{"id":21792,"date":"2024-06-27T14:31:45","date_gmt":"2024-06-27T14:31:45","guid":{"rendered":"https:\/\/gridinsoft.com\/blogs\/?p=21792"},"modified":"2024-06-27T17:06:40","modified_gmt":"2024-06-27T17:06:40","slug":"trojan-win32-tnega-msr","status":"publish","type":"post","link":"https:\/\/gridinsoft.com\/blogs\/trojan-win32-tnega-msr\/","title":{"rendered":"Trojan:Win32\/Tnega!MSR"},"content":{"rendered":"

Trojan:Win32\/Tnega!MSR is a malicious program<\/strong> that functions to deliver other malware. It uses numerous anti-detection tricks and is often distributed as mods and cheats for popular games. Such threats are capable of delivering spyware, ransomware and pretty much any other malware.<\/p>\n

Trojan:Win32\/Tnega!MSR Overview<\/h2>\n

Trojan:Win32\/Tnega!MSR is a Microsoft Defender detection that refers to malware that acts as a downloader<\/a>. As the name suggests, such malware’s main task is to deliver additional malicious components<\/strong> to the infected device, i.e., payload. It may also include extra features like collecting system information or other basic details.<\/p>\n

\"Trojan:Win32\/Tnega!MSR
Trojan:Win32\/Tnega!MSR detection window<\/figcaption><\/figure>\n

Main spreading ways for Tnega trojan are modified versions of games<\/a>, cheats, or game add-ons. Since such tools always require antivirus software to be disabled, such a disguise creates ideal conditions for malware to run in the system. In addition to this, Tnega has a protection mechanism against antivirus detection and analysis. Everything is standard here – various techniques like code encryption, polymorphism, obfuscation, and checking for the presence of virtual environments. These techniques make it difficult to be detected and analyzed by antivirus programs and malware analyzers.<\/p>\n

Technical Analysis<\/h2>\n

For a more detailed breakdown, I chose a sample<\/a> that spreads as some kind of a mod for Roblox. As the detection is not specific to a malware family, there can be variations from one sample to another, but the general course of action will remain the same. Let’s break down some of the key behaviors and actions observed.<\/p>\n

\"Electron
Electron app<\/figcaption><\/figure>\n

Once launched, the malware performs some checks to determine if the application is running in a virtual environment or sandbox<\/strong>. A rather common check, but it is still effective in weeding out artificial environments. To do this, it checks the following registry values:<\/p>\n

HKEY_LOCAL_MACHINE\\HARDWARE\\ACPI\\DSDT\\VBOX__
\nHKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\SystemBiosVersion
\nHKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\VideoBiosVersion<\/code><\/p>\n

These keys display the BIOS version, which is particularly hard to spoof when it comes to basic virtual machines. Such a check gives much more precise results than more classic ones, that view video driver information and the list of installed applications.<\/p>\n

Persistence<\/h3>\n

To gain persistence, Trojan:Win32\/Tnega!MSR uses Task Scheduler to run its executable file. This allows it to run periodically or on a schedule with elevated privileges. Registering a task as .NET code contains functionality that can also be used to launch other malicious programs.<\/p>\n

After tinkering with the Task Scheduler, the malware’s executable file is injected into other system processes, allowing it to execute with elevated privileges in the context of these processes. It uses the WerFault.exe process<\/strong> with parameters -u -p -s .<\/p>\n

C:\\Windows\\SysWOW64\\WerFault.exe -u -p 1036 -s 1912
\nC:\\Windows\\SysWOW64\\WerFault.exe -u -p 1200 -s 1908
\nC:\\Windows\\SysWOW64\\WerFault.exe -u -p 1256 -s 1908<\/code><\/p>\n

This is only a few of the commands where Tnega abuses WerFault functionality. During the runtime testing, it interacted with the error reporting module for 9 times, which corresponds to the number of files it has downloaded from the C2. So yes, each one of these is about to run malware with max privileges.<\/p>\n

C2 Connection<\/h3>\n

The malware communicates with C2 servers<\/a> via HTTP to blend in with legitimate traffic. DNS resolutions are made to domains such as query.prod.cms.rt.microsoft.com<\/strong>. IP traffic is observed on specific ports like TCP 80, TCP 443, and UDP 137<\/strong>.<\/p>\n

TCP 104.80.89.50:80
\nTCP 13.107.4.50:80
\nTCP 131.253.33.203:80
\nUDP 192.168.0.1:137
\nUDP 192.168.0.55:137<\/code><\/p>\n

Payload<\/h3>\n

Next, Trojan:Win32\/Tnega!MSR performs its primary function of dropping the payload. It writes files to the disc in various directories \u2013 C:\\Users\\\\Downloads, C:\\Users\\user\\Desktop and C:\\Users\\user\\AppData\\Roaming. The files typically arrive in the form of a .dmp file, meaning that malware further injects them into the memory of a legit process.<\/p>\n

\"Payload<\/p>\n

How To Remove Trojan:Win32\/Tnega!MSR?<\/h2>\n

To remove Trojan:Win32\/Tnega!MSR, it is best to use an advanced anti-malware tool. GridinSoft Anti-Malware is the optimal option. Since some users have encountered problems<\/a> with Tnega removal using default Windows tools, a third-party solution is designed to remedy this situation. Moreover, using GridinSoft Anti-Malware does not require you to disable Windows Defender. So, they can work in pairs, complementing each other.<\/p>\n\"GridinSoft\n

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.<\/p>\n

Download Anti-Malware<\/a><\/div>\n

After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click \"Advanced mode\" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.<\/p>\n\"Scan\n

Click \"Clean Now\" to start the removal process. Important: removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.<\/p>\n\"Removal\n","protected":false},"excerpt":{"rendered":"

Trojan:Win32\/Tnega!MSR is a malicious program that functions to deliver other malware. It uses numerous anti-detection tricks and is often distributed as mods and cheats for popular games. Such threats are capable of delivering spyware, ransomware and pretty much any other malware. Trojan:Win32\/Tnega!MSR Overview Trojan:Win32\/Tnega!MSR is a Microsoft Defender detection that refers to malware that acts […]<\/p>\n","protected":false},"author":7,"featured_media":21829,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"content-type":"","_sitemap_exclude":false,"_sitemap_priority":"","_sitemap_frequency":"","footnotes":""},"categories":[17,4],"tags":[1197,28,223],"class_list":{"0":"post-21792","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-labs","8":"category-tips-tricks","9":"tag-dropper","10":"tag-malware","11":"tag-windows-defender"},"featured_image_src":"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/04\/GS_Blog_banner_Trojan_Win32_TnegaMSR.webp","author_info":{"display_name":"Stephanie Adlam","author_link":"https:\/\/gridinsoft.com\/blogs\/author\/adlam\/"},"_links":{"self":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts\/21792","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/comments?post=21792"}],"version-history":[{"count":16,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts\/21792\/revisions"}],"predecessor-version":[{"id":23135,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts\/21792\/revisions\/23135"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/media\/21829"}],"wp:attachment":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/media?parent=21792"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/categories?post=21792"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/tags?post=21792"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}