Win32/Braces [Threat Name] go to Threat

Win32/Braces.A [Threat Variant Name]

Category trojan
Size 123392 B
Detection created Aug 14, 2018
Detection database version 17882
Aliases Trojan.Barlaiy.4 (Dr.Web)
  TR/Braces.svton (Avira)
Short description

Win32/Braces.A serves as a backdoor. It can be controlled remotely.

Installation

The trojan does not create any copies of itself.


The trojan is usually a part of other malware.

Information stealing

Win32/Braces.A is a trojan that steals sensitive information.


The trojan collects the following information:

  • user name
  • computer name
  • computer IP address
  • locale
  • CPU information
  • memory status
  • size of hard disk drive
  • information about the operating system and system settings

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a URL address. The TCP, HTTP protocol is used in the communication.


The network communication with remote computer/server is encrypted.


It may perform the following actions:

  • run executable files
  • start/stop services
  • delete files
  • delete Registry entries
  • create Registry entries

The trojan may create and run a new thread with its own program code within any running process.


The trojan can detect presence of debuggers and other analytical tools.


The trojan terminates its execution if it detects that it's running in a specific virtual environment.


The trojan quits immediately if it detects a running process containing one of the following strings in its name:

  • tcpview.exe
  • Procmon.exe
  • Procmon64.exe

The trojan quits immediately if any of the following applications is detected:

  • FileMon
  • Regmon
  • WireShark
  • Kernel debugger
  • ProcmonDebugLogger

The trojan quits immediately if any of the following folders/files is detected:

  • \­\­.\­NTICE
  • \­\­.\­Regmon
  • \­\­.\­FileMon
  • \­\­.\­ProcmonDebugLogger

The trojan hides windows of running processes which contain any of the following strings in their title:

  • ACPUASM
  • AOPOASM
  • AOPUASM
  • ACPOASM
  • WinDbgFrameClass

The trojan may create the following files:

  • %allusersprofile%\­BaPeny\­FqBax\­FqBaxiz\­JgNw

The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­BkHu]
    • "BkHu" = %hexvalue1%
  • [HKEY_CURRENT_USER\­SOFTWARE\­BkHu]
    • "BkHu" = %hexvalue1%
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­TuRixu]
    • %name% = %hexvalue2%
  • [HKEY_CURRENT_USER\­SOFTWARE\­Microsoft\­TuRixu]
    • %name% = %hexvalue2%
  • [HKEY_CURRENT_USER\­Software\­Microsoft\­HiRknq]
    • "LyDgx" = %hexvalue3%
  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Internet Settings]
    • "SecureProtocols" = 4294967295
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "%name%" = "%malwarefilepath%"
  • [HKEY_CURRENT_USER\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "%name%" = "%malwarefilepath%"

A string with variable content is used instead of %name% .

Please enable Javascript to ensure correct displaying of this content and refresh this page.