
Win32/Ghokswa


First posted on 11 October 2016.
Source: Microsoft

Aliases:

There are no other names known for Win32/Ghokswa.

Explanation:

Installation

This threat is usually installed by Trojan:Win32/Xadupi.

Chrome


This threat installs a modified version of Chrome in a similar way to how the real Google Chrome would be installed, but uses various folder names such as:

  • %ProgramFiles%\Bangone
  • %ProgramFiles%\Bigjane
  • %ProgramFiles%\Birdkiss
  • %ProgramFiles%\Birdmay
  • %ProgramFiles%\Cupblue
  • %ProgramFiles%\Eastfat
  • %ProgramFiles%\Eastness
  • %ProgramFiles%\Fishlamp
  • %ProgramFiles%\Footblue
  • %ProgramFiles%\ghokswa Browser
  • %ProgramFiles%\Goldlarry
  • %ProgramFiles%\Gotoe
  • %ProgramFiles%\Guntony
  • %ProgramFiles%\Hipbear
  • %ProgramFiles%\Hipfat
  • %ProgramFiles%\Hiprain
  • %ProgramFiles%\Jamben
  • %ProgramFiles%\Junetoe
  • %ProgramFiles%\Lefttoe
  • %ProgramFiles%\Monold
  • %ProgramFiles%\Nobean
  • %ProgramFiles%\Nosejane
  • %ProgramFiles%\Outlose
  • %ProgramFiles%\Seablue
  • %ProgramFiles%\Toolrain
  • %ProgramFiles%\vreXjvX
  • %ProgramFiles%\Yesdear
  • %ProgramFiles%\Zooface


Like the legitimate Google Chrome browser, it also stores data files under %LOCALAPPDATA% in a folder with a name that matches the one in %ProgramFiles%, for example:

%LOCALAPPDATA%\Gotoe

If the real Google Chrome is running at the time of installation, Ghokswa will terminate its processes. Ghokswa will also replace any existing Chrome shortcuts and file (for example, .htm, .html) or protocol (for example, HTTP, HTTPS) associations to point to its own modified Chrome browser.



Ghokswa also installs its own equivalents of Google Chrome's scheduled tasks, with names such as GotoeUpdateTaskMachineCore and GotoeUpdateTaskMachineUA.

Firefox

Ghokswa installs a modified version of Firefox in a similar way to how the real Mozilla Firefox would be installed, but into a different folder, for example, %ProgramFiles%\Firefox instead of %ProgramFiles%\Mozilla Firefox.

Like the legitimate Mozilla Firefox, it also stores data files under %LOCALAPPDATA%, for example, %LOCALAPPDATA%\Firefox\Firefox instead of %LOCALAPPDATA%\Mozilla\Firefox.

If the real Mozilla Firefox is running at the time of installation, Ghokswa will terminate its processes. Ghokswa will also replace any existing Firefox shortcuts and file (for example, .htm, .html) or protocol (for example, HTTP, HTTPS) associations to point to its own modified Firefox browser.

Ghokswa also installs two services, with filenames such as:
  • %ProgramFiles%\Firefox\bin\FirefoxCommand.exe
  • %ProgramFiles%\Firefox\bin\FirefoxUpdate.exe


Name: FirefoxU
Display Name: Update Service(FirefoxU)
Description: Keeps your Firefox software up to date. If this service is disabled or stopped, your Firefox software will not be kept up to date, meaning security vulnerabilities that may arise cannot be fixed and features may not work. This service uninstalls itself when there is no Firefox software using it.
Path to executable: "C:\Program Files (x86)\Firefox\bin\FirefoxUpdate.exe"
Startup type: Automatic (Delayed Start)

Name: CommandHandler
Display Name: Command Service(CommandHandler)
Description: Keeps your os running normally. If this service is disabled or stopped, your os may not work.
Path to executable: "C:\Program Files (x86)\Firefox\bin\FirefoxCommand.exe"
Startup type: Automatic (Delayed Start)

Payload

Replaces Google Chrome, hijacks settings


This threat replaces any existing Google Chrome shortcuts and associations to point to its modified Chrome browser. In doing so it can change search and home page settings without user consent. Ghokswa's modified version of Chrome also sends additional data to domains unrelated to those the user visits in the browser, such as cloud.chromlum.org, cs.chromlum.org, and cl.qbitka.com. Some of this data includes the Ghokswa Chrome settings for home page and search engine.

Replaces Mozilla Firefox, hijacks settings

This threat replaces any existing Mozilla Firefox shortcuts and associations to point to its modified Firefox browser. In doing so it can change search and home page settings without user consent.

Ghokswa also sends additional data to domains unrelated to those the user visits in the browser, such as cloud.firefox1.com, cloud.brobgser.com, and xa.firefox1.com.

Some of this data includes the Ghokswa Firefox settings for home page and search engine.

Receives remote instructions

Because Ghokswa's scheduled tasks and services connect to untrusted domains, they could be used to install additional, possibly unwanted, software.



Analysis by: Hamish O'Dea

Last update 11 October 2016
