Submission Summary:

What's been foundSeverity Level
Sets the drive to autoplay by creating autorun.inf file in its root directory. If the drive is shared across the network then other remote computers can be infected any time they try to access this share.
Downloads/requests other files from Internet.
Creates a startup registry entry.
Contains characteristics of an identified security risk.


Technical Details:


Possible Security Risk

Threat CategoryDescription
A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment


File System Modifications

#Filename(s)File SizeFile HashAlias
1 c:\3m9cahc.exe
[file and pathname of the sample #1]
171,008 bytes MD5: 0x47D3CE2E275A1C9876E86C2953A0844E
SHA-1: 0xEAD862600035740DFFB4F611797698AF3EB3ABB8
W32.Gammima.AG [Symantec] [Kaspersky Lab]
PWS-Gamania [McAfee]
Mal/HckASPk-A [Sophos]
PWS:Win32/Frethog.gen!H [Microsoft]
Trojan-GameThief.Win32.Magania [Ikarus]
Win32/Autorun.worm.171008.F [AhnLab]
2 c:\autorun.inf 61 bytes MD5: 0xDF4F9EBC0F1659ACD651F0575C200BFD
SHA-1: 0xDEF6EA1F10DA01B76C55A4D2E9D3726299239AFF
Troj/Taterf-D [Sophos]
3 %System%\twking0.dll
107,008 bytes MD5: 0x30D87EC7BF3F7A379CE0D0F5640BF8C9
SHA-1: 0xB6822F7632E635FCF4251CA04BACB586CA2560F8
Trojan.Gen [Symantec] [Kaspersky Lab]
Generic.dx!vap [McAfee]
Mal/HckASPk-A [Sophos]
Trojan-GameThief.Win32.Magania [Ikarus]
Win-Trojan/Malware.107008.AD [AhnLab]


Memory Modifications

Process NameProcess FilenameMain Module Size
iexplore.exe%ProgramFiles%\Internet Explorer\iexplore.exe102,400 bytes
[filename of the sample #1][file and pathname of the sample #1]593,920 bytes
twking.exe%System%\twking.exe593,920 bytes
3m9cahc.exec:\3m9cahc.exe593,920 bytes

Module NameModule FilenameAddress Space Details
twking0.dll%System%\twking0.dllProcess name: explorer.exe
Process filename: %Windir%\explorer.exe
Address space: 0x2110000 - 0x219D000


Registry Modifications


Other details

URL to be downloadedFilename for the downloaded bits\at1.rar



All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.

Copyright © 2018 ThreatExpert. All rights reserved.