Threat behavior
Trojan:Win32/Gitwen.A is a trojan that connects to a remote server to send information about the infected computer. It can also receive certain commands from the same server.
Installation
Upon execution, Trojan:Win32/Gitwen.A creates the following mutex:
Trojan:Win32/Gitwen.A drops itself as the following file:
- %ProgramFiles%\Common Files\console.exe
It creates the following registry entry so that it automatically runs every time the computer starts:
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Common"
With data: "%ProgramFiles%\Common Files\console.exe"
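As an added defender-side example (not part of this write-up), the following Python check parses a constructed `.reg` export of the Run key and flags the persistence entry described above by either the value name "Common" or the dropped-file path; the sample export text and the function names are assumptions made for illustration.

```python
import re

# Constructed sample: a .reg export of the Run key, showing the Gitwen.A
# persistence value next to a benign entry (not captured from a real host).
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"Common"="%ProgramFiles%\\Common Files\\console.exe"
'''

RUN_KEY = r"hklm\software\microsoft\windows\currentversion\run"
# Indicators taken from the write-up: value name "Common" and the dropped file path.
GITWEN_VALUE_NAME = "Common"
GITWEN_PATH_SUFFIX = r"\common files\console.exe"

def _unescape(s):
    """Undo .reg string escaping (backslash-doubling and escaped quotes)."""
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg_export(text):
    """Return {key_path_lower: {value_name: data}} for string values in a .reg export."""
    entries, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower().replace("hkey_local_machine", "hklm")
            entries.setdefault(current, {})
        elif current and line.startswith('"'):
            m = re.match(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$', line)
            if m:  # only REG_SZ values are handled; hex(2)/dword forms are skipped
                entries[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return entries

def find_gitwen_persistence(text):
    """Return [(value_name, data)] for Run-key entries matching the indicator."""
    hits = []
    for name, data in parse_reg_export(text).get(RUN_KEY, {}).items():
        # Match on the documented value name or on the dropped-file path, case-insensitively.
        if name == GITWEN_VALUE_NAME or data.lower().endswith(GITWEN_PATH_SUFFIX):
            hits.append((name, data))
    return hits

if __name__ == "__main__":
    for name, data in find_gitwen_persistence(SAMPLE_REG_EXPORT):
        print(f"suspicious Run entry: {name!r} -> {data}")
```

The same function can be run over an export produced with `reg export HKLM\Software\Microsoft\Windows\CurrentVersion\Run run.reg` on a suspect machine.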
Trojan:Win32/Gitwen.A also creates the following file:
Payload
Connects to a remote server
Trojan:Win32/Gitwen.A connects to the following server to send specific information:
It attempts to send the following information about the computer on which it is currently running:
- IP Address
- Windows version
- System volume serial number
Trojan:Win32/Gitwen.A can also receive messages from the server to perform the following actions:
- Uninstall itself from the infected computer
- Upload a file from the infected computer
- Terminate itself
Analysis by Daniel Radu
Prevention