Infostealer.Zanjif
First posted on 15 December 2015.
Source: Symantec
Aliases:
There are no other names known for Infostealer.Zanjif.
Explanation:
The Trojan may arrive on the compromised computer after being downloaded by other malicious files.
When the Trojan is executed, it creates the following files:
%Windir%\Microsoft.NET\Framework\v2.0.50727\hookmgr.sys
%UserProfile%\Application Data\Fantasy\sockix.exe
%UserProfile%\Application Data%\puris.txt
%UserProfile%\Application Data\win64.txt
%Temp%\aboliv.txt
%Temp%\bobs.txt
%CurrentFolder%\hookmgr
The Trojan creates the following registry entries (two HKCU Run values for user-level persistence, plus a kernel-mode service named hookmgr and its legacy device enumeration):
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Fantasy" = %USERAPPDATA%\Fantasy\sockix.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"SecurityCenter" = %USERAPPDATA%\FileZill\netw.exe
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hookmgr
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hookmgr\"Type" = 0x0012fd0c
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hookmgr\"ImagePath" = %Windir%\Microsoft.NET\Framework\v2.0.50727\hookmgr.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_HOOKMGR\0000\"Legacy" = 0x00000001
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_HOOKMGR\"NextInstance" = 0x00000001
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_HOOKMGR\0000\"ConfigFlags" = 0x00000000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_HOOKMGR\0000\"ClassGUID" = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_HOOKMGR\0000\"Class" = "LegacyDriver"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_HOOKMGR\0000\"Service" = "hookmgr"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_HOOKMGR\0000\"DeviceDesc" = "hookmgr"
Note that the "SecurityCenter" Run value points at %USERAPPDATA%\FileZill\netw.exe, a file that does not appear in the list of files created above; its presence should be checked separately.
The Trojan creates the following mutex:
ZANGIEF555555
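The file, registry and mutex indicators above can be swept for on a live host. The following triage script is an added example and is not Symantec's code; it assumes %UserProfile%\Application Data corresponds to $env:APPDATA on Vista and later, %Windir% to $env:SystemRoot and %Temp% to $env:TEMP, and it skips %CurrentFolder%\hookmgr because the Trojan's launch directory is not known. Run it from an elevated PowerShell prompt.

```powershell
# Added triage script (not from the Symantec writeup): sweeps a host for the
# Infostealer.Zanjif indicators listed on this page. Assumptions: %UserProfile%\
# Application Data maps to $env:APPDATA, %Windir% to $env:SystemRoot, %Temp% to $env:TEMP.

$hits = New-Object System.Collections.Generic.List[string]

# 1. Files the Trojan drops, plus netw.exe, which is referenced only by a Run value
$files = @(
    (Join-Path $env:SystemRoot 'Microsoft.NET\Framework\v2.0.50727\hookmgr.sys'),
    (Join-Path $env:APPDATA    'Fantasy\sockix.exe'),
    (Join-Path $env:APPDATA    'FileZill\netw.exe'),
    (Join-Path $env:APPDATA    'puris.txt'),
    (Join-Path $env:APPDATA    'win64.txt'),
    (Join-Path $env:TEMP       'aboliv.txt'),
    (Join-Path $env:TEMP       'bobs.txt')
)
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) {
        # Hash the file so the finding can be matched against other hosts or a sandbox
        $h = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash
        $hits.Add("file: $f sha256=$h")
    }
}

# 2. HKCU Run values used for user-level persistence
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
foreach ($name in 'Fantasy', 'SecurityCenter') {
    if ($run -and $run.PSObject.Properties[$name]) {
        $hits.Add("run value: $runKey\$name = $($run.$name)")
    }
}

# 3. The hookmgr kernel service and its legacy device enumeration under Enum\Root
foreach ($key in 'HKLM:\SYSTEM\CurrentControlSet\Services\hookmgr',
                 'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_HOOKMGR') {
    if (Test-Path -LiteralPath $key) {
        $img = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).ImagePath
        $suffix = if ($img) { " ImagePath=$img" } else { '' }
        $hits.Add("registry: $key$suffix")
    }
}

# 4. The mutex exists only while an instance is running, so this detects a live infection
try {
    $m = [System.Threading.Mutex]::OpenExisting('ZANGIEF555555')
    $m.Dispose()
    $hits.Add('mutex: ZANGIEF555555 is currently held by a running process')
} catch [System.Threading.WaitHandleCannotBeOpenedException] {
    # Mutex not present: no running instance (dropped files may still be on disk)
} catch [System.UnauthorizedAccessException] {
    $hits.Add('mutex: ZANGIEF555555 exists but could not be opened (access denied)')
}

if ($hits.Count -eq 0) {
    Write-Output 'No Infostealer.Zanjif indicators found.'
} else {
    Write-Output "Infostealer.Zanjif indicators found ($($hits.Count)):"
    $hits | ForEach-Object { Write-Output "  $_" }
}
```

The HKCU Run values are only visible for the user profile the script runs under, so on a multi-user machine run it as, or load the hive of, each user of interest. A present hookmgr service with a missing ImagePath file is still worth recording: the driver may have been removed while the service entry was left behind.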
The Trojan may steal the following information from the compromised computer and send it to a remote location:
HW ID
Threat version
Operating system version
Default web browser
List of installed security products
Mouse actions
Keystrokes
The Trojan may perform the following actions:
Restart the computer
Uninstall itself
Last update 15 December 2015