Data stealing trojan described as a JPG file (December 31, 2015)


The Dell SonicWall Threats Research team has received reports of a data stealing Trojan described as a JPG file. Upon execution, the trojan steals information from the system and also capable of downloading more malware.

Infection Cycle:

The Trojan has the following description:

There are few tools available such as Resource Tuner which can be used to change the properties of an executable such as:

  • Company Name
  • Copyright Notice
  • Product Name
  • Product Description
  • File Version
  • Product Version

It copies itself at the following location as explorer.exe to hide itself as a windows process.

  • C:Documents and SettingsAdminApplication Dataexplorer.exe detected as GAV:Kryptik.EGO_2 (Trojan)
  • It also modifies autorun entries by adding itself at:

  • C:Documents and SettingsAdminStart MenuProgramsStartup6b297773d8200eb005c582cd40418052.exe
  • It also modifies the firewall policy to add itself to the authorized applications

  • HKLMsystemcurrentcontrolsetservicessharedaccessparametersfirewallpolicystandardprofileauthorizedapplicationslistc:documents and settingsadminapplication dataexplorer.exe

    On analysis, the malware contains the following strings which are used to encrypt and decrypt the user information:

    The malware contacts the following domain:

    Once the CnC server is connected, it steals the following information and sends it to the server at port 5584.

    The system information is base64 encoded when sending to the server.

    • V0lORE9XU18xMDA0MERDNw== : decodes to WINDOWS_10040DC7
    • UHJvZ3JhbSBNYW5hZ2VyAA== : decodes to Program Manager�
    • V0lORE9XUw0KbG92ZTIwMTQuZGRucy5uZXQ6NTU4NA0KQXBwRGF0YQ0KZXhwbG9yZXIuZXhlDQpUcnVlDQpUcnVlDQpGYWxzZQ0KRmFsc2U=: decodes to WINDOWS AppData explorer.exe True True False False

    Overall, this Trojan is capable of sending sensitive information out to a remote server.We urge our users to always be vigilant and cautious with any unsolicited attachments specially if you are not certain of the source.

    Dell SonicWALL Gateway AntiVirus and Intrusion Prevention provides protection against this threat with the following signatures:

    • GAV:Kryptik.EGO_2 (Trojan)

    Security News
    The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.