Backdoor.Mapafes
First posted on 12 March 2015.
Source: Symantec
Aliases:
There are no other names known for Backdoor.Mapafes.
Explanation:
Once executed, the Trojan creates the following files:
%Temp%\lO25\sysinfo.log
%Temp%\lO25\fsc.tmp
%Temp%\[RANDOM CHARACTERS FILE NAME].tmp
The Trojan creates the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Configure\"Name" = "S^78ACC08836A6"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Configure\"CName" = "Soname"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RFC1156Agent\CurrentVersion\Parameters\"TrapPollTimeMilliSecs" = "3a98"
Next the Trojan connects to the following remote location through TCP port 8080:
220.73.173.111
The Trojan may also connect to the following remote location:
[http://]cstour.net/wizboard/table/recruit01/confi[REMOVED]
The Trojan may also create the following mutex:
A9DB83DB_A9FD_77D0_333666660000_MAPFS
The Trojan then opens a back door on the compromised computer, allowing an attacker to perform the following actions:
Upload, download, and execute files
Create directories
Parse directories and files
Execute commands
Load downloaded libraries in memory
Change the timestamp for downloaded files
Gather system information such as operating system type, network information, and date
The Trojan may also remove the following file:
%Windir%\system32\mfc80u.dll
Last update 12 March 2015
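The file, registry, network and mutex indicators listed above can be turned into a host-side detection check. The following is an added example, not part of the Symantec writeup: it matches simplified Sysmon-like event records (an assumed shape with "type", "path", "data", "dst_ip", "dst_port", "dst_host" and "name" fields) against the indicators from this page, and the sample events it scans are constructed, not real telemetry.

```python
# Added example, not from the Symantec writeup. Indicators are transcribed from the text above.
IOC_FILE_SUFFIXES = (r"\lO25\sysinfo.log", r"\lO25\fsc.tmp")
IOC_REGISTRY = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Configure\Name": "S^78ACC08836A6",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Configure\CName": "Soname",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RFC1156Agent\CurrentVersion\Parameters\TrapPollTimeMilliSecs": "3a98",
}
IOC_C2_ENDPOINT = ("220.73.173.111", 8080)
IOC_C2_DOMAIN = "cstour.net"
IOC_MUTEX = "A9DB83DB_A9FD_77D0_333666660000_MAPFS"


def match_event(ev):
    """Return a short label for the indicator this event matches, else None."""
    kind = ev.get("type")
    if kind == "file_create":
        # %Temp% expands differently per user, so compare only the fixed trailing part.
        path = ev["path"].lower()
        if any(path.endswith(s.lower()) for s in IOC_FILE_SUFFIXES):
            return "file:" + ev["path"]
    elif kind == "registry_set":
        # Registry paths are case-insensitive; the data must match exactly.
        for ioc_key, data in IOC_REGISTRY.items():
            if ev["path"].lower() == ioc_key.lower() and ev.get("data") == data:
                return "registry:" + ioc_key.rsplit("\\", 1)[1]
    elif kind == "network_connect":
        if (ev.get("dst_ip"), ev.get("dst_port")) == IOC_C2_ENDPOINT:
            return "c2_ip:%s:%d" % IOC_C2_ENDPOINT
        host = (ev.get("dst_host") or "").lower()
        if host == IOC_C2_DOMAIN or host.endswith("." + IOC_C2_DOMAIN):
            return "c2_domain:" + host
    elif kind == "mutex_create" and ev.get("name") == IOC_MUTEX:
        return "mutex:" + IOC_MUTEX
    return None


def scan(events):
    """Return [(event_index, label)] for every event that matches an indicator."""
    return [(i, m) for i, ev in enumerate(events) if (m := match_event(ev))]


# Constructed sample events (assumed event shape, not real telemetry); the last two are benign.
SAMPLE_EVENTS = [
    {"type": "file_create", "path": r"C:\Users\alice\AppData\Local\Temp\lO25\sysinfo.log"},
    {"type": "registry_set", "path": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Configure\CName", "data": "Soname"},
    {"type": "network_connect", "dst_ip": "220.73.173.111", "dst_port": 8080},
    {"type": "mutex_create", "name": "A9DB83DB_A9FD_77D0_333666660000_MAPFS"},
    {"type": "network_connect", "dst_ip": "198.51.100.7", "dst_port": 443, "dst_host": "example.com"},
    {"type": "file_create", "path": r"C:\Users\alice\AppData\Local\Temp\tmp1234.tmp"},
]
```

The random-name .tmp file and the per-user %Temp% prefix are deliberately not matched on their own, since they would fire on ordinary activity; the fixed lO25 directory, registry data, C2 endpoint and mutex name are the stable parts.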