Trojan:Win32/FoggyBrass.A!dha
First posted on 15 December 2017.
Source: Microsoft
Aliases:
There are no other names known for Trojan:Win32/FoggyBrass.A!dha.
Explanation:
Installation
It can create the following registry entry on your PC so that it runs at startup: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\HncChecker
Payload
Allows backdoor access and control
This threat can give a malicious hacker access and control of your PC. They can then perform a number of different actions, such as:
- Downloading and uploading files
- Enumerating files and folders
- Enumerating running processes
- Executing arbitrary commands
- Gathering system information such as IP address and computer name
All C2 communications take place over HTTP. Data is XOR-encoded and sent as form-data to ASP scripts, which are generally hosted on compromised web servers.
Connects to a remote host
We have seen this threat connect to a remote host, including the following C2 servers:
- http[:]//www.genesispure[.]kr/upload/main.php
- http[:]//www.boniel.co[.]kr/html/face/board.php
This malware description was published using the analysis of file SHA1 323258353c244b373c758906d88a2bf9663abf8d.
Last update 15 December 2017