
Trojan:Win32/Necurs.A


First posted on 05 September 2019.
Source: Microsoft

Aliases :

Trojan:Win32/Necurs.A is also known as Win32/TrojanDownloader.Necurs.B and Trojan-Dropper.Win32.Necurs.va.

Explanation :

Installation

This threat drops the following file:

%windir%\Installer\{GUID}\syshost.exe

{GUID} is a random 16-digit hexadecimal number.

It installs the file as a service with the display name "Syshost.exe" and the load-order group name "Boot Bus Extender". Installing itself as a service lets it run every time Windows starts.

It also creates the following named pipe and events to make sure that only one instance of itself is running at any particular time:

named pipe \\.\NtSecureSys
event Global\NitrGB
event Local\NitrGB

This threat injects code into all running processes. It does this to hide its behavior from antivirus software.
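To hunt for the persistence and single-instance artifacts listed above on a Windows host, here is an added PowerShell check; it is not part of the original write-up. It assumes the service's internal name is unknown (so it matches on display name, group and binary path), that the pipe is created in the standard \\.\pipe\ namespace, and that it runs with administrative rights so Global\ objects can be opened.

```powershell
# Added hunt script (not from the original write-up). Flags the Necurs.A
# persistence and single-instance artifacts described above on the local host.
$findings = @()

# 1. Service registered with display name "Syshost.exe", or a binary under
#    %windir%\Installer\{GUID}\syshost.exe ({GUID} = 16 hex digits, braces optional),
#    or any syshost.exe service placed in the "Boot Bus Extender" load-order group.
$pathPattern = '\\Installer\\\{?[0-9A-Fa-f]{16}\}?\\syshost\.exe'
foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    $regKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)"
    $group  = (Get-ItemProperty -Path $regKey -ErrorAction SilentlyContinue).Group
    if ($svc.DisplayName -eq 'Syshost.exe' -or
        $svc.PathName -match $pathPattern -or
        ($group -eq 'Boot Bus Extender' -and $svc.PathName -match 'syshost\.exe')) {
        $findings += "Service '$($svc.Name)' display='$($svc.DisplayName)' group='$group' path='$($svc.PathName)'"
    }
}

# 2. Named pipe used as the single-instance check. Assumption: the pipe is
#    looked up as \\.\pipe\NtSecureSys, the normal Windows pipe namespace.
if ([System.IO.Directory]::GetFiles('\\.\pipe\') -contains '\\.\pipe\NtSecureSys') {
    $findings += 'Named pipe NtSecureSys is present'
}

# 3. Events used as the single-instance check. OpenExisting throws
#    WaitHandleCannotBeOpenedException when the object does not exist.
foreach ($evt in 'Global\NitrGB', 'Local\NitrGB') {
    try {
        $h = [System.Threading.EventWaitHandle]::OpenExisting($evt)
        $h.Dispose()
        $findings += "Event $evt is present"
    } catch [System.Threading.WaitHandleCannotBeOpenedException] {
        # not present: nothing to report
    } catch [System.UnauthorizedAccessException] {
        $findings += "Event $evt exists but could not be opened (access denied)"
    }
}

if ($findings) {
    $findings | ForEach-Object { Write-Output "[!] $_" }
} else {
    Write-Output 'No Trojan:Win32/Necurs.A artifacts found'
}
```

A match on the service check alone is strong enough to isolate the host and pull the service binary for analysis; the pipe and event checks only confirm that an instance is currently running.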

It connects to the following domains to check if your PC is connected to the Internet, and to get the current date and time. These websites are not affiliated with the malware in any way:

facebook.com
microsoft.com

Payload

Connects to certain servers

This threat connects to the following servers every 20 seconds to send and receive messages:

0.pool.ntp.org
1.pool.ntp.org

At the time of publishing, these servers were unavailable.

Analysis by Ferdinand Plazo

Last update 05 September 2019
