Trojan.Ferret

Security researchers have received reports of widespread DDoS attacks that seem to be associated with a new threat capable of launching devastating DDoS attacks on specific targets. PC security analysts have named this threat Trojan.Ferret and have noted that Trojan.Ferret has several features that make Trojan.Ferret particularly destructive. Trojan.Ferret is a severe threat infection that poses a serious threat both to websites affected by the DDoS attack and to businesses and people that rely on the stability of these websites.

Unraveling Trojan.Ferret

Trojan.Ferret was first detected and identified by malware researchers in Russia. Trojan.Ferret is a DDoS bot used to overload specific servers with requests using advanced techniques that are designed to prevent the targets from defending themselves. Trojan.Ferret is developed in Delphi and was probably written by criminals located in the Russian federation. Trojan.Ferret has anti-debugging features that may prevent researchers from launching Trojan.Ferret in a virtual machine, may modify its own code and uses UPX packing and process hollowing to make itself more difficult to detect, study and remove. Trojan.Ferret also uses advanced obfuscation techniques to disguise its strings and code from individuals attempting to conduct a study of Trojan.Ferret's features and structure. Trojan.Ferret may be used to launch DDoS attacks using several protocols, including HTTP, TCP and UDP floods. At the present, malware researchers are currently studying Trojan.Ferret and have only identified a handful of its command and control servers.

Protecting Yourself and Your Website from Trojan.Ferret Attacks

If you administrate a Web page, then DDoS bots like Trojan.Ferret present a significant threat to your bottom line. There are several ways in which you can protect your website from threat attacks involving Trojan.Ferret, that usually involve expanding your resources to make it too expensive, or time consuming to continue a prolonged attack and tracing the source of attacks in order to fight back. There are numerous services that offer protection from DDoS attacks. In fact, Google offers Web masters a free service known as Google Shield, which leverages Google's enormous resources to help website administrators that have to deal with attacks like those carried out by Trojan.Ferret.

Analysis Report

General information

Family Name:	Trojan.Ulise.Z
Signature status:	No Signature

Known Samples

i

Known Samples

This section lists other file samples believed to be associated with this family.

MD5: cd56ef1fd97ebf60d10d39b223eb1a80 SHA1: da8eb4a81231f878342cb3f6ac8b80640b0fba71 SHA256: 4A3D7E70F6FF7CC6A095AA866FEE134A5D267E4814C60C52C0E62BA115EC0AB2 File Size: 7.74 MB, 7744880 bytes

MD5: 9b180036ec59c245e2f9e65afb334367 SHA1: 9c7ecddb3b455a6e49a7bcf350c850c413356a9a SHA256: DACAD338B17B697F54C57139B9DE266E6B9C75CFCBFD23CEBCEAEC237CB1A176 File Size: 3.83 MB, 3828840 bytes

Windows Portable Executable Attributes

i

Windows Portable Executable Attributes

This section lists file attributes found within family samples. These attributes are extracted from the files’ Windows PE (Portable Executable) specification and various system flags. Portable Executable Attributes give malware researchers insight into a file’s functionality, executable details, platform and runtime environment.

• File doesn't have "Rich" header
• File doesn't have debug information
• File doesn't have exports table
• File doesn't have relocations information
• File doesn't have security information
• File is 32-bit executable
• File is either console or GUI application
• File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
• File is Native application (NOT .NET application)
• File is not packed

Show More

• IMAGE_FILE_DLL is not set inside PE header (Executable)
• IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Icons

i

File Icons

This section displays icon resources found within family samples. Malware often replicates icons commonly associated with legitimate software to mislead users into believing the malware is safe.

Windows PE Version Information

i

Windows PE Version Information

This section displays values and attributes that have been set in the Windows file version information data structure for samples within this family. To mislead users, malware actors often add fake version information mimicking legitimate software.

Name	Value
Comments	StringFileInfo: U.S. English
Company Name	AnyDesk Software GmbH WinZip Computing, Inc.
File Description	AnyDesk WinZip Executable
File Version	13.0 (32-bit) 8.0.12
Internal Name	WINZIP32.EXE
Legal Copyright	(C) 2022 AnyDesk Software GmbH Copyright (c) WinZip Computing, Inc. 1991-2000 - All Rights Reserved
Legal Trademarks	WinZip is a registered trademark of WinZip Computing, Inc
Original Filename	WINZIP32.EXE
Product Name	AnyDesk WinZip
Product Version	8.0 (3106) 8.0
W Z32. D L L	13,999
W Z I N E T32. D L L	3,999
W Z V I N F O. D L L	1,999

File Traits

• big overlay
• BINinO
• HighEntropy
• MZ (In Overlay)
• x86

Block Information

i

Block Information

During analysis, EnigmaSoft breaks file samples into logical blocks for classification and comparison with other samples. Blocks can be used to generate malware detection rules and to group file samples into families based on shared source code, functionality and other distinguishing attributes and characteristics. This section lists a summary of this block data, as well as its classification by EnigmaSoft. A visual representation of the block data is also displayed, where available.

Total Blocks:	190
Potentially Malicious Blocks:	12
Whitelisted Blocks:	178
Unknown Blocks:	0

Visual Map

x x x x x 0 x x 0 x x x x x 0 0 0 0 0 0 0 0 0 0 0 1 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 1 1 0 1 1 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0

0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Files Modified

i

Files Modified

This section lists files that were created, modified, moved and/or deleted by samples in this family. File system activity can provide valuable insight into how malware functions on the operating system.

File	Attributes
c:\users\user\appdata\local\temp\zb2025111653246710.bat	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\zb2025116105132594.bat	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\zbe2025111653246710.bat	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\zbe2025116105132594.bat	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\ze2025111653246710.tmp	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\ze2025116105132594.tmp	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\zx2025111653246710.xml	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\zx2025116105132594.xml	Generic Write,Read Attributes
c:\users\user\appdata\roaming\maintenance\apps\maintenance.exe	Generic Write,Read Attributes
c:\users\user\downloads\9c7ecddb3b455a6e49a7bcf350c850c413356a9a_0003828840	Synchronize,Write Data

Show More

c:\users\user\downloads\da8eb4a81231f878342cb3f6ac8b80640b0fba71_0007744880

Synchronize,Write Data

Registry Modifications

i

Registry Modifications

This section lists registry keys and values that were created, modified and/or deleted by samples in this family. Windows Registry activity can provide valuable insight into malware functionality. Additionally, malware often creates registry values to allow itself to automatically start and indefinitely persist after an initial infection has compromised the system.

Key::Value	Data	API Name
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect		RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	傟伋ǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	悥債伋ǜ	RegNtPreCreateKey

Show More

HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect		RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475		RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	⾧烽嚺ǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	榼焗嚺ǜ	RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475		RegNtPreCreateKey

Windows API Usage

i

Windows API Usage

This section lists Windows API calls that are used by the samples in this family. Windows API usage analysis is a valuable tool that can help identify malicious activity, such as keylogging, security privilege escalation, data encryption, data exfiltration, interference with antivirus software, and network request manipulation.

Category	API
User Data Access	GetComputerName GetUserName GetUserObjectInformation
Process Shell Execute	CreateProcess ShellExecute WriteConsole
Syscall Use	ntdll.dll!NtAccessCheck ntdll.dll!NtAlertThreadByThreadId ntdll.dll!NtAlpcSendWaitReceivePort ntdll.dll!NtApphelpCacheControl ntdll.dll!NtClearEvent ntdll.dll!NtClose ntdll.dll!NtConnectPort ntdll.dll!NtCreateEvent ntdll.dll!NtCreateFile ntdll.dll!NtCreateMutant Show More ntdll.dll!NtCreateSection ntdll.dll!NtCreateSemaphore ntdll.dll!NtDuplicateObject ntdll.dll!NtDuplicateToken ntdll.dll!NtEnumerateValueKey ntdll.dll!NtFreeVirtualMemory ntdll.dll!NtMapViewOfSection ntdll.dll!NtOpenFile ntdll.dll!NtOpenKey ntdll.dll!NtOpenKeyEx ntdll.dll!NtOpenProcessToken ntdll.dll!NtOpenProcessTokenEx ntdll.dll!NtOpenSection ntdll.dll!NtOpenSemaphore ntdll.dll!NtOpenThreadTokenEx ntdll.dll!NtProtectVirtualMemory ntdll.dll!NtQueryAttributesFile ntdll.dll!NtQueryInformationProcess ntdll.dll!NtQueryInformationThread ntdll.dll!NtQueryInformationToken ntdll.dll!NtQueryKey ntdll.dll!NtQueryPerformanceCounter ntdll.dll!NtQuerySecurityAttributesToken ntdll.dll!NtQueryValueKey ntdll.dll!NtQueryVirtualMemory ntdll.dll!NtQueryVolumeInformationFile ntdll.dll!NtQueryWnfStateData ntdll.dll!NtReleaseMutant ntdll.dll!NtReleaseSemaphore ntdll.dll!NtReleaseWorkerFactoryWorker ntdll.dll!NtRequestWaitReplyPort ntdll.dll!NtSetEvent ntdll.dll!NtSetInformationProcess ntdll.dll!NtSetInformationVirtualMemory ntdll.dll!NtSetInformationWorkerFactory ntdll.dll!NtSubscribeWnfStateChange ntdll.dll!NtTestAlert ntdll.dll!NtTraceControl ntdll.dll!NtUnmapViewOfSection ntdll.dll!NtUnmapViewOfSectionEx ntdll.dll!NtWaitForAlertByThreadId ntdll.dll!NtWaitForSingleObject ntdll.dll!NtWaitForWorkViaWorkerFactory ntdll.dll!NtWaitLowEventPair ntdll.dll!NtWorkerFactoryWorkerReady ntdll.dll!NtWriteFile UNKNOWN
Anti Debug	IsDebuggerPresent
Process Terminate	TerminateProcess
Process Manipulation Evasion	NtUnmapViewOfSection

Shell Command Execution

i

Shell Command Execution

This section lists Windows shell commands that are run by the samples in this family. Windows Shell commands are often leveraged by malware for nefarious purposes and can be used to elevate security privileges, download and launch other malware, exploit vulnerabilities, collect and exfiltrate data, and hide malicious activity.

open C:\Users\Jkogoevh\AppData\Local\Temp\zbe2025116105132594.bat

open C:\Users\Jkogoevh\AppData\Local\Temp\zb2025116105132594.bat

C:\WINDOWS\system32\schtasks.exe Schtasks.Exe /delete /tn "Maintenance" /f

WriteConsole: Access is denied

C:\WINDOWS\system32\schtasks.exe Schtasks.Exe /create /tn "Maintenance" /xml "C:\Users\Jkogoevh\AppData\Local\Temp\zx2025116105132594.xml"

Show More

WriteConsole: Access is denied

C:\WINDOWS\system32\chcp.com chcp 1251

WriteConsole: Active code page

WriteConsole: 1 file(s

C:\WINDOWS\system32\timeout.exe timeout /t 3 /nobreak

WriteConsole: Waiting for 3

WriteConsole: seconds, press

WriteConsole: 0832

WriteConsole: 0831

WriteConsole: 0830

WriteConsole:

WriteConsole: The batch file c

open C:\Users\Isnqszxu\AppData\Local\Temp\zbe2025111653246710.bat

open C:\Users\Isnqszxu\AppData\Local\Temp\zb2025111653246710.bat

C:\WINDOWS\system32\schtasks.exe Schtasks.Exe /create /tn "Maintenance" /xml "C:\Users\Isnqszxu\AppData\Local\Temp\zx2025111653246710.xml"