Win32/Gataka

Win32/Gataka Description

Type: Trojan

Win32/Gataka is a banking Trojan that affects German banks, Dutch banks and a US newspaper. Win32/Gataka eases bogus bank transfers. Win32/Gataka has the same architecture as SpyEye in that a few plugins can be downloaded to add more functionality. Win32/Gataka is developed in C++ and is overly verbose in both the debug strings in its binaries and the amount of logging information that is transmitted back to the C&C. When activated, Win32/Gataka first inserts itself into the process called 'explorer.exe' and then continues on its installation. Win32/Gataka inserts all running processes and hooks the particular APIs 'CreateProces' and 'CreateProcessAsUser' for controlling process spawning. Before deleting the original dropper, Win32/Gataka will first copy it to a file in the Application Data folder following a predefined random behavior. In order to be persistent, Win32/Gataka adds a value to the specific registry key, pointing to the executable that was set in the Application Data folder. Win32/Gataka then proceeds to encrypt the original executable using a XOR key and saves it in the Application Data folder. The path to this encrypted file is kept in the specific registry key value, which is also XOR encrypted. When installed, Win32/Gataka will attempt to connect to the command-and-control (C&C) server by starting 'iexplore.exe', inserting it with a malevolent code and then sending encrypted POST requests.

Aliases

15 security vendors flagged this file as malicious.

Anti-Virus Software Detection
Panda Application/BoontyGames
Ikarus APPL
Antiy-AVL Backdoor/Win32.Agent.gen
AntiVir APPL/BoontyGames
eSafe Win32.APPLBoontyGame
F-Prot W32/MalwareS.BHQT
McAfee Artemis!91E6D6D3D98B
Panda Trj/CI.A
AVG Worm/Generic2.BFTB
Ikarus Trojan-Dropper.Win32.Dapato
Antiy-AVL Trojan/Win32.Jorik.gen
AntiVir TR/Kazy.49970
BitDefender Gen:Variant.Kazy.49970
Kaspersky Trojan.Win32.Jorik.Lethic.dp
Avast MSIL:Dropper-RR [Drp]

Technical Information

Screenshots & Other Imagery

SpyHunter Detects & Remove Win32/Gataka

File System Details

Win32/Gataka creates the following file(s):
Expand All | Collapse All
# File Name MD5 Detection Count
1 JAF_Suite_Setup_1[1].0.0.exe a78b1a5f773a917cc646e7b80968994e 33
2 Boonty.exe 91e6d6d3d98bb3628be4e1162e9b33eb 4
3 FE61.exe 62728cb88ac42bd5d520cf05982ea9e9 2
4 file.exe 55c1296cdacbc7fe125628bc17677f9e 2
5 readme (1).exe 07b57a8fd33e0942e08fa449e3920264 0
More files

Site Disclaimer

Enigmasoftware.com is not associated, affiliated, sponsored or owned by the malware creators or distributors mentioned on this article. This article should NOT be mistaken or confused in being associated in any way with the promotion or endorsement of malware. Our intent is to provide information that will educate computer users on how to detect, and ultimately remove, malware from their computer with the help of SpyHunter and/or manual removal instructions provided on this article.

This article is provided "as is" and to be used for educational information purposes only. By following any instructions on this article, you agree to be bound by the disclaimer. We make no guarantees that this article will help you completely remove the malware threats on your computer. Spyware changes regularly; therefore, it is difficult to fully clean an infected machine through manual means.
By Domesticus in Trojans
Threat Scorecard
Threat Level: 90 % (High)
Infected Computers: 74
First Seen: June 29, 2012
Last Seen: January 8, 2021
OS(es) Affected: Windows