Tuesday, August 5, 2014

Trojan: Wonton

VirusTotal (VT) information about the malicious sample:

MD5: e564d95cff4e3c7c14b8a149de41935a
SHA-1: f9c256c5b2ae937a9b04d73ac88aaa782b8770dc
SHA-256: 57bab53ddf5ba525343218c78de26064d0e6b9a3cd739ebbe0ba2358ea2b7394
ssdeep: 12288:jN5mEjuyhoWgXk6Eqyli7B0d6hHBZ0FAb12:jNIEjuyhoWgXk6W07B0d6hHBqFAZ2
imphash: a49926a7e80581b917867c2bd8cfdf8f
Size: 416.5 KB (426496 bytes)
Type: Win32 EXE
Magic: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID: Win32 Executable MS Visual C++ (generic) (64.5%), Win32 Dynamic Link Library (generic) (13.6%), Win32 Executable (generic) (9.3%), Clipper DOS Executable (4.1%), Generic Win/DOS Executable (4.1%)


This malware throws an error message when you execute it:
But if you observe the changes in the system through Process Explorer and process monitoring tools, you will find a process with random characters as its name whose image points into %Application Data%. This is obviously weird, and it gives the user one hundred percent confirmation that we have executed malware. If you use InCtrl, it will log all the changes made to files, folders and registry keys.
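The check described above (a process with a random-looking name running out of the per-user AppData tree) can be scripted over a process snapshot. The following is an added example, not code from the original post; the process list is constructed here to stand in for what Process Explorer would show, and the entropy and vowel-ratio thresholds are assumptions chosen for this illustration, not published detection rules.

```python
"""Flag processes whose image lives under %APPDATA% and whose name looks
randomly generated. Added example; the snapshot below is constructed."""
import math
import re
from collections import Counter

# Constructed process snapshot: (process name, full image path).
# The random-looking entry and the legitimate-looking updater are both made up.
SAMPLE_PROCESSES = [
    ("explorer.exe", r"C:\Windows\explorer.exe"),
    ("chrome.exe", r"C:\Program Files\Google\Chrome\Application\chrome.exe"),
    ("xkqzvbnjtr.exe", r"C:\Users\alice\AppData\Roaming\xkqzvbnjtr.exe"),
    ("updater.exe", r"C:\Users\alice\AppData\Local\Vendor\updater.exe"),
    ("svchost.exe", r"C:\Windows\System32\svchost.exe"),
]

# Matches the per-user AppData tree (Roaming, Local, LocalLow).
APPDATA_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
VOWELS = set("aeiou")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character in the string."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random(stem: str) -> bool:
    """Heuristic for machine-generated names: reasonably long, few vowels,
    and high character entropy. Thresholds are assumed for this example."""
    stem = stem.lower()
    if len(stem) < 8:
        return False
    vowel_ratio = sum(ch in VOWELS for ch in stem) / len(stem)
    return vowel_ratio < 0.25 and shannon_entropy(stem) > 2.8


def in_appdata(path: str) -> bool:
    """True when the image path sits under a user's AppData directory."""
    return APPDATA_RE.search(path) is not None


def suspicious_processes(snapshot):
    """Return (name, path) pairs that run from AppData under a random-looking name."""
    hits = []
    for name, path in snapshot:
        stem = name.rsplit(".", 1)[0]
        if in_appdata(path) and looks_random(stem):
            hits.append((name, path))
    return hits


if __name__ == "__main__":
    for name, path in suspicious_processes(SAMPLE_PROCESSES):
        print(f"SUSPICIOUS: {name} -> {path}")
```

Legitimate software also runs out of AppData (browser and chat updaters are common), so the path check alone is noisy; combining it with the random-name heuristic is what narrows the list to the kind of process the post describes. Any hit should still be confirmed against the file's hashes and the vendor write-ups rather than treated as proof on its own.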


Leading antivirus vendors such as Sophos detect this set of malware under the name:

Troj/Wonton-FE



And ESET NOD32 detects the same malware under the name:

a variant of Win32/Agent.VNC



Sophos write-up
The above snapshot shows what Sophos says about the behaviour of the samples. Sophos is a pretty good AV.

Stay protected. Enjoy the cyber world.
