System Infected: Trojan Sponkirob Activity

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects traffic related to Trojan.Sponkirob.

Additional Information

Trojan.Sponkirob is a Trojan horse that steals information and mines for cryptocurrencies on the compromised computer.

When the Trojan is executed, it creates the following files:
%AppData%\Chrome.exe
%AppData%\Tamir.SharpSsh.dll

Next, the Trojan creates the following registry entry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"ichrome" = "%UserProfile%\Application Data\chrome.exe"

The Trojan then creates the following mutex:
{EBC8D956-35C6-499D-B778-130A5DFA6195}

The Trojan then connects to the following remote location:
[http://]proteus-network.ml[REMOVED]
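The file, registry, mutex and network indicators listed above can be checked on a Windows host with a short read-only triage script. The following is an added example, not Symantec's code and not part of this signature; the indicator values are the ones given above, while the script structure, the `$findings` list and the decision to check both the `%AppData%` and the legacy `Application Data` path are this example's own choices. It assumes it is run as the user whose profile is being examined (the Run value and the mutex are per user and per session) and that `Get-DnsClientCache` is available (Windows 8 / Server 2012 or later).

```powershell
# Read-only host triage for the Trojan.Sponkirob indicators described above.
# Added example, not Symantec's code. Nothing is deleted or modified.

$findings = @()

# 1. Dropped files. %AppData% resolves to the Roaming profile on modern
#    Windows; the Run value points at the legacy "Application Data" path,
#    so both locations are checked.
$filePaths = @(
    (Join-Path $env:APPDATA 'Chrome.exe'),
    (Join-Path $env:APPDATA 'Tamir.SharpSsh.dll'),
    (Join-Path $env:USERPROFILE 'Application Data\chrome.exe')
)
foreach ($p in $filePaths) {
    if (Test-Path -LiteralPath $p -PathType Leaf) {
        $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        $findings += "File present: $p (SHA256 $hash)"
    }
}

# 2. Persistence: the "ichrome" value under the per-user Run key.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -Name 'ichrome' -ErrorAction SilentlyContinue
if ($run) {
    $findings += "Run value present: ichrome = $($run.ichrome)"
}

# 3. Mutex. OpenExisting throws WaitHandleCannotBeOpenedException when no
#    process holds the name, which is the clean case. The advisory does not
#    say whether the name is session-local or Global, so both are tried.
$mutexNames = @(
    '{EBC8D956-35C6-499D-B778-130A5DFA6195}',
    'Global\{EBC8D956-35C6-499D-B778-130A5DFA6195}'
)
foreach ($m in $mutexNames) {
    try {
        $handle = [System.Threading.Mutex]::OpenExisting($m)
        $handle.Dispose()
        $findings += "Mutex present: $m"
    } catch [System.Threading.WaitHandleCannotBeOpenedException] {
        # Not present: expected on a clean host.
    } catch [System.UnauthorizedAccessException] {
        # Exists but cannot be opened from this session; still worth reporting.
        $findings += "Mutex present (access denied): $m"
    }
}

# 4. Network: any cached DNS resolution of the remote location.
if (Get-Command Get-DnsClientCache -ErrorAction SilentlyContinue) {
    $dns = Get-DnsClientCache -ErrorAction SilentlyContinue |
        Where-Object { $_.Entry -like '*proteus-network.ml*' }
    foreach ($d in $dns) {
        $findings += "DNS cache entry: $($d.Entry) -> $($d.Data)"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Trojan.Sponkirob indicators found on this host.'
} else {
    Write-Output 'Trojan.Sponkirob indicators found:'
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

A hit on the file or Run value alone is strong evidence of the infection described above; the DNS cache check only shows that the name was resolved recently, so an empty result there does not clear the host. Because the mutex is only visible while the Trojan is running, that check is most useful on a live system rather than on an offline image.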

The Trojan then sends a fingerprint consisting of the following system information to its remote location:
Processor
BIOS
Disk
Motherboard
Video card
Network interface card
OS architecture

If this system information is unavailable, the Trojan sends the following default fingerprint:
{2D592824-48DE-49F8-8F96-A40B3904C794}

The Trojan may then gather account information from the following websites:
eBay
Otto
Amazon
Packstation
Netflix
Spotify
Zalando
Breuninger

The Trojan may then mine for cryptocurrencies on the compromised computer using the following mining tools:
CPUMiner
ZCashMiner
ScryptMiner
SHA256Miner

Affected

  • Windows
