
Trojan.Crisis


First posted on 11 July 2015.
Source: Symantec

Aliases :

There are no other names known for Trojan.Crisis.

Explanation :

Once executed, the Trojan may create the following files:
[LOG PATH]\[HEXADECIMAL VALUE]LOGF[HEXADECIMAL VALUE].log
[LOG PATH]\OUTF[HEXADECIMAL VALUE].log
Note: [LOG PATH] may vary depending on the file system in use.

The Trojan may then create the following registry entries so that it runs every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsofct\Windows\CurrentVersion\Run\"rundll32.exe" = "[PATH TO THREAT]\[THREAT NAME]"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsofct\Windows\CurrentVersion\RunOnce\"rundll32.exe" = "[PATH TO THREAT]\[THREAT NAME]"
Next, the Trojan opens a back door on the compromised computer and gathers the following information to send to a remote attacker:
System information such as processor type, RAM information, disk information etc.
Confidential information from web browsers such as stored user names and passwords, browsing history etc.
Cryptocurrency wallet data
Passwords for various programs such as MSN, GTalk, email clients etc.
Data from social media accounts such as contacts and messages
Data saved to the clipboard
The Trojan may also perform the following actions:
Use the microphone and webcam to record audio and video
Parse directories and read files
Record phone calls made using Skype
Monitor mouse movements
Hide itself in the system
The Trojan may store the stolen information in the following locations:
[LOG PATH]\[HEXADECIMAL VALUE]LOGF[HEXADECIMAL VALUE].log
[LOG PATH]\OUTF[HEXADECIMAL VALUE].log
Note: [LOG PATH] may vary depending on the file system in use.
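The persistence entries and log file names above are enough for a simple host check. The following Python is an added example, not code from the Symantec writeup or from malwarePDF: it runs over constructed registry and directory listings rather than a live system, matches the Run/RunOnce keys by their tail so it does not depend on the exact spelling of the parent path quoted above, and the hex-run lengths in the log name regex are an assumption since the page gives only placeholders.

```python
import re
from typing import Iterable, List, Tuple

# Run / RunOnce keys, matched by their tail so the check does not depend on
# the exact spelling of the parent path quoted in the writeup.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(?:Once)?$", re.IGNORECASE)

# Value name the writeup says the Trojan registers itself under.
SUSPECT_VALUE_NAME = "rundll32.exe"

# Log names from the writeup: [HEX]LOGF[HEX].log and OUTF[HEX].log.
# The hex-run lengths are not given on the page, so "one or more" is assumed.
LOG_NAME_RE = re.compile(
    r"^(?:[0-9a-f]+LOGF[0-9a-f]+|OUTF[0-9a-f]+)\.log$", re.IGNORECASE
)

RegEntry = Tuple[str, str, str]  # (key path, value name, value data)


def suspicious_run_values(entries: Iterable[RegEntry]) -> List[RegEntry]:
    """Return Run/RunOnce values registered under the name 'rundll32.exe'.

    A legitimate autorun that uses rundll32 is normally named after what it
    launches, not after rundll32 itself, so this exact name is worth a look.
    """
    hits = []
    for key, name, data in entries:
        if RUN_KEY_RE.search(key) and name.lower() == SUSPECT_VALUE_NAME:
            hits.append((key, name, data))
    return hits


def crisis_log_names(filenames: Iterable[str]) -> List[str]:
    """Return file names that fit the LOGF/OUTF log pattern from the writeup."""
    return [f for f in filenames if LOG_NAME_RE.match(f)]


# Constructed sample data (not real system output).
SAMPLE_REGISTRY: List[RegEntry] = [
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "OneDrive", r"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "rundll32.exe", r"C:\ProgramData\svc\update.dll"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
     "rundll32.exe", r"C:\ProgramData\svc\update.dll"),
    (r"HKEY_CURRENT_USER\Software\Classes", "rundll32.exe", "unrelated"),
]
SAMPLE_FILES = ["3fa2LOGF9c01.log", "OUTF7b.log", "system.log", "LOGF.log"]

if __name__ == "__main__":
    for hit in suspicious_run_values(SAMPLE_REGISTRY):
        print("suspicious autorun:", hit)
    print("log artefacts:", crisis_log_names(SAMPLE_FILES))
```

On a real host the same two functions can be fed the output of a registry export and a directory walk of the candidate [LOG PATH] locations.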

Last update 11 July 2015
