
Trojan.Celptex


First posted on 12 July 2014.
Source: Symantec

Aliases :

There are no other names known for Trojan.Celptex.

Explanation :

Once executed, the Trojan creates the following files:
%Temp%\libcurl-4.dll
%Temp%\pthreadGC2.dll
%Temp%\zlib1.dll
It then creates the following alternate data streams (ADS):
%Temp%:rnd.dat
%Temp%:[RANDOM CHARACTERS].dat
%Temp%:pid1
%Temp%:pid2
The Trojan creates the following registry entries so that it runs whenever Windows starts:
%HKEY_LOCAL_MACHINE%\SOFTWARE\microsoft\windows\currentversion\run\"svchost:regsvr32 /s" = "%Temp%:[RANDOM CHARACTERS].dat"
%HKEY_LOCAL_MACHINE%\SOFTWARE\microsoft\windows\currentversion\run\"[LETTER A REPEATED]" = "1"
The Trojan then launches a new explorer.exe process and infects it with malicious code.

The infected explorer.exe process may then perform the following actions:
Carries out the following checks to make sure it is not running in a sandbox or on a virtual machine:
Checks for running debuggers
Checks for a number of keywords in the environment: SANDBOX, VIRUS, MALWARE, ANUBIS, MALWR
Checks for the presence of sbiedll.dll (used by some sandbox software)
Checks for the presence of procedures that would suggest the sample is running under Linux
Checks for the presence of registry keys related to VirtualBox/VMware/QEMU emulation software
The infected explorer.exe then creates the following mutexes:
[COMPUTER SPECIFIC VALUE]Pe
[COMPUTER SPECIFIC VALUE]le
[COMPUTER SPECIFIC VALUE]ltc
It also connects to the following remote location in order to check Internet connectivity:
http://www.google.com/search?q=google

The Trojan then gathers the following information from the compromised computer:
Windows version
Hostname
It then sends the gathered information to the following remote location:
[http://]207.12.89.163/inde[REMOVED]?product_id=[COMPUTER SPECIFIC VALUE]-FbsGEN&dispatch=[HOSTNAME]&target=[WINDOWS VERSION]&v=1&q=009

The Trojan will attempt to infect the explorer.exe process multiple times, causing multiple explorer.exe processes to be created on the compromised computer.

The Trojan will then attempt to inject the cpuminer application into explorer.exe in order to use the compromised computer for cryptocurrency mining.
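The two artefacts above that a defender can check for cheaply are the Run-key persistence (a value whose data is an NTFS alternate data stream under %Temp%, plus the repeated-letter marker value set to "1") and the beacon URL shape (product_id ending in -FbsGEN with dispatch, target, v=1 and q=009). The following is an added example, not Symantec's code or part of the original writeup: it runs those two checks over constructed sample data. The Run-key values, the proxy log lines, the client addresses, the product_id value and the request path are all made up for the example; only the 207.12.89.163 host and the query-parameter shape come from the writeup.

```python
"""Detection checks for the Trojan.Celptex persistence and beaconing
artefacts described in the writeup.  Added example code; all sample
inputs below are constructed, not captured data."""
import re
from urllib.parse import urlparse, parse_qs

# Host taken from the writeup's reporting URL.
KNOWN_C2_HOSTS = {"207.12.89.163"}

# Constructed sample of HKLM\...\CurrentVersion\Run values as
# (value name, value data) pairs: two in the shape the writeup describes,
# two benign ones.
SAMPLE_RUN_VALUES = [
    ("SecurityHealth", r"C:\Windows\system32\SecurityHealthSystray.exe"),
    ("svchost:regsvr32 /s", r"C:\Users\bob\AppData\Local\Temp:Hk2zq.dat"),
    ("AAAAAAAA", "1"),
    ("OneDrive", r"C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
]

# Constructed proxy log: "<timestamp> <client> <method> <url> <status>".
# The path "/path-placeholder" stands in for the redacted path in the writeup.
SAMPLE_PROXY_LOG = """\
2014-07-12T10:01:02Z 10.0.0.15 GET http://www.google.com/search?q=google 200
2014-07-12T10:01:05Z 10.0.0.15 GET http://207.12.89.163/path-placeholder?product_id=3f9a2c-FbsGEN&dispatch=WS-BOB&target=Win7&v=1&q=009 200
2014-07-12T10:02:11Z 10.0.0.22 GET http://example.com/?product_id=42&dispatch=orders 200
"""


def _executable_token(data: str) -> str:
    """Return the executable part of Run value data (quoted path or first token)."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split()[0] if data else ""


def is_ads_target(data: str) -> bool:
    """True when the executable path is file:stream (an alternate data stream).

    Heuristic: after dropping a leading drive letter ("C:"), a normal file
    path contains no colon, so any remaining colon separates the file from
    a stream name.  Works for both %Temp%:x.dat and the expanded path.
    """
    path = _executable_token(data)
    body = path[2:] if re.match(r"^[A-Za-z]:", path) else path
    return ":" in body and not body.startswith("\\\\")


def is_repeated_letter_name(name: str) -> bool:
    """True for names like 'AAAAAAAA': one letter repeated, length >= 2."""
    return len(name) >= 2 and name.isalpha() and len(set(name.upper())) == 1


def suspicious_run_values(values):
    """Return (name, data, reason) for each Run value matching the writeup's pattern."""
    hits = []
    for name, data in values:
        if is_ads_target(data):
            hits.append((name, data, "Run value executes an alternate data stream"))
        elif is_repeated_letter_name(name) and data.strip() == "1":
            hits.append((name, data, "repeated-letter marker value set to 1"))
    return hits


def looks_like_celptex_beacon(url: str) -> bool:
    """Match the query shape of the writeup's reporting URL, independent of host."""
    q = parse_qs(urlparse(url).query)
    product_id = q.get("product_id", [""])[0]
    return (product_id.endswith("-FbsGEN")
            and {"dispatch", "target", "v", "q"}.issubset(q)
            and q.get("v") == ["1"] and q.get("q") == ["009"])


def beacon_hits(log_text: str):
    """Return (client, url) for proxy lines hitting the known host or the beacon shape."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        client, url = parts[1], parts[3]
        host = urlparse(url).hostname
        if host in KNOWN_C2_HOSTS or looks_like_celptex_beacon(url):
            hits.append((client, url))
    return hits


if __name__ == "__main__":
    for hit in suspicious_run_values(SAMPLE_RUN_VALUES):
        print("registry:", hit)
    for hit in beacon_hits(SAMPLE_PROXY_LOG):
        print("network:", hit)
```

The registry check keys on the two structural tells rather than on the exact value name, since a variant can change "svchost:regsvr32 /s" but still has to execute from a stream to keep the payload out of a plain directory listing; the connectivity check against www.google.com is deliberately not flagged, as that request is indistinguishable from normal traffic. On a live host the same logic would be fed from the Run key and from a listing of streams on %Temp% (for example `Get-Item $env:TEMP -Stream *` in PowerShell) instead of the constructed lists.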

Last update 12 July 2014
