Troj/Agent-AXYT

Category: Viruses and Spyware
Type: Trojan
Protection available since: 13 Jan 2018 14:47:19 (GMT)
Last Updated: 13 Jan 2018 14:47:19 (GMT)
Prevalence: Small Number of Reports


Troj/Agent-AXYT exhibits the following characteristics:

File Information

Size
1.7M
SHA-1
aa4aa0189140670c618348f1baad877b8eca04a4
MD5
7d05ab95cfe93d84bc5db006c789a47f
CRC-32
1f40cd45
File type
Windows executable
First seen
2018-01-01

Runtime Analysis

Dropped Files
  • C:\WINDOWS\Temp\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\services.exe
    Size
    27K
    SHA-1
    d6c761942dcb32190f924ea7490acc38865f7300
    MD5
    63602f11993c01a4b36f42187a797128
    CRC-32
    71e8335f
    File type
    Windows executable
    First seen
    2017-12-30
  • C:\WINDOWS\Temp\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\system.management.automation.dll
  • C:\WINDOWS\Temp\foxcon.exe
    Size
    16K
    SHA-1
    48418d83ac372c1398753f7a766076750a03a725
    MD5
    7b07728b813d26228f10f6cdb7ac8471
    CRC-32
    e2309240
    File type
    Windows executable
    First seen
    2018-01-02
  • C:\WINDOWS\Temp\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\starter.exe
    Size
    80K
    SHA-1
    c1bc90be6a4beb67fb7b195707798106114ec332
    MD5
    51bf85f3bf56e628b52d61614192359d
    CRC-32
    f1b66d90
    File type
    Windows executable
    First seen
    2017-12-31
  • C:\Documents and Settings\LocalService\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
  • C:\WINDOWS\Temp\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\foxcon.exe
    Size
    16K
    SHA-1
    48418d83ac372c1398753f7a766076750a03a725
    MD5
    7b07728b813d26228f10f6cdb7ac8471
    CRC-32
    e2309240
    File type
    Windows executable
    First seen
    2018-01-02
  • C:\WINDOWS\Temp\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\Newtonsoft.Json.dll
    Size
    487K
    SHA-1
    81cd6b87a9f7b4a174138312986d682f464067f4
    MD5
    0c33e2f116aaa66d0012a8376d82ce29
    CRC-32
    cf3dab76
    File type
    Windows executable
    First seen
    2017-07-06
  • C:\WINDOWS\Temp\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\Newtonsoft.Json.xml
    Size
    559K
    SHA-1
    c94bdbe2f9fceb3b0ec4d5d989afebd5f745db28
    MD5
    92f39bc46894dc4a7a8cc8bdf53ce21a
    CRC-32
    3581c010
    File type
    Extensible Markup Language (XML)
    First seen
    2017-07-06
Modified Files
  • C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files
    • Set the hidden and system flags
  • C:\Documents and Settings\LocalService\Local Settings\History
    • Set the hidden and system flags
Registry Keys Created
  • HKLM\SYSTEM\CurrentControlSet\Services\whcpagn\Security
    Security
    (REG_BINARY security descriptor; value not printable)
  • HKEY_USERS\.DEFAULT\Software\Microsoft\GDIPlus
    FontCachePath
    C:\Documents and Settings\LocalService\Local Settings\Application Data
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
    Foxcon Service Control
    C:\WINDOWS\TEMP\foxcon.exe
  • HKEY_USERS\S-1-5-18\Software\FoxCond
    {1945BBS40-8571-3DA1-BB29-HYDRA7A11A1E}
    C:\Windows\Temp\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\services.exe
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System
    EnableLUA
    0x00000000
  • HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Policies\System
    EnableLUA
    0x00000000
  • HKLM\SYSTEM\CurrentControlSet\Services\whcpagn
    ObjectName
    LocalSystem
  • HKLM\SYSTEM\CurrentControlSet\Services\whcpagn\Enum
    NextInstance
    0x00000001
  • HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run
    Foxcon Service Control
    C:\WINDOWS\TEMP\foxcon.exe
  • HKEY_USERS\S-1-5-18\Software\Microsoft\GDIPlus
    FontCachePath
    C:\Documents and Settings\LocalService\Local Settings\Application Data
  • HKCU\Software\FoxCond
    {1945BBS40-8571-3DA1-BB29-HYDRA7A11A1E}
    C:\Windows\Temp\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\services.exe
  • HKEY_USERS\.DEFAULT\Software\FoxCond
    {1945BBS40-8571-3DA1-BB29-HYDRA7A11A1E}
    C:\Windows\Temp\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\services.exe
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
    EnableLUA
    0x00000000
Registry Keys Modified
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths
    Directory
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4
    CachePath
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache4
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3
    CachePath
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache3
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2
    CachePath
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache2
  • HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
    History
    C:\Documents and Settings\LocalService\Local Settings\History
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
    History
    C:\Documents and Settings\LocalService\Local Settings\History
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
    DisableRegistryTools
    0x00000001
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1
    CachePath
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache1
Processes Created
  • c:\windows\temp\foxcon.exe
  • c:\windows\temp\{1945bbs40-8571-3da1-bb29-hydra7a13a1e}\services.exe
  • c:\windows\temp\{1945bbs40-8571-3da1-bb29-hydra7a13a1e}\starter.exe
HTTP Requests
  • http://172.16.0.2/wpad.dat
IP Connections
  • 188.225.34.245:3000
DNS Requests
  • wpad
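The indicators above are easier to act on as a detection than as a list. What follows is an added example, not code from the original report or from Sophos: a small Python sweep that applies the report's file hashes, registry changes, process paths and external endpoint to a constructed batch of Sysmon-style events (IDs 1, 3 and 13 flattened to JSON). The field names, the SHA1 field on process events and the sample telemetry itself are assumptions for illustration, not data captured from the sandbox run.

```python
"""IOC sweep for Troj/Agent-AXYT over constructed, Sysmon-style events.
Added example, not from the original report. Events are a flat-JSON view of
Sysmon IDs 1 (process create, with a SHA1 field), 3 (network connect) and
13 (registry value set); the field names are an assumption."""
import re

# SHA-1s of the sample and its dropped executables, from the report above.
IOC_SHA1 = {
    "aa4aa0189140670c618348f1baad877b8eca04a4": "Troj/Agent-AXYT sample",
    "d6c761942dcb32190f924ea7490acc38865f7300": "dropped services.exe",
    "48418d83ac372c1398753f7a766076750a03a725": "dropped foxcon.exe",
    "c1bc90be6a4beb67fb7b195707798106114ec332": "dropped starter.exe",
}
# Newtonsoft.Json.dll is the Json.NET library shipped beside the payload;
# a hit on it alone is weak evidence, so it is only graded "low".
SUPPORTING_SHA1 = {"81cd6b87a9f7b4a174138312986d682f464067f4": "bundled Newtonsoft.Json.dll"}
C2_ENDPOINT = ("188.225.34.245", 3000)  # the only external endpoint in the report
TEMP_DIR = re.compile(r"^c:\\windows\\temp\\", re.IGNORECASE)
SYSTEM32 = "c:\\windows\\system32\\"


def _dword(details):
    """Parse Sysmon's 'DWORD (0x00000000)' Details text into an int."""
    m = re.search(r"0x([0-9a-f]+)", details, re.IGNORECASE)
    return int(m.group(1), 16) if m else None


def check_process(ev):
    image = ev.get("Image", "").replace("/", "\\").lower()
    found = []
    if TEMP_DIR.match(image):
        found.append(("medium", f"process started from Windows\\Temp: {image}"))
    # The genuine services.exe lives in System32; the dropped one runs from Temp.
    if image.endswith("\\services.exe") and not image.startswith(SYSTEM32):
        found.append(("high", f"services.exe masquerade outside System32: {image}"))
    sha1 = ev.get("SHA1", "").lower()
    if sha1 in IOC_SHA1:
        found.append(("high", f"hash match: {IOC_SHA1[sha1]} ({sha1})"))
    elif sha1 in SUPPORTING_SHA1:
        found.append(("low", f"hash match: {SUPPORTING_SHA1[sha1]} ({sha1})"))
    return found


def check_registry(ev):
    key, _, value = ev.get("TargetObject", "").rpartition("\\")
    details, low, found = str(ev.get("Details", "")), key.lower(), []
    # Run-key persistence: the report's value name, or any Run entry into Temp.
    if low.endswith(r"\currentversion\run") and (
        value == "Foxcon Service Control" or TEMP_DIR.match(details.lower())
    ):
        found.append(("high", f"Run-key persistence: {value} -> {details}"))
    # The report writes these under HKCU, HKU\.DEFAULT and HKU\S-1-5-18, so match any hive.
    if low.endswith(r"\policies\system"):
        if value == "EnableLUA" and _dword(details) == 0:
            found.append(("high", f"UAC disabled: EnableLUA=0 under {key}"))
        if value == "DisableRegistryTools" and _dword(details) == 1:
            found.append(("medium", f"registry tools disabled under {key}"))
    if "\\services\\whcpagn" in low:
        found.append(("high", f"service whcpagn registered: {value}={details}"))
    if low.endswith(r"\software\foxcond"):
        found.append(("high", f"FoxCond marker key: {value}={details}"))
    return found


def check_network(ev):
    dst = (ev.get("DestinationIp"), int(ev.get("DestinationPort", 0)))
    # The wpad.dat fetch to a private address is proxy auto-discovery noise, not alerted.
    return [("high", f"connection to {dst[0]}:{dst[1]}")] if dst == C2_ENDPOINT else []


CHECKS = {1: check_process, 3: check_network, 13: check_registry}


def sweep(events):
    """Return one finding per matched indicator, with the triggering event."""
    findings = []
    for ev in events:
        check = CHECKS.get(ev.get("EventID"))
        for severity, message in (check(ev) if check else []):
            findings.append({"severity": severity, "message": message, "event": ev})
    return findings


# Constructed sample telemetry; the two benign rows must produce no findings.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\WINDOWS\Temp\foxcon.exe",
     "SHA1": "48418d83ac372c1398753f7a766076750a03a725"},
    {"EventID": 1, "SHA1": "d6c761942dcb32190f924ea7490acc38865f7300",
     "Image": r"c:\windows\temp\{1945bbs40-8571-3da1-bb29-hydra7a13a1e}\services.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\services.exe", "SHA1": "0" * 40},  # benign
    {"EventID": 13, "Details": r"C:\WINDOWS\TEMP\foxcon.exe", "TargetObject":
     r"HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run\Foxcon Service Control"},
    {"EventID": 13, "Details": "DWORD (0x00000000)", "TargetObject":
     r"HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"},
    {"EventID": 13, "Details": "LocalSystem",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Services\whcpagn\ObjectName"},
    {"EventID": 3, "DestinationIp": "188.225.34.245", "DestinationPort": 3000},
    {"EventID": 3, "DestinationIp": "172.16.0.2", "DestinationPort": 80},  # benign WPAD
]

if __name__ == "__main__":
    for f in sweep(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['message']}")
```

Two caveats the rules encode. The DNS query for wpad and the fetch of http://172.16.0.2/wpad.dat are Windows proxy auto-discovery, which any WinINet or WinHTTP client with auto-detect enabled performs, so they are not indicators for this sample and only 188.225.34.245:3000 is alerted on. And because the dropped services.exe runs from Windows\Temp while the genuine one lives in System32, the path check catches it regardless of hash, which matters once the dropper is rebuilt and the hashes above stop matching. EnableLUA is checked under every hive because the report shows it set to 0 under HKCU, HKU\.DEFAULT and HKU\S-1-5-18 alike.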