
Backdoor.Jolob


First posted on 28 February 2014.
Source: Symantec

Aliases:

There are no other names known for Backdoor.Jolob.

Explanation:

When the Trojan is executed, it drops the following file:
%SYSTEM%\Netfilter.dll

It registers the DLL as a service with the following registry keys:
HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\Network Access Management Agent\Security\"Security" = hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00...
HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\Network Access Management Agent\Parameters\"ServiceMain" = "ServiceMain"
HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\Network Access Management Agent\Parameters\"ServiceDll" = expand:"%SYSTEM%\Netfilter.dll"
HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\Network Access Management Agent\"Type" = dword:00000010
HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\Network Access Management Agent\"Start" = dword:00000002
HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\Network Access Management Agent\"ObjectName" = "LocalSystem"
HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\Network Access Management Agent\"ImagePath" = expand:"%SystemRoot%\system32\svchost.exe -k netsvcs"
HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\Network Access Management Agent\"ErrorControl" = dword:00000001
HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\Network Access Management Agent\"DisplayName" = "Network Access Management Agent"
HKEY_LOCAL_MACHINE\system\CurrentControlSet\Enum\Root\LEGACY_NETWORK_ACCESS_MANAGEMENT_AGENT\0000\"Service" = "Network Access Management Agent"
HKEY_LOCAL_MACHINE\system\CurrentControlSet\Enum\Root\LEGACY_NETWORK_ACCESS_MANAGEMENT_AGENT\0000\"Legacy" = dword:00000001
HKEY_LOCAL_MACHINE\system\CurrentControlSet\Enum\Root\LEGACY_NETWORK_ACCESS_MANAGEMENT_AGENT\0000\"DeviceDesc" = "Network Access Management Agent"
HKEY_LOCAL_MACHINE\system\CurrentControlSet\Enum\Root\LEGACY_NETWORK_ACCESS_MANAGEMENT_AGENT\0000\"ConfigFlags" = dword:00000000
HKEY_LOCAL_MACHINE\system\CurrentControlSet\Enum\Root\LEGACY_NETWORK_ACCESS_MANAGEMENT_AGENT\0000\"ClassGUID" = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
HKEY_LOCAL_MACHINE\system\CurrentControlSet\Enum\Root\LEGACY_NETWORK_ACCESS_MANAGEMENT_AGENT\0000\"Class" = "LegacyDriver"
HKEY_LOCAL_MACHINE\system\CurrentControlSet\Enum\Root\LEGACY_NETWORK_ACCESS_MANAGEMENT_AGENT\"NextInstance" = dword:00000001
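The persistence above is a classic svchost-hosted service: the ImagePath is svchost.exe -k netsvcs and the real payload is the Parameters\ServiceDll value. The following is an added example (not part of the Symantec writeup) that parses registry value lines in the format shown above and flags services whose ServiceDll or service name matches the Jolob indicators; the sample input is constructed, and Dnscache is included only as a benign negative case.

```python
import ntpath
import re

# Constructed sample in the key\"value" = data format used above; Dnscache is a benign
# svchost-hosted service included as the negative case.
SAMPLE = r'''
HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\Network Access Management Agent\Parameters\"ServiceDll" = expand:"%SYSTEM%\Netfilter.dll"
HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\Network Access Management Agent\"ImagePath" = expand:"%SystemRoot%\system32\svchost.exe -k netsvcs"
HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\Network Access Management Agent\"DisplayName" = "Network Access Management Agent"
HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\Dnscache\Parameters\"ServiceDll" = expand:"%SystemRoot%\System32\dnsrslvr.dll"
HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\Dnscache\"ImagePath" = expand:"%SystemRoot%\system32\svchost.exe -k NetworkService"
'''

# One line: HKLM\...\Services\<service>[\<subkey>]\"<value name>" = <data>
LINE_RE = re.compile(
    r'^HKEY_LOCAL_MACHINE\\system\\CurrentControlSet\\Services\\(?P<svc>[^\\]+)\\'
    r'(?:(?P<sub>[^\\"]+)\\)?"(?P<name>[^"]+)"\s*=\s*(?P<data>.*)$', re.IGNORECASE)

# Indicators taken from the writeup: the dropped DLL and the service/display name.
JOLOB_DLL = "netfilter.dll"
JOLOB_SERVICE = "network access management agent"

def clean_data(data):
    # Strip the expand: type prefix and surrounding quotes from a value's data.
    data = data.strip()
    if data.lower().startswith("expand:"):
        data = data[len("expand:"):]
    return data.strip('"')

def parse_services(text):
    # Group value lines by service into {service: {(subkey, value_name): data}}.
    services = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            key = (m.group("sub") or "", m.group("name"))
            services.setdefault(m.group("svc"), {})[key] = clean_data(m.group("data"))
    return services

def find_jolob_indicators(text):
    """Return {service: [reasons]} for services matching the Jolob registry footprint."""
    hits = {}
    for svc, values in parse_services(text).items():
        reasons = []
        image = values.get(("", "ImagePath"), "").lower()
        dll = values.get(("Parameters", "ServiceDll"), "")
        # svchost.exe loading the dropped DLL through Parameters\ServiceDll
        if "svchost.exe" in image and ntpath.basename(dll).lower() == JOLOB_DLL:
            reasons.append("svchost-hosted service loads " + dll)
        if JOLOB_SERVICE in (svc.lower(), values.get(("", "DisplayName"), "").lower()):
            reasons.append("service or display name matches the Jolob persistence entry")
        if reasons:
            hits[svc] = reasons
    return hits
```

On a live system the same checks apply to the output of a registry export of HKLM\SYSTEM\CurrentControlSet\Services, after normalising the line format to the one parsed here.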

It then connects to the following URLs and downloads instructions for execution:
http://cdn.5ljob.net
http://cdn.5job.net/6D0AB0F41

Last update 28 February 2014
