Trojan.Injector.XGA

By CagedTech in Trojans

Analysis Report

General information

Family Name: Trojan.Injector.XGA
Signature status: No Signature

Known Samples

MD5: f03a0e704dd192a83f7040d5b5abeb04
SHA1: 5e0a7bd0cfad88c12e0bc8e40edb66fef1141ea3
SHA256: E18DAB46E833181E602D25970380AF3B78F64465BBA3F85D48459BBC27AE0EDF
File Size: 91.65 KB, 91648 bytes
MD5: d11ae0905796b4cb602299d133f9b915
SHA1: 826eeada56f9e813ce5ffbe135fdb72d4bcf61b0
SHA256: A82A395182DB0C85BC8DB28F7CFD8E2AC70CD452751A4751FC47FA28A2833A8B
File Size: 90.62 KB, 90624 bytes
MD5: 02086955a56a20d793a0e71697604154
SHA1: 5a3db198affd77badac767614c652b99aaede4d2
SHA256: 9DE2B5451B12A6A89FD6C8265D0764186FCE4C5CF5B2ED99C85F224E497A0AE5
File Size: 280.06 KB, 280064 bytes
MD5: bceff6faa9d8344509841d9776e6dc00
SHA1: 337fc13915a0eaadbb7254d409f25b75fc52f9d9
SHA256: B78FCC0CFE774E6E793856DBBBD5E45E57EDA66F745E19DE2EB730472303903A
File Size: 253.44 KB, 253440 bytes

Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have exports table
  • File doesn't have security information
  • File has TLS information
  • File is 32-bit executable
  • File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

Windows PE Version Information

Name Value
Company Name
  • 网际枪炮HelloCS.org
  • 长春龙翔
File Description
  • ADB端口占用清理小工具 (ADB port occupancy cleanup tool)
  • CS语音转换器 (CS voice converter)
File Version
  • 3. 0. 1. 0
  • 0. 0. 0. 0
Legal Copyright
  • 网际枪炮HelloCS.org
  • 长春龙翔
Product Name
  • ADB占用清理 (ADB occupancy cleanup)
  • CS语音转换器 (CS voice converter)
Product Version
  • 3. 0. 1. 0
  • 0. 0. 0. 0

File Traits

  • 2+ executable sections
  • No Version Info
  • x86

Block Information

Total Blocks: 495
Potentially Malicious Blocks: 4
Whitelisted Blocks: 491
Unknown Blocks: 0

Visual Map

0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x x 0 0 0 0 0 0 x x
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Similar Families

  • Trojan.Downloader.Gen.GF

Files Modified

File Attributes
\device\namedpipe Generic Read,Write Attributes
\device\namedpipe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\5267cf7.bat Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\5267cf7.bat Synchronize,Write Attributes
c:\users\user\appdata\local\temp\544f43a.bat Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\544f43a.bat Synchronize,Write Attributes
c:\users\user\appdata\local\temp\6088d5a.bat Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\6088d5a.bat Synchronize,Write Attributes
c:\users\user\appdata\local\temp\711b878.bat Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\711b878.bat Synchronize,Write Attributes

Registry Modifications

Key::Value Data API Name
HKLM\software\wow6432node\microsoft\rfc1156agent\currentversion\parameters::trappolltimemillisecs RegNtPreCreateKey

Windows API Usage

Category API
Process Shell Execute
  • CreateProcess
  • WriteConsole
Syscall Use
  • ntdll.dll!NtAccessCheck
  • ntdll.dll!NtAddAtomEx
  • ntdll.dll!NtAlertThreadByThreadId
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtApphelpCacheControl
  • ntdll.dll!NtClearEvent
  • ntdll.dll!NtClose
  • ntdll.dll!NtConnectPort
  • ntdll.dll!NtCreateEvent
  • ntdll.dll!NtCreateFile
  • ntdll.dll!NtCreateMutant
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtCreateSemaphore
  • ntdll.dll!NtDuplicateObject
  • ntdll.dll!NtDuplicateToken
  • ntdll.dll!NtEnumerateKey
  • ntdll.dll!NtEnumerateValueKey
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenKeyEx
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtOpenProcessTokenEx
  • ntdll.dll!NtOpenSection
  • ntdll.dll!NtOpenSemaphore
  • ntdll.dll!NtOpenThreadTokenEx
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryInformationFile
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationThread
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQueryKey
  • ntdll.dll!NtQueryLicenseValue
  • ntdll.dll!NtQueryPerformanceCounter
  • ntdll.dll!NtQuerySecurityAttributesToken
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtQueryWnfStateData
  • ntdll.dll!NtReadFile
  • ntdll.dll!NtReleaseMutant
  • ntdll.dll!NtReleaseSemaphore
  • ntdll.dll!NtReleaseWorkerFactoryWorker
  • ntdll.dll!NtRequestWaitReplyPort
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationKey
  • ntdll.dll!NtSetInformationProcess
  • ntdll.dll!NtSetInformationVirtualMemory
  • ntdll.dll!NtSubscribeWnfStateChange
  • ntdll.dll!NtTestAlert
  • ntdll.dll!NtTraceControl
  • ntdll.dll!NtUnmapViewOfSection
  • ntdll.dll!NtUnmapViewOfSectionEx
  • ntdll.dll!NtWaitForAlertByThreadId
  • ntdll.dll!NtWaitForSingleObject
  • ntdll.dll!NtWaitForWorkViaWorkerFactory
  • ntdll.dll!NtWaitLowEventPair
  • ntdll.dll!NtWorkerFactoryWorkerReady
  • ntdll.dll!NtWriteFile
  • ntdll.dll!NtWriteVirtualMemory
  • win32u.dll!NtGdiAnyLinkedFonts
  • win32u.dll!NtGdiBitBlt
  • win32u.dll!NtGdiCreateBitmap
  • win32u.dll!NtGdiCreateCompatibleBitmap
  • win32u.dll!NtGdiCreateCompatibleDC
  • win32u.dll!NtGdiCreateDIBitmapInternal
  • win32u.dll!NtGdiCreateRectRgn
  • win32u.dll!NtGdiCreateSolidBrush
  • win32u.dll!NtGdiDeleteObjectApp
  • win32u.dll!NtGdiDoPalette
  • win32u.dll!NtGdiDrawStream
  • win32u.dll!NtGdiExtGetObjectW
  • win32u.dll!NtGdiExtTextOutW
  • win32u.dll!NtGdiFontIsLinked
  • win32u.dll!NtGdiGetCharABCWidthsW
  • win32u.dll!NtGdiGetDCDword
  • win32u.dll!NtGdiGetDCforBitmap
  • win32u.dll!NtGdiGetDCObject
  • win32u.dll!NtGdiGetDeviceCaps
  • win32u.dll!NtGdiGetDIBitsInternal
  • win32u.dll!NtGdiGetEntry
  • win32u.dll!NtGdiGetFontData
  • win32u.dll!NtGdiGetGlyphIndicesW
  • win32u.dll!NtGdiGetOutlineTextMetricsInternalW
  • win32u.dll!NtGdiGetRandomRgn
  • win32u.dll!NtGdiGetRealizationInfo
  • win32u.dll!NtGdiGetTextFaceW
  • win32u.dll!NtGdiGetTextMetricsW
  • win32u.dll!NtGdiGetWidthTable
  • win32u.dll!NtGdiHfontCreate
  • win32u.dll!NtGdiIntersectClipRect
  • win32u.dll!NtGdiQueryFontAssocInfo
  • win32u.dll!NtGdiRestoreDC
  • win32u.dll!NtGdiSaveDC
  • win32u.dll!NtGdiSelectBitmap
  • win32u.dll!NtGdiSetDIBitsToDeviceInternal
  • win32u.dll!NtGdiSetLayout
  • win32u.dll!NtGdiStretchDIBitsInternal

61 additional items are not displayed above.

Anti Debug
  • IsDebuggerPresent
User Data Access
  • GetUserObjectInformation
Process Terminate
  • TerminateProcess
Process Manipulation Evasion
  • NtUnmapViewOfSection
Network Winsock2
  • WSAStartup
Other Suspicious
  • AdjustTokenPrivileges

Shell Command Execution

cmd.exe /c ""C:\Users\Qqpvwgzw\AppData\Local\Temp\6088D5A.bat" "c:\users\user\downloads\5e0a7bd0cfad88c12e0bc8e40edb66fef1141ea3_0000091648""
WriteConsole:
WriteConsole: c:\users\user\do
WriteConsole: IF
WriteConsole: EXIST "C:\Progra
WriteConsole: (
WriteConsole: Copy
WriteConsole: "c:\Users\user\
WriteConsole: )
WriteConsole: Else
WriteConsole: (
WriteConsole: Copy
WriteConsole: "c:\Users\user\
WriteConsole: )
WriteConsole:
WriteConsole: The system canno
WriteConsole:
WriteConsole: c:\users\user\do
WriteConsole: taskkill
WriteConsole: /F /IM drwebscd
WriteConsole:
C:\WINDOWS\system32\taskkill.exe taskkill /F /IM drwebscd.exe
WriteConsole: ERROR: CoInitial
WriteConsole:
WriteConsole: c:\users\user\do
WriteConsole: regsvr32.exe
WriteConsole: /u /s "c:\Users
WriteConsole:
C:\WINDOWS\system32\regsvr32.exe regsvr32.exe /u /s "c:\Users\user\downloads\\program files\DrWeb\drwsxtn.dll"
WriteConsole:
WriteConsole: c:\users\user\do
WriteConsole: "program files\n
WriteConsole: regdelkey "HKLM
WriteConsole:
WriteConsole: The system canno
WriteConsole:
WriteConsole: c:\users\user\do
WriteConsole: "program files\n
WriteConsole: regdelkey "HKLM
WriteConsole:
WriteConsole: The system canno
WriteConsole:
WriteConsole: c:\users\user\do
WriteConsole: "program files\n
WriteConsole: regdelkey "HKLM
WriteConsole:
WriteConsole: The system canno
WriteConsole:
WriteConsole: c:\users\user\do
WriteConsole: "program files\n
WriteConsole: regdelkey "HKLM
WriteConsole:
WriteConsole: The system canno
WriteConsole:
WriteConsole: c:\users\user\do
WriteConsole: "program files\n
WriteConsole: regdelval "HKLM
WriteConsole:
WriteConsole: The system canno
WriteConsole:
WriteConsole: c:\users\user\do
WriteConsole: "program files\n
WriteConsole: regdelkey "HKLM
WriteConsole:
WriteConsole: The system canno
WriteConsole:
WriteConsole: c:\users\user\do
WriteConsole: "program files\n
WriteConsole: regdelkey "HKLM
WriteConsole:
WriteConsole: The system canno
WriteConsole:
WriteConsole: c:\users\user\do
WriteConsole: "program files\n
WriteConsole: regdelkey "HKLM
WriteConsole:
WriteConsole: The system canno
WriteConsole:
WriteConsole: c:\users\user\do
WriteConsole: "program files\n
WriteConsole: regdelkey "HKCU
WriteConsole:
WriteConsole: The system canno
WriteConsole:
WriteConsole: c:\users\user\do
WriteConsole: "program files\n
WriteConsole: regdelval "HKLM
WriteConsole:
WriteConsole: The system canno
WriteConsole:
WriteConsole: c:\users\user\do
WriteConsole: "program files\n
WriteConsole: execmd del "~$f
WriteConsole:
WriteConsole: The system canno
WriteConsole:
WriteConsole: c:\users\user\do
WriteConsole: "program files\d
WriteConsole: /remove
WriteConsole:
WriteConsole: The system canno
cmd.exe /c ""C:\Users\Skltzijt\AppData\Local\Temp\544F43A.bat" "c:\users\user\downloads\826eeada56f9e813ce5ffbe135fdb72d4bcf61b0_0000090624""
C:\WINDOWS\system32\net.exe net use Z: /persistent:yes \\accserver\account
WriteConsole: Access is denied
WriteConsole: 'expressi' is no
C:\WINDOWS\system32\net.exe net use Z: /delete
cmd.exe /c ""C:\Users\Rkgzqghz\AppData\Local\Temp\5267CF7.bat" "c:\users\user\downloads\5a3db198affd77badac767614c652b99aaede4d2_0000280064""
C:\WINDOWS\system32\NETSTAT.EXE netstat -ano
C:\WINDOWS\system32\findstr.exe findstr "5037"
cmd.exe /c ""C:\Users\Ytunurbm\AppData\Local\Temp\711B878.BAT" "c:\users\user\downloads\337fc13915a0eaadbb7254d409f25b75fc52f9d9_0000253440""
