SonicALERT
Search

Sonicwall Signatures

 

Go to All Categories list.


  MalAgent.J_89800
MalAgent.J_89800 is a Virus. Virus is a type of malware that, when executed, replicates by inserting copies of itself (possibly modified) into other computer programs, data files, or the boot sector of the hard drive

Mutexes created
  • _!MSFTHISTORY!_
  • c:!documents and settings!soumy!local settings!temporary internet files!content.ie5!
  • c:!documents and settings!soumy!cookies!
  • c:!documents and settings!soumy!local settings!history!history.ie5!
  • WininetStartupMutex
  • WininetConnectionMutex
  • WininetProxyRegistryMutex


Directory level activity
    • Nothing to report


    File level activity
    • write - file - PIPE\lsarpc
    • write - file - PIPE\lsarpc


    Registry level activity
    • write - registry - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell FoldersCache
    • write - registry - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CachePathsDirectory
    • write - registry - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CachePathsPaths
    • write - registry - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CachePathsPath1CachePath
    • write - registry - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CachePathsPath2CachePath
    • write - registry - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CachePathsPath3CachePath
    • write - registry - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CachePathsPath4CachePath
    • write - registry - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CachePathsPath1CacheLimit
    • write - registry - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CachePathsPath2CacheLimit
    • write - registry - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CachePathsPath3CacheLimit
    • write - registry - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CachePathsPath4CacheLimit
    • write - registry - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell FoldersCookies
    • write - registry - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell FoldersHistory
    • write - registry - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell FoldersCommon AppData
    • write - registry - HKEY_USERS\S-1-5-21-1454471165-842925246-1957994488-1003Software\Microsoft\Windows\CurrentVersion\Explorer\Shell FoldersAppData
    • write - registry - HKEY_USERS\S-1-5-21-1454471165-842925246-1957994488-1003Software\Microsoft\windows\CurrentVersion\Internet SettingsMigrateProxy
    • write - registry - HKEY_USERS\S-1-5-21-1454471165-842925246-1957994488-1003Software\Microsoft\windows\CurrentVersion\Internet SettingsProxyEnable
    • write - registry - HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet SettingsProxyEnable
    • write - registry - HKEY_USERS\S-1-5-21-1454471165-842925246-1957994488-1003Software\Microsoft\windows\CurrentVersion\Internet Settings\ConnectionsSavedLegacySettings
    • write - registry - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
    • write - registry - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName
    • write - registry - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet
    • write - registry - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet


    Library level activity
    • load - library - C:\DOCUME~1\TestMachine\LOCALS~1\Temp\2295e8293ae10777216f7593f336d23f.ENU
    • load - library - C:\DOCUME~1\TestMachine\LOCALS~1\Temp\2295e8293ae10777216f7593f336d23f.EN
    • load - library - kernel32.dll
    • load - library - oleaut32.dll
    • load - library - USER32.DLL
    • load - library - USER32
    • load - library - comctl32.dll
    • load - library - User32.dll
    • load - library - url
    • load - library - WININET.dll
    • load - library - Secur32.dll
    • load - library - shell32.dll
    • load - library - KERNEL32
    • load - library - rnaapp.exe
    • load - library - Kernel32
    • load - library - \xe6\xb5\x81\xe6\xa5\xb3
    • load - library - Amsi
    • load - library - user32.dll
    • load - library - advapi32.dll
    • load - library - winmm.dll
    • load - library - wininet.dll
    • load - library - \xe7\xd1\xae\xe6\xb1\xa4l\xe6\xb1\xa4l
    • load - library - C:\WINDOWS\system32\winmm.dll
    • load - library - wsock32
    • load - library - ws2_32
    • load - library - RASAPI32.DLL
    • load - library - RTUTILS.DLL
    • load - library - sensapi.dll
    • load - library - ntdll.dll
    • load - library - SHELL32.dll
    • load - library - USERENV.dll
    • load - library - netapi32.dll
    • load - library - VERSION.dll
    • load - library - userenv.dll
    • load - library - secur32.dll
    • load - library - wintrust.dll
    • load - library - C:\WINDOWS\system32\wintrust.dll
    • load - library - schannel
    • load - library - crypt32
    • load - library - urlmon.dll
    • load - library - C:\WINDOWS\system32\schannel.dll


    Process API calls used
    • NtOpenSection
    • NtCreateSection
    • ZwMapViewOfSection
    • NtFreeVirtualMemory
    • VirtualProtectEx
    • NtFreeVirtualMemory


    Registry API calls used
    • RegOpenKeyExA
    • RegQueryValueExA
    • RegCloseKey
    • RegOpenKeyExW
    • RegCreateKeyExW
    • RegQueryValueExW
    • RegSetValueExW
    • RegSetValueExA
    • RegEnumKeyExA
    • RegCreateKeyExA
    • NtOpenKey
    • NtQueryValueKey
    • RegQueryInfoKeyW
    • RegEnumValueW
    • RegDeleteValueA
    • RegEnumKeyExW
    • RegQueryValueExA


    System API calls used
    • LdrGetDllHandle
    • LdrGetProcedureAddress
    • LdrLoadDll
    • LdrGetProcedureAddress


    Filesystem API calls used
    • NtOpenFile
    • NtSetInformationFile
    • NtCreateFile
    • NtQueryInformationFile
    • NtReadFile
    • NtWriteFile
    • FindFirstFileExW
    • NtQueryDirectoryFile
    • NtDeviceIoControlFile
    • NtDeviceIoControlFile

    Network

    UDP source >> destination
    • 192.168.30.254 >> 192.168.30.6
    • 192.168.30.6 >> 192.168.30.254
    • 192.168.30.6 >> 192.168.30.255
    • 192.168.30.6 >> 8.8.8.8


    TCP source >> destination
    • 192.168.30.6 >> 13.107.42.13
    • 192.168.30.6 >> 192.168.30.254



    Domains:
    • onedrive.live.com with IP - 168.62.109.28

    DNS Request:
    • onedrive.live.com

    HTTP Request:
    • NA

    DLL related data
    Number of DLL's imported = 13
    • oleaut32.dll
    • advapi32.dll
    • user32.dll
    • kernel32.dll
    • kernel32.dll
    • user32.dll
    • gdi32.dll
    • version.dll
    • kernel32.dll
    • advapi32.dll
    • kernel32.dll
    • oleaut32.dll
    • comctl32.dll

    Relevant Information


    © SonicWall 2020 | Privacy Policy | Conditions for use Version: 10.0