Home / malware Trojan:Win32/Dofoil.AB
First posted on 08 March 2018.
Source: MicrosoftAliases :
There are no other names known for Trojan:Win32/Dofoil.AB.
Explanation :
When run, this trojan drops an executable file—a randomly named copy of itself—into the %LOCALAPPDATA% folder.
To stay persistent, it creates a variably named registry entry:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value:
With data:
We have observed some samples of this trojan use names from the Uninstall key in the registry. This disguises the trojan registry entry as something created by another application.
This trojan connects to the following IP addresses, which appear to be proxies for connecting to the decentralized NameCoin network infrastructure:
It then attempts to connect to its command-and-control server located in the decentralized network:
- 139.59.208.246
- 142.0.68.13
- 103.253.12.18
- 62.112.8.85
- 69.164.196.21
- 107.150.40.234
- 162.211.64.20
- 217.12.210.54
- 89.18.27.34
- 193.183.98.154
- 51.255.167.0
- 91.121.155.13
- 87.98.175.85
- 185.97.7.7
vinik.bit
Analyzed samples of this trojan support the following backdoor commands:
- Connect to a certain IP address
- Disconnect from an IP address
- Download and execute file from a URL
- Stop malware
- Sleep for certain period
Last update 08 March 2018