
PWS:Win32/Jomloon.E


First posted on 21 February 2019.
Source: Microsoft

Aliases:

PWS:Win32/Jomloon.E is also known as TR/Spy.Gen, Trojan-PSW.Win32.QQPass.aaea, Trojan-PWS.Win32.Jomloon.e.

Explanation:

PWS:Win32/Jomloon.E is a trojan that captures logon credentials for a popular online role playing game named "Dungeons and Fighters", aka DNFChina.

Installation

When this trojan is run, it drops a DLL component into the Windows system folder. In the wild, this trojan was observed to install itself under one of the following names:

%windir%\System32\immd32.dll
%windir%\System32\imm132.dll
%windir%\System32\flashd32.dll

The registry may be modified to run the trojan at each Windows start.

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
Sets value: "{68101905-D80F-5788-96F6-986A8186178A}"
With data: ""

In subkey: HKLM\SOFTWARE\Classes\CLSID\{68101905-D80F-5788-96F6-986A8186178A}\InProcServer32
Sets value: "(default)"
With data: "" such as "flashd32.dll"

Payload

Captures game password

PWS:Win32/Jomloon.E captures logon credentials for a popular online role playing game named "Dungeons and Fighters". The trojan monitors active processes for names related to the game and hijacks the URL parameters. The trojan author could use the captured credentials to transfer gamer statistics to the author's own gamer account.

Analysis by Jaime Wong
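A defender-side triage check for the ShellExecuteHooks persistence described above, added here as an example and not part of the original write-up or Microsoft's analysis: it parses a Windows registry export (.reg text, for instance taken from a disk image) and reports every ShellExecuteHooks CLSID whose InProcServer32 DLL matches the CLSID or DLL file names listed in the description. The sample export, the all-zero placeholder CLSID and the benign DLL path are constructed; only the Jomloon CLSID and file names come from the page.

```python
# Indicators are quoted from the description above; SAMPLE_REG is a constructed .reg export.
JOMLOON_CLSID = "{68101905-D80F-5788-96F6-986A8186178A}"
JOMLOON_DLL_NAMES = {"immd32.dll", "imm132.dll", "flashd32.dll"}
HOOKS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks"
CLSID_BASE = r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID"

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{00000000-0000-0000-0000-000000000001}"=""
"{68101905-D80F-5788-96F6-986A8186178A}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000001}\InProcServer32]
@="C:\\Program Files\\Example\\benignhook.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{68101905-D80F-5788-96F6-986A8186178A}\InProcServer32]
@="C:\\Windows\\System32\\flashd32.dll"
'''

def parse_reg_export(text):
    """Minimal .reg parser: {key: {value_name: data}} for REG_SZ lines ("name"="data", @="data")."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            name = "(default)" if name == "@" else name.strip('"')
            keys[current][name] = data.strip('"').replace("\\\\", "\\")  # un-escape backslashes
    return keys

def resolve_shell_execute_hooks(keys):
    """Map each CLSID under ShellExecuteHooks to its InProcServer32 DLL path (None if unregistered)."""
    result = {}
    for clsid in keys.get(HOOKS_KEY, {}):
        server = keys.get(f"{CLSID_BASE}\\{clsid}\\InProcServer32", {})
        result[clsid] = server.get("(default)")
    return result

def flag_jomloon(hooks):
    """Return (clsid, dll) pairs whose CLSID or DLL file name matches the description."""
    flagged = []
    for clsid, dll in hooks.items():
        dll_name = dll.rsplit("\\", 1)[-1].lower() if dll else ""
        if clsid.upper() == JOMLOON_CLSID or dll_name in JOMLOON_DLL_NAMES:
            flagged.append((clsid, dll))
    return flagged
```

On a live host the same two keys can be read with the winreg module instead of a .reg export; a hook whose DLL lives in the system folder but is not signed or known is worth inspecting even when its name differs from the three listed.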

Last update 21 February 2019
