Trojan.Nancrat
First posted on 30 May 2014.
Source: Symantec
Aliases:
There are no other names known for Trojan.Nancrat.
Explanation:
When the Trojan is executed, it creates the following file:
%UserProfile%\Application Data\5A67D756-5897-45F9-A64B-4168421A5D5E\run.dat
The Trojan copies itself to one of the following locations:
%ProgramFiles%\DHCP Manager\dhcpmgr.exe
%ProgramFiles%\UDP Monitor\udpmon.exe
%ProgramFiles%\DNS Host\dnshost.exe
The Trojan creates the following registry entry so that it runs every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"DHCP Manger" = "%ProgramFiles%\DHCP Manager\dhcpmgr.exe"
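The file and registry artifacts listed above can be checked on a host with a read-only script. This is an added example, not part of the original write-up; using %APPDATA% for the run.dat folder, and also checking the "Program Files (x86)" root and the WOW6432Node Run key, are assumptions about how the listed paths resolve on 64-bit Windows.

```powershell
# Added example: read-only host check for the Trojan.Nancrat artifacts in this write-up.
# It reports what it finds and changes nothing. Run.dat is checked for the current user only.

# %UserProfile%\Application Data is %APPDATA% on XP and a junction to it on later Windows.
$runDat = Join-Path $env:APPDATA '5A67D756-5897-45F9-A64B-4168421A5D5E\run.dat'

# Self-copy locations from the write-up, relative to %ProgramFiles%.
$relCopies = 'DHCP Manager\dhcpmgr.exe', 'UDP Monitor\udpmon.exe', 'DNS Host\dnshost.exe'

# Assumption: a 32-bit process on 64-bit Windows sees "Program Files (x86)" as %ProgramFiles%.
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ } | Select-Object -Unique

$findings = @()
if (Test-Path -LiteralPath $runDat) {
    $findings += [pscustomobject]@{ Type = 'File'; Detail = $runDat }
}
foreach ($root in $roots) {
    foreach ($rel in $relCopies) {
        $path = Join-Path $root $rel
        if (Test-Path -LiteralPath $path) {
            $findings += [pscustomobject]@{ Type = 'File'; Detail = $path }
        }
    }
}

# Run key from the write-up, plus its 32-bit view (assumption, see lead-in).
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $item = Get-Item -LiteralPath $key
    foreach ($name in $item.GetValueNames()) {
        $data = [string]$item.GetValue($name)
        # Match the value name as spelled in the write-up ("DHCP Manger"), or any
        # autorun whose command line points at one of the three self-copy paths.
        $hit = $name -eq 'DHCP Manger' -or ($relCopies | Where-Object { $data -like "*\$_*" })
        if ($hit) {
            $findings += [pscustomobject]@{ Type = 'RunKey'; Detail = "$key\$name = $data" }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize -Wrap }
else { 'No Trojan.Nancrat artifacts from this write-up were found.' }
```

The directory and file names imitate legitimate network utilities, so a hit should be confirmed against the file's signature and origin before remediation.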
The Trojan gathers the following information from the compromised computer:
Computer name
CPU and RAM usage
Active window (the window the user has most recently interacted with)
IP address
Operating system information
The Trojan connects to a command-and-control (C&C) server and sends the gathered information to it.
NOTE: The attacker can select any URL they want and use it as their C&C server.
The Trojan opens a back door on the compromised computer, allowing an attacker to perform the following actions:
Transfer and execute files
Enter and execute commands
Edit the registry
Use the compromised computer as a proxy
Access the webcam
Access the microphone
View the desktop
Create instant message windows
Update the Trojan
Manage running processes

Last update 30 May 2014