Home / malware Trojan.Dogarat
First posted on 03 April 2015.
Source: SymantecAliases :
There are no other names known for Trojan.Dogarat.
Explanation :
When the Trojan is executed, it creates the following mutex to make sure only one instance of itself is running:
xws2_32
The Trojan creates the following files:
%Temp%~[COMPUTER NAME].tmp%Temp%\{2D93B73E-36B9-40C4-9FD8-93C067157A8F}%Temp%\[NAME OF COMPROMISED HOST]_p.ax%Temp%\{3B6654D0-C2C8-11D2-B313-00C04F79DC72}
The Trojan then connects to one or more of the following remote locations through TCP ports 443 and 8080 respectfully:
cache.dnsde.com10.215.10.16
The Trojan then opens a back door on the compromised computer, allowing an attacker to perform the following actions:
Download additional modulesGather system information such as computer name, timezone information, whether or not the user has administration privileges, or if the host process is running under wow64Last update 03 April 2015