Trojan:Win32/CrashOverride.A
First posted on 24 June 2017.
Source: Microsoft
Aliases:
There are no other names known for Trojan:Win32/CrashOverride.A.
Explanation:
Payload
Connects to a remote host
We have seen this threat connect to any of the following remote hosts (C2 server/ToR nodes):
It connects to a remote host to:
- Send information about the hardware profile, malware version
- Execute arbitrary commands and files
- Download files
- Copy files
- Start or stop a service
Creates the following mutex
We have seen this threat create the following mutex: “\Sessions\1\Windows\ApiPortection”
Manipulates a power control system without your consent
It also uses four different payload types to control switches and circuit breakers in an electric power control system. To do so, it implements the following protocols:
- IEC101
- IEC104
- IEC61850
Wipes data
It also has a data wiper component named haslo.dat, which can:
- Delete registry keys and files (this can render the system unusable)
- Overwrite files
Analysis by: Andrei Saygo
Last update: 24 June 2017