FOR CUSTOMERS

Close

Library
My library

+ Add to library

Search
Search

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

A query form

Call us

+7 (495) 789-45-86

Forum

Your tickets

New ticket

Call us

+7 (495) 789-45-86

Profile

EN

RU CN DE EN ES FR IT JP KZ UZ PL BY
Close
Support services
Scanners
Dr.Web vxCube
Trial
VCI investigations
Virus library
Knowledge base

Technologies

Terminology

Training and education

Myths

News

Trojan.Scavenger.2

Added to the Dr.Web virus database: 2025-04-09

Virus description added:

sha1:

  • 9f5d1dbb2cd31b2af97e14b8781ea035a4869194 (tmp6FC15.dll)

Description

A malicious program written in C++ and a component of the Trojan.Scavenger family. It represents a dynamic library whose main purpose is to download the next infection stages, Trojan.Scavenger.3 and Trojan.Scavenger.4, and prepare them for launch. For this, Trojan.Scavenger.2 puts them into the directories of apps susceptible to DLL Search Order Hijacking vulnerabilities. These stages run automatically when the corresponding programs are launched.

Operating routine

Launching

Depending on the attack vector scenario, Trojan.Scavenger.2 can be either the next infection stage downloaded by the Trojan.Scavenger.1 malicious app or its starting point. In the former case, Trojan.Scavenger.1 downloads this malware as the file %TEMP%\tmp6FC15.dll and then launches it. In the latter case, the trojan is distributed under the guise of ASI files for installing PC game modes. When a victim follows the attackers’ instructions and copies the trojan file into the game directory, it automatically runs when the game is launched.

Checking the running environment

When launched, Trojan.Scavenger.2 preliminarily performs an environment check, which is standard for the entire family. If it detects signs that it is being launched in a virtual environment or debug mode, it stops working.

Downloading the payload

Like most components of the family, before directly proceeding to download the payload from the C2 sever, Trojan.Scavenger.2 checks the encryption key for secure data exchange. To do so, it uses the algorithm discussed in the description for the corresponding trojan family. After successfully verifying the encryption key on the server, the malicious app downloads the next infection stages. For this, requests with the following routes are made:

  • /pl — receiving the target files list;

  • /pdl — receiving the payload body;

  • /pdp — these are paths for searching the target directories to place the downloaded files into them.

The request containing the route /pl

This request has the following parameters:

  • Parameters that are standard for the Trojan.Scavenger family;

  • The parameter _ = -.

In response to this request, the C2 server sends a list of payloads, parameters for determining which target directory these files will be copied to, and the files’ final names. This response is encrypted with the XXTEA algorithm; after decryption, it looks like this:

[{"enabled": true, "identifier": "shiny", "drop_name": "version.dll", "next_to_match": "notification_helper.exe", "next_to_extra_nav": "\\..\\..\\", "next_to_extra_nav_confirmation": "anifest.xml"}, {"enabled": true, "identifier": "exodus", "drop_name": "profapi.dll", "next_to_match": "\\Exodus.exe", "next_to_extra_nav": "\\..", "next_to_extra_nav_confirmation": "v8_context_snapshot.bin"}]

, где

  • enable — to create requests /pdl and /pdp for downloading the payload;

  • identifyre — the parameter for the request /pdl;

  • drop_name — the name under which the target file will be saved after being downloaded;

  • next_to_match — the match during the directory parsing;

  • next_to_extra_nav — the parameters for searching which target directory to save the downloaded file to (for example, for the path C:\Program Files (x86)\Microsoft\Edge\Application\136.0.3240.64\notification_helper.exe" - \..\.. the resulting path will be C:\Program Files (x86)\Microsoft\Edge\Application);

  • next_to_extra_nav_confirmation — part of the file’s name to confirm that this file is located in the correct directory.

The request containing the route /pdl

This request has the following parameters:

  • Parameters that are standard for the Trojan.Scavenger family;

  • p — the type of downloaded component.

Trojan.Scavenger.2 downloads two additional stages to further infect the computer:

  • p = shiny — Trojan.Scavenger.3;

  • p = exodus — Trojan.Scavenger.4.

After decoding base64, the payload is encrypted with an XOR operation containing the string F**kOff (we deliberately hid some of the symbols).

The request containing the route /pdp

This request has the following parameters:

  • Parameters that are standard for the Trojan.Scavenger family;

  • _ = -.

In response to this request, the C2 server sends an array of directory names to be parsed. This response is encrypted with the XXTEA algorithm; after decryption it looks like this:

["C:\\Program Files", "C:\\Program Files (x86)", "%LOCALAPPDATA%", "%APPDATA%"]
File system parsing

After receiving the response corresponding to the request containing the route /pdp, the trojan starts crawling target directories to locate the ones the downloaded payload will be copied to. The search is performed according to rules sent by the C2 server in response to the request containing the route /pl.

First, Trojan.Scavenger.2 searches for the file with the name sent in the parameter next_to_match. Next, it forms a path to the target directory, using the rules next_to_extra_nav. After that, it verifies the directory in accordance with the parameters from the field next_to_extra_nav_confirmation. For this, it searches for a file by its full name (for instance, v8_context_snapshot.bin) or a portion of it (for example, the substring anifest.xml which is present in the names of Manifest files of different browsers).

More about Trojan.Scavenger.1
More about Trojan.Scavenger.3
More about Trojan.Scavenger.4
News about the trojan
Indicators of compromise

Curing recommendations

  1. If the operating system (OS) can be loaded (either normally or in safe mode), download Dr.Web Security Space and run a full scan of your computer and removable media you use. More about Dr.Web Security Space.
  2. If you cannot boot the OS, change the BIOS settings to boot your system from a CD or USB drive. Download the image of the emergency system repair disk Dr.Web® LiveDisk , mount it on a USB drive or burn it to a CD/DVD. After booting up with this media, run a full scan and cure all the detected threats.
Free trial

 

Download Dr.Web

Download by serial number

Use Dr.Web Anti-virus for macOS to run a full scan of your Mac.

Free trial

 

Download Dr.Web

Download by serial number

Download on App Store

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

Free trial

 

Download Dr.Web

Download by serial number

  1. If the mobile device is operating normally, download and install Dr.Web for Android. Run a full system scan and follow recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount; or you will see some other announcement that prevents you from using the handheld normally), do the following:
    • Load your smartphone or tablet in the safe mode (depending on the operating system version and specifications of the particular mobile device involved, this procedure can be performed in various ways; seek clarification from the user guide that was shipped with the device, or contact its manufacturer);
    • Once you have activated safe mode, install the Dr.Web for Android onto the infected handheld and run a full scan of the system; follow the steps recommended for neutralizing the threats that have been detected;
    • Switch off your device and turn it on as normal.

Find out more about Dr.Web for Android

Free trial

14 days

Download now
Get it on Google Play