
Trojan.Backoff


First posted on 02 August 2014.
Source: Symantec

Aliases:

There are no other names known for Trojan.Backoff.

Explanation:

When the Trojan is executed, it creates the following files:
%AppData%\OracleJava\javaw.exe
%AppData%\nsskrnl
%AppData%\Local.dat
%AppData%\OracleJava\Log.txt

The Trojan creates the following registry entry so that it runs every time Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Windows NT Service" = "%AppData%\OracleJava\javaw.exe"

The Trojan creates the following registry entry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\"identifier" = "[7 RANDOM CHARACTERS]"

The Trojan accepts the following commands:
Update: update Trojan
Terminate: kill thread and process
Uninstall: uninstall Trojan
Download and Run: download then execute file
Upload KeyLogs: upload log file

The Trojan steals the following information from a compromised computer:
Computer name
User name
Windows version
Track data (data stored on payment card magnetic strips)

The Trojan logs keystrokes to the following file:
%AppData%\OracleJava\Log.txt

The Trojan creates an encrypted copy of itself in the following file:
%AppData%\nsskrnl

The Trojan saves stolen track data to the following file:
%AppData%\Local.dat

The Trojan may connect to the following remote locations:
[http://]msframeworkx64.com/windows/updche[REMOVED]
[http://]msframeworkx86.com/windows/updche[REMOVED]
[http://]msframeworkx86.ru/windows/updche[REMOVED]

The Trojan may inject itself into processes to look for POS data or to make sure the Trojan is constantly running.
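The file paths, registry values and domains above are the host-observable indicators a defender can hunt for. The script below is an added example, not part of the Symantec write-up: it matches Sysmon-style telemetry records against those indicators. The event dictionaries, their field names (EventID, TargetFilename, TargetObject, Details, QueryName, Computer) and the sample events themselves are constructed for illustration; the %AppData% expansion is assumed to be the usual C:\Users\<user>\AppData\Roaming.

```python
"""Match host telemetry against the Trojan.Backoff indicators in this write-up.

Added example, not part of the Symantec write-up. The event records are
constructed, Sysmon-style dictionaries (EventID 11 = file create, 13 = registry
value set, 22 = DNS query); the field names are assumptions about a normalised
log format, so adapt the accessors to your own pipeline.
"""
from __future__ import annotations

import re
from typing import Iterable

# Indicators taken from the write-up; paths are relative to %AppData%.
DROPPED_FILES = (
    r"\OracleJava\javaw.exe",
    r"\nsskrnl",
    r"\Local.dat",
    r"\OracleJava\Log.txt",
)
RUN_KEY_VALUE = r"\Software\Microsoft\Windows\CurrentVersion\Run\Windows NT Service"
RUN_KEY_DATA = r"\OracleJava\javaw.exe"
IDENTIFIER_VALUE = r"\Software\Microsoft\Windows\CurrentVersion\identifier"
C2_DOMAINS = ("msframeworkx64.com", "msframeworkx86.com", "msframeworkx86.ru")

# Assumption: %AppData% expands to C:\Users\<user>\AppData\Roaming. Requiring
# that prefix keeps the legitimate javaw.exe under Program Files from matching.
APPDATA_RE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\Roaming", re.IGNORECASE)


def _under_appdata(path: str) -> bool:
    return bool(APPDATA_RE.match(path))


def check_event(event: dict) -> list[str]:
    """Return the indicator descriptions an event matches (empty if none)."""
    hits: list[str] = []
    eid = event.get("EventID")
    if eid == 11:  # file create
        path = event.get("TargetFilename", "")
        if _under_appdata(path):
            for suffix in DROPPED_FILES:
                if path.lower().endswith(suffix.lower()):
                    hits.append(f"dropped file {suffix}")
    elif eid == 13:  # registry value set
        target = event.get("TargetObject", "").lower()
        details = event.get("Details", "")
        if target.endswith(RUN_KEY_VALUE.lower()) and RUN_KEY_DATA.lower() in details.lower():
            hits.append("Run key 'Windows NT Service' -> OracleJava\\javaw.exe")
        elif target.endswith(IDENTIFIER_VALUE.lower()) and len(details) == 7:
            # Weak on its own (the write-up only says 7 random characters);
            # useful as corroboration next to the Run key or dropped files.
            hits.append("7-character 'identifier' value under CurrentVersion")
    elif eid == 22:  # DNS query
        q = event.get("QueryName", "").lower().rstrip(".")
        if q in C2_DOMAINS or any(q.endswith("." + d) for d in C2_DOMAINS):
            hits.append(f"DNS query for C2 domain {q}")
    return hits


def scan(events: Iterable[dict]) -> dict[str, list[str]]:
    """Group indicator hits by host name; hosts with no hits are omitted."""
    report: dict[str, list[str]] = {}
    for ev in events:
        for hit in check_event(ev):
            report.setdefault(ev.get("Computer", "?"), []).append(hit)
    return report


# Constructed sample telemetry: one infected host and one clean host whose
# events superficially resemble the indicators.
SAMPLE_EVENTS = [
    {"EventID": 11, "Computer": "POS-01",
     "TargetFilename": r"C:\Users\cashier\AppData\Roaming\OracleJava\javaw.exe"},
    {"EventID": 13, "Computer": "POS-01",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Windows NT Service",
     "Details": r"C:\Users\cashier\AppData\Roaming\OracleJava\javaw.exe"},
    {"EventID": 13, "Computer": "POS-01",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\identifier",
     "Details": "q7zk2pa"},
    {"EventID": 22, "Computer": "POS-01", "QueryName": "msframeworkx86.ru"},
    {"EventID": 11, "Computer": "WS-07",
     "TargetFilename": r"C:\Program Files\Java\jre8\bin\javaw.exe"},
    {"EventID": 13, "Computer": "WS-07",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1002\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    {"EventID": 22, "Computer": "WS-07", "QueryName": "update.microsoft.com"},
]

if __name__ == "__main__":
    for host, hits in scan(SAMPLE_EVENTS).items():
        print(host)
        for hit in hits:
            print("  -", hit)
```

Running the block reports only POS-01, with all four indicators; the clean host's javaw.exe under Program Files and its unrelated Run key produce no hits. The DNS check also catches subdomains of the listed C2 domains, which is a small generalisation beyond the exact URLs quoted in the write-up.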

Last update 02 August 2014
