
Downloader.Eitenckay


First posted on 24 March 2015.
Source: Symantec

Aliases:

There are no other names known for Downloader.Eitenckay.

Explanation:

When the Trojan is executed, it downloads the following files:
%Temp%\[SAMPLE NAME].exe
%CurrentFolder%\[RANDOM CHARACTERS]
%Temp%\{[RANDOM NUMBERS]}\[RANDOM FILE NAME].ppt
%Temp%\~E8BA34~.tmp

The Trojan creates the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Adobe Flash" = "%System%\msflash.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"daumAgent" = "%System%\msflash.exe"

The Trojan displays a PowerPoint document to trick the user into believing the Trojan is not malicious.

The Trojan drops and runs a malicious payload in the following location:
%System%\msflash.exe

The Trojan may contact one of the following URLs:
[http://]www.syenergy.co.kr/admin/data/member/1/inde[REMOVED]
[http://]www.syenergy.co.kr/admin/data/member/1/inde[REMOVED]

The Trojan may then download and run potentially malicious files.
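
The Run-key values and payload file name listed above can be checked against saved `reg query` output from a host under review. This is an added example, not part of the Symantec write-up; the function name, the constructed sample output, and the choice to flag msflash.exe in any folder (not only %System%) are assumptions.

```python
import ntpath
import re

# Indicators taken from the write-up; everything else here is illustrative.
RUN_KEY_SUFFIX = r"\software\microsoft\windows\currentversion\run"
VALUE_NAMES = {"adobe flash", "daumagent"}
PAYLOAD = "msflash.exe"

# A value line in `reg query` output: name, type and data separated by 4 spaces.
VALUE_LINE = re.compile(r"^ {4}(?P<name>.+?) {4}(?P<type>REG_\w+) {4}(?P<data>.*)$")
# Executable path at the start of the data, quoted or not, arguments ignored.
EXE_PATH = re.compile(r'^"?(?P<exe>[^"]*?\.exe)', re.IGNORECASE)


def find_run_key_matches(reg_query_output):
    """Return (key, value name, data, reasons) for Run values matching the write-up."""
    hits, key = [], None
    for line in reg_query_output.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()  # remember which key the following values belong to
            continue
        m = VALUE_LINE.match(line)
        if not m or key is None or not key.lower().endswith(RUN_KEY_SUFFIX):
            continue  # not a value line, or not under a Run key
        reasons = []
        if m["name"].strip().lower() in VALUE_NAMES:
            reasons.append("value name")
        exe = EXE_PATH.match(m["data"].strip())
        if exe and ntpath.basename(exe["exe"]).lower() == PAYLOAD:
            reasons.append("payload file name")
        if reasons:
            hits.append((key, m["name"], m["data"], reasons))
    return hits


# Constructed sample of `reg query` output (not taken from a real host).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    Adobe Flash    REG_SZ    C:\Windows\System32\msflash.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    daumAgent    REG_SZ    "C:\Windows\System32\msflash.exe" /s
    Updater    REG_SZ    C:\Users\a\AppData\Roaming\msflash.exe
"""

if __name__ == "__main__":
    for key, name, data, reasons in find_run_key_matches(SAMPLE):
        print(f"{key}\\{name} = {data}  [{', '.join(reasons)}]")
```

A hit on value name alone or file name alone is a lead to review, not a verdict; the reasons list shows which indicator matched.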

Last update 24 March 2015

 
