
Trojan.Rokamal

Posted: April 24, 2014

Threat Metric

Threat Level: 10/10
Infected PCs: 5
First Seen: April 25, 2014
Last Seen: July 1, 2019
OS(es) Affected: Windows

Trojan.Rokamal is a Trojan that steals personal information from the infected computer. It also opens a back door and may use the compromised machine to mine cryptocurrency and to launch distributed denial-of-service (DDoS) attacks. Once executed, Trojan.Rokamal drops its components to disk and creates registry entries so that it loads automatically every time Windows starts, along with numerous other registry entries; among these are Image File Execution Options "Debugger" values for common antivirus, anti-malware and analysis tools (Windows Defender, Microsoft Security Essentials, Malwarebytes, Kaspersky, Avira, ESET, Bitdefender, ZoneAlarm, Spybot, HijackThis, ComboFix, Wireshark and KeyScrambler), which cause Windows to launch the listed "debugger" in place of each of those programs whenever a user starts them. Trojan.Rokamal may then carry out further actions on the compromised PC such as stealing email credentials from Microsoft Outlook, opening a command shell, logging keystrokes and turning the PC into a Web proxy. Trojan.Rokamal may also steal saved passwords from Web browsers such as Internet Explorer, Opera, Google Chrome and Mozilla Firefox.

Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.

The following files are created on the system (on Windows Vista and later, %UserProfile%\Application Data is a compatibility junction to %UserProfile%\AppData\Roaming, i.e. %AppData%, so the paths below resolve there):

%ProgramFiles%\Startup\Google.com.url
    Mime Type: unknown/url
    Group: Malware file

%SystemDrive%\{$[16 RANDOM DIGITS]$}\comhost.exe
    File type: Executable File
    Mime Type: unknown/exe
    Group: Malware file

%UserProfile%\Application Data\msconfig.ini
    Mime Type: unknown/ini
    Group: Malware file

%UserProfile%\Application Data\[9 RANDOM DIGITS].exe
    File type: Executable File
    Mime Type: unknown/exe
    Group: Malware file

%UserProfile%\Application Data\Install\Host.exe
    File type: Executable File
    Mime Type: unknown/exe
    Group: Malware file

%Temp%\[4 RANDOM DIGITS]
    Group: Malware file

Registry Modifications

The following Registry values are created:

Autostart (persistence):

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\"load" = "%SystemDrive%\{$[16 RANDOM DIGITS]$}\comhost.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{[36 RANDOM CHARACTERS]}\"StubPath" = "%UserProfile%\Application Data\Install\Host.eXe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{[36 RANDOM CHARACTERS]}\"StubPath" = "\%UserProfile%\Application Data\Install\Host.eXe\"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Windows COM Host" = "%SystemDrive%\{$[16 RANDOM DIGITS]$}\comhost.exe -rundll32 /SYSTEM32 \%System%\taskmgr.exe\" \"%ProgramFiles%\Microsoft\Windows\""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"NetWire" = "%UserProfile%\Application Data\Install\Host.exe"

Defense evasion (Image File Execution Options; a "Debugger" value makes Windows start the named debugger instead of the program whenever that program is launched, so each of these security and analysis tools is redirected to nsjw.exe; the DisableExceptionChainValidation value is the SEHOP control for the Trojan's own comhost.exe):

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\"Debugger" = "nsjw.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe\"Debugger" = "nsjw.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avguard.exe\"Debugger" = "nsjw.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe\"Debugger" = "nsjw.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HijackThis.exe\"Debugger" = "nsjw.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcenter.exe\"Debugger" = "nsjw.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe\"Debugger" = "nsjw.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ComboFix.exe\"Debugger" = "nsjw.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdagent.exe\"Debugger" = "nsjw.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe\"Debugger" = "nsjw.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Spybotsd.exe\"Debugger" = "nsjw.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe\"Debugger" = "nsjw.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\"Debugger" = "nsjw.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe\"Debugger" = "nsjw.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccuac.exe\"Debugger" = "nsjw.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zlclient.exe\"Debugger" = "nsjw.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\keyscrambler.exe\"Debugger" = "nsjw.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\comhost.exe\"DisableExceptionChainValidation" = ""

Other:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"ShowSuperHidden" = "0"
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\Microsoft\Sysinternals\"PROCID" = "5728"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings\"REG_DWORD" = "1"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule\"Start" = "4"
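As an added example (this script is not part of the original page and is not the vendor's own tooling), the following PowerShell checks a host for the persistence and defense-evasion artifacts listed above: Image File Execution Options "Debugger" hijacks, Active Setup stubs inside a user profile, the Run and legacy "load" autostarts, the disabled Task Scheduler service, and the dropped files. The function name Invoke-RokamalTriage, the heuristic that a Debugger value is suspicious when it is a bare file name or does not exist on disk, the user-profile path patterns, and the guess that the 16-digit directory may or may not be wrapped in braces are this example's own assumptions. It is read-only; run it from an elevated PowerShell on the suspect machine.

```powershell
# Added example, not from the original page: read-only triage for the
# registry and file artifacts this entry lists. Heuristics are assumptions
# of this example, not statements from the page. Run elevated.
function Invoke-RokamalTriage {
    $findings = New-Object System.Collections.Generic.List[string]

    # 64-bit hosts keep a second WOW64 view of HKLM\SOFTWARE; check both.
    $hives = @('HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\Wow6432Node')

    foreach ($h in $hives) {
        # 1. Image File Execution Options. A "Debugger" value makes Windows start
        #    the listed program instead of the named executable, which is how the
        #    Trojan redirects AV and analysis tools to nsjw.exe.
        #    Heuristic (assumption): a bare name or a path missing on disk is a hijack.
        $ifeo = "$h\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
        foreach ($k in (Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue)) {
            $p = Get-ItemProperty -Path $k.PSPath -ErrorAction SilentlyContinue
            if (-not $p) { continue }
            if ($p.PSObject.Properties.Name -contains 'Debugger') {
                $dbg = [string]$p.Debugger
                # The first token (quotes stripped) is the debugger binary.
                $exe = if ($dbg -match '^"([^"]+)"') { $Matches[1] } else { ($dbg -split '\s+')[0] }
                if ($dbg -and (-not [System.IO.Path]::IsPathRooted($exe) -or -not (Test-Path -LiteralPath $exe))) {
                    $findings.Add("IFEO Debugger hijack: $($k.PSChildName) -> '$dbg'")
                }
            }
            if ($p.PSObject.Properties.Name -contains 'DisableExceptionChainValidation') {
                $findings.Add("IFEO SEHOP control set for: $($k.PSChildName)")
            }
        }

        # 2. Active Setup. StubPath runs once per user at logon; a stub under a
        #    user profile (Application Data\Install\Host.exe here) is not how
        #    legitimate components are installed.
        $as = "$h\Microsoft\Active Setup\Installed Components"
        foreach ($k in (Get-ChildItem -Path $as -ErrorAction SilentlyContinue)) {
            $stub = [string](Get-ItemProperty -Path $k.PSPath -ErrorAction SilentlyContinue).StubPath
            if ($stub -match '(?i)%UserProfile%|%AppData%|\\Users\\|Application Data\\Install\\') {
                $findings.Add("Active Setup stub in user profile: $($k.PSChildName) -> '$stub'")
            }
        }
    }

    # 3. Run keys plus the legacy "load" value under HKCU\...\Windows NT\CurrentVersion\Windows.
    $autoruns = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'
    )
    foreach ($rk in $autoruns) {
        $p = Get-ItemProperty -Path $rk -ErrorAction SilentlyContinue
        if (-not $p) { continue }
        foreach ($prop in $p.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # PowerShell's own metadata properties
            if ($rk -like '*Windows NT*' -and $prop.Name -ne 'load') { continue }
            $v = [string]$prop.Value
            if (($prop.Name -eq 'load' -and $v) -or
                ($prop.Name -in @('Windows COM Host', 'NetWire')) -or
                ($v -match '(?i)\\comhost\.exe|\\Install\\Host\.exe|-rundll32 /SYSTEM32')) {
                $findings.Add("Autostart: $rk\$($prop.Name) = '$v'")
            }
        }
    }

    # 4. Task Scheduler service disabled (Start=4), as listed on the page.
    $sched = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Schedule' -ErrorAction SilentlyContinue
    if ($sched -and $sched.Start -eq 4) { $findings.Add('Task Scheduler service disabled (Start=4)') }

    # 5. Dropped files. %AppData% is where "%UserProfile%\Application Data" resolves today.
    $files = @(
        (Join-Path $env:APPDATA 'Install\Host.exe'),
        (Join-Path $env:APPDATA 'msconfig.ini'),
        (Join-Path $env:ProgramFiles 'Startup\Google.com.url')
    )
    foreach ($f in $files) { if (Test-Path -LiteralPath $f) { $findings.Add("Dropped file present: $f") } }
    # comhost.exe sits in a 16-digit directory at the root of the system drive
    # (assumption: the directory name may or may not be wrapped in braces).
    foreach ($d in (Get-ChildItem -Path "$env:SystemDrive\" -Directory -ErrorAction SilentlyContinue)) {
        if ($d.Name -match '^\{?\d{16}\}?$') {
            $c = Join-Path $d.FullName 'comhost.exe'
            if (Test-Path -LiteralPath $c) { $findings.Add("Dropped file present: $c") }
        }
    }

    return ,$findings
}

$result = Invoke-RokamalTriage
if ($result.Count -eq 0) { 'No Rokamal-style artifacts found.' } else { $result }
```

Each finding is reported rather than removed; when the IFEO check fires, delete the offending "Debugger" value (or the whole per-program subkey if the Trojan created it) before expecting the named security tool to start again, and treat the 16-digit directory and the Application Data\Install folder as evidence to preserve before cleanup.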