
Trojan.Sofacy.C


First posted on 18 August 2015.
Source: Symantec

Aliases :

There are no other names known for Trojan.Sofacy.C.

Explanation :

Once executed, the Trojan creates the following files:
%Temp%\nvsdata.dat
%Temp%\nvgdata.dat
%System%\netui.dll
%Temp%\tmp.dat
The Trojan then creates the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\"id" = "[BINARY DATA]"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\"id" = "[BINARY DATA]"
HKEY_CLASSES_ROOT\CLSID\{61113868-6B5D-4195-8966-B26462B909FA}\InProcServer32\"[DEFAULT]" = "%System%\netui.dll"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\"{61113868-6B5D-4195-8966-B26462B909FA}" = "Network User Interface"
Next, the Trojan may gather account information found under the following registry subkey:
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts
The Trojan may also gather the following information from the compromised computer:
Account details stored in Internet Explorer
System information
The Trojan may then perform the following actions:
Log keystrokes
List files
Read and write to files
Delete files and directories
Read and write registry entries
List, create, and end processes
List available drives
Enumerate network shares
Execute commands through cmd.exe and save the results to %Temp%\tmp.dat
Download files
The Trojan then sends the stolen information to one or more of the following email addresses:
shjanashvili@mia.gov.ge
g.zaridze@mia.gov.ge
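A read-only host triage check for the registry and file artifacts listed above, added here as an example and not part of the Symantec writeup. It assumes an elevated PowerShell session on the host being examined; the function name Test-SofacyCArtifacts is an assumption of this example.

```powershell
# Added triage check: looks for the Trojan.Sofacy.C artifacts listed in the writeup above.
# Assumes an elevated PowerShell session on the host being examined; it only reads, nothing is removed.
function Test-SofacyCArtifacts {
    $clsid    = '{61113868-6B5D-4195-8966-B26462B909FA}'
    $findings = New-Object System.Collections.Generic.List[string]

    # Persistence: explorer.exe loads every CLSID listed under SharedTaskScheduler at logon,
    # so an entry for this CLSID is the strongest single indicator on the page.
    $stsKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler'
    if (Test-Path $stsKey) {
        $sts = Get-ItemProperty -Path $stsKey
        if ($sts.PSObject.Properties.Name -contains $clsid) {
            $findings.Add("SharedTaskScheduler lists $clsid = '$($sts.$clsid)'")
        }
    }

    # The COM registration that maps the CLSID to the dropped DLL.
    $comKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InProcServer32"
    if (Test-Path $comKey) {
        $server = (Get-ItemProperty -Path $comKey).'(default)'
        $findings.Add("CLSID $clsid InProcServer32 = '$server'")
    }

    # The binary 'id' value written under both Explorer keys.
    foreach ($key in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer',
                     'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer') {
        if (Test-Path $key) {
            $props = (Get-ItemProperty -Path $key).PSObject.Properties.Name
            if ($props -contains 'id') { $findings.Add("Value 'id' present under $key") }
        }
    }

    # Dropped files. %Temp% is per user, so only the current user's profile is covered here;
    # other profiles under C:\Users\*\AppData\Local\Temp need a separate pass.
    $files = @(
        (Join-Path $env:TEMP 'nvsdata.dat'),
        (Join-Path $env:TEMP 'nvgdata.dat'),
        (Join-Path $env:TEMP 'tmp.dat'),
        (Join-Path $env:SystemRoot 'System32\netui.dll')
    )
    foreach ($f in $files) {
        if (Test-Path -LiteralPath $f) {
            $h = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash
            $findings.Add("File present: $f (SHA256 $h)")
        }
    }
    return $findings
}

$result = Test-SofacyCArtifacts
if ($result.Count -eq 0) { 'No Trojan.Sofacy.C artifacts found.' } else { $result }
```

A hit on the SharedTaskScheduler or InProcServer32 entries should be followed by preserving the DLL and the %Temp%\tmp.dat command output before any cleanup, since tmp.dat records what the operator ran through cmd.exe.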

Last update 18 August 2015
