Trojan Downloader – Win32/Jadtre.A

TrojanDownloader:Win32/Jadtre.A is a trojan that downloads and executes arbitrary files. It also prevents certain processes from executing normally.

Threat behavior

Installation
TrojanDownloader:Win32/Jadtre.A is dropped and installed as a replaced system service DLL by TrojanDropper:Win32/Jadtre.B.
Payload
Downloads and executes arbitrary files
TrojanDownloader:Win32/Jadtre.A contacts remote hosts to download and execute files of the attacker's choice on the affected system. In the wild, TrojanDownloader:Win32/Jadtre.A has been observed contacting the following domain for this purpose:
  • ipdown.poloi999.cn
At the time of this writing, the downloaded files are detected as Worm:Win32/Viking.NA and TrojanSpy:Win32/Hitpop.gen!C.
Hijacks image file execution options
TrojanDownloader:Win32/Jadtre.A modifies the registry to hijack the Image File Execution Options for certain processes to prevent normal execution:
Adds value: "Debugger"
With data: "ntsd -d"
To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<process>
where <process> could be any one of the following:
360hotfix.exe
360rpt.exe
360safe.exe
360safebox.exe
360tray.exe
agentsvr.exe
apvxdwin.exe
ast.exe
avcenter.exe
avengine.exe
avgnt.exe
avguard.exe
avltmain.exe
avp32.exe
avtask.exe
bdagent.exe
bdwizreg.exe
boxmod.exe
ccapp.exe
ccenter.exe
ccevtmgr.exe
ccregvfy.exe
ccsetmgr.exe
cqw32.exe
DrvAnti.exe
egui.exe
ekrn.exe
frameworkservice.exe
frwstub.exe
guardfield.exe
iparmor.exe
kaccore.exe
kasmain.exe
kav32.exe
kavstart.exe
kavsvc.exe
kavsvcui.exe
kislnchr.exe
kmailmon.exe
knownsvr.exe
kpfw32.exe
kpfwsvc.exe
kregex.exe
kvfw.exe
kvmonxp.exe
kvmonxp.kxp
kvol.exe
kvprescan.exe
kvsrvxp.exe
kvwsc.exe
kvxp.kxp
kwatch.exe
livesrv.exe
mcagent.exe
mcdash.exe
mcdetect.exe
mcshield.exe
mctskshd.exe
mcvsescn.exe
mcvsshld.exe
mghtml.exe
naprdmgr.exe
navapsvc.exe
navapw32.exe
navw32.exe
nmain.exe
nod32.exe
nod32krn.exe
nod32kui.exe
npfmntor.exe
oasclnt.exe
pavsrv51.exe
pfw.exe
psctrls.exe
psimreal.exe
psimsvc.exe
qqdoctormain.exe
ras.exe
ravmon.exe
ravmond.exe
ravstub.exe
ravtask.exe
rfwcfg.exe
rfwmain.exe
rfwproxy.exe
rfwsrv.exe
rsagent.exe
rsmain.exe
rsnetsvr.exe
rssafety.exe
rstray.exe
safebank.exe
safeboxtray.exe
scan32.exe
scanfrm.exe
sched.exe
seccenter.exe
secnotifier.exe
SetupLD.exe
shstat.exe
smartup.exe
sndsrvc.exe
spbbcsvc.exe
symlcsvc.exe
tbmon.exe
uihost.exe
ulibcfg.exe
updaterui.exe
uplive.exe
vcr32.exe
vcrmon.exe
vptray.exe
vsserv.exe
vstskmgr.exe
webproxy.exe
xcommsvr.exe
xnlscn.exe
Most of these processes are associated with antivirus and security products.
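The Image File Execution Options hijack above is easy to audit from the defender's side: every subkey under that registry path that carries a Debugger value is a redirection, and a value of "ntsd -d" (or any debugger attached to a security-product executable) is the pattern this family leaves behind. The script below is an added example written for this page, not code from the original write-up; it enumerates the IFEO subkeys, flags Debugger values that match the behaviour described, and can optionally remove them. The `$watchList` is a constructed subset of the process names listed above and the function name `Get-IfeoDebuggerHijack` is my own; run it from an elevated PowerShell session.

```powershell
# Added example: audit Image File Execution Options for Debugger hijacks.
# Not part of the original write-up. Requires an elevated PowerShell session.

$ifeoPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# Constructed subset of the security-product executables named in the write-up;
# extend it with the rest of the list as needed.
$watchList = @(
    '360tray.exe', 'avp32.exe', 'egui.exe', 'ekrn.exe', 'kavsvc.exe',
    'mcshield.exe', 'nod32krn.exe', 'ravmon.exe', 'rstray.exe', 'vptray.exe'
)

function Get-IfeoDebuggerHijack {
    # Returns one object per suspicious IFEO entry. With -Remove, the offending
    # Debugger value is deleted so the hijacked program can start normally again.
    param([switch]$Remove)

    $findings = @()
    foreach ($key in (Get-ChildItem -Path $ifeoPath -ErrorAction SilentlyContinue)) {
        $debugger = (Get-ItemProperty -Path $key.PSPath -Name 'Debugger' -ErrorAction SilentlyContinue).Debugger
        if (-not $debugger) { continue }          # no redirection on this executable

        $exe = $key.PSChildName
        # "ntsd -d" attaches a console debugger that never lets the target run;
        # match it with or without the space, case-insensitively.
        $isNtsd  = $debugger -match '(?i)\bntsd(\.exe)?\s*-d\b'
        # Any debugger set on a known security-product binary is suspicious on its own.
        $onWatch = $watchList -contains $exe

        if ($isNtsd -or $onWatch) {
            $findings += [pscustomobject]@{
                Process         = $exe
                Debugger        = $debugger
                NtsdHijack      = $isNtsd
                SecurityProduct = $onWatch
                RegistryKey     = $key.Name
            }
            if ($Remove) {
                Remove-ItemProperty -Path $key.PSPath -Name 'Debugger'
            }
        }
    }
    return $findings
}

# Report only; add -Remove to clean the entries once you have reviewed the output.
Get-IfeoDebuggerHijack | Format-Table -AutoSize
```

The script reports rather than removes by default because legitimate IFEO Debugger entries do exist (developers attach real debuggers this way), so the `SecurityProduct` and `NtsdHijack` columns are there to let you decide per entry; removing the Debugger value only restores the ability to launch those programs, so the dropped service DLL and any downloaded payloads still need to be dealt with separately.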




Duncan Newell

Duncan is a technology professional with over 20 years of experience working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.
