SonicALERT
Search

Sonicwall Signatures

 

Go to All Categories list.


  XPACK.A_9247
XPACK.A_9247 is a Trojan. A Trojan is a program that pretends to have a valid use, but in fact modifies the user's computer in malicious ways. Trojans do not replicate or spread to other computers.

Mutexes created
  • Nothing to report


Directory level activity
  • create - dir - C:\Documents and Settings\TestMachine\Application Data\aplsbg


File level activity
    • Nothing to report


    Registry level activity
    • write - registry - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell FoldersAppData
    • write - registry - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell FoldersCommon Desktop
    • write - registry - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell FoldersDesktop


    Library level activity
    • load - library - api-ms-win-core-synch-l1-2-0
    • load - library - kernel32
    • load - library - api-ms-win-core-fibers-l1-1-1
    • load - library - advapi32
    • load - library - api-ms-win-core-localization-l1-2-1
    • load - library - kernel32.dll
    • load - library - api-ms-win-core-sysinfo-l1-2-1
    • load - library - api-ms-win-appmodel-runtime-l1-1-1
    • load - library - ext-ms-win-kernel32-package-current-l1-1-0
    • load - library - C:\WINDOWS\system32\ws2_32
    • load - library - KERNEL32.dll
    • load - library - USER32.dll
    • load - library - GDI32.dll
    • load - library - ADVAPI32.dll
    • load - library - SHELL32.dll
    • load - library - ole32.dll
    • load - library - OLEAUT32.dll
    • load - library - gdiplus.dll
    • load - library - SHLWAPI.dll
    • load - library - COMCTL32.dll
    • load - library - PSAPI.DLL
    • load - library - IPHLPAPI.DLL
    • load - library - VERSION.dll
    • load - library - WININET.dll
    • load - library - urlmon.dll
    • load - library - USERENV.dll
    • load - library - WS2_32.dll
    • load - library - api-ms-win-core-string-l1-1-0
    • load - library - Riched20.dll
    • load - library - msimg32.dll
    • load - library - C:\WINDOWS\system32\uxtheme.dll
    • load - library - uxtheme.dll
    • load - library - user32.dll
    • load - library - gdi32.dll
    • load - library - ntdll.dll
    • load - library - advapi32.dll
    • load - library - ntdll.dll


    Process API calls used
    • VirtualProtectEx
    • ZwMapViewOfSection
    • NtFreeVirtualMemory
    • NtCreateSection
    • NtFreeVirtualMemory


    Registry API calls used
    • RegOpenKeyExW
    • RegCreateKeyExW
    • RegQueryValueExW
    • RegCloseKey
    • RegSetValueExW
    • RegOpenKeyExA
    • RegQueryValueExA
    • NtOpenKey
    • NtEnumerateValueKey
    • NtQueryValueKey
    • RegOpenKeyExW


    System API calls used
    • LdrLoadDll
    • LdrGetProcedureAddress
    • LdrGetDllHandle
    • NtDelayExecution
    • IsDebuggerPresent
    • NtDelayExecution


    Filesystem API calls used
    • NtDeviceIoControlFile
    • CreateDirectoryW
    • NtCreateFile
    • NtOpenFile
    • NtQueryInformationFile
    • FindFirstFileExW
    • NtQueryDirectoryFile
    • NtDeviceIoControlFile

    Network

    UDP source >> destination
    • 192.168.30.3 >> 192.168.30.255
    • 192.168.30.3 >> 8.8.8.8


    TCP source >> destination
    • 192.168.30.3 >> 157.185.156.120
    • 192.168.30.3 >> 157.185.172.169
    • 192.168.30.3 >> 47.98.239.235



    Domains:
    • dwonload.frrykt.cn with IP - 157.185.156.120
    • api.ip138.com with IP - 157.185.179.222
    • dl.tzgcg.com with IP - 47.98.239.235
    • aa.tzgcg.com with IP - 47.98.239.235

    DNS Request:
    • aa.tzgcg.com
    • dwonload.frrykt.cn
    • api.ip138.com
    • dl.tzgcg.com

    HTTP Request:
    • GET URI - http://aa.tzgcg.com/op.php?value=NDA1ODg0NTQ2NTA4NzAxMjYzNTI2NTM3NjU1MjU0MDgzOTUxMTUzMTQxNDU0NzMwMzk2MDQxMDg2MzUyMTE0NjQxMzQ2MjUwNjU0NTU1MzA2MTQ1NDkwODY1NjAyNzcxNTcxODQ3NDIzOTY2NDgyNjU3MjIyNjQyMzk1NDMwNzE2NzExNjE0OTQ2MTY0NDYwMzA2NTYxNTc0NjE2MjU2MDI3Mzg2MTQ5NDYyMDM0NjAzMTM4NjExMjU4NTE2MjQyNjUzNTE2NDg2NzM0NDkyOQ%3D%3D
    • GET URI - http://api.ip138.com/query/
    • GET URI - http://dl.tzgcg.com/a/.dat
    • GET URI - http://dwonload.frrykt.cn/wuming/png/monids.png
    • GET URI - http://aa.tzgcg.com/e.php?value=NTc0NTYwNTU2NjM2NjkwNDY0NTE2NjQwNjY1MTUzMzY0MjAwMTUzMTQ0NDg1MDI2NDI1OTQ0MzY2NDUxMTE0NTQ0MzA2MTQ5NjY0ODU2MjY2MjQ4NTIzNjY2NTkyNzcxNTgxNDUwNDE0MjY1NDcyMjU4MTgyMjQxNDI1MzI2NDc2ODMwNjk0MTY2NTQwODM4NTc1ODE0MTQ0MTEyMjUxMDM1MDI2NzA2MjI3MTE0MTAzNTE2MjQyOQ%3D%3D
    • GET URI - http://aa.tzgcg.com/x.php?value=M2I3NzM0MzA2ZTdhYWVkZDY2NzcwYjEyMWRkOWU2MDgJQnVuZGxlQmluZAkxLjIuMS41CQlXaW5kb3dzWFAJMAkwCQkJMQlvcGVuCQ%3D%3D
    • GET URI - http://aa.tzgcg.com/e.php?value=NTAzNjQ4MzUxNTY0MDY2MDE5NDExNTcxMTU0MTM3NjQ2NzQzMTQzMDYzNTU1MTQyNjcyNTYzNjQxOTQxMTA1MzYzMzgyMTQ1MTU1NTM1NDIyMzU1NDc2NDE1MjUyNjAzMzE1NDUxNjE2NzEzNDk0NjMxNTA0NjYxNjczNzQyNDkxMTM4MDY2MTE1Mzk1NjY4MjkzMTU0NTQ2MTUyMjA1ODcwNjYwOTYyNDYwMzU0NTg3MDQ4NDAyNA%3D%3D

    DLL related data
    Number of DLL's imported = 3
    • KERNEL32.dll
    • WS2_32.dll
    • ADVAPI32.dll

    Relevant Information


    © SonicWall 2020 | Privacy Policy | Conditions for use Version: 10.0