Trojan.DownLoader27.23282

Technical Information

To ensure autorun and distribution

Sets the following service settings

[<HKLM>\System\CurrentControlSet\Services\NaveriskAgent] 'Start' = '00000002'
[<HKLM>\System\CurrentControlSet\Services\NaveriskAgent] 'ImagePath' = '"%ProgramFiles(x86)%\Naverisk\Agent\NAS.exe"'
[<HKLM>\System\CurrentControlSet\Services\NaveriskServiceMonitor] 'Start' = '00000002'
[<HKLM>\System\CurrentControlSet\Services\NaveriskServiceMonitor] 'ImagePath' = '"%ProgramFiles(x86)%\Naverisk\Agent\ServiceMonitor.exe" servicename=NaveriskAgent heartbeat=1000 checkinterval=1...
[<HKLM>\System\CurrentControlSet\Services\winvnc] 'ImagePath' = '%ProgramFiles(x86)%\Naverisk\Agent\Packages\RemoteControlPackage\WinVNC.exe -service'

Creates the following services

'NaveriskAgent' "%ProgramFiles(x86)%\Naverisk\Agent\NAS.exe"
'NaveriskAgent' %ProgramFiles(x86)%\Naverisk\Agent\NAS.exe
'NaveriskServiceMonitor' "%ProgramFiles(x86)%\Naverisk\Agent\ServiceMonitor.exe" servicename=NaveriskAgent heartbeat=1000 checkinterval=10000
'winvnc' %ProgramFiles(x86)%\Naverisk\Agent\Packages\RemoteControlPackage\WinVNC.exe -service

Malicious functions

Executes the following

'%WINDIR%\syswow64\taskkill.exe' /F /IM WinVNC.exe

Modifies file system

Creates the following files

%ALLUSERSPROFILE%\naverisk\logs\installer 2020-09-05.txt
%ProgramFiles(x86)%\naverisk\agent\packages\performancemonitorpackage\performancemonitorpackage.dll
%ALLUSERSPROFILE%\naverisk\logs\package_performancemonitor 2020-09-05.txt
%ProgramFiles(x86)%\naverisk\agent\packages\eventlogscanpackage\eventlogscanpackage.dll
%ALLUSERSPROFILE%\naverisk\logs\package_eventlogscan 2020-09-05.txt
%ProgramFiles(x86)%\naverisk\agent\packages\windowsupdatepackage\windowsupdatepackage.dll
%ALLUSERSPROFILE%\naverisk\logs\package_windowsupdatescan 2020-09-05.txt
%ProgramFiles(x86)%\naverisk\agent\packages\windowsupdatepackage\czipper.exe
%ProgramFiles(x86)%\naverisk\agent\packages\windowsupdatepackage\windowsupdate.zip
%ProgramFiles(x86)%\naverisk\agent\packages\windowsupdatepackage\windowsupdate\windowsupdate.exe
%ProgramFiles(x86)%\naverisk\agent\packages\remoteconsolepackage\remoteconsolepackage.dll
%ProgramFiles(x86)%\naverisk\agent\resources\icon_naverisk_tray_disconn.ico
%ALLUSERSPROFILE%\naverisk\logs\package_remoteconsole 2020-09-05.txt
%ALLUSERSPROFILE%\naverisk\logs\package_portmonitor 2020-09-05.txt
%ProgramFiles(x86)%\naverisk\agent\packages\filepackage\filepackage.dll
%ALLUSERSPROFILE%\naverisk\logs\package_fileexplorer 2020-09-05.txt
%ProgramFiles(x86)%\naverisk\agent\packages\remotecontrolpackage\remotecontrolpackage.dll
%ALLUSERSPROFILE%\naverisk\logs\package_remotecontrol 2020-09-05.txt
%ProgramFiles(x86)%\naverisk\agent\packages\remotecontrolpackage\package.cfg
%ProgramFiles(x86)%\naverisk\agent\packages\remotecontrolpackage\ultravnc.ini
%ProgramFiles(x86)%\naverisk\agent\packages\remotecontrolpackage\package.cfg.tmp
%ProgramFiles(x86)%\naverisk\agent\packages\remotecontrolpackage\killvnc.bat
%ProgramFiles(x86)%\naverisk\agent\packages\remotecontrolpackage\vnchooks.dll
%ALLUSERSPROFILE%\naverisk\logs\package_osscan 2020-09-05.txt
%ProgramFiles(x86)%\naverisk\agent\packages\operatingsystemscanpackage\package.cfg
%ProgramFiles(x86)%\naverisk\agent\packages\operatingsystemscanpackage\operatingsystemscanpackage.dll
%ProgramFiles(x86)%\naverisk\agent\packages\softwarescanpackage\package.cfg.tmp
%ProgramFiles(x86)%\naverisk\agent\packages\softwarescanpackage\package.cfg
%ProgramFiles(x86)%\naverisk\agent\nas.exe
%ALLUSERSPROFILE%\naverisk\agent\nas.cfg
%ALLUSERSPROFILE%\naverisk\logs\agent 2020-09-05.txt
%ALLUSERSPROFILE%\naverisk\agent\nas.cfg.tmp
%ProgramFiles(x86)%\naverisk\agent\servicemonitor.exe
%ALLUSERSPROFILE%\naverisk\logs\servicemonitor 2020-09-05.txt
%ProgramFiles(x86)%\naverisk\agent\trayclient.exe
%ALLUSERSPROFILE%\microsoft\windows\start menu\programs\startup\naverisk notification client.lnk
%ALLUSERSPROFILE%\naverisk\logs\navtray 2020-09-05.txt
%ALLUSERSPROFILE%\naverisk\trayclient\trayclient.cfg
%ProgramFiles(x86)%\naverisk\agent\packages\remotecontrolpackage\sas.dll
%ProgramFiles(x86)%\naverisk\agent\packages\portmonitorpackage\portmonitorpackage.dll
%ProgramFiles(x86)%\naverisk\agent\resources\icon_naverisk_tray_conn.ico
%ALLUSERSPROFILE%\naverisk\trayclient\icon_naverisk_tray_conn.ico
%ALLUSERSPROFILE%\naverisk\trayclient\icon_naverisk_tray_disconn.ico
%ALLUSERSPROFILE%\naverisk\trayclient\icon_naverisk_tray_rc.ico
%ALLUSERSPROFILE%\naverisk\trayclient\trayclient.cfg.tmp
%ALLUSERSPROFILE%\naverisk\agent\nas.cfg.bak
%ProgramFiles(x86)%\naverisk\agent\packages\hardwarescanpackage\hardwarescanpackage.dll
%ALLUSERSPROFILE%\naverisk\logs\package_hardwarescan 2020-09-05.txt
%ProgramFiles(x86)%\naverisk\agent\packages\hardwarescanpackage\package.cfg
%ProgramFiles(x86)%\naverisk\agent\packages\softwarescanpackage\softwarescanpackage.dll
%ALLUSERSPROFILE%\naverisk\logs\package_softwarescan 2020-09-05.txt
%ALLUSERSPROFILE%\naverisk\logs\zipper 2020-09-05.txt
%ProgramFiles(x86)%\naverisk\agent\resources\icon_naverisk_tray_rc.ico
%ProgramFiles(x86)%\naverisk\agent\packages\remotecontrolpackage\winvnc.exe

Deletes the following files

%ProgramFiles(x86)%\naverisk\agent\packages\remotecontrolpackage\killvnc.bat

Network activity

TCP

'cl####.naverisk.com':9202
'localhost':23873
'localhost':49174
'cl####.naverisk.com':8092

UDP

DNS ASK cl####.naverisk.com

Miscellaneous

Searches for the following windows

ClassName: '' WindowName: ''

Creates and executes the following

'%ProgramFiles(x86)%\naverisk\agent\nas.exe'
'%ProgramFiles(x86)%\naverisk\agent\servicemonitor.exe' servicename=NaveriskAgent heartbeat=1000 checkinterval=10000
'%ProgramFiles(x86)%\naverisk\agent\trayclient.exe'
'%ProgramFiles(x86)%\naverisk\agent\packages\windowsupdatepackage\czipper.exe' -u "%ProgramFiles(x86)%\Naverisk\Agent\Packages\WindowsUpdatePackage\WindowsUpdate.zip" "%ProgramFiles(x86)%\Naverisk\Agent\Packages\WindowsUpdatePackage\WindowsUpdate"
'%ProgramFiles(x86)%\naverisk\agent\packages\remotecontrolpackage\winvnc.exe' -service
'%ProgramFiles(x86)%\naverisk\agent\packages\remotecontrolpackage\winvnc.exe' -service_run

Executes the following

'%WINDIR%\syswow64\cmd.exe' /c cacls "%ALLUSERSPROFILE%\Naverisk\TrayClient\TrayClient.cfg*" /E /G "Users":f
'%WINDIR%\syswow64\cacls.exe' "%ALLUSERSPROFILE%\Naverisk\TrayClient\TrayClient.cfg*" /E /G "Users":f
'%WINDIR%\syswow64\cmd.exe' /c netsh advfirewall show global
'%WINDIR%\syswow64\netsh.exe' advfirewall show global
'%WINDIR%\syswow64\cmd.exe' /c netsh advfirewall show currentprofile
'%WINDIR%\syswow64\netsh.exe' advfirewall show currentprofile
'%WINDIR%\syswow64\cmd.exe' /c ""%ProgramFiles(x86)%\Naverisk\Agent\Packages\RemoteControlPackage\killvnc.bat" "

Tecnologie

Termini

Formazione ed informazione

Falsi miti

Technical Information

Curing recommendations

Free trial