Win32/TrojanDownloader.Delf.QPN [Threat Name]
Win32/TrojanDownloader.Delf.QPN [Threat Variant Name]
Category: trojan
Size: 340992 B
Aliases: Trojan.Win32.Swisyn.bqiy (Kaspersky), Downloader.a!cc.trojan (McAfee)
Short description
Win32/TrojanDownloader.Delf.QPN is a trojan that uses the hardware resources of the infected computer for mining the Bitcoin digital currency.
Installation
When executed, the trojan copies itself into the following location:
- %windir%\update.5.0\svchost.exe
The trojan registers itself as a system service using the following name:
- srvbtcclient
The following Registry entries are set:
- [HKEY_LOCAL_MACHINE\SOFTWARE\btcclient]
- "close" = "%variable1%"
- "ver" = "1.59"
- "mainer_cmd" = "%variable2%"
- [HKEY_LOCAL_MACHINE\SOFTWARE\systeminfog]
- "ip_list" = %variable3%
- "ip_list_time" = %variable4%
The %variable1% is one of the following strings:
- 0
- 1
A string with variable content is used instead of %variable2%, %variable3% and %variable4%.
Payload information
The trojan uses the hardware resources of the infected computer for mining the Bitcoin digital currency.
Other information
The trojan acquires data and commands from a remote computer or the Internet.
It uses its own P2P network for communication.
The trojan contains a list of 1244 IP addresses.
The trojan contains a list of 2 URLs.
The JSON-RPC protocol is used in the communication.
The trojan opens a random TCP port.
The trojan tries to download and execute several files from the Internet.
These are stored in the following locations:
- %temp%\%variable5%_myunrar2.exe
- %windir%\unrar.exe
- %windir%\phoenix.rar (5589370 B)
- %windir%\phoenix\kernels\phatk\BFIPatcher.py (5224 B)
- %windir%\phoenix\kernels\phatk\kernel.cl (10366 B)
- %windir%\phoenix\kernels\phatk\__init__.py (16922 B)
- %windir%\phoenix\kernels\poclbm\BFIPatcher.py (5224 B)
- %windir%\phoenix\kernels\poclbm\kernel.cl (30821 B)
- %windir%\phoenix\kernels\poclbm\__init__.py (17266 B)
- %windir%\phoenix\phoenix.exe (6962815 B)
- %windir%\ufa.rar (182617 B)
- %windir%\ufa\ufa.exe (743936 B)
- %windir%\rpcminer.rar (1075284 B)
- %windir%\rpcminer\bitcoinminercuda_10.cubin (49392 B)
- %windir%\rpcminer\bitcoinminercuda_11.cubin (49392 B)
- %windir%\rpcminer\bitcoinminercuda_20.cubin (43272 B)
- %windir%\rpcminer\bitcoinmineropencl.cl (9971 B)
- %windir%\rpcminer\cudart32_32_16.dll (384616 B)
- %windir%\rpcminer\curllib.dll (194048 B)
- %windir%\rpcminer\libeay32.dll (1016832 B)
- %windir%\rpcminer\libsasl.dll (65536 B)
- %windir%\rpcminer\openldap.dll (110592 B)
- %windir%\rpcminer\rpcminer-4way.exe (294912 B)
- %windir%\rpcminer\rpcminer-cpu.exe (241664 B)
- %windir%\rpcminer\rpcminer-cuda.exe (249856 B)
- %windir%\rpcminer\rpcminer-opencl.exe (241664 B)
- %windir%\rpcminer\ssleay32.dll (200192 B)
A string with variable content is used instead of %variable5%.
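A read-only host check over the service name, registry keys and dropped-file paths listed in this entry, added here as an example (it is not ESET's code). The WOW6432Node registry paths are an assumption for a 32-bit sample running on 64-bit Windows.

```powershell
# Added example, not part of the ESET entry. Read-only triage of the
# indicators listed above; it reports matches and removes nothing.
$windir = $env:windir

# Dropped files named in the entry (the copy of the trojan itself first).
$paths = @(
    "$windir\update.5.0\svchost.exe",   # not the legitimate %windir%\System32\svchost.exe
    "$windir\unrar.exe",
    "$windir\phoenix.rar",  "$windir\phoenix\phoenix.exe",
    "$windir\ufa.rar",      "$windir\ufa\ufa.exe",
    "$windir\rpcminer.rar", "$windir\rpcminer\rpcminer-cpu.exe"
)
# Registry keys from the entry. The WOW6432Node variants are an assumption:
# a 32-bit process on 64-bit Windows is redirected there by default.
$regKeys = @(
    'HKLM:\SOFTWARE\btcclient', 'HKLM:\SOFTWARE\systeminfog',
    'HKLM:\SOFTWARE\WOW6432Node\btcclient', 'HKLM:\SOFTWARE\WOW6432Node\systeminfog'
)
$serviceName = 'srvbtcclient'
$hits = New-Object System.Collections.Generic.List[object]

foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p -PathType Leaf) {
        $len  = (Get-Item -LiteralPath $p).Length
        # 340992 B is the sample size given in this entry
        $note = if ($len -eq 340992) { 'size matches entry (340992 B)' } else { "$len B" }
        $hits.Add([pscustomobject]@{ Type = 'File'; Indicator = $p; Detail = $note })
    }
}
foreach ($k in $regKeys) {
    if (Test-Path -LiteralPath $k) {
        # Value names from the entry; absent values simply come back empty.
        $vals = Get-ItemProperty -LiteralPath $k | Select-Object close, ver, mainer_cmd, ip_list_time
        $hits.Add([pscustomobject]@{ Type = 'Registry'; Indicator = $k; Detail = ($vals | Out-String).Trim() })
    }
}
$svc = Get-Service -Name $serviceName -ErrorAction SilentlyContinue
if ($svc) {
    $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$serviceName"
    $img = (Get-ItemProperty -LiteralPath $svcKey -ErrorAction SilentlyContinue).ImagePath
    $hits.Add([pscustomobject]@{ Type = 'Service'; Indicator = $serviceName; Detail = "$($svc.Status); ImagePath=$img" })
}

if ($hits.Count -eq 0) { 'No indicators from this entry were found.' }
else { $hits | Format-Table -AutoSize -Wrap }
```

Run it from an elevated prompt so the HKLM keys and %windir% subfolders are readable; a hit on the service or on %windir%\update.5.0\svchost.exe is the strongest signal, since the other paths may also belong to unrelated miner installs.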