
Trojan.Rokamal


First posted on 22 April 2014.
Source: Symantec

Aliases:

There are no other names known for Trojan.Rokamal.

Explanation:

Once executed, the Trojan creates the following files:
%UserProfile%\Application Data\msconfig.ini
%ProgramFiles%\Startup\Google.com.url
%UserProfile%\Application Data\[9 RANDOM DIGITS].exe
%SystemDrive%\{$[16 RANDOM DIGITS]$}\comhost.exe
%Temp%\[4 RANDOM DIGITS]
%UserProfile%\Application Data\Install\Host.exe
The Trojan then creates the following registry entries so that it runs every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Windows COM Host" = "%SystemDrive%\{$[16 RANDOM DIGITS]$}\comhost.exe -rundll32 /SYSTEM32 \%System%\taskmgr.exe\" \"%ProgramFiles%\Microsoft\Windows\""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"NetWire" = "%UserProfile%\Application Data\Install\Host.exe"
It also creates the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\"load" = "%SystemDrive%\{$[16 RANDOM DIGITS]$}\comhost.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"ShowSuperHidden" = "0"
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\Microsoft\Sysinternals\"PROCID" = "5728"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{[36 RANDOM CHARACTERS]}\"StubPath" = ""%UserProfile%\Application Data\Install\Host.eXe""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{[36 RANDOM CHARACTERS]}\"StubPath" = "\%UserProfile%\Application Data\Install\Host.eXe\"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\"Debugger" = "nsjw.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe\"Debugger" = "nsjw.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HijackThis.exe\"Debugger" = "nsjw.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcenter.exe\"Debugger" = "nsjw.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avguard.exe\"Debugger" = "nsjw.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe\"Debugger" = "nsjw.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdagent.exe\"Debugger" = "nsjw.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe\"Debugger" = "nsjw.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe\"Debugger" = "nsjw.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ComboFix.exe\"Debugger" = "nsjw.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\"Debugger" = "nsjw.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe\"Debugger" = "nsjw.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Spybotsd.exe\"Debugger" = "nsjw.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe\"Debugger" = "nsjw.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zlclient.exe\"Debugger" = "nsjw.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\keyscrambler.exe\"Debugger" = "nsjw.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccuac.exe\"Debugger" = "nsjw.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\comhost.exe\"DisableExceptionChainValidation" = ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings\"REG_DWORD" = "1"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule\"Start" = "4"
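Read as a defender, the entries above fall into a few patterns: the Run values, the "load" value and the Active Setup StubPath values are autostart locations pointing into user-writable or unusual directories; the Image File Execution Options "Debugger" values mean that each launch of the named security or analysis tool is redirected to nsjw.exe instead; ShowSuperHidden = 0 hides system files from the user; and a Schedule service Start value of 4 disables Task Scheduler. The following checker is an added example, not code from the Symantec write-up. It parses entries written in the write-up's own KEY\"Name" = "Data" notation and reports which of those patterns each one trips. The sample entries are constructed (the 16-digit directory name and the all-zero GUID are placeholders for the random values, and the ExampleVendorTray entry is a benign control), and the list of "trusted" autostart prefixes is an assumption to be tuned per environment, not something the write-up specifies.

```python
"""Flag registry persistence and defence-evasion patterns of the kind listed
for Trojan.Rokamal.  Added example: the sample lines are constructed in the
write-up's notation, not a real registry export."""
import re
from collections import Counter
from typing import List, NamedTuple


class RegEntry(NamedTuple):
    key: str
    name: str
    value: str


class Finding(NamedTuple):
    rule: str
    entry: RegEntry


# KEY\"ValueName" = "Data"  (the notation used in the write-up)
_ENTRY_RE = re.compile(r'^(?P<key>[^"]+?)\\"(?P<name>[^"]+)"\s*=\s*"(?P<value>.*)"$')
_IFEO_RE = re.compile(r'\\Image File Execution Options\\(?P<target>[^\\]+)$', re.IGNORECASE)
_RUN_RE = re.compile(r'\\CurrentVersion\\Run$', re.IGNORECASE)
_LOAD_RE = re.compile(r'\\Windows NT\\CurrentVersion\\Windows$', re.IGNORECASE)
_ACTIVE_SETUP_RE = re.compile(r'\\Active Setup\\Installed Components\\', re.IGNORECASE)
_SCHEDULE_RE = re.compile(r'\\Services\\Schedule$', re.IGNORECASE)

# Assumed: directories an autostart entry is normally expected to point into.
_TRUSTED_PREFIXES = ('%programfiles%', '%systemroot%', '%windir%', '%system%',
                     'c:\\program files', 'c:\\windows')


def parse_entry(line: str) -> RegEntry:
    m = _ENTRY_RE.match(line.strip())
    if not m:
        raise ValueError(f'not a registry entry line: {line!r}')
    return RegEntry(m.group('key'), m.group('name'), m.group('value'))


def _target_path(value: str) -> str:
    # Drop leading quotes/backslashes so "%UserProfile%\..." compares like %userprofile%\...
    return value.lstrip('"\\ ').lower()


def classify(entry: RegEntry) -> List[Finding]:
    """Return every rule the entry trips (an entry may trip none)."""
    hits = []
    name = entry.name.lower()
    path = _target_path(entry.value)
    untrusted = bool(path) and not path.startswith(_TRUSTED_PREFIXES)

    if _IFEO_RE.search(entry.key) and name == 'debugger':
        # Every launch of the target executable is redirected to the "debugger".
        hits.append(Finding('ifeo-debugger', entry))
    if _RUN_RE.search(entry.key) and untrusted:
        hits.append(Finding('run-key-untrusted-path', entry))
    if _LOAD_RE.search(entry.key) and name == 'load' and path:
        # Legacy win.ini "load=" equivalent; rarely used legitimately.
        hits.append(Finding('legacy-load-autostart', entry))
    if _ACTIVE_SETUP_RE.search(entry.key) and name == 'stubpath' and untrusted:
        hits.append(Finding('active-setup-stubpath', entry))
    if name == 'showsuperhidden' and entry.value.strip() == '0':
        hits.append(Finding('hide-system-files', entry))
    if _SCHEDULE_RE.search(entry.key) and name == 'start' and entry.value.strip() == '4':
        hits.append(Finding('task-scheduler-disabled', entry))
    return hits


def scan(lines) -> List[Finding]:
    return [f for line in lines if line.strip() for f in classify(parse_entry(line))]


def summarize(findings) -> dict:
    return dict(Counter(f.rule for f in findings))


# Constructed sample entries (random values replaced by fixed placeholders).
SAMPLE_LINES = r'''
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Windows COM Host" = "%SystemDrive%\{$1234567890123456$}\comhost.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"NetWire" = "%UserProfile%\Application Data\Install\Host.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"ExampleVendorTray" = "%ProgramFiles%\ExampleVendor\tray.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\"load" = "%SystemDrive%\{$1234567890123456$}\comhost.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"ShowSuperHidden" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-000000000000}\"StubPath" = ""%UserProfile%\Application Data\Install\Host.eXe""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\"Debugger" = "nsjw.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe\"Debugger" = "nsjw.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe\"Debugger" = "nsjw.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\comhost.exe\"DisableExceptionChainValidation" = ""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule\"Start" = "4"
'''.strip().splitlines()


if __name__ == '__main__':
    for finding in scan(SAMPLE_LINES):
        print(f'{finding.rule:24} {finding.entry.key}\\{finding.entry.name} = {finding.entry.value}')
    print(summarize(scan(SAMPLE_LINES)))
```

Legitimate IFEO Debugger values do exist (developer machines that attach a debugger to a specific binary), so in practice the ifeo-debugger rule is paired with an allowlist; an entry whose target is an anti-malware or analysis tool, or whose debugger is a bare file name rather than a full path, is the case that deserves a closer look.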
The Trojan may then perform the following actions on the compromised computer:
Steal email credentials from Microsoft Outlook
Log keystrokes
Open a command shell
Perform distributed denial-of-service (DDoS) attacks
Turn the compromised computer into a Web proxy
Mine cryptocurrency
The Trojan may also steal passwords from the following Internet browsers:
Internet Explorer
Opera
Chrome
Firefox

Last update 22 April 2014
