
Trojan:Win32/Cuffahlt.B


First posted on 20 April 2017.
Source: Microsoft

Aliases:

There are no other names known for Trojan:Win32/Cuffahlt.B.

Explanation:

Installation

This threat adds the following registry keys:

  • HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\D830B6B8939ACB4928401060203BB648456BB4F8
  • HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F53E693DDABF57A88A9B12B608B09B26C0608B74


It also modifies the following registry key:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Sets value: "cmdrun"
With data: "cmd.exe /C ipconfig /flushdns"

Payload

Reroutes network traffic

This threat adds two malicious root certificates and modifies the file dnsapi.dll, which allows it to reroute network traffic.

It can also modify the certificates of the following applications, among others:
  • Firefox
  • Opera
  • Thunderbird


This threat also creates the following folders and file:
  • \
  • \\
  • \\\.dat


It modifies the following file:
  • \dnsapi.dll
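As an added defender's check that is not part of Microsoft's write-up, the following PowerShell script looks on a host for the indicators listed above: the two root-certificate thumbprints, the RunOnce "cmdrun" value, and the signature state of dnsapi.dll. The System32 location of dnsapi.dll is an assumption, since the page does not give its directory.

```powershell
# Added detection example (not from the original write-up): read-only checks for
# the Trojan:Win32/Cuffahlt.B indicators listed on this page. Run elevated.

# Thumbprints from the page: the two root-store entries the threat adds.
$Thumbprints = @(
    'D830B6B8939ACB4928401060203BB648456BB4F8',
    'F53E693DDABF57A88A9B12B608B09B26C0608B74'
)

$Findings = @()

# 1. Root store: check both the registry path the threat writes and the
#    certificate provider view of the LocalMachine\Root store.
foreach ($tp in $Thumbprints) {
    $regPath = "HKLM:\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\$tp"
    if (Test-Path $regPath) {
        $Findings += "Root-store registry key present: $regPath"
    }
    $cert = Get-ChildItem -Path Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $tp }
    if ($cert) {
        $Findings += "Root certificate present: $tp ($($cert.Subject))"
    }
}

# 2. RunOnce: the 'cmdrun' value whose data flushes the DNS cache at next logon.
$runOnce = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce' `
                            -Name cmdrun -ErrorAction SilentlyContinue
if ($runOnce) {
    $Findings += "RunOnce value 'cmdrun' set to: $($runOnce.cmdrun)"
}

# 3. dnsapi.dll: the page says the threat modifies this file. A tampered copy will
#    normally fail Authenticode (catalog) verification; record its hash for triage.
#    The page gives no directory, so System32 is assumed here.
$dll = Join-Path $env:SystemRoot 'System32\dnsapi.dll'
if (Test-Path $dll) {
    $sig = Get-AuthenticodeSignature -FilePath $dll
    if ($sig.Status -ne 'Valid') {
        $hash = (Get-FileHash -Path $dll -Algorithm SHA256).Hash
        $Findings += "dnsapi.dll signature status '$($sig.Status)' (SHA256 $hash)"
    }
}

if ($Findings.Count -eq 0) {
    Write-Output 'No Cuffahlt.B indicators found.'
} else {
    Write-Output 'Possible Cuffahlt.B indicators:'
    $Findings | ForEach-Object { Write-Output "  - $_" }
}
```

A certificate hit should be confirmed against the store's expected contents before removal, and a failed dnsapi.dll signature check should be followed by comparison with a known-good copy from installation media or `sfc /verifyfile`.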




Analysis by Jody Koo

Last update 20 April 2017

 
