Win32/Juasek [Threat Name] go to Threat
Win32/Juasek.C [Threat Variant Name]
| Category | trojan |
| Size | 139264 B |
| Detection created | Aug 16, 2017 |
| Detection database version | 15923 |
| Aliases | Trojan-Dropper.Win32.Agent.bjtcfl (Kaspersky) |
| Trojan.MulDrop7.37437 (Dr.Web) |
Short description
The trojan serves as a backdoor. It can be controlled remotely.
Installation
When executed, the trojan creates the following files:
- %system%\spksrvte.dll (114688 B, Win32/Juasek.C)
The trojan registers file as a system service.
Its filename is the following:
- WMNNet
The following Registry entries are set:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost]
- "WMNNet" = "WMNNet"
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMNNet]
- "Description" = "Windows Manaement Network Service"
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMNNet\Parameters]
- "ServiceDll" = "%system%\spksrvte.dll"
This way the trojan ensures that the file is executed on every system start.
The trojan may delete the following files:
- %system%\spksrvte.dll.bak
Information stealing
The trojan collects the following information:
- computer IP address
- computer name
The trojan attempts to send gathered information to a remote machine.
Other information
The trojan acquires data and commands from a remote computer or the Internet.
The trojan contains a URL address. The TCP, HTTP, SOCKS5 protocol is used in the communication.
It can execute the following operations:
- download files from a remote computer and/or the Internet
- run executable files
- execute shell commands
- send the list of disk devices and their type to a remote computer
- upload file list
- send the list of running processes to a remote computer
- send requested files
- terminate running processes
- create folders
- delete files