MSIL/Fbtaken [Threat Name]

MSIL/Fbtaken.B [Threat Variant Name]

Category trojan
Size 147968 B
Detection created Nov 07, 2016
Signature database version 14404
Aliases Trojan:Win32/Skeeyah.A!rfn (Microsoft)
Short description

The trojan serves as a backdoor. It can be controlled remotely.

Installation

The trojan does not create any copies of itself.


The trojan schedules a task that causes the following file to be executed repeatedly:

  • %malwarefilepath%

The trojan executes the following command:

  • schtasks /Create /SC MINUTE /TN "fbapp" /MO 5 /TR ""%malwarefilepath%"" /F /RL HIGHEST
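
As an added example (not code from the ESET page), the following Python check parses Windows process-creation command lines and flags task creations that match the persistence pattern above: a task named "fbapp", re-run every 5 minutes with /RL HIGHEST, whose action sits in a user-writable directory. The sample command lines, the `C:\Users\alice\AppData\Roaming\HDPlayer\player.exe` path standing in for `%malwarefilepath%`, and the function names are all constructed for this illustration.

```python
from __future__ import annotations

import re

# Constructed process-creation command lines (Sysmon/EDR style), not taken from the ESET page.
# The first mirrors the Fbtaken.B persistence command with a made-up path in place of %malwarefilepath%.
SAMPLE_EVENTS = [
    r'schtasks /Create /SC MINUTE /TN "fbapp" /MO 5 /TR ""C:\Users\alice\AppData\Roaming\HDPlayer\player.exe"" /F /RL HIGHEST',
    r'schtasks /Create /SC DAILY /TN "Adobe Acrobat Update Task" /TR "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" /ST 12:00',
    r'schtasks /Query /TN "fbapp"',
    r'notepad.exe C:\Users\alice\notes.txt',
]

_TOKEN = re.compile(r'(?:"[^"]*"|\S)+')  # a token is a run of quoted strings and/or non-space characters
_USER_WRITABLE = re.compile(r'\\(?:AppData|Temp|Users\\[^\\]+)\\', re.I)


def tokenize(cmdline: str) -> list[str]:
    """Split a Windows command line into arguments, keeping quoted spans together.

    Doubled quotes (""path"") are collapsed first; this is a heuristic, not a full cmd.exe parser.
    """
    collapsed = cmdline.replace('""', '"')
    return [t.strip('"') for t in _TOKEN.findall(collapsed)]


def parse_schtasks(cmdline: str) -> dict[str, str | bool] | None:
    """Return schtasks switches as {NAME: value-or-True}, or None if this is not a schtasks invocation."""
    tokens = tokenize(cmdline)
    if not tokens or tokens[0].lower().rsplit("\\", 1)[-1] not in ("schtasks", "schtasks.exe"):
        return None
    opts: dict[str, str | bool] = {}
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            name = tok[1:].upper()
            # a switch consumes the next token as its value unless that token is itself a switch
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                opts[name] = tokens[i + 1]
                i += 2
                continue
            opts[name] = True
        i += 1
    return opts


def assess(cmdline: str) -> list[str]:
    """Findings for a task-creation command that resembles the Fbtaken.B persistence described above."""
    opts = parse_schtasks(cmdline)
    if not opts or "CREATE" not in opts:
        return []
    findings = []
    if str(opts.get("TN", "")).lower() == "fbapp":
        findings.append("task name 'fbapp' matches the Fbtaken.B scheduled task")
    if str(opts.get("SC", "")).upper() == "MINUTE" and opts.get("MO") == "5":
        findings.append("task re-runs every 5 minutes (/SC MINUTE /MO 5)")
    if str(opts.get("RL", "")).upper() == "HIGHEST":
        findings.append("task runs with highest privileges (/RL HIGHEST)")
    if _USER_WRITABLE.search(str(opts.get("TR", ""))):
        findings.append("task action points into a user-writable directory")
    return findings


def scan(events: list[str]) -> list[tuple[int, list[str]]]:
    """Return (index, findings) for every event that produced at least one finding."""
    hits = []
    for idx, line in enumerate(events):
        findings = assess(line)
        if findings:
            hits.append((idx, findings))
    return hits


if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {SAMPLE_EVENTS[idx]}")
        for finding in findings:
            print("   -", finding)
```

Only the first sample line is flagged: the legitimate daily updater task, the `/Query` call and the unrelated process produce no findings. In a real deployment the same logic would run over the command-line field of Sysmon event ID 1 or an EDR process-creation feed, and the task name and path checks would be combined with the registry key and CSV file names listed further down as additional host indicators.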

Information stealing

The trojan collects the following information:

  • cookies
  • country code
  • malware version

The following programs are affected:

  • Google Chrome
  • Internet Explorer
  • Mozilla Firefox

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a list of (2) URLs. The HTTP protocol is used in the communication.


It can execute the following operations:

  • "like" posts on social networks
  • share posts on social networks
  • create posts on social networks
  • steal social network account credentials

The following social networking sites are affected:

  • Facebook

The trojan keeps various information in the following Registry key:

  • [HKEY_CURRENT_USER\Software\HDPlayer\VictimId]

The trojan keeps various information in the following files:

  • ids.csv
  • location.csv
  • cookies.csv

The trojan requires the Microsoft .NET Framework to run.
