SonicALERT
Search

Sonicwall Signatures

 

Go to All Categories list.


  Wacatac.B_2_13
Wacatac.B_2_13 is a Trojan. A Trojan is a program that pretends to have a valid use, but in fact modifies the user's computer in malicious ways. Trojans do not replicate or spread to other computers.

Mutexes created
  • Global\syncronize_6I77XUA
  • Global\syncronize_6I77XUU


Directory level activity
    • Nothing to report


    File level activity
    • write - file - PIPE\lsarpc
    • write - file - C:\DOCUME~1\TestMachine\LOCALS~1\Temp\raw.txt
    • delete - file - C:\DOCUME~1\TestMachine\LOCALS~1\Temp\
    • write - file - C:\WINDOWS\System32\d96a5448a96093c8d684ec74ca19522b.bin
    • write - file - C:\Documents and Settings\TestMachine\Start Menu\Programs\Startup\d96a5448a96093c8d684ec74ca19522b.bin
    • write - file - C:\Documents and Settings\All Users\Start Menu\Programs\Startup\d96a5448a96093c8d684ec74ca19522b.bin
    • write - file - C:\Device\NamedPipe\Win32Pipes.0000062c.00000001
    • write - file - C:\Documents and Settings\All Users\Application Data\desktop.ini.id-D0EAE3B2.[decrypt@files.mn].ROGER
    • write - file - C:\agent.pyw.id-D0EAE3B2.[decrypt@files.mn].ROGER


    Registry level activity
    • write - registry - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Rund96a5448a96093c8d684ec74ca19522b.bin


    Library level activity
    • load - library - KERNEL32.DLL
    • load - library - ADVAPI32.dll
    • load - library - NTDLL.DLL
    • load - library - mscoree.dll
    • load - library - ulib.dll
    • load - library - C:\WINDOWS\system32\uxtheme.dll
    • load - library - uxtheme.dll
    • load - library - C:\WINDOWS\system32\rpcss.dll
    • load - library - C:\WINDOWS\system32\winlogon.exe
    • load - library - xpsp2res.dll
    • load - library - kernel32.dll
    • load - library - OLE32.DLL
    • load - library - ole32.dll
    • load - library - mswsock.dll
    • load - library - ws2_32.dll
    • load - library - kernel32
    • load - library - COMCTL32.DLL
    • load - library - ntdll
    • load - library - KERNEL32.dll
    • load - library - advapi32.dll
    • load - library - user32.dll
    • load - library - Shell32.dll
    • load - library - ntdll.dll
    • load - library - mpr.dll
    • load - library - C:\WINDOWS\system32\VBoxMRXNP.dll
    • load - library - C:\WINDOWS\System32\drprov.dll
    • load - library - C:\WINDOWS\System32\ntlanman.dll
    • load - library - C:\WINDOWS\System32\davclnt.dll
    • load - library - kernel32.dll


    Process API calls used
    • NtFreeVirtualMemory
    • CreateProcessInternalW
    • ReadProcessMemory
    • NtOpenSection
    • ZwMapViewOfSection
    • ExitProcess


    Registry API calls used
    • RegOpenKeyExW
    • RegQueryValueExW
    • RegCloseKey
    • NtOpenKey
    • NtQueryValueKey
    • NtQueryValueKey


    System API calls used
    • LdrGetDllHandle
    • LdrGetProcedureAddress
    • LdrLoadDll
    • LdrGetDllHandle


    Filesystem API calls used
    • FindFirstFileExW
    • NtWriteFile
    • NtQueryInformationFile
    • NtSetInformationFile
    • NtReadFile
    • NtWriteFile

    Network

    UDP source >> destination
    • 192.168.30.254 >> 192.168.30.4
    • 192.168.30.4 >> 192.168.30.255


    TCP source >> destination
    • 192.168.30.4 >> 192.168.30.254



    Domains:
    • NA

    DNS Request:
    • NA

    HTTP Request:
    • NA

    DLL related data
    Number of DLL's imported = 15
    • KERNEL32.dll
    • USER32.dll
    • GDI32.dll
    • ADVAPI32.dll
    • SHELL32.dll
    • ole32.dll
    • WINMM.dll
    • CRYPT32.dll
    • SHLWAPI.dll
    • RPCRT4.dll
    • gdiplus.dll
    • Secur32.dll
    • dbghelp.dll
    • AUTHZ.dll
    • TAPI32.dll

    Relevant Information


    © SonicWall 2020 | Privacy Policy | Conditions for use Version: 10.0