Win32/Crossza [Threat Name]

Win32/Crossza.A [Threat Variant Name]

Category trojan
Size 269824 B
Detection created Oct 25, 2018
Detection database version 18274
Aliases Trojan:Win32/Skeeyah.A!bit (Microsoft)
  Trojan-Spy.Win32.Zbot.zgqm (Kaspersky)
Short description

Win32/Crossza.A is a trojan which tries to download other malware from the Internet.

Installation

The trojan may create the following files:

  • %allusersprofile%\Application Data\DXDriver.dll (78848 B, Win32/Crossza.A)
  • %temp%\cryptui.dll (158720 B, Win32/Crossza.A)
  • %allusersprofile%\Application Data\~D7%variable1%_tmp_XDSFA_XVGVGGH.dmp (158720 B, Win32/Crossza.A)
  • %temp%\CertMgr.Exe (70992 B)

The trojan creates the following file:

  • %startup%\Internet Explorer.lnk

The shortcut launches the following command:

  • %SystemRoot%\System32\rundll32.exe "%allusersprofile%\Application Data\DXDriver.dll",Flush {DFSWLMOJ-DSWD-XXDK-WQIS-XCKDKKSDLMKJ}

In order to be executed on every system start, the trojan sets the following Registry entries:

  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "Microsoft Adobe Update" = "%SystemRoot%\System32\rundll32.exe "%allusersprofile%\Application Data\DXDriver.dll",Flush {DFSWLMOJ-DSWD-XXDK-WQIS-XCKDKKSDLMKJ}"
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "Rundll32.exe" = "%SystemRoot%\System32\rundll32.exe "%allusersprofile%\Application Data\DXDriver.dll",Flush {DFSWLMOJ-DSWD-XXDK-WQIS-XCKDKKSDLMKJ}"

The trojan may set the following Registry entries:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows Google Service]
    • "START_DLL" = "%allusersprofile%\Application Data\~D7%variable%_tmp_XDSFA_XVGVGGH.dmp"
    • "REG_1" = "****==7f7e7d007f007e4f0072377f2b7f2b7f2f7f427f177f0b007f007f007f007f007f007f7f7e7d=="
    • "REG_2" = "****==7f7e7d007f007e4f0072377f2b7f2b7f2f7f427f177f0b007f007f007f007f007f007f7f7e7d=="
    • "REG_3" = "****==7f7e7d007f007e4f0072377f2b7f2b7f2f7f427f177f0b007f007f007f007f007f007f7f7e7d=="
    • "REG_4" = "####==7f7e7d004b170b0b0f4550504e474f514e4a4f514d4d49514e475032161c0d100c10190b502816111b10080c500d1a18160c0b1a0d510f170f007e4f0072377f2b7f2b7f2f7f427f177f0b007f007f007f007f007f007f7f7e7d=="
    • "REG_5" = "####==7f7e7d007f007e4f0072377f2b7f2b7f2f7f427f177f0b007f007f007f007f007f007f7f7e7d=="
    • "REG_6" = "####==7f7e7d007f007e4f0072377f2b7f2b7f2f7f427f177f0b007f007f007f007f007f007f7f7e7d=="
    • "GID" = "MTgxMDA5VDAy="
    • "GPWD" = "MTgxMDA5VDAy="
    • "SYSDATE" = 01 01 01 01 01 ...
    • "SLPTIME" = 5000

A string with variable content is used instead of %variable% and %variable1%.
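The following Python script is an added example and is not part of the ESET entry. It checks a registry export and a Startup-folder listing for the persistence artefacts listed above: the two Run values that launch DXDriver.dll via rundll32, the "Internet Explorer.lnk" shortcut with the same target, and the "Windows Google Service" configuration key, decoding the base64 GID/GPWD values on the way. The sample records are constructed, %allusersprofile% is shown expanded to C:\ProgramData, and the benign OneDrive/OneNote entries exist only to show that the checks do not fire on ordinary autostarts.

```python
import base64
import re

# Constructed sample data (not captured from a real host): a flat registry
# export as (key, value name, data) triples and the Startup folder's .lnk
# targets. %allusersprofile% is assumed to expand to C:\ProgramData.
RUNDLL32_CMD = (r'C:\Windows\System32\rundll32.exe '
                r'"C:\ProgramData\Application Data\DXDriver.dll",Flush '
                r'{DFSWLMOJ-DSWD-XXDK-WQIS-XCKDKKSDLMKJ}')
SAMPLE_REGISTRY = [
    (r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "Microsoft Adobe Update", RUNDLL32_CMD),
    (r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "OneDrive",
     r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    (r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "Rundll32.exe", RUNDLL32_CMD),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows Google Service", "GID", "MTgxMDA5VDAy="),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows Google Service", "SLPTIME", "5000"),
]
SAMPLE_STARTUP = {
    "Internet Explorer.lnk": RUNDLL32_CMD,
    "Send to OneNote.lnk": r'"C:\Program Files\Microsoft Office\root\Office16\ONENOTEM.EXE" /tsr',
}

# rundll32 loading any DXDriver.dll and calling its Flush export; the DLL
# directory is deliberately not pinned so a relocated copy still matches.
RUNDLL32_DXDRIVER = re.compile(
    r'rundll32\.exe\s+"[^"]*\\DXDriver\.dll",\s*Flush\b', re.IGNORECASE)
RUN_KEY = r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
CONFIG_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows Google Service"
STARTUP_LNK = "Internet Explorer.lnk"


def decode_b64_loose(value):
    """Decode base64 after normalising padding: the GID/GPWD values as listed
    carry a stray trailing '=', which a strict decoder rejects."""
    stripped = value.rstrip("=")
    padded = stripped + "=" * (-len(stripped) % 4)
    try:
        return base64.b64decode(padded, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None


def scan_registry(entries):
    """entries: iterable of (key, value name, data). Returns a list of findings."""
    findings = []
    for key, name, data in entries:
        if key.lower() == RUN_KEY.lower() and RUNDLL32_DXDRIVER.search(data):
            findings.append({"type": "run_persistence", "value": name, "data": data})
        elif key.lower() == CONFIG_KEY.lower():
            finding = {"type": "config_key", "value": name, "data": data}
            if name in ("GID", "GPWD"):
                finding["decoded"] = decode_b64_loose(data)
            findings.append(finding)
    return findings


def scan_startup(shortcuts):
    """shortcuts: mapping of .lnk file name -> resolved target command line."""
    return [name for name, target in shortcuts.items()
            if name.lower() == STARTUP_LNK.lower() and RUNDLL32_DXDRIVER.search(target)]


def scan_host(registry, startup):
    """Run both checks and return one report."""
    return {"registry": scan_registry(registry), "startup": scan_startup(startup)}


if __name__ == "__main__":
    for section, items in scan_host(SAMPLE_REGISTRY, SAMPLE_STARTUP).items():
        for item in items:
            print(section, item)
```

The GID and GPWD values decode to the ASCII string 181009T02; the page does not say what the string encodes, so the script only reports it. The Run-key check matches on the rundll32/DXDriver.dll/Flush command line rather than on the value names, since the names are trivial for an attacker to change while the loader command is what actually runs.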

Information stealing

The trojan collects the following information:

  • computer name
  • MAC address
  • operating system version
  • information about the operating system and system settings

The trojan attempts to send the gathered information to a remote machine.

The trojan contains a URL address. The HTTP protocol is used.

Payload information

The trojan may attempt to download a file from the Internet.

The file is stored in the following location:

  • %common_appdata%\_Google_Cloud.TMP

The following Registry entry is set:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows Google Service]
    • "SEC_COMP" = "%common_appdata%\_Google_Cloud.TMP"

The file is then executed.

Other information

The trojan behaves differently if it detects a running process whose name contains one of the following strings (all belong to security products: AVG, Avast, Bkav and Norton):

  • avgui.exe
  • avastSvc.exe
  • bka.exe
  • BkavSystemService.exe
  • nis.exe

The trojan can create and run a new thread with its own program code within the following processes:

  • bka.exe

The trojan may execute the following commands:

  • %systemroot%\System32\Rundll32.exe "%allusersprofile%\Application Data\DXDriver.dll",Flush {DFSWLMOJ-DSWD-XXDK-WQIS-XCKDKKSDLMKJ}
  • cmd.exe /c del /a /f "%malware_filepath%"

After the installation is complete, the trojan deletes the original executable file.
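The following Python script is an added example, not part of the ESET entry, showing detection logic for the execution chain described in this section: the rundll32 DXDriver.dll,Flush launch, the thread injected into bka.exe, and the cmd.exe /c del self-deletion of the original executable. It runs over constructed Sysmon-style events (Event ID 1 process creation with Image/ParentImage/CommandLine, Event ID 8 CreateRemoteThread with SourceImage/TargetImage); the events, user name, dropper name and the Bkav install path are assumptions made for the sample.

```python
import re

# Constructed Sysmon-style telemetry (not real logs). EventID 1 = process
# creation, EventID 8 = CreateRemoteThread. Paths and names are assumptions.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'C:\Windows\System32\rundll32.exe "C:\ProgramData\Application Data\DXDriver.dll",Flush {DFSWLMOJ-DSWD-XXDK-WQIS-XCKDKKSDLMKJ}'},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Users\alice\Downloads\invoice.exe",
     "CommandLine": r'cmd.exe /c del /a /f "C:\Users\alice\Downloads\invoice.exe"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\cleanmgr.exe",
     "CommandLine": r'cmd.exe /c del /a /f "C:\Users\alice\AppData\Local\Temp\old.log"'},
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\rundll32.exe",
     "TargetImage": r"C:\Program Files\Bkav\bka.exe"},
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
]

# The loader command listed on the page: rundll32 + DXDriver.dll + Flush export.
RUNDLL32_DXDRIVER = re.compile(
    r'rundll32\.exe\s+"[^"]*\\DXDriver\.dll",\s*Flush\b', re.IGNORECASE)
# cmd.exe /c del /a /f "<path>"; the /a and /f switches are accepted in any order.
CMD_DEL = re.compile(r'cmd\.exe\s+/c\s+del\s+(?:/[af]\s+)*"([^"]+)"', re.IGNORECASE)
INJECTION_TARGETS = ("bka.exe",)


def is_self_delete(event):
    """True when a cmd.exe 'del' names the parent process's own image, which is
    what the page's post-installation cleanup looks like in process telemetry."""
    match = CMD_DEL.search(event.get("CommandLine", ""))
    parent = event.get("ParentImage", "")
    return bool(match and parent and match.group(1).lower() == parent.lower())


def evaluate(events):
    """Return (event index, rule name) pairs for every event that matches."""
    hits = []
    for index, event in enumerate(events):
        if event.get("EventID") == 1:
            if RUNDLL32_DXDRIVER.search(event.get("CommandLine", "")):
                hits.append((index, "rundll32_dxdriver_flush"))
            if is_self_delete(event):
                hits.append((index, "self_delete_of_parent"))
        elif event.get("EventID") == 8:
            target = event.get("TargetImage", "").lower()
            if any(target.endswith("\\" + name) for name in INJECTION_TARGETS):
                hits.append((index, "remote_thread_into_bka"))
    return hits


if __name__ == "__main__":
    for index, rule in evaluate(SAMPLE_EVENTS):
        print(index, rule, SAMPLE_EVENTS[index].get("CommandLine") or SAMPLE_EVENTS[index].get("TargetImage"))
```

The self-deletion rule keys on the deleted path being identical to the parent's image rather than on "del /a /f" alone, because legitimate cleanup scripts also delete files through cmd.exe; the third sample event shows such a benign deletion not firing.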
