TrojanDownloader:Win32/Kraddare.G
First posted on 14 May 2013.
Source: Microsoft
Aliases:
TrojanDownloader:Win32/Kraddare.G is also known as Variant.Adware.Kraddare.4 (BitDefender), TR/Dldr.Delphi.Gen (Avira), Trojan-Downloader.Win32.Kraddare (Ikarus).
Explanation:
Installation
When run, TrojanDownloader:Win32/Kraddare.G attempts to download updated copies of itself from one of the following URLs:
- down.signkey.co.kr/<removed>.snk
- down.signkey.co.kr/<removed>.snk
The files are downloaded to %LOCALAPPDATA%\signkey with the following file names:
- iesignkey.exe
- ie_signkey.exe
- signkey.exe
- skun.exe
The malware modifies the following registry entry to ensure that its copy is run when Windows starts:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: signkey
With data: %LOCALAPPDATA%\signkey\signkey.exe
The malware also makes the following registry modification to serve as an infection marker:
In subkey: HKCU\Software\signkey
Sets value: User
With data: acc0e9de_<10 or 11-digit number>, for example acc0e9de_1479113141
It also modifies the following registry key that it uses to uninstall itself:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\signkey
Sets value: DisplayIcon
With data: %LOCALAPPDATA%\signkey\skun.exe,0
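The registry and file artifacts listed above can be turned into a simple triage check. The following is an added example (not Microsoft's code) that matches collected registry values and file paths against those artifacts; the record shape, the sample data and the assumption that paths are recorded with %LOCALAPPDATA% unexpanded (as in the description) are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Indicators taken from the Kraddare.G description above.
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
MARKER_KEY = r"HKCU\Software\signkey"
UNINSTALL_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\signkey"
DROP_DIR = r"%LOCALAPPDATA%\signkey"
DROPPED_FILES = {"iesignkey.exe", "ie_signkey.exe", "signkey.exe", "skun.exe"}
# Infection marker: "acc0e9de_" followed by a 10- or 11-digit number.
MARKER_RE = re.compile(r"^acc0e9de_\d{10,11}$")

@dataclass(frozen=True)
class RegValue:          # one collected registry value (hypothetical record shape)
    key: str
    name: str
    data: str

def check_registry(values):
    """Return (finding_kind, value) pairs for the persistence, marker and
    uninstall artifacts. Keys, names and paths compare case-insensitively."""
    findings = []
    for v in values:
        key, name, data = v.key.lower(), v.name.lower(), v.data.lower()
        if key == RUN_KEY.lower() and name == "signkey" \
                and data == (DROP_DIR + r"\signkey.exe").lower():
            findings.append(("persistence", v))
        elif key == MARKER_KEY.lower() and name == "user" and MARKER_RE.match(v.data):
            findings.append(("infection_marker", v))
        elif key == UNINSTALL_KEY.lower() and name == "displayicon" \
                and data.startswith((DROP_DIR + r"\skun.exe").lower()):
            findings.append(("uninstall_entry", v))
    return findings

def check_files(paths):
    """Return paths that sit in the drop directory with a dropped file name."""
    hits = []
    for p in paths:
        folder, _, name = p.rpartition("\\")
        if folder.lower() == DROP_DIR.lower() and name.lower() in DROPPED_FILES:
            hits.append(p)
    return hits

# Constructed sample data, not taken from a real system.
SAMPLE_VALUES = [
    RegValue(RUN_KEY, "signkey", r"%LOCALAPPDATA%\signkey\signkey.exe"),
    RegValue(RUN_KEY, "OneDrive", r"C:\Users\u\AppData\Local\OneDrive\OneDrive.exe"),
    RegValue(MARKER_KEY, "User", "acc0e9de_1479113141"),
    RegValue(MARKER_KEY, "User", "acc0e9de_12"),   # too short: not the marker format
    RegValue(UNINSTALL_KEY, "DisplayIcon", r"%LOCALAPPDATA%\signkey\skun.exe,0"),
]
SAMPLE_FILES = [r"%LOCALAPPDATA%\signkey\skun.exe", r"%LOCALAPPDATA%\other\skun.exe"]

if __name__ == "__main__":
    for kind, v in check_registry(SAMPLE_VALUES):
        print(kind, v.key, v.name, v.data)
    print(check_files(SAMPLE_FILES))
```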
Payload
Downloads other files, which may be other malware
TrojanDownloader:Win32/Kraddare.G attempts to contact the remote host at findlock.co.kr to download and install arbitrary programs, which may be other malware. Currently, we are unable to confirm the exact nature of the downloaded files.
Analysis by Hyun Choi
Last update 14 May 2013