
TrojanDownloader:JS/Crimace.A


First posted on 12 November 2016.
Source: Microsoft

Aliases:

There are no other names known for TrojanDownloader:JS/Crimace.A.

Explanation:

Arrival

This threat arrives as an attachment to spammed emails that pretend to be fax messages. It is a malicious Windows Script File (.WSF) contained within a password-protected RAR file attachment. The password is contained in the spammed email message.

When executed, this threat may show a fake message.

Payload

Downloads malware

This threat attempts to download and execute a file. The download link, path, and other information it needs for this download routine are contained in its configuration, which is embedded in the header of the script file.

We have seen it download and execute the following file, which is detected as Ransom:Win32/WinPlock.B:

%APPDATA%\Microsoft\Crypto\32mem.exe
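One way to hunt for the behaviour described above in endpoint telemetry, as an added example that is not part of the original write-up: it flags a script host running a .wsf file and any event touching the 32mem.exe path, and raises the severity when both occur on the same host. The event field names, host names and sample events are constructed assumptions.

```python
import re
from ntpath import basename  # Windows path rules on any OS

# %APPDATA% normally expands to C:\Users\<name>\AppData\Roaming
PAYLOAD = re.compile(r"\\appdata\\roaming\\microsoft\\crypto\\32mem\.exe$", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
WSF_ARG = re.compile(r"\.wsf(\"|\s|$)", re.I)

def classify(ev):
    """Label one event 'wsf_launch', 'payload_path' or None."""
    image = ev.get("image", "")
    if ev["type"] == "process":
        if basename(image).lower() in SCRIPT_HOSTS and WSF_ARG.search(ev.get("command_line", "")):
            return "wsf_launch"
        path = image
    else:  # file-creation event
        path = ev.get("target", "")
    return "payload_path" if PAYLOAD.search(path) else None

def triage(events):
    """Return (host, severity, label) findings for time-ordered events.
    A payload hit after a .wsf launch on the same host is 'high'."""
    wsf_hosts, findings = set(), []
    for ev in events:
        label = classify(ev)
        if label == "wsf_launch":
            wsf_hosts.add(ev["host"])
            findings.append((ev["host"], "low", label))
        elif label == "payload_path":
            sev = "high" if ev["host"] in wsf_hosts else "medium"
            findings.append((ev["host"], sev, label))
    return findings

# Constructed sample events; field names are hypothetical, map them to your telemetry.
SAMPLE = [
    {"host": "PC1", "type": "process", "image": r"C:\Windows\System32\wscript.exe",
     "command_line": r'wscript.exe "C:\Users\alice\AppData\Local\Temp\fax_message.wsf"'},
    {"host": "PC1", "type": "file", "image": r"C:\Windows\System32\wscript.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Microsoft\Crypto\32mem.exe"},
    {"host": "PC2", "type": "process",
     "image": r"C:\Users\bob\AppData\Roaming\Microsoft\Crypto\32mem.exe", "command_line": "32mem.exe"},
    {"host": "PC3", "type": "process", "image": r"C:\Windows\System32\cscript.exe",
     "command_line": r"cscript.exe C:\scripts\inventory.vbs"},
    {"host": "PC3", "type": "file", "image": r"C:\Windows\System32\lsass.exe",
     "target": r"C:\Users\carol\AppData\Roaming\Microsoft\Crypto\RSA\keyfile"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

A lone .wsf launch is rated low because legitimate scripts also use that extension; the path match is what ties a finding to this write-up.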





Analysis by Francis Tan Seng

Last update 12 November 2016

 
