TrojanSpy.Win32.LOKI.TIOIBYQC

This Trojan Spy arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Arrival Details

This Trojan Spy arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan Spy creates the following folders:

• %User Temp%\shipped\vbscript
• %User Temp%\generic\em
• %System Root%\Users
• %User Temp%\generic
• %User Temp%\shipped
• %User Temp%\_images
• %AppDataLocal%\{username}
• %User Profile%\AppData

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %System Root% is the Windows root folder, where it usually is C:\ on all Windows operating system versions.. %AppDataLocal% is the Local Application Data folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name} on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

Other System Modifications

This Trojan Spy modifies the following file(s):

• %Windows%\win.ini

(Note: %Windows% is the Windows folder, where it usually is C:\Windows on all Windows operating system versions.)

Dropping Routine

This Trojan Spy drops the following files:

• %User Temp%\babes.dll
• %User Temp%\_images\iconv.m4
• %User Temp%\_images\vsslnui.dll
• %User Temp%\shipped\vbscript\am.ctb
• %User Temp%\generic\em\x-minolta-mrw.xml
• %User Temp%\Purpose
• %User Temp%\generic\em\libX11-xcb.so.1
• %User Temp%\shipped\vbscript\240-8,8.gif
• %User Temp%\_images\freq.h
• %User Temp%\shipped\vbscript\mathml+xml.xml
• %User Temp%\shipped\vbscript\RapiConfig.exe
• %User Temp%\_images\iso88592.pyc
• %User Temp%\shipped\vbscript\SecUtil.exe
• %User Temp%\shipped\vbscript\dexplore.exe
• %User Temp%\generic\em\makecert.exe
• %User Temp%\_images\bnx2x-e1-7.2.51.0
• %User Temp%\_images\htmlTable.xml
• %User Temp%\_images\Component-Cube04-Orange.svg
• %User Temp%\_images\libusb-1.0-0amd64.list
• %User Temp%\generic\em\Parse-DebianChangelog-Pod.mo
• %User Temp%\_images\8.opends60.dll
• %User Temp%\shipped\vbscript\enukbexcel2003.hxc
• %User Temp%\shipped\vbscript\sqladd10alinks.hxk
• %User Temp%\_images\combar.gif
• %User Temp%\_images\pos0.gif
• %User Temp%\shipped\vbscript\pagepanenosel.xml
• %User Temp%\_images\lregdll.dll

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

Other Details

This Trojan Spy connects to the following possibly malicious URL:

• http://{BLOCKED}o.top
• http://{BLOCKED}r.top
• http://{BLOCKED}e.top
• http://{BLOCKED}s.top
• http://{BLOCKED}dona.top
• http://{BLOCKED}orin.top
• http://{BLOCKED}d.top
• http://{BLOCKED}sfg.com

This report is generated via an automated analysis system.