Home / malware Trojan.Craspe
First posted on 03 April 2015.
Source: SymantecAliases :
There are no other names known for Trojan.Craspe.
Explanation :
Once executed, the Trojan creates the following file:
%ProgramFiles%\Common Files\[BIOS STRING]\Audio Interface Device Manager\aiomgr.exe
Note: Where [BIOS STRING] is the first string in the following registry subkey:
HKEY_LOCAL_MACHINE\Hardware\Description\System\SystemBiosVersion
The Trojan also creates the following folder:
%System%\Tasks\[BIOS STRING]\Audio Interface Device Manager
The Trojan creates the following registry entry so that it runs every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\[BIOS STRING]\Audio Interface Device Manager" = "%ProgramFiles%\Common Files\[BIOS STRING]\Audio Interface Device Manager\aiomgr.exe 3071006457"
Next, the Trojan gathers the following information from the compromised computer:
List of running processesList of installed applicationsList of antivirus applications installedList of firewall applications installedList of all programs that run every time Windows startsTime of malware installationMalware versionComputer nameDomain nameUser Account Control (UAC) statusSystem architectureOperating system versionService pack installedDefault browserUser agentRegistered name and organization for the Windows operating systemGeolocation of compromised computer
The Trojan then sends the gathered information to the following remote location:
[http://]jpic.gov.sy/css/images/_cgi/inde[REMOVED]
The Trojan may also download and execute potentially malicious files on the compromised computer.Last update 03 April 2015
