Trojan:Win32/Boaxxe.E
First posted on 04 April 2019.
Source: Microsoft

Aliases:
Trojan:Win32/Boaxxe.E is also known as Trojan-Dropper.Win32.Boaxxe.bg, Trojan.DR.Boaxxe.DNG, Clicker.ADNM, Win32/TrojanClicker.Delf.NHC, Trj/Boaxxe.Q, WORM_DOWNAD.GJX.

Explanation:
Payload: Drops and installs other malware

Trojan:Win32/Boaxxe.E drops a DLL file with a random file name in the Windows system folder. The dropped file is detected as Trojan:Win32/Boaxxe.F and is registered as a Browser Helper Object (BHO). For example, for the dropped file 'dwjvzib.dll', the CLSID used to register it as a BHO is the following:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5B6FD59E-CAD7-41D3-98B8-51ACCA596EF8}

Trojan:Win32/Boaxxe.E also creates a scheduled task to install its dropped file every day at a specific time. The task contains the following command:

rundll32.exe .dll, DllMain

It also installs its dropped file as a service. For example, the dropped file 'dwjvzib.dll' may have the service name 'Mouse Class Monitor':

Adds value: "ServiceDll"
With data: "dwjvzib.dll"
To subkey: HKLM\SYSTEM\ControlSet\Services\mqxblzgd\Parameters

Adds value: "ImagePath"
With data: "%SystemRoot%\System32\svchost.exe -k netsvcs"
Adds value: "Description"
With data: "Monitor for Mouse Class"
Adds value: "DisplayName"
With data: "Mouse Class Monitor"
To subkey: HKLM\SYSTEM\ControlSet\Services\mqxblzgd

Trojan:Win32/Boaxxe.E also ensures that its dropped file is loaded into the 'Winlogon' process by creating a registry subkey and entries, for example:

Adds value: "DLLName"
With data: "dwjvzib.dll"
To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ovmpvnzn

Analysis by Marian Radu
Last update 04 April 2019
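The four persistence locations described above (BHO registration, a rundll32 scheduled task, an svchost-hosted service with a ServiceDll, and a Winlogon Notify package) can be swept with a short PowerShell script. The script below is an added example written for this page, not code from Microsoft or from the malware write-up. It uses only built-in cmdlets; the indicator values (the CLSID, the DLL name 'dwjvzib.dll', the service key 'mqxblzgd' and the Notify subkey 'ovmpvnzn') are the examples given in the write-up and will differ on a real infection because the names are randomly generated, so the script also flags any entry whose DLL is missing or not validly signed. The service path it reads is HKLM\SYSTEM\CurrentControlSet\Services (the live view of the ControlSet key named in the text). Run it from an elevated prompt.

```powershell
# Added example (not from the Microsoft write-up): enumerate the persistence
# locations Boaxxe.E uses and report entries that match the published
# indicators or that point at a missing/unsigned DLL.

$KnownIoCs = @{
    BhoClsid    = '{5B6FD59E-CAD7-41D3-98B8-51ACCA596EF8}'  # CLSID from the write-up
    DllName     = 'dwjvzib.dll'                             # example name from the write-up (random in practice)
    ServiceName = 'mqxblzgd'                                # example service key from the write-up
    NotifyKey   = 'ovmpvnzn'                                # example Winlogon Notify subkey from the write-up
}

function Test-SuspiciousDll {
    param([string]$Path)
    # A bare file name is resolved the way the loader resolves it: from System32.
    if (-not [System.IO.Path]::IsPathRooted($Path)) {
        $Path = Join-Path $env:SystemRoot "System32\$Path"
    }
    $Path = [Environment]::ExpandEnvironmentVariables($Path)
    if (-not (Test-Path -LiteralPath $Path)) { return "DLL missing on disk: $Path" }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') { return "DLL not validly signed ($($sig.Status)): $Path" }
    return $null
}

$findings = @()

# 1. Browser Helper Objects: each subkey is a CLSID; its DLL is the default value
#    of HKCR\CLSID\{clsid}\InprocServer32.
$bhoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
if (Test-Path $bhoRoot) {
    foreach ($k in Get-ChildItem $bhoRoot) {
        $clsid  = $k.PSChildName
        $server = Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue
        $dll    = $server.'(default)'
        if ($clsid -ieq $KnownIoCs.BhoClsid) {
            $findings += "BHO CLSID matches Boaxxe indicator: $clsid -> $dll"
        } elseif ($dll) {
            $why = Test-SuspiciousDll $dll
            if ($why) { $findings += "BHO ${clsid}: $why" }
        }
    }
}

# 2. svchost-hosted services: Parameters\ServiceDll names the DLL that
#    'svchost.exe -k netsvcs' loads for the service.
foreach ($svc in Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services') {
    $params = Get-ItemProperty -Path (Join-Path $svc.PSPath 'Parameters') -ErrorAction SilentlyContinue
    if (-not $params -or -not $params.ServiceDll) { continue }
    $leaf = Split-Path $params.ServiceDll -Leaf
    if ($svc.PSChildName -ieq $KnownIoCs.ServiceName -or $leaf -ieq $KnownIoCs.DllName) {
        $findings += "service $($svc.PSChildName) matches Boaxxe indicator: ServiceDll=$($params.ServiceDll)"
        continue
    }
    $why = Test-SuspiciousDll $params.ServiceDll
    if ($why) { $findings += "service $($svc.PSChildName): $why" }
}

# 3. Winlogon Notify packages: any subkey with a DLLName value is loaded into
#    winlogon.exe on the legacy Windows versions that honour this key.
$notifyRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
if (Test-Path $notifyRoot) {
    foreach ($k in Get-ChildItem $notifyRoot) {
        $dll = (Get-ItemProperty -Path $k.PSPath -ErrorAction SilentlyContinue).DLLName
        if ($k.PSChildName -ieq $KnownIoCs.NotifyKey -or $dll -ieq $KnownIoCs.DllName) {
            $findings += "Winlogon Notify $($k.PSChildName) matches Boaxxe indicator: DLLName=$dll"
        } elseif ($dll) {
            $why = Test-SuspiciousDll $dll
            if ($why) { $findings += "Winlogon Notify $($k.PSChildName): $why" }
        }
    }
}

# 4. Scheduled tasks whose action is rundll32 calling a DllMain export, the
#    re-install mechanism described in the write-up.
foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    foreach ($a in $task.Actions) {
        if ($a.Execute -match 'rundll32' -and $a.Arguments -match 'DllMain') {
            $findings += "scheduled task '$($task.TaskName)' runs: $($a.Execute) $($a.Arguments)"
        }
    }
}

if ($findings) {
    $findings | ForEach-Object { Write-Output "[!] $_" }
} else {
    Write-Output 'No Boaxxe-style persistence entries found.'
}
```

A signature check is used as the generic filter because the dropped file carries a random name and cannot be matched by name; legitimate third-party BHOs or service DLLs that are unsigned will also be listed, so treat the output as a triage list and confirm each hit against the file's hash and origin.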