TROJ_RODECAP.SM

The TROJ_RODECAP.SM Trojan is part of a dangerous malware attack. ESG security researchers have received reports of TROJ_RODECAP.SM attacks with a feature that has caught the attention of PC security researchers. Using spoofing to trick inexperienced computer users is a common tactic used by various types of malware threats and online scams. However, the TROJ_RODECAP.SM scam uses a technique known as header spoofing that has made TROJ_RODECAP.SM particularly effective at scamming inexperienced computer users. This is a technique that allows criminals to hide their attack, making it appear as if the attack is coming from a trusted source rather than from a malicious IP address. Security researchers consider that TROJ_RODECAP.SM is a severe threat to a computer's security that should be removed immediately with the help of a reliable, fully updated anti-malware application.

What is the Objective of a TROJ_RODECAP.SM Attack?

Header spoofing refers to a technique that makes it seem as if a URL belongs to a particular domain in order to hide the fact that it is connected with a malicious domain instead. While other spoofing techniques may modify the victim's operating system and files in their scam, the TROJ_RODECAP.SM attack involves a spoofing technique that modifies the network packet, adding a domain to the request header. Essentially, the TROJ_RODECAP.SM spoofing technique occurs before the server sends data once the malware infection has established a connection with the server. TROJ_RODECAP.SM connects to a malicious domain in Russia despite the fact that TROJ_RODECAP.SM makes it appear as if TROJ_RODECAP.SM establishes a connection with Google. TROJ_RODECAP.SM's spoofing may be used to trick network administrators and has been observed in other infections, including various high profile Trojans and remote access tools.

The Tricks Used by TROJ_RODECAP.SM to Infect a Computer

To prevent attacks involving the TROJ_RODECAP.SM, it is essential to use a reliable anti-malware application that is fully updated. It is also essential to avoid unsafe online content that may expose your computer to malware. Some examples of this type of content include websites containing malicious advertisements, file sharing networks, Web pages containing bogus pornographic material or promoting known scams such as online casinos or pharmacies. One typical way in which TROJ_RODECAP.SM infects a computer is through the use of fake video codecs or media players which are required to view fake online videos. Fortunately, TROJ_RODECAP.SM attacks can be removed by keeping your security software fully up to date and being smart when browsing the Web.

Analysis Report

General information

Family Name:	Trojan.Lamer.CB
Signature status:	No Signature

Known Samples

i

Known Samples

This section lists other file samples believed to be associated with this family.

MD5: 606575d399a2e5f260759fb2a1da9890 SHA1: c446ff39f3e649460af1cddc019b6fc6f6c9efa8 SHA256: DCBAFBD2BF75CF5675116CC7A3C3FE1B606B37550327D6BF80004D21A900B968 File Size: 46.59 KB, 46592 bytes

MD5: 9c482012e784e498c3a0b413c1749b1f SHA1: 29d2af4d7ab0d86280961054f73e19ca0a2328af SHA256: C4241D89C133229FD3013183E69A0C2A99CA7A421339ABFF27241E82E56E9079 File Size: 1.35 MB, 1347269 bytes

MD5: f8eba48004dbd3a1b77450e41d8ee954 SHA1: 67356b6218bae199e2f16967103f75e6e61f262f SHA256: 6E0F60D4DCDBB268F483320593CC8A32F7BA0E6446175AEBCFBF11E0256161FA File Size: 171.52 KB, 171520 bytes

MD5: c91cabc3b22bb4cc1287a3dc3c3943b9 SHA1: e258a6f78b3007d3a852409b210f29eefa7bca0f SHA256: 59A076A48E4DE7D35BF906240C4A386C218BBCF66631CB1A85DCB77ADD3F231F File Size: 21.50 KB, 21504 bytes

MD5: ed79ad25f793fa3188e31b18ccf8c5a1 SHA1: a3c5d4a0570593bf980719049d4d9f876d6e7ffb SHA256: B29B5B81C3B6ABACBB88C3E3C15D0ECAD403E123CACA79D74BF663CB63052E42 File Size: 22.02 KB, 22016 bytes

Show More

MD5: 6bdc05d55237a9785baadd371c6763f8 SHA1: 16b258fb7c4de962f76d73b51ea1a131ed4af45d SHA256: 004428FB11F24647291C4475052B59242C7A04FAAB9A598A3169D2B0A9355821 File Size: 22.02 KB, 22016 bytes

MD5: 31c890d7cfd3830a8d211e39a0c4bb38 SHA1: 0d6d7c77798aa9cce680c4eebb374a5bb4a6b50b SHA256: A77EC3392EC587C3FF6920D73217BB149B1624E250D3C1AE8ABD21847A489B3F File Size: 73.73 KB, 73728 bytes

MD5: 1befdb06a9b68d3cd820159e662ccf2f SHA1: 3f23e23c44aa01aedbd341d19a9feb79656d8c18 SHA256: 4EFE122EECF9A44402206454CDC7875CBCA731583EDA5277FC79294554660A41 File Size: 59.39 KB, 59392 bytes

Windows Portable Executable Attributes

i

Windows Portable Executable Attributes

This section lists file attributes found within family samples. These attributes are extracted from the files’ Windows PE (Portable Executable) specification and various system flags. Portable Executable Attributes give malware researchers insight into a file’s functionality, executable details, platform and runtime environment.

• File doesn't have "Rich" header
• File doesn't have debug information
• File doesn't have exports table
• File doesn't have relocations information
• File doesn't have security information
• File has been packed
• File is 32-bit executable
• File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
• File is either console or GUI application
• File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)

Show More

• File is Native application (NOT .NET application)
• File is not packed
• IMAGE_FILE_DLL is not set inside PE header (Executable)
• IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Icons

i

File Icons

This section displays icon resources found within family samples. Malware often replicates icons commonly associated with legitimate software to mislead users into believing the malware is safe.

Windows PE Version Information

i

Windows PE Version Information

This section displays values and attributes that have been set in the Windows file version information data structure for samples within this family. To mislead users, malware actors often add fake version information mimicking legitimate software.

Name	Value
Comments	A New Sierra installer for old Sierra games
Company Name	navitotal.com The Sierra Help Pages
File Description	A third party installer. UnLock Garmin Map Image
File Version	2,0,0,0 1.0.0 1,6,0,4 1,0,0,0
Internal Name	Garmin UnLocker Alternative
Legal Copyright	navitotal.com Octa/ERS_ © The Sierra Help Pages
Legal Trademarks	SHP is a trademark of The Sierra Help Pages
Product Name	Garmin UnLocker Alternative New Sierra Installer
Product Version	2.0.0.0 1,6,0,4 1,0,0,0

File Traits

• 2+ executable sections
• HighEntropy
• No Version Info
• packed
• x86

Block Information

i

Block Information

During analysis, EnigmaSoft breaks file samples into logical blocks for classification and comparison with other samples. Blocks can be used to generate malware detection rules and to group file samples into families based on shared source code, functionality and other distinguishing attributes and characteristics. This section lists a summary of this block data, as well as its classification by EnigmaSoft. A visual representation of the block data is also displayed, where available.

Total Blocks:	164
Potentially Malicious Blocks:	0
Whitelisted Blocks:	164
Unknown Blocks:	0

Visual Map

0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0

0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Similar Families

i

Similar Families

This section lists other families that share similarities with this family, based on EnigmaSoft’s analysis. Many malware families are created from the same malware toolkits and use the same packing and encryption techniques but uniquely extend functionality. Similar families may also share source code, attributes, icons, subcomponents, compromised and/or invalid digital signatures, and network characteristics. Researchers leverage these similarities to rapidly and effectively triage file samples and extend malware detection rules.

• HackKMS.TC
• Lamer.CA
• Lamer.CB
• Lamer.E
• St0rm.A

Show More

• Wpakill.A

Files Modified

i

Files Modified

This section lists files that were created, modified, moved and/or deleted by samples in this family. File system activity can provide valuable insight into how malware functions on the operating system.

File	Attributes
\device\namedpipe	Generic Read,Write Attributes
\device\namedpipe	Generic Write,Read Attributes
c:\1085.tmp\start.cmd	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\39c9.tmp\gmt.exe	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\39c9.tmp\gua.exe	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\39c9.tmp\unlock map directory.bat	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\3dff.tmp\alterar id anydesk (adm).cmd	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\542b.tmp\savetxt.bat	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\a88f.tmp\numerador de mp3.bat	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\bba4.tmp\ask4pdf.bat	Generic Read,Write Data,Write Attributes,Write extended,Append data

Show More

c:\users\user\appdata\local\temp\erro.vbs	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\files.txt	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nse573a.tmp	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete
c:\users\user\appdata\local\temp\nsu574a.tmp\aero.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsu574a.tmp\custom.ini	Synchronize,Write Data
c:\users\user\appdata\local\temp\nsu574a.tmp\modern-wizard.bmp	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsu574a.tmp\modern-wizard.bmp	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsu574a.tmp\nsdialogs.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsu574a.tmp\system.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\rgib5ed.tmp	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\rgib5ed.tmp	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\rgib988.tmp	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\rgib988.tmp	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\rgiba15.tmp	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\rgiba15.tmp	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\rgiba84.tmp	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\rgiba84.tmp	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\rgibae2.tmp	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\rgibae2.tmp	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\tmp4352$.tmp	Generic Write,Read Attributes,Delete
c:\users\user\flashapplog.txt	Generic Write,Read Attributes

Registry Modifications

i

Registry Modifications

This section lists registry keys and values that were created, modified and/or deleted by samples in this family. Windows Registry activity can provide valuable insight into malware functionality. Additionally, malware often creates registry values to allow itself to automatically start and indefinitely persist after an initial infection has compromised the system.

Key::Value	Data	API Name
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect		RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	⡈僷ǜ	RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475		RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	沕馆盏ǜ	RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75		RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75		RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475		RegNtPreCreateKey

Show More

HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75		RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	쨥ꈘ蕅ǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	籯퐦觏ǜ	RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\advanced inf setup\ie complist::ie.hkcuzoneinfo		RegNtPreCreateKey

Windows API Usage

i

Windows API Usage

This section lists Windows API calls that are used by the samples in this family. Windows API usage analysis is a valuable tool that can help identify malicious activity, such as keylogging, security privilege escalation, data encryption, data exfiltration, interference with antivirus software, and network request manipulation.

Category	API
Process Shell Execute	CreateProcess ShellExecuteEx WriteConsole
Anti Debug	IsDebuggerPresent
User Data Access	GetUserObjectInformation
Syscall Use	ntdll.dll!NtAccessCheck ntdll.dll!NtAlertThreadByThreadId ntdll.dll!NtAlpcSendWaitReceivePort ntdll.dll!NtApphelpCacheControl ntdll.dll!NtClearEvent ntdll.dll!NtClose ntdll.dll!NtConnectPort ntdll.dll!NtCreateEvent ntdll.dll!NtCreateFile ntdll.dll!NtCreateMutant Show More ntdll.dll!NtCreateSection ntdll.dll!NtCreateSemaphore ntdll.dll!NtDuplicateObject ntdll.dll!NtDuplicateToken ntdll.dll!NtEnumerateValueKey ntdll.dll!NtFreeVirtualMemory ntdll.dll!NtMapViewOfSection ntdll.dll!NtOpenFile ntdll.dll!NtOpenKey ntdll.dll!NtOpenKeyEx ntdll.dll!NtOpenProcessToken ntdll.dll!NtOpenProcessTokenEx ntdll.dll!NtOpenSection ntdll.dll!NtOpenSemaphore ntdll.dll!NtOpenThreadTokenEx ntdll.dll!NtProtectVirtualMemory ntdll.dll!NtQueryAttributesFile ntdll.dll!NtQueryInformationProcess ntdll.dll!NtQueryInformationThread ntdll.dll!NtQueryInformationToken ntdll.dll!NtQueryKey ntdll.dll!NtQueryPerformanceCounter ntdll.dll!NtQuerySecurityAttributesToken ntdll.dll!NtQueryValueKey ntdll.dll!NtQueryVirtualMemory ntdll.dll!NtQueryVolumeInformationFile ntdll.dll!NtQueryWnfStateData ntdll.dll!NtReleaseMutant ntdll.dll!NtReleaseSemaphore ntdll.dll!NtReleaseWorkerFactoryWorker ntdll.dll!NtRequestWaitReplyPort ntdll.dll!NtSetEvent ntdll.dll!NtSetInformationProcess ntdll.dll!NtSetInformationVirtualMemory ntdll.dll!NtSetInformationWorkerFactory ntdll.dll!NtSubscribeWnfStateChange ntdll.dll!NtTestAlert ntdll.dll!NtTraceControl ntdll.dll!NtUnmapViewOfSection ntdll.dll!NtUnmapViewOfSectionEx ntdll.dll!NtWaitForAlertByThreadId ntdll.dll!NtWaitForSingleObject ntdll.dll!NtWaitForWorkViaWorkerFactory ntdll.dll!NtWaitLowEventPair ntdll.dll!NtWorkerFactoryWorkerReady ntdll.dll!NtWriteFile UNKNOWN
Process Terminate	TerminateProcess
Process Manipulation Evasion	NtUnmapViewOfSection

Shell Command Execution

i

Shell Command Execution

This section lists Windows shell commands that are run by the samples in this family. Windows Shell commands are often leveraged by malware for nefarious purposes and can be used to elevate security privileges, download and launch other malware, exploit vulnerabilities, collect and exfiltrate data, and hide malicious activity.

"\3DFF.tmp\Alterar ID Anydesk (ADM).cmd"

"\39C9.tmp\UnLock Map Directory.bat" c:\users\user\downloads\

C:\WINDOWS\system32\cmd.exe C:\WINDOWS\system32\cmd.exe /S /D /c" DIR /b /A-d "*.IMG" "

C:\WINDOWS\system32\find.exe FIND "" /v /n /c

open \542B.tmp\saveTxt.bat

Show More

WriteConsole:

WriteConsole: c:\users\user\do

WriteConsole: c:

WriteConsole: cd..

open \1085.tmp\start.cmd

WriteConsole: The system canno

open \BBA4.tmp\ask4pdf.bat

WriteConsole: echo

WriteConsole: f

WriteConsole: |

WriteConsole: copy

WriteConsole: /Y "cocop.dat"

C:\WINDOWS\system32\cmd.exe C:\WINDOWS\system32\cmd.exe /S /D /c" echo f"

C:\WINDOWS\system32\cmd.exe C:\WINDOWS\system32\cmd.exe /S /D /c" copy /Y "cocop.dat" "C:\ProgramData\Iceni\Infix\6\cocop.dat" "

WriteConsole: y

WriteConsole: del

WriteConsole: /f "cocop.dat"

C:\WINDOWS\system32\cmd.exe C:\WINDOWS\system32\cmd.exe /S /D /c" echo y"

C:\WINDOWS\system32\cmd.exe C:\WINDOWS\system32\cmd.exe /S /D /c" del /f "cocop.dat""

WriteConsole: Could Not Find c

WriteConsole: /Y "Infix.dat"

C:\WINDOWS\system32\cmd.exe C:\WINDOWS\system32\cmd.exe /S /D /c" copy /Y "Infix.dat" "C:\ProgramData\Iceni\Infix\6\Infix.dat" "

open \A88F.tmp\Numerador de MP3.bat

C:\Users\Ajevybox\AppData\Local\Temp\erro.vbs ERRO.vbs