Win32/Enchanim [Threat Name]
Win32/Enchanim.B [Threat Variant Name]
Category | trojan
Size | 118784 B
Aliases | Trojan.Win32.Inject.upgu (Kaspersky)
Short description
Win32/Enchanim.B is a trojan which tries to download other malware from the Internet.
Installation
The trojan does not create any copies of itself.
The trojan is usually a part of other malware.
The trojan may create copies of the following files (source, destination):
- %system%\ActionQueue.dll, %temp%\%variable1%
- %system%\advapi32.dll, %temp%\%variable2%
A string with variable content is used instead of %variable1-2%.
The trojan can modify the following files:
- %temp%\%variable1% (Win32/Patched.ID)
- %temp%\%variable2% (Win32/Patched.ID)
The trojan may create copies of the following files (source, destination):
- %temp%\%variable1%, %system%\sysprep\ActionQueue.dll
The destination sits in the directory of sysprep.exe, which loads ActionQueue.dll from its own directory before %system%, so the patched copy is loaded in place of the original when sysprep.exe is started.
The trojan may execute the following commands:
- %system%\sysprep\sysprep.exe
- cmd.exe /c %malwarefilepath%
The trojan creates and runs a new thread with its own program code within the following processes:
- svchost.exe
- csrss.exe
- lsass.exe
- explorer.exe
The trojan quits immediately if the executable filename is one of the following:
- C:\TEST\sample.exe
The trojan quits immediately if any of the following applications is detected:
- VirtualBox
- Rapport
- SysAnalyzer
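The file artifacts of the installation steps above can be checked on a suspect host with the following hunting script. It is an added example, not part of the ESET write-up, and it assumes PowerShell 4 or later (for Get-FileHash) and a Windows build where ActionQueue.dll ships in System32; the %temp% copies have arbitrary names, so they are found by their version resource rather than by filename.

```powershell
# Added hunting script, not from the ESET write-up. Assumes PowerShell 4+.
$sys32   = Join-Path $env:SystemRoot 'System32'
$sysprep = Join-Path $sys32 'sysprep'

function Test-DllArtifact {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [PSCustomObject]@{
        Path      = $Path
        Sha256    = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        # 'Valid' for an untouched Microsoft DLL; a patched copy (Win32/Patched.ID)
        # no longer matches its embedded signature and reports 'HashMismatch'.
        Signature = $sig.Status
        Signer    = $sig.SignerCertificate.Subject
        Original  = (Get-Item -LiteralPath $Path).VersionInfo.OriginalFilename
    }
}

# 1. The hijack target: ActionQueue.dll placed next to sysprep.exe.
#    A file there at all is unusual; one whose hash differs from the
#    System32 copy or whose signature is broken is the planted DLL.
$planted = Test-DllArtifact (Join-Path $sysprep 'ActionQueue.dll')
if ($planted) {
    $planted
    $reference = Test-DllArtifact (Join-Path $sys32 'ActionQueue.dll')
    if ($reference -and $reference.Sha256 -ne $planted.Sha256) {
        Write-Warning "sysprep\ActionQueue.dll differs from System32\ActionQueue.dll"
    }
    if ($planted.Signature -ne 'Valid') {
        Write-Warning "sysprep\ActionQueue.dll signature status: $($planted.Signature)"
    }
} else {
    Write-Output "No ActionQueue.dll in $sysprep"
}

# 2. The staging copies in %temp%: randomly named files that still carry
#    the version resource of ActionQueue.dll or advapi32.dll.
Get-ChildItem -LiteralPath $env:TEMP -File -ErrorAction SilentlyContinue |
    Where-Object { $_.VersionInfo.OriginalFilename -in @('ActionQueue.dll', 'advapi32.dll') } |
    ForEach-Object { Test-DllArtifact $_.FullName }
```

Run it in an elevated session so that the sysprep directory is readable; on a clean host the first check prints "No ActionQueue.dll in ...\sysprep" and the second returns nothing.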
Information stealing
The trojan collects the following information:
- operating system version
- list of running processes
Other information
The trojan contains a URL. It tries to download a file from that address over HTTP; the downloaded file is then decrypted and executed.
The trojan keeps various information in the following Registry keys:
- [HKEY_CLASSES_ROOT\%sid%\SOFTWARE\Classes\CLSID\{%variable%}\5]
- [HKEY_CLASSES_ROOT\%sid%\SOFTWARE\Classes\CLSID\{%variable%}\6]
- [HKEY_CLASSES_ROOT\%sid%\SOFTWARE\Classes\CLSID\{%variable%}\7]
- [HKEY_CLASSES_ROOT\%sid%\SOFTWARE\Classes\CLSID\{%variable%}\9]
A string with variable content is used instead of %variable%.
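The registry storage above can be hunted for with the following script, an added example that is not part of the ESET write-up. It assumes that the "HKEY_CLASSES_ROOT\%sid%\..." notation denotes the per-user Classes view, which the registry exposes under HKEY_USERS\<SID>\SOFTWARE\Classes, and it walks every loaded user hive. Legitimate CLSID registrations use named subkeys (InprocServer32, ProgID, TypeLib and so on), so bare numeric subkeys such as 5, 6, 7 and 9 under a CLSID are the indicator.

```powershell
# Added hunting script, not from the ESET write-up. Assumes PowerShell 3+.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

# Subkey names the write-up lists under the CLSID the trojan generates.
$suspectSubkeys = @('5', '6', '7', '9')

Get-ChildItem -Path 'HKU:\' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |   # loaded user hives only
    ForEach-Object {
        $sid = $_.PSChildName
        $clsidRoot = "HKU:\$sid\SOFTWARE\Classes\CLSID"
        if (-not (Test-Path -Path $clsidRoot)) { return }

        Get-ChildItem -Path $clsidRoot -ErrorAction SilentlyContinue | ForEach-Object {
            $clsid = $_
            Get-ChildItem -Path $clsid.PSPath -ErrorAction SilentlyContinue |
                Where-Object { $_.PSChildName -in $suspectSubkeys } |
                ForEach-Object {
                    $key = $_
                    foreach ($name in $key.GetValueNames()) {
                        $data = $key.GetValue($name)
                        $label = if ($name) { $name } else { '(Default)' }
                        $size  = if ($data -is [byte[]]) { $data.Length } else { "$data".Length }
                        [PSCustomObject]@{
                            Sid    = $sid
                            Clsid  = $clsid.PSChildName
                            Subkey = $key.PSChildName
                            Value  = $label
                            Kind   = $key.GetValueKind($name)
                            Bytes  = $size
                        }
                    }
                    # A hit with no values at all is still worth reporting.
                    if ($key.ValueCount -eq 0) {
                        [PSCustomObject]@{
                            Sid = $sid; Clsid = $clsid.PSChildName; Subkey = $key.PSChildName
                            Value = $null; Kind = $null; Bytes = 0
                        }
                    }
                }
        }
    }
```

Only hives that are currently loaded appear under HKEY_USERS, so for users who are not logged on, load their NTUSER.DAT with reg.exe load first or examine the file offline. Exporting the reported keys before cleanup preserves the stored data for later analysis.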