Submission Summary:

What's been found | Severity Level
Produces outbound traffic.
Creates a startup registry entry.
Contains characteristics of an identified security risk.


Technical Details:


Possible Security Risk

Threat Category | Description
A malicious backdoor trojan that runs in the background and allows remote access to the compromised system


File System Modifications

#   Filename(s) | File Size | File Hash | Alias

1   %System%\FE4496FC, 4 bytes
    MD5:   0x9F86307A00325A28BA8179F593291790
    SHA-1: 0x27DAD88631482FDA4301DF1D6FBF9278C94C0F1F
    Alias: (not available)

2   %Windir%\Tasks\At1.job, 360 bytes
    MD5:   0xC45073472F31A5C383E73E7C45627BEC
    SHA-1: 0x93FFE471A548C452D5852C743C7D152562C76ACB
    Alias: Troj/FakeJob-A [Sophos]

3   %Windir%\Tasks\At10.job, 360 bytes
    MD5:   0xF36614482AE0749089FEFCA0B07D4C62
    SHA-1: 0x42DB7529943CDA7CE15FAE38A05029E806CD3DFF
    Alias: Troj/FakeJob-A [Sophos]

4   %Windir%\Tasks\At11.job, 360 bytes
    MD5:   0x8259959E7D160E3369B808A6059A7556
    SHA-1: 0xD4CB985F9C07E8FBD019E3782FE95F8D8FF5618F
    Alias: Troj/FakeJob-A [Sophos]

5   %Windir%\Tasks\At12.job, 360 bytes
    MD5:   0x4D3BACC6892650A11A465106F050D28B
    SHA-1: 0x7A612087EB9C7A4BD0B66E5E6E53AF2C9D490258
    Alias: Troj/FakeJob-A [Sophos]

6   %Windir%\Tasks\At13.job, 360 bytes
    MD5:   0xFF2CF5E7241B62758D74C2BE5F3F65BB
    SHA-1: 0x0DBECB3CF82B56ECB192D015FF9228C97693D47A
    Alias: Troj/FakeJob-A [Sophos]

7   %Windir%\Tasks\At14.job, 360 bytes
    MD5:   0x242C82E7EC07F60352C0F03333E6956F
    SHA-1: 0x5FAA2E1AB1284549BA9CF179365FB26A1899DD7C
    Alias: Troj/FakeJob-A [Sophos]

8   %Windir%\Tasks\At15.job, 360 bytes
    MD5:   0x5312ABB872C74734F75DCEED9110B034
    SHA-1: 0xDA272D24AF668CFFDF9BF7A72C00E7AD955DE395
    Alias: Troj/FakeJob-A [Sophos]

9   %Windir%\Tasks\At16.job, 360 bytes
    MD5:   0x568D9CE56D11D33979896CFE424CB9A9
    SHA-1: 0xDD31CDA467CBCC1DD0B1D9B128FFD87AF8813B11
    Alias: Troj/FakeJob-A [Sophos]

10  %Windir%\Tasks\At17.job, 360 bytes
    MD5:   0xD64857AEA1241173020041C733754255
    SHA-1: 0x80AE9C998BEE617129CED341952267CB5EFA0086
    Alias: Troj/FakeJob-A [Sophos]

11  %Windir%\Tasks\At18.job, 360 bytes
    MD5:   0x0945542F08FCC63B11C5636EF2AC6F21
    SHA-1: 0x67BF163316163976B4119AF37AA05BD8115398C1
    Alias: Troj/FakeJob-A [Sophos]

12  %Windir%\Tasks\At19.job, 360 bytes
    MD5:   0x8AEC29753CACBAF958EA24AA264EF657
    SHA-1: 0x758AF10FCE2D08E22B1D57370E284BB70FD48A17
    Alias: Troj/FakeJob-A [Sophos]

13  %Windir%\Tasks\At2.job, 360 bytes
    MD5:   0xA8083150AFBE1E0626991B74247D983E
    SHA-1: 0x8E7680470FC65F2671DC0D094F7331A112782DC1
    Alias: Troj/FakeJob-A [Sophos]

14  %Windir%\Tasks\At20.job, 360 bytes
    MD5:   0xCA99AFF23690A16CBD52FA41A72A1485
    SHA-1: 0xA6B65E1B5AB8355A6AB9032F55FDD7B50F521652
    Alias: Troj/FakeJob-A [Sophos]

15  %Windir%\Tasks\At21.job, 360 bytes
    MD5:   0x529134E808E191CBB3648E54081AEDCD
    SHA-1: 0xEC650F55E2B14F96378E0CD369903D3DB1875DE6
    Alias: Troj/FakeJob-A [Sophos]

16  %Windir%\Tasks\At22.job, 360 bytes
    MD5:   0xC2185B894FA51B7DF41442FA807D06C5
    SHA-1: 0x3177648AD0E7D8D38CC4FFDCCAF2B058A3B88012
    Alias: Troj/FakeJob-A [Sophos]

17  %Windir%\Tasks\At23.job, 360 bytes
    MD5:   0x3ADE6D4AA6CAE0C5C00A15318DCD88A7
    SHA-1: 0x50AA7496F1022721994FCEA915F6DC8297DE7D34
    Alias: Troj/FakeJob-A [Sophos]

18  %Windir%\Tasks\At24.job, 360 bytes
    MD5:   0x8746553664989837DFCC659D96E13EC7
    SHA-1: 0xC886BC4C586BE8CBF1EBEB8D3F7B7FF5A570C6E1
    Alias: Troj/FakeJob-A [Sophos]

19  %Windir%\Tasks\At3.job, 360 bytes
    MD5:   0xFADC731CE76E33CEFC883B55D31C2147
    SHA-1: 0x3A72BD0721272DF6220AD1E5821F85D0DF765D10
    Alias: Troj/FakeJob-A [Sophos]

20  %Windir%\Tasks\At4.job, 360 bytes
    MD5:   0x83A36FD27EAE00C34CB5155DBF9D53B5
    SHA-1: 0xD81E5DB4E82C271C5470DBDD93A492BA5CC97F88
    Alias: Troj/FakeJob-A [Sophos]

21  %Windir%\Tasks\At5.job, 360 bytes
    MD5:   0xDA9BA57463407519B61F2A0FE83C9E7A
    SHA-1: 0x0A59162BD03E2F9990A5075ED5BC3D930C298A25
    Alias: Troj/FakeJob-A [Sophos]

22  %Windir%\Tasks\At6.job, 360 bytes
    MD5:   0x1BC6782B2B61B66306C0AD7FC028E74C
    SHA-1: 0xFE128570BFF5A5497F90B9A4EDD8DA57CC32D21C
    Alias: Troj/FakeJob-A [Sophos]

23  %Windir%\Tasks\At7.job, 360 bytes
    MD5:   0xD86F3FC15C2CB4429280E24838DF099C
    SHA-1: 0x81F2A00EFE555D6DA32E67E91DA774ACDF8666EE
    Alias: Troj/FakeJob-A [Sophos]

24  %Windir%\Tasks\At8.job, 360 bytes
    MD5:   0xD9E9D92A964A09F14006CB811CACA498
    SHA-1: 0xAE084B8E4A5B9A766DCEB274C7DD75CF927B7190
    Alias: Troj/FakeJob-A [Sophos]

25  %Windir%\Tasks\At9.job, 360 bytes
    MD5:   0xE7F2D9C2F49A33AA5913BF24D14EE662
    SHA-1: 0xC32D898021CFA208B89BE5D03318BA41EBF4ADD9
    Alias: Troj/FakeJob-A [Sophos]

26  %Windir%\XXXXXXFE4496FC\svchsot.exe, 236,032 bytes
    MD5:   0xD33651AEBB3E3B83AB49AE3860C3EA8B
    SHA-1: 0x04279ED9EB13375C86230AD5E215964CAEE02B94
    Alias: Backdoor.Win32.Agent.bwcb [Kaspersky Lab]
           BackDoor-EMA.gen.e [McAfee]
           Backdoor:Win32/Zegost.AD [Microsoft]
           Backdoor.Win32.Zegost [Ikarus]


Memory Modifications

Process Name | Main Module Size
svchso | 249,856 bytes
svchso | 249,856 bytes


Registry Modifications


Other details

China

Remote Host | Port Number
531114980.3322.org | 2011


Outbound traffic (potentially malicious)


All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.

Copyright © 2017 ThreatExpert. All rights reserved.