MSIL/Immirat [Threat Name]
MSIL/Immirat.C [Threat Variant Name]
Category: trojan
Size: 364544 B
Aliases: TR/Dropper.MSIL.221741 (Avira), Trojan.DownLoader17.43074 (Dr.Web)
Short description
The trojan serves as a backdoor. It can be controlled remotely.
Installation
When executed, the trojan copies itself to one or more of the following locations:
- %appdata%\ggdllhost.exe
- %commonappdata%\ggdllhost.exe
- %temp%\%malwarefilename%
The trojan schedules a task that causes the following file to be executed on every system start:
- %commonappdata%\ggdllhost.exe
The trojan may set the following Registry entries:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
- "EnableLUA" = 0
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
- "DisableTaskMgr" = 1
Information stealing
The trojan collects the following information:
- computer name
- user name
- external IP address of the network device
- operating system version
- information about the operating system and system settings
- MAC address
- computer IP address
- memory status
- list of running processes
- login passwords for certain applications/services
- data from the clipboard
- list of files/folders on a specific drive
The trojan attempts to send gathered information to a remote machine.
Other information
The trojan creates the following files:
- %temp%\z%variable1%.xml (1626 B)
- %appdata%\Imminent\PID.dat
- %appdata%\Imminent\Logs\%variable2%
A string with variable content is used in place of %variable1% and %variable2%.
The trojan may execute the following commands:
- cmd.exe /c echo [zoneTransfer]ZoneID = 2 > %malwarefilepath%:ZONE.identifier & exit
- schtasks.exe /Create /TN "Update\GarenaPlusUpdate" /XML "%temp%\z%variable1%.xml"
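The artifacts listed under Installation and in the two commands above (the dropped copies, the two policy values, the scheduled task "Update\GarenaPlusUpdate", the task-definition XML in %temp% and the rewritten Zone.Identifier stream) can be checked for on a host in one read-only pass. The script below is an added example for that purpose, not code from the encyclopedia entry or from the malware; it assumes %appdata% resolves to $env:APPDATA, %commonappdata% to $env:ProgramData and %temp% to $env:TEMP, and it only reports, it does not remove anything.

```powershell
# Added example: report MSIL/Immirat.C persistence artifacts named in the entry.
# Read-only. Run from an elevated PowerShell session so HKLM and the task
# scheduler are readable. Path mappings (%appdata% -> $env:APPDATA,
# %commonappdata% -> $env:ProgramData, %temp% -> $env:TEMP) are assumptions.
$findings = New-Object System.Collections.Generic.List[string]

# 1. Dropped copies and the data directory the entry lists.
$paths = @(
    (Join-Path $env:APPDATA     'ggdllhost.exe'),
    (Join-Path $env:ProgramData 'ggdllhost.exe'),
    (Join-Path $env:APPDATA     'Imminent\PID.dat'),
    (Join-Path $env:APPDATA     'Imminent\Logs')
)
foreach ($p in $paths) {
    if (-not (Test-Path -LiteralPath $p)) { continue }
    $findings.Add("Path present: $p")
    # The "echo [zoneTransfer]ZoneID = 2 > file:ZONE.identifier" command rewrites
    # the Mark-of-the-Web stream so the file looks like it came from a trusted
    # zone. A Zone.Identifier stream that contains "ZoneID = 2" (note the spaces
    # around "=" that echo produces) is therefore a useful secondary indicator.
    $ads = Get-Content -LiteralPath $p -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
    if ($ads -and ($ads -join "`n") -match 'ZoneID\s*=\s*2') {
        $findings.Add("Zone.Identifier rewritten to ZoneID=2 on: $p")
    }
}

# 2. Policy values the entry says the trojan may set.
$regChecks = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'EnableLUA';      Bad = 0 },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableTaskMgr'; Bad = 1 }
)
foreach ($c in $regChecks) {
    $item = Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -ne $item -and [int]$item.($c.Name) -eq $c.Bad) {
        $findings.Add("Registry: $($c.Key)\$($c.Name) = $($c.Bad)")
    }
}

# 3. Scheduled task registered with /TN "Update\GarenaPlusUpdate".
$task = Get-ScheduledTask -TaskPath '\Update\' -TaskName 'GarenaPlusUpdate' -ErrorAction SilentlyContinue
if ($task) {
    $actions = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; '
    $findings.Add("Scheduled task \Update\GarenaPlusUpdate runs: $actions")
}

# 4. Leftover task-definition XML in %temp% (z<variable>.xml, 1626 B per the entry).
Get-ChildItem -Path $env:TEMP -Filter 'z*.xml' -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $note = if ($_.Length -eq 1626) { 'size matches entry' } else { "size $($_.Length) B" }
        $findings.Add("Task XML candidate: $($_.FullName) ($note)")
    }

if ($findings.Count -eq 0) {
    'No MSIL/Immirat.C persistence artifacts found.'
} else {
    $findings | ForEach-Object { "[!] $_" }
}
```

The file names and the task name are the indicators most likely to change between builds, so treat a hit on the policy values alone (EnableLUA = 0, DisableTaskMgr = 1) as a prompt to look further rather than as a positive identification: other malware families and some administrative tooling set the same values.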
The trojan quits immediately if any of the following applications is detected:
- Sandboxie
- Fiddler
- WPE PRO
- Wireshark
The trojan can create and run a new thread with its own program code within the following processes:
- vbc.exe
- RegAsm.exe
- AppLaunch.exe
- %windir%\svchost.exe
- %system%\notepad.exe
- %malwarefilepath%
The trojan acquires data and commands from a remote computer or the Internet.
The trojan contains a URL address. The HTTP protocol is used in the communication.
It may perform the following actions:
- download files from a remote computer and/or the Internet
- run executable files
- upload files to a remote computer
- display a dialog window
- capture webcam video/voice
- perform Bitcoin mining
- shut down/restart the computer
- execute shell commands
- capture screenshots
- log keystrokes
- send gathered information
- various Registry operations
- various file system operations
- set up a proxy server
- simulate user input (clicks, taps)
- set clipboard data
- terminate running processes
- manipulate application windows