
Infostealer.Ragua


First posted on 21 August 2014.
Source: Symantec

Aliases:

There are no other names known for Infostealer.Ragua.

Explanation:

When the Trojan is executed, it creates the following registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft_up

The Trojan creates the following folders:
%UserProfile%\Local Settings\Temp\RarSFX0
%UserProfile%\Application Data\Roaming\Bin\Descargas
%UserProfile%\Application Data\Roaming\Bin\Encryp
%UserProfile%\Application Data\Roaming\Bin\Geo
%UserProfile%\Application Data\Roaming\Bin\HDD
%UserProfile%\Application Data\Roaming\Bin\Jre6
%UserProfile%\Application Data\Roaming\java
%UserProfile%\Application Data\Roaming\MicroDes

The Trojan creates the following files:
%UserProfile%\Local Settings\Temp\RarSFX0\bz2.pyd
%UserProfile%\Local Settings\Temp\RarSFX0\caso.txt
%UserProfile%\Local Settings\Temp\RarSFX0\Crypto.Cipher.AES.pyd
%UserProfile%\Local Settings\Temp\RarSFX0\java.exe
%UserProfile%\Local Settings\Temp\RarSFX0\JavaD.exe
%UserProfile%\Local Settings\Temp\RarSFX0\JavaH.exe
%UserProfile%\Local Settings\Temp\RarSFX0\Javak.exe
%UserProfile%\Local Settings\Temp\RarSFX0\JavaS.exe
%UserProfile%\Local Settings\Temp\RarSFX0\javaTM.exe
%UserProfile%\Local Settings\Temp\RarSFX0\JavaUe.exe
%UserProfile%\Local Settings\Temp\RarSFX0\PIL._imaging.pyd
%UserProfile%\Local Settings\Temp\RarSFX0\PIL._imagingft.pyd
%UserProfile%\Local Settings\Temp\RarSFX0\pyexpat.pyd
%UserProfile%\Local Settings\Temp\RarSFX0\pyHook._cpyHook.pyd
%UserProfile%\Local Settings\Temp\RarSFX0\python27.dll
%UserProfile%\Local Settings\Temp\RarSFX0\pythoncom27.dll
%UserProfile%\Local Settings\Temp\RarSFX0\pywintypes27.dll
%UserProfile%\Local Settings\Temp\RarSFX0\ruta.txt
%UserProfile%\Local Settings\Temp\RarSFX0\select.pyd
%UserProfile%\Local Settings\Temp\RarSFX0\UJavap.exe
%UserProfile%\Local Settings\Temp\RarSFX0\ver
%UserProfile%\Local Settings\Temp\RarSFX0\vidcap.pyd
%UserProfile%\Local Settings\Temp\RarSFX0\w9xpopen.exe
%UserProfile%\Local Settings\Temp\RarSFX0\win32api.pyd
%UserProfile%\Local Settings\Temp\RarSFX0\win32clipboard.pyd
%UserProfile%\Local Settings\Temp\RarSFX0\win32file.pyd
%UserProfile%\Local Settings\Temp\RarSFX0\win32gui.pyd
%UserProfile%\Local Settings\Temp\RarSFX0\win32pdh.pyd
%UserProfile%\Local Settings\Temp\RarSFX0\win32ui.pyd
%UserProfile%\Local Settings\Temp\RarSFX0\_ctypes.pyd
%UserProfile%\Local Settings\Temp\RarSFX0\_hashlib.pyd
%UserProfile%\Local Settings\Temp\RarSFX0\_multiprocessing.pyd
%UserProfile%\Local Settings\Temp\RarSFX0\_portaudio.pyd
%UserProfile%\Local Settings\Temp\RarSFX0\_socket.pyd
%UserProfile%\Local Settings\Temp\RarSFX0\_ssl.pyd
%UserProfile%\Local Settings\Temp\RarSFX0\_win32sysloader.pyd
%UserProfile%\Application Data\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java Update.lnk
%UserProfile%\Application Data\Roaming\Bin\Jre6\bz2.pyd
%UserProfile%\Application Data\Roaming\Bin\Jre6\caso.txt
%UserProfile%\Application Data\Roaming\Bin\Jre6\Crypto.Cipher.AES.pyd
%UserProfile%\Application Data\Roaming\Bin\Jre6\date
%UserProfile%\Application Data\Roaming\Bin\Jre6\java.exe
%UserProfile%\Application Data\Roaming\Bin\Jre6\JavaD.exe
%UserProfile%\Application Data\Roaming\Bin\Jre6\JavaH.exe
%UserProfile%\Application Data\Roaming\Bin\Jre6\Javak.exe
%UserProfile%\Application Data\Roaming\Bin\Jre6\JavaS.exe
%UserProfile%\Application Data\Roaming\Bin\Jre6\javaTM.exe
%UserProfile%\Application Data\Roaming\Bin\Jre6\JavaUe.exe
%UserProfile%\Application Data\Roaming\Bin\Jre6\ON.txt
%UserProfile%\Application Data\Roaming\Bin\Jre6\PIL._imaging.pyd
%UserProfile%\Application Data\Roaming\Bin\Jre6\PIL._imagingft.pyd
%UserProfile%\Application Data\Roaming\Bin\Jre6\pyexpat.pyd
%UserProfile%\Application Data\Roaming\Bin\Jre6\pyHook._cpyHook.pyd
%UserProfile%\Application Data\Roaming\Bin\Jre6\python27.dll
%UserProfile%\Application Data\Roaming\Bin\Jre6\pythoncom27.dll
%UserProfile%\Application Data\Roaming\Bin\Jre6\pywintypes27.dll
%UserProfile%\Application Data\Roaming\Bin\Jre6\ruta.txt
%UserProfile%\Application Data\Roaming\Bin\Jre6\select.pyd
%UserProfile%\Application Data\Roaming\Bin\Jre6\UJavap.exe
%UserProfile%\Application Data\Roaming\Bin\Jre6\ver
%UserProfile%\Application Data\Roaming\Bin\Jre6\vidcap.pyd
%UserProfile%\Application Data\Roaming\Bin\Jre6\w9xpopen.exe
%UserProfile%\Application Data\Roaming\Bin\Jre6\win32api.pyd
%UserProfile%\Application Data\Roaming\Bin\Jre6\win32clipboard.pyd
%UserProfile%\Application Data\Roaming\Bin\Jre6\win32file.pyd
%UserProfile%\Application Data\Roaming\Bin\Jre6\win32gui.pyd
%UserProfile%\Application Data\Roaming\Bin\Jre6\win32pdh.pyd
%UserProfile%\Application Data\Roaming\Bin\Jre6\win32ui.pyd
%UserProfile%\Application Data\Roaming\Bin\Jre6\_ctypes.pyd
%UserProfile%\Application Data\Roaming\Bin\Jre6\_hashlib.pyd
%UserProfile%\Application Data\Roaming\Bin\Jre6\_multiprocessing.pyd
%UserProfile%\Application Data\Roaming\Bin\Jre6\_portaudio.pyd
%UserProfile%\Application Data\Roaming\Bin\Jre6\_socket.pyd
%UserProfile%\Application Data\Roaming\Bin\Jre6\_ssl.pyd
%UserProfile%\Application Data\Roaming\Bin\Jre6\_win32sysloader.pyd
%UserProfile%\Application Data\Roaming\MicroDes\bz2.pyd
%UserProfile%\Application Data\Roaming\MicroDes\caso.txt
%UserProfile%\Application Data\Roaming\MicroDes\Crypto.Cipher.AES.pyd
%UserProfile%\Application Data\Roaming\MicroDes\java.exe
%UserProfile%\Application Data\Roaming\MicroDes\JavaD.exe
%UserProfile%\Application Data\Roaming\MicroDes\JavaH.exe
%UserProfile%\Application Data\Roaming\MicroDes\Javak.exe
%UserProfile%\Application Data\Roaming\MicroDes\JavaS.exe
%UserProfile%\Application Data\Roaming\MicroDes\javaTM.exe
%UserProfile%\Application Data\Roaming\MicroDes\JavaUe.exe
%UserProfile%\Application Data\Roaming\MicroDes\PIL._imaging.pyd
%UserProfile%\Application Data\Roaming\MicroDes\PIL._imagingft.pyd
%UserProfile%\Application Data\Roaming\MicroDes\pyexpat.pyd
%UserProfile%\Application Data\Roaming\MicroDes\pyHook._cpyHook.pyd
%UserProfile%\Application Data\Roaming\MicroDes\python27.dll
%UserProfile%\Application Data\Roaming\MicroDes\pythoncom27.dll
%UserProfile%\Application Data\Roaming\MicroDes\pywintypes27.dll
%UserProfile%\Application Data\Roaming\MicroDes\ruta.txt
%UserProfile%\Application Data\Roaming\MicroDes\select.pyd
%UserProfile%\Application Data\Roaming\MicroDes\UJavap.exe
%UserProfile%\Application Data\Roaming\MicroDes\ver
%UserProfile%\Application Data\Roaming\MicroDes\vidcap.pyd
%UserProfile%\Application Data\Roaming\MicroDes\w9xpopen.exe
%UserProfile%\Application Data\Roaming\MicroDes\win32api.pyd
%UserProfile%\Application Data\Roaming\MicroDes\win32clipboard.pyd
%UserProfile%\Application Data\Roaming\MicroDes\win32file.pyd
%UserProfile%\Application Data\Roaming\MicroDes\win32gui.pyd
%UserProfile%\Application Data\Roaming\MicroDes\win32pdh.pyd
%UserProfile%\Application Data\Roaming\MicroDes\win32ui.pyd
%UserProfile%\Application Data\Roaming\MicroDes\_ctypes.pyd
%UserProfile%\Application Data\Roaming\MicroDes\_hashlib.pyd
%UserProfile%\Application Data\Roaming\MicroDes\_multiprocessing.pyd
%UserProfile%\Application Data\Roaming\MicroDes\_portaudio.pyd
%UserProfile%\Application Data\Roaming\MicroDes\_socket.pyd
%UserProfile%\Application Data\Roaming\MicroDes\_ssl.pyd
%UserProfile%\Application Data\Roaming\MicroDes\_win32sysloader.pyd
%System%\Tasks\Microsoft_up

The Trojan may perform the following actions:
Log keystrokes
Take screenshots
Record video with an attached webcam
Record audio with an attached microphone

The Trojan may contact the following server:
[http://]java.serveblog.net

Last update 21 August 2014
