
TrojanSpy:MSIL/Omaneat


First posted on 14 March 2017.
Source: Microsoft

Aliases:

There are no other names known for TrojanSpy:MSIL/Omaneat.

Explanation:

Installation

This threat creates a copy of itself as a hidden file in %ProgramData%. We have seen it use the following file names:

  • %ProgramData%\client\client.exe
  • %ProgramData%\document\client.exe
  • %ProgramData%\notepad.exe
  • %APPDATA%\clienonitor.exe


It creates various encrypted registry entries for configuration. It also creates registry entries so that it runs every time your PC starts, for example:

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
Sets value: Client
With data: "cmd /c start Client"

The malware uses code injection to make it harder to detect and remove. It can inject code into running processes.

Payload

Collects sensitive information

This threat can collect your sensitive information without your consent. This can include:
  • The keys you press
  • The applications you open
  • Your web browsing history
  • Your credit card information
  • Your user names and passwords


It also takes screenshots, encrypts them, and saves them in the following folder:
  • %APPDATA%\roaming\monitor\screenshots\


For example, C:\Users\Administrator\AppData\roaming\monitor\screenshots\03-09-2017\10.25 AM.

We have seen it take screenshots every 10 minutes, but it may vary based on the configuration.
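The dropped-file names, the RunOnce value and the screenshot folder above are all host-side indicators a responder can sweep for directly. The following PowerShell is an added example and is not part of the original Microsoft write-up: it checks the paths and registry value exactly as the page lists them, using -Force so the hidden copies are not skipped, and reports a file hash for each hit so it can be compared against your own sandbox or AV telemetry. The function names are this example's own.

```powershell
# Added example (not from the original advisory): sweep a Windows host for the
# file, registry and screenshot-folder indicators listed on this page.
# Run from an elevated PowerShell prompt so HKLM and %ProgramData% are readable.

$DroppedFiles = @(
    (Join-Path $env:ProgramData 'client\client.exe'),
    (Join-Path $env:ProgramData 'document\client.exe'),
    (Join-Path $env:ProgramData 'notepad.exe'),
    (Join-Path $env:APPDATA     'clienonitor.exe')
)
$ScreenshotDir = Join-Path $env:APPDATA 'roaming\monitor\screenshots'

function Find-OmaneatFiles {
    foreach ($path in $DroppedFiles) {
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            # -Force is required: the advisory says the copies are written as hidden files.
            $item = Get-Item -LiteralPath $path -Force
            [pscustomobject]@{
                Indicator = 'DroppedFile'
                Detail    = $item.FullName
                Hidden    = [bool]($item.Attributes -band [IO.FileAttributes]::Hidden)
                SHA256    = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            }
        }
    }
}

function Find-OmaneatScreenshots {
    if (Test-Path -LiteralPath $ScreenshotDir -PathType Container) {
        # Encrypted screenshots are stored in dated subfolders (e.g. 03-09-2017\10.25 AM).
        $count = (Get-ChildItem -LiteralPath $ScreenshotDir -Recurse -Force -File).Count
        [pscustomobject]@{ Indicator = 'ScreenshotFolder'; Detail = "$ScreenshotDir ($count files)"; Hidden = $null; SHA256 = $null }
    }
}

function Find-OmaneatRunOnce {
    $key = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    if (-not (Test-Path -LiteralPath $key)) { return }
    $props = Get-ItemProperty -LiteralPath $key
    # Get-ItemProperty adds provider metadata (PSPath etc.); ignore those, inspect real values.
    $meta  = 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider'
    foreach ($p in $props.PSObject.Properties) {
        if ($meta -contains $p.Name) { continue }
        $data = [string]$p.Value
        # Match either the value name "Client" or data beginning "cmd /c start Client".
        if ($p.Name -eq 'Client' -or $data -match '^cmd /c start Client') {
            [pscustomobject]@{ Indicator = 'RunOnce'; Detail = "$($p.Name) = $data"; Hidden = $null; SHA256 = $null }
        }
    }
}

$hits = @(Find-OmaneatFiles) + @(Find-OmaneatScreenshots) + @(Find-OmaneatRunOnce)
if ($hits.Count -eq 0) {
    'No Omaneat host indicators found.'
} else {
    $hits | Format-Table -AutoSize
}
```

Because the sample injects into running processes, a clean result from this sweep does not clear the host on its own; treat it as one input alongside process memory inspection and the network indicators described further down.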

Connects to a remote host

We have seen this threat connect to remote hosts, including:
  • apalumin[.]ddns[.]net using port 1338
  • samsonlove[.]ddns[.]net at TCP port 19319
  • 193[.]150[.]13[.]211 at TCP port 25418
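The host/port pairs above are the network indicators worth matching against firewall, proxy or DNS logs. The PowerShell below is an added example, not part of the original write-up; it un-defangs the three indicators, parses a constructed log format (your own log source will need a different regex), and flags a hit on the destination host while recording whether the port is the one seen in the wild, so a known host on a new port is still surfaced. The log lines and function name are this example's own.

```powershell
# Added example (not from the original advisory): match the C2 indicators listed
# on this page against connection log lines. The log format is constructed for
# the example: "<timestamp> <src> -> <dst>:<port> <proto>".

$C2Hosts = @(
    @{ Host = 'apalumin.ddns.net';   Port = 1338  },
    @{ Host = 'samsonlove.ddns.net'; Port = 19319 },
    @{ Host = '193.150.13.211';      Port = 25418 }
)

# Constructed sample log (not real traffic). Lines 1 and 3 are exact IOC matches,
# line 4 is a known C2 host on an unexpected port, line 2 is benign.
$SampleLog = @'
2017-03-09T10:25:01Z 10.0.0.15 -> 193.150.13.211:25418 TCP
2017-03-09T10:25:02Z 10.0.0.15 -> 93.184.216.34:443 TCP
2017-03-09T10:35:04Z 10.0.0.22 -> apalumin.ddns.net:1338 TCP
2017-03-09T10:35:09Z 10.0.0.22 -> samsonlove.ddns.net:443 TCP
'@ -split "`r?`n"

function Find-OmaneatConnections {
    param([string[]]$Lines)
    $pattern = '^(?<ts>\S+)\s+(?<src>\S+)\s+->\s+(?<dst>[^:\s]+):(?<port>\d+)'
    foreach ($line in $Lines) {
        if ($line -notmatch $pattern) { continue }   # skip blank or malformed lines
        $ts   = $Matches.ts
        $src  = $Matches.src
        $dst  = $Matches.dst
        $port = [int]$Matches.port
        foreach ($c2 in $C2Hosts) {
            # The destination host is the strong signal; the port only tells you whether
            # this is the exact pairing from the advisory or a variation to investigate.
            if ($dst -eq $c2.Host) {
                [pscustomobject]@{
                    Time        = $ts
                    Source      = $src
                    Destination = "${dst}:$port"
                    KnownPort   = ($port -eq $c2.Port)
                }
            }
        }
    }
}

# Usage with the constructed sample; replace $SampleLog with Get-Content on a real export.
Find-OmaneatConnections -Lines $SampleLog | Format-Table -AutoSize
```

Dynamic DNS names such as these can resolve to different addresses over time, so match on the hostname in DNS or proxy logs rather than relying only on the single IP the advisory lists.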

Analysis by Jeong Mun

Last update 14 March 2017
