- 01:51:56 23.07.2020 (x86 version)
- 01:49:20 20.05.2020 (x64 version)
- bbb29d96809bcd4c0e75df8f08f3e9dbc817f584 (x86 version)
- 091866cac1bef518dbb6d114b3636fbad144b49a (x64 version)
Trojan.DownLoader34.31724 is a shellcode loader written in C++. It works both in 32-bit and 64-bit Microsoft Windows operating systems.
The C&C server address is hardcoded in trojan’s body and is plain text: https://newsfor[.]newss[.]nl.
Using the CoCreateGuid function, the program generates a GUID (Globally Unique Identifier), which is then used as the identifier of the infected device.
It then sends a GET request to the C&C server with the User-Agent: "WinHTTP Example/1.0" HTTP header to https://newsfor[.]newss[.]nl/
- <uuid> — previously created uuid,
- 0 — the sequence number of the request,
- 4 — a number, hardcoded in the trojan’s body.
In response to this GET request, the trojan waits for the shellcode delivery, and then sends another GET request. If the first DWORD in the response is equal to 1, it then executes the previously received shellcode.
The result of the shellcode execution is sent by a POST request to the same URL that is used for GET requests.