Examples of Troj/Wonton-ABG include:
Example 1
File Information
- Size: 83K
- SHA-1: d0976ccd8e1e39fd3117d7999464fa5c909bf57a
- MD5: 86e26c28eefdcdd60706a70efd25d72b
- CRC-32: 90bcc811
- File type: PK ZIP archive
- First seen: 2017-07-26
Example 2
File Information
- Size: 164K
- SHA-1: 159e81d3313e4158507ad44f1d6be372417b5cbe
- MD5: 20469372a75b11da4041040925e0a6dd
- CRC-32: c941b1b3
- File type: Windows executable
- First seen: 2015-08-19
Other vendor detection
- Avira: TR/Crypt.Xpack.juktd
Runtime Analysis
Modified Files
- C:\Documents and Settings\LocalService\Local Settings\History: set the hidden and system flags
- C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files: set the hidden and system flags
Registry Keys Created
- HKLM\SYSTEM\CurrentControlSet\Services\cryptcert
  - Description: Configures hard disk drives and volumes. The service only runs for configuration processes and then stops.
- HKLM\SYSTEM\CurrentControlSet\Services\cryptcert\Enum
  - NextInstance: 0x00000001
- HKLM\SYSTEM\CurrentControlSet\Services\cryptcert\Security
  - Security: (binary value, not rendered in this report)
- HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  - DefaultConnectionSettings: (binary value, not rendered in this report)
- HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  - DefaultConnectionSettings: (binary value, not rendered in this report)
Registry Keys Modified
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths
  - Directory: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5
- HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication
  - Name: cryptcert.exe
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4
  - CachePath: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache4
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3
  - CachePath: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache3
- HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  - SavedLegacySettings: 3c 00 00 00 03 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2
  - CachePath: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache2
- HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
  - History: C:\Documents and Settings\LocalService\Local Settings\History
- HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  - SavedLegacySettings: 3c 00 00 00 03 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
- HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
  - History: C:\Documents and Settings\LocalService\Local Settings\History
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1
  - CachePath: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache1
Processes Created
- c:\windows\system32\cryptcert.exe
IP Connections
- 164.132.50.32:8080
- 74.208.17.10:8080