1\TestMachine\LOCALS~1\Temp\ZonaInstall.log
  • write - file - C:\Documents and Settings\TestMachine\Application Data\Zona\init.xml
  • write - file - C:\DOCUME~1\TestMachine\LOCALS~1\Temp\hd.vbs
  • write - file - C:\DOCUME~1\TestMachine\LOCALS~1\Temp\pin5.tmp
  • write - file - C:\DOCUME~1\TestMachine\LOCALS~1\Temp\zon2D4.tmp
  • write - file - C:\DOCUME~1\TestMachine\LOCALS~1\Temp\zon2D5.tmp
  • write - file - PIPE\lsarpc
  • write - file - C:\WINDOWS\system32\en-US\vbscript.dll.mui


Registry level activity
  • write - registry - HKEY_CURRENT_USER\Software\Zonaexec
  • write - registry - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData
  • write - registry - HKEY_CURRENT_USER\Software\Pinstalli_user_id
  • write - registry - HKEY_CURRENT_USER\Software\ZonaDownloadsDir
  • write - registry - Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings
  • write - registry - HKEY_CURRENT_USER\Software\Pinstalls_user_id


Library level activity
  • load - library - KERNEL32.DLL
  • load - library - ADVAPI32.dll
  • load - library - GDI32.dll
  • load - library - gdiplus.dll
  • load - library - ole32.dll
  • load - library - OLEAUT32.dll
  • load - library - SHELL32.dll
  • load - library - SHLWAPI.dll
  • load - library - USER32.dll
  • load - library - UxTheme.dll
  • load - library - WININET.dll
  • load - library - C:\WINDOWS\system32\rpcss.dll
  • load - library - C:\WINDOWS\system32\uxtheme.dll
  • load - library - uxtheme.dll
  • load - library - wininet.dll
  • load - library - C:\WINDOWS\System32\mswsock.dll
  • load - library - rasadhlp.dll
  • load - library - kernel32.dll
  • load - library - user32.dll
  • load - library - gdi32.dll
  • load - library - C:\WINDOWS\system32\winlogon.exe
  • load - library - xpsp2res.dll
  • load - library - C:\WINDOWS\system32\cscript.exe
  • load - library - oleaut32.dll
  • load - library - SXS.DLL
  • load - library - CLBCATQ.DLL
  • load - library - C:\WINDOWS\system32\vbscript.dll
  • load - library - C:\WINDOWS\system32\advapi32.dll
  • load - library - advapi32
  • load - library - WINTRUST.dll
  • load - library - rsaenh.dll
  • load - library - MSISIP.DLL
  • load - library - C:\WINDOWS\system32\CRYPT32.dll
  • load - library - C:\WINDOWS\system32\wshext.dll
  • load - library - C:\WINDOWS\system32\scrobj.dll
  • load - library - C:\WINDOWS\system32\wbem\wbemdisp.dll
  • load - library - C:\WINDOWS\system32\wbem\wbemprox.dll
  • load - library - C:\WINDOWS\system32\wbem\wmiutils.dll
  • load - library - wmisvc.dll
  • load - library - OLE32
  • load - library - OLE32.DLL
  • load - library - C:\WINDOWS\system32\wbem\wbemsvc.dll
  • load - library - C:\WINDOWS\system32\wbem\fastprox.dll
  • load - library - kernel32.dll


Process API calls used
  • VirtualProtectEx
  • ZwMapViewOfSection
  • NtFreeVirtualMemory
  • CreateProcessInternalW
  • NtCreateSection
  • ZwMapViewOfSection


Registry API calls used
  • RegOpenKeyExW
  • RegQueryValueExW
  • RegCloseKey
  • RegCreateKeyExW
  • RegSetValueExW
  • NtOpenKey
  • RegCreateKeyExA
  • RegQueryInfoKeyA
  • RegOpenKeyExA
  • RegQueryValueExA
  • RegSetValueExA
  • RegCloseKey


System API calls used
  • LdrLoadDll
  • LdrGetProcedureAddress
  • LdrGetDllHandle
  • IsDebuggerPresent
  • NtDelayExecution
  • NtDelayExecution


Filesystem API calls used
  • NtCreateFile
  • NtQueryInformationFile
  • NtSetInformationFile
  • NtWriteFile
  • NtReadFile
  • CreateDirectoryW
  • NtOpenFile
  • NtQueryInformationFile

Network

UDP source >> destination
  • 192.168.30.10 >> 192.168.30.255
  • 192.168.30.10 >> 8.8.8.8


TCP source >> destination
  • 192.168.30.10 >> 178.218.223.40
  • 192.168.30.10 >> 46.254.17.199
  • 192.168.30.10 >> 72.21.91.29



Domains:
  • s.symcb.com with IP - 72.21.91.29
  • sw.symcb.com with IP - 72.21.91.29
  • stat.miniload.org with IP - 46.254.17.199
  • i0.x8.net with IP - 178.218.223.40

DNS Request:
  • i0.x8.net
  • sw.symcb.com
  • stat.miniload.org
  • s.symcb.com

HTTP Request:
  • GET URI - http://sw.symcb.com/sw.crl
  • GET URI - http://stat.miniload.org/installer.html?param=…
  • GET URI - http://stat.miniload.org/getActiveCampaigns?userId=64A4340F-3D78-4179-BFA8-7EB43D6A309A&pid=3&appId=1
  • GET URI - http://s.symcb.com/pca3-g5.crl
  • GET URI - http://i0.x8.net/T/YvoB_X.jpeg

DLL related data
Number of DLLs imported = 11
  • KERNEL32.DLL
  • ADVAPI32.dll
  • GDI32.dll
  • gdiplus.dll
  • ole32.dll
  • OLEAUT32.dll
  • SHELL32.dll
  • SHLWAPI.dll
  • USER32.dll
  • UxTheme.dll
  • WININET.dll


Relevant Information