Multi-License Discount Quote

Change Region

English
Threat Database Worms Mogoogwi

Mogoogwi

By GoldSparrow in Worms

Threat Scorecard

Popularity Rank: 12,416
Threat Level: 50 % (Medium)
Infected Computers: 132
First Seen: March 20, 2015
Last Seen: June 8, 2026
OS(es) Affected: Windows

Mogoogwi is a cyber threat that falls into the category of worms and Mogoogwi can spread among computer by copying itself to removable devices, shared folders and spam emails. Worms such as Mogoogwi can be used to infected computer networks and collect information from numerous PCs as well as facilitate the incursion of other malware. You might be interested to know that the Mogoogwi worm is a standalone program that may appear with a random name and can employ an icon representing a video, image or text file. Mogoogwi can enter your system when you click on links in spam emails, and you download and open corrupted files. Also, an infected USB drive may carry the Mogoogwi payload and compromise the security of all PCs it connects to. However, users can avoid spam emails and install a renowned anti-malware solution as well as control what thumb drives they connect to their machine.

Analysis Report

General information

Family Name: Worm.Socks.A
Signature status: No Signature

Known Samples

MD5: 4e60ef6e972153937e33efe73c16736d
SHA1: 1e6f4b19653417a1771049076d06be9347f85bcc
SHA256: 0002B3B7C27C5D91320A2A07B92B9EE3AAA4ED0F9AF3A3834D908A6AA44E3A52
File Size: 1.10 MB, 1103077 bytes

Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have exports table
  • File doesn't have relocations information
  • File doesn't have resources
  • File doesn't have security information
  • File is 32-bit executable
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
Show More
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Traits

  • 2+ executable sections
  • big overlay
  • HighEntropy
  • MPRESS
  • MPRESS Win32
  • Native MPRESS x86
  • No Version Info
  • packed
  • x86

Block Information

Total Blocks: 2
Potentially Malicious Blocks: 0
Whitelisted Blocks: 2
Unknown Blocks: 0

Visual Map

0 0
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Similar Families

  • AutoHotkey.A
  • Bitcoinminer.R
  • MPRESS Packer
  • Strictor.A

Files Modified

File Attributes
c:\stop Generic Write,Read Attributes
c:\users\user\appdata\local\microsoft\windows\usrclass.dat{dba6b5ef-640a-11ed-9bcb-f677369d361c}.txr.0.regtrans-ms Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\microsoft\windows\usrclass.dat{dba6b5ef-640a-11ed-9bcb-f677369d361c}.txr.1.regtrans-ms Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\microsoft\windows\usrclass.dat{dba6b5ef-640a-11ed-9bcb-f677369d361c}.txr.2.regtrans-ms Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\ftp33.dll Generic Write,Read Attributes
c:\users\user\local settings\application data\cftmon.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\users\user\local settings\application data\cftmon.exe Generic Write,Read Attributes
c:\users\user\~31324.tmp Synchronize,Write Data
c:\windows\syswow64\drivers\spools.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\windows\syswow64\drivers\spools.exe Generic Write,Read Attributes
Show More
c:\windows\syswow64\ftp33.dll Generic Write,Read Attributes
c:\windows\syswow64\~3224.tmp Synchronize,Write Data

Registry Modifications

Key::Value Data API Name
HKLM\software\wow6432node\microsoft\windows nt\currentversion\winlogon::shell Explorer.exe RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\windows nt\currentversion\winlogon::uihost logonui.exe RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\windows nt\currentversion\winlogon::userinit C:\WINDOWS\system32\userinit.exe, RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe 뎪拘ǜ RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\run::ntuser C:\WINDOWS\system32\drivers\spools.exe RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\run::autoload C:\Users\Zrrafuru\Local Settings\Application Data\cftmon.exe RegNtPreCreateKey
HKLM\system\controlset001\services\schedule::imagepath C:\WINDOWS\system32\drivers\spools.exe RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\windows\currentversion\run::ntuser C:\WINDOWS\system32\drivers\spools.exe RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\windows\currentversion\run::autoload C:\Users\Zrrafuru\Local Settings\Application Data\cftmon.exe RegNtPreCreateKey
HKLM\software\classes\exefile\shell\open\command:: "%1" %* RegNtPreCreateKey
Show More
HKCU\software\microsoft\windows\currentversion\run::ntuser C:\WINDOWS\system32\drivers\spools.exe RegNtPreCreateKey

Windows API Usage

Category API
Process Manipulation Evasion
  • NtUnmapViewOfSection
Process Shell Execute
  • CreateProcess
Network Winsock2
  • WSAStartup
Network Winsock
  • bind
  • socket
Syscall Use
  • ntdll.dll!NtAccessCheck
  • ntdll.dll!NtAlertThreadByThreadId
  • ntdll.dll!NtAlpcAcceptConnectPort
  • ntdll.dll!NtAlpcConnectPortEx
  • ntdll.dll!NtAlpcCreatePort
  • ntdll.dll!NtAlpcOpenSenderProcess
  • ntdll.dll!NtAlpcQueryInformation
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtApphelpCacheControl
  • ntdll.dll!NtAssociateWaitCompletionPacket
Show More
  • ntdll.dll!NtClearEvent
  • ntdll.dll!NtClose
  • ntdll.dll!NtConnectPort
  • ntdll.dll!NtCreateEvent
  • ntdll.dll!NtCreateFile
  • ntdll.dll!NtCreateKey
  • ntdll.dll!NtCreateMutant
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtCreateSemaphore
  • ntdll.dll!NtCreateThreadEx
  • ntdll.dll!NtDeleteValueKey
  • ntdll.dll!NtDeviceIoControlFile
  • ntdll.dll!NtDuplicateObject
  • ntdll.dll!NtDuplicateToken
  • ntdll.dll!NtEnumerateKey
  • ntdll.dll!NtEnumerateValueKey
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtNotifyChangeKey
  • ntdll.dll!NtOpenDirectoryObject
  • ntdll.dll!NtOpenEvent
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenKeyEx
  • ntdll.dll!NtOpenMutant
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtOpenProcessTokenEx
  • ntdll.dll!NtOpenSection
  • ntdll.dll!NtOpenSemaphore
  • ntdll.dll!NtOpenThreadToken
  • ntdll.dll!NtOpenThreadTokenEx
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationThread
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQueryKey
  • ntdll.dll!NtQueryPerformanceCounter
  • ntdll.dll!NtQuerySecurityAttributesToken
  • ntdll.dll!NtQuerySecurityObject
  • ntdll.dll!NtQuerySystemInformation
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtQueryWnfStateData
  • ntdll.dll!NtReleaseMutant
  • ntdll.dll!NtReleaseSemaphore
  • ntdll.dll!NtReleaseWorkerFactoryWorker
  • ntdll.dll!NtRequestWaitReplyPort
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationKey
  • ntdll.dll!NtSetInformationProcess
  • ntdll.dll!NtSetInformationVirtualMemory
  • ntdll.dll!NtSetInformationWorkerFactory
  • ntdll.dll!NtSetTimer2
  • ntdll.dll!NtSubscribeWnfStateChange
  • ntdll.dll!NtTestAlert
  • ntdll.dll!NtTraceControl
  • ntdll.dll!NtUnmapViewOfSection
  • ntdll.dll!NtUnmapViewOfSectionEx
  • ntdll.dll!NtWaitForAlertByThreadId
  • ntdll.dll!NtWaitForMultipleObjects
  • ntdll.dll!NtWaitForSingleObject
  • ntdll.dll!NtWaitForWorkViaWorkerFactory
  • ntdll.dll!NtWaitLowEventPair
  • ntdll.dll!NtWorkerFactoryWorkerReady
  • ntdll.dll!NtWriteFile
  • UNKNOWN
Anti Debug
  • IsDebuggerPresent
User Data Access
  • GetUserObjectInformation
Network Wininet
  • InternetOpen

Shell Command Execution

reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f
c:\users\user\downloads\1e6f4b19653417a1771049076d06be9347f85bcc_0001103077
c:\users\user\downloads\1e6f4b19653417a1771049076d06be9347f85bcc_0001103077
c:\users\user\downloads\1e6f4b19653417a1771049076d06be9347f85bcc_0001103077
c:\users\user\downloads\1e6f4b19653417a1771049076d06be9347f85bcc_0001103077

Trending

Most Viewed

Loading...