
Trojan.Dustky


First posted on 12 January 2016.
Source: Symantec

Aliases :

There are no other names known for Trojan.Dustky.

Explanation :

The Trojan may arrive through malicious email.

Once executed, the Trojan creates the following files:
%Temp%\[RANDOM DIGITS].exe
%Temp%\News.doc
The Trojan creates the following folder:
%Temp%\temps
The Trojan creates the following registry entry so that it runs every time Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"[RANDOM EIGHT CHARACTER FILE NAME].[RANDOM THREE CHARACTER FILE EXTENSION]" = "%Temp%\[RANDOM DIGITS].exe"
The Trojan connects to one or more of the following command and control (C&C) servers:
[http://]news.buybit.us
[http://]ksm5sksm5sksm5s.zzux.com
The Trojan then gathers the following information from the compromised computer and sends it to its C&C server:
Hostname
User name
Campaign ID
Unique ID
Operating system version
Installed security software
Malware version
Next, the Trojan logs keystrokes on the compromised computer and stores them in the following location before sending them to its C&C server:
%Temp%\temps
The Trojan may also download additional potentially malicious files.
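
A triage sketch built from the indicators listed above, added here as an example and not part of the Symantec write-up: it flags exported Run values that launch %Temp%\[RANDOM DIGITS].exe and DNS queries for the two listed C&C hosts. The function names, the sample data, the DNS log layout (timestamp, client, record type, name) and the expanded Temp path are assumptions.

```python
import re

# Indicators taken from the write-up above.
C2_HOSTS = {"news.buybit.us", "ksm5sksm5sksm5s.zzux.com"}

# Run value data: %Temp%\[RANDOM DIGITS].exe, unexpanded or expanded.
# Assumption: the expanded form uses the default per-user Temp location.
TEMP_DIGITS_EXE = re.compile(
    r'^"?(?:%temp%|[a-z]:\\users\\[^\\]+\\appdata\\local\\temp)\\\d+\.exe"?$',
    re.IGNORECASE,
)
# Run value name: eight-character name plus three-character extension.
NAME_8_3 = re.compile(r"^[^.\\]{8}\.[^.\\]{3}$")

def suspicious_run_entries(entries):
    """Return (name, confidence) for Run values that launch %Temp%\\<digits>.exe."""
    hits = []
    for name, data in entries:
        if TEMP_DIGITS_EXE.match(data.strip()):
            hits.append((name, "high" if NAME_8_3.match(name) else "medium"))
    return hits

def c2_lookups(dns_lines):
    """Return (client, host) for queries to a listed C&C host or a subdomain of one."""
    hits = []
    for line in dns_lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # skip malformed lines
        client, host = fields[1], fields[3].rstrip(".").lower()
        if any(host == c2 or host.endswith("." + c2) for c2 in C2_HOSTS):
            hits.append((client, host))
    return hits

# Constructed sample data (not from a real host).
RUN_ENTRIES = [
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("kq3vz81a.dat", r"C:\Users\alice\AppData\Local\Temp\48213377.exe"),
    ("Updater", r"%TEMP%\9912.exe"),
    ("Setup", r"%TEMP%\setup.exe"),
]
DNS_LOG = [
    "2016-01-12T09:14:02Z 10.0.0.23 A news.buybit.us.",
    "2016-01-12T09:14:05Z 10.0.0.23 A example.com",
    "2016-01-12T09:15:40Z 10.0.0.31 A KSM5SKSM5SKSM5S.zzux.com",
    "2016-01-12T09:16:00Z 10.0.0.31 A notnews.buybit.us.example.org",
]
print(suspicious_run_entries(RUN_ENTRIES), c2_lookups(DNS_LOG))
```

A "medium" hit matches only the data pattern; legitimate installers occasionally run from Temp, so confirm against the %Temp%\temps folder and News.doc before treating the host as compromised.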

Last update 12 January 2016

 
