

First posted on 24 June 2017.
Source: Microsoft

Aliases :

There are no other names known for Trojan:Win32/CrashOverride.A.

Explanation :


Connects to a remote host

We have seen this threat connect to any of the following remote hosts (C2 servers/Tor nodes):


It connects to a remote host to:
  • Send information about the hardware profile and malware version
  • Execute arbitrary commands and files
  • Download files
  • Copy files
  • Start or stop a service

Creates the following mutex

We have seen this threat create the following mutex: “\Sessions\1\Windows\ApiPortection”

Manipulates power control system without your consent

It also carries four different payload types that are used to control switches and circuit breakers in an electric power control system. To do this, it implements the following industrial control protocols:
  • IEC101
  • IEC104
  • IEC61850
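The IEC104 control traffic such a payload would emit is recognisable on the wire (IEC 60870-5-104 runs over TCP, normally on port 2404). The following is an added example, not code from the original advisory, from Microsoft, or from the malware itself: a minimal IEC104 APDU/ASDU parser in Python with a detector that flags single and double commands (ASDU types 45 and 46) sent with cause of transmission "activation", which is the select/execute sequence used to open or close a breaker. The frame layout follows the public standard; the sample frames, the function names, the `CONTROL_TYPES` table and the alert format are all constructed for this example.

```python
"""Minimal IEC 60870-5-104 APDU parser and detector for breaker control
commands.  Added example; frame layout per IEC 60870-5-104, samples constructed."""
import struct

# Control-direction process command type IDs (IEC 60870-5-101 mnemonics);
# table assembled for this example
CONTROL_TYPES = {45: "C_SC_NA_1 (single command)", 46: "C_DC_NA_1 (double command)",
                 47: "C_RC_NA_1 (regulating step)", 48: "C_SE_NA_1 (set point, normalised)",
                 49: "C_SE_NB_1 (set point, scaled)", 50: "C_SE_NC_1 (set point, float)"}
COT_ACTIVATION = 6  # cause of transmission: master orders the RTU to act
# U-format functions, bits 2..7 of the first control-field byte
U_FUNCTIONS = {0x04: "STARTDT act", 0x08: "STARTDT con", 0x10: "STOPDT act",
               0x20: "STOPDT con", 0x40: "TESTFR act", 0x80: "TESTFR con"}


def parse_asdu(body: bytes) -> dict:
    """Parse the ASDU following the 6-byte APCI: type, VSQ, COT(2), CA(2), objects."""
    if len(body) < 6:
        raise ValueError("ASDU header truncated")
    type_id, vsq = body[0], body[1]
    asdu = {"type_id": type_id, "type_name": CONTROL_TYPES.get(type_id, f"type {type_id}"),
            "cot": body[2] & 0x3F, "originator": body[3],
            "common_addr": struct.unpack_from("<H", body, 4)[0], "objects": []}
    off = 6
    if type_id in (45, 46) and not vsq & 0x80:   # SQ=0: every object carries its own IOA
        # 3-byte information object address + 1-byte SCO/DCO qualifier;
        # bit 7 of the qualifier is select (1) / execute (0)
        for _ in range(vsq & 0x7F):
            if off + 4 > len(body):
                raise ValueError("information object truncated")
            ioa = int.from_bytes(body[off:off + 3], "little")
            qual = body[off + 3]
            off += 4
            if type_id == 45:
                state = "ON" if qual & 0x01 else "OFF"          # SCS bit
            else:
                state = {1: "OFF", 2: "ON"}.get(qual & 0x03, "INVALID")  # DCS bits
            asdu["objects"].append({"ioa": ioa, "state": state, "select": bool(qual & 0x80)})
    else:
        asdu["objects"].append({"raw": body[off:].hex()})  # leave other types to the analyst
    return asdu


def parse_apdu(data: bytes) -> dict:
    """Parse one APDU: 0x68, length, 4 control-field bytes, optional ASDU."""
    if len(data) < 6 or data[0] != 0x68:
        raise ValueError("not an IEC104 APDU (missing 0x68 start byte)")
    if data[1] + 2 != len(data):
        raise ValueError(f"length field {data[1]} does not match {len(data) - 2} bytes")
    cf = data[2:6]
    if cf[0] & 0x01 == 0:          # I-format: numbered information transfer
        return {"format": "I", "send_seq": (cf[0] >> 1) | (cf[1] << 7),
                "recv_seq": (cf[2] >> 1) | (cf[3] << 7), "asdu": parse_asdu(data[6:])}
    if cf[0] & 0x03 == 0x01:       # S-format: supervisory acknowledgement only
        return {"format": "S", "recv_seq": (cf[2] >> 1) | (cf[3] << 7)}
    func = cf[0] & 0xFC            # U-format: unnumbered link control
    return {"format": "U", "u_function": U_FUNCTIONS.get(func, f"unknown 0x{func:02x}")}


def detect_control_commands(frames) -> list:
    """Return one alert string per control command sent with COT=activation."""
    alerts = []
    for n, frame in enumerate(frames):
        try:
            apdu = parse_apdu(frame)
        except ValueError as exc:
            alerts.append(f"frame {n}: malformed ({exc})")
            continue
        if apdu["format"] != "I":
            continue
        asdu = apdu["asdu"]
        if asdu["type_id"] not in CONTROL_TYPES or asdu["cot"] != COT_ACTIVATION:
            continue
        for obj in asdu["objects"]:
            if "ioa" in obj:
                phase = "SELECT" if obj["select"] else "EXECUTE"
                alerts.append(f"frame {n}: {asdu['type_name']} {phase} "
                              f"IOA {obj['ioa']} -> {obj['state']} (CA {asdu['common_addr']})")
            else:
                alerts.append(f"frame {n}: {asdu['type_name']} activation (CA {asdu['common_addr']})")
    return alerts


# Constructed sample session: link start-up, select then execute of a single
# command on IOA 1, a double command on IOA 2, and the RTU's activation
# confirmation (COT=7), which is a reply rather than a command and must not be flagged.
SAMPLE_FRAMES = [
    bytes.fromhex("68 04 07 00 00 00"),                                   # U: STARTDT act
    bytes.fromhex("68 0e 00 00 00 00 2d 01 06 00 01 00 01 00 00 81"),  # C_SC_NA_1 SELECT ON
    bytes.fromhex("68 0e 02 00 02 00 2d 01 06 00 01 00 01 00 00 01"),  # C_SC_NA_1 EXECUTE ON
    bytes.fromhex("68 0e 04 00 04 00 2e 01 06 00 01 00 02 00 00 02"),  # C_DC_NA_1 EXECUTE ON
    bytes.fromhex("68 0e 06 00 06 00 2d 01 07 00 01 00 01 00 00 01"),  # COT=7 act-con, ignored
]
```

Running `detect_control_commands(SAMPLE_FRAMES)` yields three alerts (select, execute, then the double command) and nothing for the STARTDT or the confirmation. In a real deployment this logic would sit on a network sensor spanning the SCADA segment, and the useful signal is not the command itself, which operators also send, but commands arriving from a host that is not the HMI, or a burst of select/execute pairs across many IOAs, which is the behaviour the advisory describes.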

Wipes data

It also has a data wiper component named haslo.dat which can:
  • Delete registry keys and files (this can render the system unusable)
  • Overwrite files

Analysis by: Andrei Saygo

Last update 24 June 2017


