Home / malware Backdoor.Joanap
First posted on 26 September 2015.
Source: SymantecAliases :
There are no other names known for Backdoor.Joanap.
Explanation :
When the Trojan is executed, it creates the following files: %System%\scardprv.dll%System%\wcssvc.dll%System%\mssscardprv.ax
The Trojan then creates the following registry entries: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SCardPrv\Security\"Security" = "[HEXADECIMAL VALUE]"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SCardPrv\Parameters\"ServiceDll" = "%System%\scardprv.dll"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SCardPrv\"Type" = "20"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SCardPrv\"Start" = "2"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SCardPrv\"ObjectName" = "LocalSystem"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SCardPrv\"ImagePath" = "%System%\svchost.exe -k SCardPrv"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SCardPrv\"ErrorControl" = "1"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SCardPrv\"DisplayName" = "SmartCard Protector"
Next, the Trojan opens a port and listens for further commands. The port number is specified in a configuration file called "mssscardprv.ax". The Trojan then connects to the following IP addresses: 60.251.197.122 62.87.153.243 62.135.122.53 62.150.4.42 63.131.248.197 63.149.164.98 64.71.162.61 66.210.47.247 69.15.198.186 72.156.127.210 75.145.139.249 78.38.221.4 80.191.114.136 81.83.10.138 81.130.210.66 83.211.229.42 92.47.141.99 92.253.102.217 93.62.0.22 94.28.57.110 96.39.78.157 110.164.115.177 118.70.143.38 118.102.187.188 119.15.245.179 122.55.13.34 168.144.197.98 189.114.147.186 196.44.250.231 201.222.66.25Last update 26 September 2015
