Avira Virus Lab


TR/BitCoinMiner.ME.1

Summary
  • Name
    TR/BitCoinMiner.ME.1
  • Discovered on
    09.12.2017
  • VDF Version
    7.14.37.152 (2017-12-09 09:16)
Full description

The prefix 'TR' denotes a Trojan horse: a program that is able to spy on your data, violate your privacy and make unwanted changes to the system.

  • VDF
    7.14.37.152 (2017-12-09 09:16)
  • Files
    The following files are created:
    • %TEMPDIR%\cudart32_65.dll
    • %WINDIR%\debug\lsmose.exe
    The following files are modified:
    • %TEMPDIR%\cudart32_65.dll
    • %WINDIR%\debug\lsmose.exe
    The following drivers are loaded:
    • %WINDIR%\Globalization\Sorting\sortdefault.nls
    • %TEMPDIR%\%executed_sample%
    • \??\C:
    • %TEMPDIR%\80EB2F5C
    • %TEMPDIR%\cudart32_65.dll
    • %WINDIR%\debug\lsmose.exe
    The following files are executed:
    • %WINDIR%\Globalization\Sorting\sortdefault.nls
    • %TEMPDIR%\%executed_sample%
    • \??\C:
    • %TEMPDIR%\80EB2F5C
    • %TEMPDIR%\cudart32_65.dll
    • %WINDIR%\debug\lsmose.exe
  • Registry
    The following registry entries are added:
    • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters ("Hostname": "")
    • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters
    • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters ("Domain": "")
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\%executed_sample_name%_RASMANCS ("EnableFileTracing": "0")
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\%executed_sample_name%_RASMANCS ("EnableConsoleTracing": "0")
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\%executed_sample_name%_RASMANCS ("FileTracingMask": "4294901760")
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\%executed_sample_name%_RASMANCS ("ConsoleTracingMask": "4294901760")
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\%executed_sample_name%_RASMANCS ("MaxFileSize": "1048576")
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\%executed_sample_name%_RASMANCS ("FileDirectory": "%windir%\tracing")
    • HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections ("DefaultConnectionSettings": "<INVALID POINTER>")
    • HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections
    • HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections ("DefaultConnectionSettings": "F `Lq #3QO!  #3QO! 8(8( @e0.` `PH 40 ]b")
    • HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad\{A9C7A8AA-FA05-4B0C-BF08-962D58BC6FFB} ("WpadDecisionReason": "1")
    • HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad\{A9C7A8AA-FA05-4B0C-BF08-962D58BC6FFB} ("WpadDecisionTime": "`Lq")
    • HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad\{A9C7A8AA-FA05-4B0C-BF08-962D58BC6FFB} ("WpadDecision": "3")
    • HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad\{A9C7A8AA-FA05-4B0C-BF08-962D58BC6FFB} ("WpadNetworkName": "Network")
    • HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad\{A9C7A8AA-FA05-4B0C-BF08-962D58BC6FFB}
    • HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00 ("WpadDecisionReason": "1")
    • HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00 ("WpadDecisionTime": "`Lq")
    • HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00 ("WpadDecision": "3")
    • HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00
    • HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad\{A9C7A8AA-FA05-4B0C-BF08-962D58BC6FFB}\0a-00-27-00-00-00
    • HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad ("WpadLastNetwork": "{A9C7A8AA-FA05-4B0C-BF08-962D58BC6FFB}")
    The following registry entries are modified:
    • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters ("Hostname": "")
    • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters
    • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters ("Domain": "")
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\%executed_sample_name%_RASMANCS ("EnableFileTracing": "0")
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\%executed_sample_name%_RASMANCS ("EnableConsoleTracing": "0")
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\%executed_sample_name%_RASMANCS ("FileTracingMask": "4294901760")
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\%executed_sample_name%_RASMANCS ("ConsoleTracingMask": "4294901760")
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\%executed_sample_name%_RASMANCS ("MaxFileSize": "1048576")
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\%executed_sample_name%_RASMANCS ("FileDirectory": "%windir%\tracing")
    • HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections ("DefaultConnectionSettings": "<INVALID POINTER>")
    • HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections
    • HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections ("DefaultConnectionSettings": "F `Lq #3QO!  #3QO! 8(8( @e0.` `PH 40 ]b")
    • HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad\{A9C7A8AA-FA05-4B0C-BF08-962D58BC6FFB} ("WpadDecisionReason": "1")
    • HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad\{A9C7A8AA-FA05-4B0C-BF08-962D58BC6FFB} ("WpadDecisionTime": "`Lq")
    • HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad\{A9C7A8AA-FA05-4B0C-BF08-962D58BC6FFB} ("WpadDecision": "3")
    • HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad\{A9C7A8AA-FA05-4B0C-BF08-962D58BC6FFB} ("WpadNetworkName": "Network")
    • HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad\{A9C7A8AA-FA05-4B0C-BF08-962D58BC6FFB}
    • HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00 ("WpadDecisionReason": "1")
    • HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00 ("WpadDecisionTime": "`Lq")
    • HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00 ("WpadDecision": "3")
    • HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00
    • HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad\{A9C7A8AA-FA05-4B0C-BF08-962D58BC6FFB}\0a-00-27-00-00-00
    • HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad ("WpadLastNetwork": "{A9C7A8AA-FA05-4B0C-BF08-962D58BC6FFB}")
  • Alias
    Avast: Win32:Malware-gen
    Dr. Web: Trojan.BtcMine.1596
    ESET: a variant of Win32/Packed.EnigmaProtector.J potentially unwanted application
    G Data: Application.BitCoinMiner.XY
    Microsoft: Trojan:Win32/Smominru.A