Trojan.MSIL.FakeMS.F

By CagedTech in Trojans

Threat Scorecard

Popularity Rank: 17,471
Threat Level: 80 % (High)
Infected Computers: 34
First Seen: November 9, 2021
Last Seen: September 8, 2025
OS(es) Affected: Windows

Analysis Report

General information

Family Name: Trojan.MSIL.FakeMS.F
Signature status: Root Not Trusted

Known Samples

MD5: c4c3924ea7227465b46e762ffb56646f
SHA1: 4ad8b3c3c9c86b8d9fa3c92338c55c830d94e5f1
SHA256: 449D5454F2FEA66390DDC8101E96DC561D587F47ECB7F144E41B2D9EBC56A852
File Size: 7.29 MB, 7285448 bytes

Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have exports table
  • File doesn't have relocations information
  • File is 32-bit executable
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

Digital Signatures

Signer Root Status
SecureW2 DigiCert Assured ID Root CA Root Not Trusted
SecureW2 DigiCert Assured ID Root CA Root Not Trusted

File Traits

  • .NET
  • Installer Version
  • x86

Files Modified

File Attributes
c:\users\user\appdata\local\temp\logo.png Generic Write,Read Attributes
c:\users\user\appdata\local\temp\logo.png Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsf4bbb.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete
c:\users\user\appdata\local\temp\nsv4bcc.tmp Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsv4bcc.tmp\system.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsv4bcc.tmp\system.dll Synchronize,Write Attributes
c:\users\user\appdata\local\temp\securew2.cloudconfig Generic Write,Read Attributes
c:\users\user\appdata\local\temp\securew2.cloudconfig Synchronize,Write Attributes
c:\users\user\appdata\local\temp\securew2_enterprise_client.exe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\securew2_enterprise_client.exe Synchronize,Write Attributes
c:\users\user\appdata\local\temp\securew2_joinnow.exe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\securew2_joinnow.exe Synchronize,Write Attributes
c:\users\user\appdata\local\temp\vpn-setup-v1.6.exe Generic Write,Read Attributes

Registry Modifications

Key::Value Data API Name
HKLM\software\microsoft\tracing\securew2joinnow::enablefiletracing  RegNtPreCreateKey
HKLM\software\microsoft\tracing\securew2joinnow::filetracingmask  RegNtPreCreateKey
HKLM\software\microsoft\tracing\securew2joinnow::enablefiletracing RegNtPreCreateKey
HKLM\software\microsoft\tracing\securew2joinnow::enableautofiletracing RegNtPreCreateKey
HKLM\software\microsoft\tracing\securew2joinnow::enableconsoletracing RegNtPreCreateKey
HKLM\software\microsoft\tracing\securew2joinnow::filetracingmask ￿ RegNtPreCreateKey
HKLM\software\microsoft\tracing\securew2joinnow::consoletracingmask ￿ RegNtPreCreateKey
HKLM\software\microsoft\tracing\securew2joinnow::maxfilesize  RegNtPreCreateKey
HKLM\software\microsoft\tracing\securew2joinnow::filedirectory %windir%\tracing RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\5.0\cache\content::cacheprefix RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\5.0\cache\cookies::cacheprefix Cookie: RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\5.0\cache\history::cacheprefix Visited: RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations \??\C:\Users\Mkbfetng\AppData\Local\Temp\nsv4BCC.tmp\ RegNtPreCreateKey

Windows API Usage

Category API
Process Manipulation Evasion
  • NtUnmapViewOfSection
Process Shell Execute
  • CreateProcess
Syscall Use
  • ntdll.dll!NtAlertThreadByThreadId
  • ntdll.dll!NtAlpcConnectPort
  • ntdll.dll!NtAlpcConnectPortEx
  • ntdll.dll!NtAlpcCreateResourceReserve
  • ntdll.dll!NtAlpcCreateSecurityContext
  • ntdll.dll!NtAlpcQueryInformation
  • ntdll.dll!NtAlpcQueryInformationMessage
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtAlpcSetInformation
  • ntdll.dll!NtApphelpCacheControl
  • ntdll.dll!NtAssociateWaitCompletionPacket
  • ntdll.dll!NtClose
  • ntdll.dll!NtCreateEvent
  • ntdll.dll!NtCreateFile
  • ntdll.dll!NtCreateIoCompletion
  • ntdll.dll!NtCreateKey
  • ntdll.dll!NtCreateMutant
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtCreateSemaphore
  • ntdll.dll!NtCreateTimer2
  • ntdll.dll!NtCreateWaitCompletionPacket
  • ntdll.dll!NtCreateWorkerFactory
  • ntdll.dll!NtDeviceIoControlFile
  • ntdll.dll!NtDuplicateObject
  • ntdll.dll!NtEnumerateKey
  • ntdll.dll!NtEnumerateValueKey
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtGetCompleteWnfStateSubscription
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtNotifyChangeKey
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenKeyEx
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtOpenSection
  • ntdll.dll!NtOpenSemaphore
  • ntdll.dll!NtOpenThreadToken
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryFullAttributesFile
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationThread
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQueryKey
  • ntdll.dll!NtQueryLicenseValue
  • ntdll.dll!NtQueryPerformanceCounter
  • ntdll.dll!NtQuerySecurityAttributesToken
  • ntdll.dll!NtQuerySystemInformationEx
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtQueryWnfStateData
  • ntdll.dll!NtReleaseMutant
  • ntdll.dll!NtReleaseSemaphore
  • ntdll.dll!NtReleaseWorkerFactoryWorker
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationKey
  • ntdll.dll!NtSetInformationProcess
  • ntdll.dll!NtSetInformationThread
  • ntdll.dll!NtSetInformationVirtualMemory
  • ntdll.dll!NtSetInformationWorkerFactory
  • ntdll.dll!NtSetValueKey
  • ntdll.dll!NtSubscribeWnfStateChange
  • ntdll.dll!NtTestAlert
  • ntdll.dll!NtTraceControl
  • ntdll.dll!NtTraceEvent
  • ntdll.dll!NtUnmapViewOfSectionEx
  • ntdll.dll!NtWaitForAlertByThreadId
  • ntdll.dll!NtWaitForSingleObject
  • ntdll.dll!NtWaitForWorkViaWorkerFactory
  • ntdll.dll!NtWorkerFactoryWorkerReady
  • ntdll.dll!NtWriteFile
  • ntdll.dll!NtWriteVirtualMemory
  • win32u.dll!NtUserGetKeyboardLayout
  • win32u.dll!NtUserGetThreadState
Network Wininet
  • InternetOpen
Network Urlomon
  • URLDownloadToFile
Encryption Used
  • BCryptOpenAlgorithmProvider

Shell Command Execution

C:\Users\Mkbfetng\AppData\Local\Temp\SecureW2_JoinNow.exe -install
