
Backdoor:Win32/Floxif


First posted on 21 September 2017.
Source: Microsoft

Aliases :

There are no other names known for Backdoor:Win32/Floxif.

Explanation :

This detection covers the "trojanized" (backdoored) build of the third-party system utility CCleaner: a legitimate CCleaner binary that was modified to carry a malicious payload before being distributed.

Installation


The threat runs whenever the trojanized version of CCleaner is run; there is no separate dropper or persistence mechanism beyond the modified binary itself.

When run, the threat may store binary data under the registry key HKLM\SOFTWARE\Piriform\Agomo. The presence of this key is a useful host indicator, since a clean CCleaner install does not create it.

Payload

Collects and steals information

When run, the malicious DLL payload embedded inside the binary may collect the following information:

  • Computer name
  • Computer DNS domain
  • Computer IP address
  • Installed and running processes


This information is encrypted and sent to the following command-and-control (C2) address via an HTTP POST request:
  • 216.126.225.148


It can also derive a C2 host name algorithmically (a domain generation algorithm seeded from the infected machine's current year and month), so blocking the hardcoded IP address alone does not cut the backdoor off from command and control.

Downloads and runs additional code

The threat can also receive binary shellcode from its C2 server and run it. At the time of analysis the C2 server was not responding, so we were unable to confirm what that shellcode does.

Additional information

SHA1: C705C0B0210EBDA6A3301C6CA9C6091B2EE11D5B
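The following triage script is an added example built only from the indicators listed on this page (the Agomo registry key, the C2 IP address and the SHA1 above); it is not Microsoft's or Piriform's code. The proxy-log format, the sample log lines, and the function names (sweep_files, find_c2_events, agomo_key_present) are constructed for illustration. The registry check needs Windows; on other platforms it is skipped.

```python
"""Host and network IOC sweep for the trojanized CCleaner (Backdoor:Win32/Floxif).

Added example built from the indicators on this page; not Microsoft's or
Piriform's code. Log format, sample lines and function names are constructed.
"""
import hashlib
import re
import sys

# Indicators taken from the page above.
IOC_SHA1 = "c705c0b0210ebda6a3301c6ca9c6091b2ee11d5b"   # SHA1 of the trojanized binary
IOC_C2_IP = "216.126.225.148"                            # hardcoded C2 address
IOC_REG_SUBKEY = r"SOFTWARE\Piriform\Agomo"             # under HKEY_LOCAL_MACHINE


def sha1_hex(data: bytes) -> str:
    """Lower-case hex SHA1 of an in-memory buffer."""
    return hashlib.sha1(data).hexdigest()


def file_matches_ioc(data: bytes) -> bool:
    """True when the buffer's SHA1 equals the indicator (compared case-insensitively)."""
    return sha1_hex(data) == IOC_SHA1.lower()


def agomo_key_present() -> bool:
    r"""Windows only: True if HKLM\SOFTWARE\Piriform\Agomo exists.

    Both registry views are checked: a 32-bit CCleaner on 64-bit Windows lands
    under WOW6432Node, which KEY_WOW64_32KEY reaches. Where winreg is absent
    (non-Windows hosts) the check is skipped and False is returned.
    """
    try:
        import winreg
    except ImportError:
        return False
    for view in (winreg.KEY_WOW64_64KEY, winreg.KEY_WOW64_32KEY):
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, IOC_REG_SUBKEY, 0,
                                winreg.KEY_READ | view):
                return True
        except OSError:
            continue
    return False


# Constructed proxy-log format: "<timestamp> <src_ip> <method> <dst_ip>:<port> <path>".
LOG_RE = re.compile(r"^(\S+) (\S+) ([A-Z]+) (\d{1,3}(?:\.\d{1,3}){3}):(\d+) (\S+)$")

# Constructed sample log: one POST beacon, one GET to the C2, one near-miss IP.
SAMPLE_LOG = """\
2017-09-15T10:01:02Z 10.0.0.5 GET 93.184.216.34:80 /update.xml
2017-09-15T10:01:07Z 10.0.0.5 POST 216.126.225.148:443 /
2017-09-15T10:02:11Z 10.0.0.9 GET 216.126.225.148:80 /index.html
2017-09-15T10:03:00Z 10.0.0.5 POST 216.126.225.1:443 /
"""


def find_c2_events(log_text: str):
    """Return (timestamp, src_ip, method) for every request to the hardcoded C2.

    The IP is matched as a whole token, so 216.126.225.1 is not a hit. POST
    entries match the beaconing the page describes; other methods to the same
    address are still worth triage. Hosts produced by the date-seeded DGA cannot
    be matched here, because the page does not give the algorithm.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group(4) == IOC_C2_IP:
            hits.append((m.group(1), m.group(2), m.group(3)))
    return hits


def sweep_files(paths):
    """SHA1 every given file and return the paths whose hash matches the indicator."""
    matches = []
    for p in paths:
        try:
            with open(p, "rb") as f:
                if file_matches_ioc(f.read()):
                    matches.append(p)
        except OSError:
            pass  # unreadable path: skip it rather than abort the sweep
    return matches


if __name__ == "__main__":
    # Usage: python floxif_sweep.py [path\to\CCleaner.exe ...]
    print("Agomo registry key present:", agomo_key_present())
    print("files matching IOC hash:", sweep_files(sys.argv[1:]))
    for ts, src, method in find_c2_events(SAMPLE_LOG):
        print(f"C2 contact: {ts} {src} {method} {IOC_C2_IP}")
```

Run it on the hosts where CCleaner was installed during the affected period, pointing it at the installed CCleaner.exe; a hash match, the registry key, or any proxy entry to the C2 address each justifies full incident handling of that host. Because the DGA fallback is not reproduced here, absence of traffic to the hardcoded IP does not prove the host never beaconed.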





Analysis by Jireh Sanico

Last update 21 September 2017
