Onkods social engineering spam campaign continues (Mar 28, 2014)

The Dell SonicWall research team recently encountered a malicious spam e-mail. The sample contained in the email is another in the line of droppers known by the name Onkods. This malware family’s primary role is to gain execution on a victim’s machine in order to download and launch the next stage in the attack.

Infection Cycle

The file attached to the email pretends to be a JPG, with a filename that mimics the one a digital camera would produce. The real extension of the file is SCR, however, so if a user attempts to view the "photo", the file executes and infects their system.
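A defender-side check for this lure, added here as an example and not part of the SonicWall write-up: it flags mail attachments whose name looks like a camera photo but whose real extension, or whose leading bytes, belong to an executable. The camera-name patterns, the extension sets and the constructed sample message are assumptions, not values taken from the analysed sample.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Extensions Windows runs on double-click; the Onkods lure hid .scr behind a photo name.
EXECUTABLE_EXTS = {"scr", "exe", "pif", "com", "bat", "cmd", "cpl"}
IMAGE_EXTS = {"jpg", "jpeg", "png", "gif", "bmp"}
# Assumed camera naming schemes: DSC_0123, DSCN1234, IMG_4567, P1010001, SAM_0001.
CAMERA_NAME_RE = re.compile(r"^(dsc[_n]?|img_|p\d{3}|sam_)\d{4}")
PE_MAGIC = b"MZ"  # DOS/PE header; a real JPEG starts with FF D8 FF


def classify_attachment(filename, head):
    """Reasons an attachment looks like an Onkods-style lure (empty list = clean)."""
    reasons = []
    parts = filename.lower().rsplit(".", 2)  # stem, [decoy ext], real ext
    stem, exts = parts[0], parts[1:]
    real_ext = exts[-1] if exts else ""
    is_pe = head.startswith(PE_MAGIC)
    if real_ext in EXECUTABLE_EXTS:
        reasons.append(f"executable extension .{real_ext}")
        if len(exts) == 2 and exts[0] in IMAGE_EXTS:
            reasons.append(f"decoy .{exts[0]} in front of .{real_ext}")
    elif is_pe:
        reasons.append("PE (MZ) content behind a non-executable name")
    if (real_ext in EXECUTABLE_EXTS or is_pe) and CAMERA_NAME_RE.match(stem):
        reasons.append("camera-style filename on executable content")
    return reasons


def scan_message(raw):
    """Map each attachment filename in a raw RFC 822 message to its reasons."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        body = part.get_payload(decode=True) or b""
        findings[name] = classify_attachment(name, body[:4])
    return findings


def build_sample_message():
    """Constructed test mail: a PE stub named like a photo plus a JPEG-looking file."""
    msg = EmailMessage()
    msg["Subject"] = "photos from the trip"
    msg.set_content("see attached")
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                       subtype="octet-stream", filename="DSC_1023.jpg.scr")
    msg.add_attachment(b"\xff\xd8\xff\xe0" + b"\x00" * 60, maintype="image",
                       subtype="jpeg", filename="DSC_1024.jpg")
    return msg.as_bytes()
```

Run `scan_message(build_sample_message())` to see the .scr attachment flagged on all three counts while the JPEG passes; the same function works on any raw message read from a mailbox or gateway quarantine.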


While the URL for the second stage binary is clearly visible in the contents of the binary, the malware does obfuscate the API functions it uses to download and launch the second stage.


The encrypted procedure names within the binary can be seen above.


This listing shows the encrypted procedure names in the context of the malware’s execution flow.

After running the obfuscated library names through the malware's decryption routine, the intent of the sample becomes even clearer.

The second stage binary is then downloaded to the file name 78f6d86g4g.exe [Detected by GAV:Phorpiex.B_9 (Worm)], which then proceeds to download further binaries. These additional binaries were seen being executed in our analysis:

  • C:\Users\Admin\AppData\Local\Temp\1241547105.exe [Detected by GAV:Injector.BAKZ (Trojan)]
  • C:\Users\Admin\AppData\Local\Temp\2561927484.exe [Detected by GAV:Sdbot.JN (Trojan)]
  • C:\Users\Admin\M-2480286949245824\winsvc.exe [Detected by GAV:Sdbot.JN (Trojan)]
  • C:\Users\Admin\M-89675864735623587\winmgr.exe [Detected by GAV:Phorpiex.B_9 (Worm)]

The malware creates the following mutexes on the system:

  • spm10
  • trk24

The malware communicates with the following hosts:


Overall, the motive of this Trojan is to create additional bots that send spam and propagate further. The SonicWALL research team will continue to monitor this threat.

Dell SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV:Onkods.Y (Trojan)
  • GAV:Kryptik.BLMB (Trojan)
  • GAV:Injector.BAKZ (Trojan)
  • GAV:SDbot.JN (Trojan)
  • GAV:Phorpiex.B_9 (Worm)