
TrojanSpy:Win32/Banker.SJ


First posted on 05 April 2019.
Source: Microsoft

Aliases:

TrojanSpy:Win32/Banker.SJ is also known as W32/SuspPack.M.gen!Eldorado, Trojan.Win32.Delf.aibt, Trojan horse Dropper.Generic3.KML, Trojan.Siggen2.11219, Trojan-Banker.Win32.Banker, Trojan.Win32.Generic.pak!cobra, TSPY_BANCOS.SSD.

Explanation:

TrojanSpy:Win32/Banker.SJ is a member of the Win32/Banker family that disables antivirus and security software.

Installation

TrojanSpy:Win32/Banker.SJ modifies the following registry entry to ensure that its copy executes at each Windows start:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "explorer"
With data: 

The trojan also makes the following registry modification after reboot:

In subkey: HKLM\CurrentControlSet\Control\Session Manager
Sets value: "BootExecute"
From data: "autocheck autochk *"
With data: "autocheck autochk * Partizan"

Note: The original data is restored after reboot.

TrojanSpy:Win32/Banker.SJ may create the following files on the affected computer:

%SystemDrive%\ackup.reg
%SystemDrive%\cleanup.bat
%SystemDrive%\cleanup.exe
%SystemDrive%\zip.exe
%SystemDrive%\avenger.txt
drivers.sys
driverswsnp.sys
%TEMP%\KB998866.log
%TEMP%\KB961355.log
%TEMP%\KB967866.log
%TEMP%\KB964421.log
%TEMP%\subinacl.exe
%TEMP%\gbieh.exe
%TEMP%\KB923121.log
%TEMP%\KB992702.txt
%TEMP%\KB923321.log

As part of its installation process, TrojanSpy:Win32/Banker.SJ may move the following files:

%ProgramFiles%\Scpad to %SystemDrive%\Avenger\Scpad\*.dll
<system folder>\drivers\gbpkm.sys to %SystemDrive%\Avenger\gbpkm.sys

Note: <system folder> refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; for XP, Vista, and 7 it is C:\Windows\System32.

Payload

Installs other programs

TrojanSpy:Win32/Banker.SJ attempts to delete files installed by banks for protection against fraud. It installs a program called 'Avenger' that has been observed deleting certain files that relate to specific online banking and antivirus software.

The file %TEMP%\KB992702.txt contains a list of processes, registry keys, files and folders that the 'Avenger' program is instructed to remove. For example, it includes the following instructions:

Drivers to delete:
GbpKm
GbpSv
NOD32krn
avast! Antivirus
avast! Web Scanner
AVG Free WatchDog
avg9emc
avg8emc
avg7emc

Registry keys to delete:
HKLM\SYSTEM\CurrentControlSet\Services\GbpKm
HKLM\SYSTEM\ControlSet001\Services\GbpKm
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_GBPKM\000
HKLM\SYSTEM\CurrentControlSet\Services\NOD32krn
HKLM\SYSTEM\CurrentControlSet\Services\avg9emc
HKLM\SYSTEM\CurrentControlSet\Services\avg9wd
HKLM\SYSTEM\CurrentControlSet\Services\avast! Antivirus
HKLM\SYSTEM\CurrentControlSet\Services\avast! Web Scanner

Files to delete:
%windir%\system32\drivers\gbpkm.sys
%ProgramFiles%\GbPlugin\GbpSv.exe
%ProgramFiles%\Eset\nod32krn.exe
%ProgramFiles%\Eset\nod32kui.exe
%ProgramFiles%\Alwil Software\Avast4\ashServ.exe
%ProgramFiles%\Alwil Software\Avast4\ashWebSv.exe
%ProgramFiles%\Alwil Software\Avast5\AvastSvc.exe
%ProgramFiles%\AVG\AVG9\avgwdsvc.exe
%ProgramFiles%\AVG\AVG8\avgwdsvc.exe
%ProgramFiles%\AVG\AVG7\avgwdsvc.exe

Folders to delete:
%ProgramFiles%\Scpad

Deletes files

TrojanSpy:Win32/Banker.SJ attempts to delete the following files:

<system folder>\drivers\gbpkm.sys
%windir%\Downloaded Program Files
%ProgramFiles%\GbPlugin
%program files%\Scpad

Additional information

In the wild, we have observed TrojanSpy:Win32/Banker.SJ being installed with the following malware:

TrojanSpy:Win32/Banker.SK
TrojanDownloader:Win32/Delf.NF

Analysis by Michael Johnson
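The two registry changes and the 'Avenger' instruction list above are the indicators a responder would check for first. The following Python is an added triage example, not Microsoft's or malwarePDF's code: it runs offline against a constructed in-memory registry snapshot (the key layout, the benign "ExampleUpdater" Run value and the shortened KB992702.txt-style script are all constructed here from entries quoted in the write-up), reports anything appended to the stock BootExecute line, flags a Run value named "explorer", and parses the section-style instruction list to show which security components it targets. The function names and the SECURITY_MARKERS substring list are this example's own choices; on a live Windows host the same functions can be fed values read with the standard winreg module.

```python
"""Offline triage helpers for the TrojanSpy:Win32/Banker.SJ indicators.

Added example, not Microsoft's or malwarePDF's code.  Nothing here touches a
real registry: the checks run on a constructed snapshot so they can be read
and tested anywhere.
"""
from typing import Dict, List

# Stock BootExecute line that the write-up says the trojan changes "from".
CLEAN_BOOTEXECUTE = ["autocheck autochk *"]

# Substrings (taken from the write-up's instruction list) that identify the
# banking-protection and antivirus components the trojan goes after.
SECURITY_MARKERS = ("gbp", "scpad", "nod32", "avast", "avg")

RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
SESSION_MANAGER_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\Session Manager"


def bootexecute_extra_entries(value: List[str]) -> List[str]:
    """Return anything in Session Manager\\BootExecute beyond the stock
    'autocheck autochk *' line.  The trojan appends 'Partizan' to that line,
    so tokens after '*' (or any line that is not the stock one) are reported."""
    extras: List[str] = []
    for entry in value:
        tokens = entry.split()
        if tokens[:3] == ["autocheck", "autochk", "*"]:
            extras.extend(tokens[3:])
        else:
            extras.append(entry)
    return extras


def suspicious_run_values(run_key: Dict[str, str]) -> Dict[str, str]:
    """Flag Run-key values named 'explorer', the name the write-up reports;
    Windows does not start the real explorer.exe from this key."""
    return {name: data for name, data in run_key.items()
            if name.lower() == "explorer"}


def parse_avenger_script(text: str) -> Dict[str, List[str]]:
    """Parse the section-style list ('Drivers to delete:', 'Files to delete:',
    ...) into {section: [entries]}.  A heading is a line ending in ':'."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":"):
            current = line[:-1]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def security_targets(sections: Dict[str, List[str]]) -> List[str]:
    """Entries across all sections that name a security component."""
    hits: List[str] = []
    for entries in sections.values():
        for entry in entries:
            low = entry.lower()
            if any(marker in low for marker in SECURITY_MARKERS):
                hits.append(entry)
    return hits


# Constructed sample: a registry snapshot as the trojan leaves it (the
# ExampleUpdater value is a made-up benign entry) and a shortened instruction
# list built from entries quoted in the write-up.
SAMPLE_SNAPSHOT = {
    RUN_KEY: {
        "explorer": "<path to trojan copy, constructed placeholder>",
        "ExampleUpdater": r"C:\Program Files\Example\updater.exe",
    },
    SESSION_MANAGER_KEY: {
        "BootExecute": ["autocheck autochk * Partizan"],
    },
}

SAMPLE_AVENGER_SCRIPT = """\
Drivers to delete:
GbpKm
NOD32krn
avast! Antivirus

Registry keys to delete:
HKLM\\SYSTEM\\CurrentControlSet\\Services\\GbpKm

Files to delete:
%windir%\\system32\\drivers\\gbpkm.sys
%ProgramFiles%\\Eset\\nod32krn.exe

Folders to delete:
%ProgramFiles%\\Scpad
"""


def triage(snapshot: Dict[str, dict], script_text: str) -> Dict[str, object]:
    """Combine the three checks into one report."""
    return {
        "run_values": suspicious_run_values(snapshot[RUN_KEY]),
        "bootexecute_extras": bootexecute_extra_entries(
            snapshot[SESSION_MANAGER_KEY]["BootExecute"]),
        "avenger_targets": security_targets(parse_avenger_script(script_text)),
    }


if __name__ == "__main__":
    for name, finding in triage(SAMPLE_SNAPSHOT, SAMPLE_AVENGER_SCRIPT).items():
        print(f"{name}: {finding}")
```

Because the write-up notes that the original BootExecute data is restored after reboot, the BootExecute check is most useful on a snapshot taken before the next restart (or on a disk image of the SYSTEM hive) rather than on a host that has already rebooted.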

Last update 05 April 2019
