Win32/Ghokswa

Installation

This threat is usually installed by Trojan:Win32/Xadupi.

Chrome

This threat installs a modified version of Chrome in a similar way to how the real Google Chrome would be installed, but uses various folder names such as:

• %ProgramFiles%\Bangone
• %ProgramFiles%\Bigjane
• %ProgramFiles%\Birdkiss
• %ProgramFiles%\Birdmay
• %ProgramFiles%\Cupblue
• %ProgramFiles%\Eastfat
• %ProgramFiles%\Eastness
• %ProgramFiles%\Fishlamp
• %ProgramFiles%\Footblue
• %ProgramFiles%\ghokswa Browser
• %ProgramFiles%\Goldlarry
• %ProgramFiles%\Gotoe
• %ProgramFiles%\Guntony
• %ProgramFiles%\Hipbear
• %ProgramFiles%\Hipfat
• %ProgramFiles%\Hiprain
• %ProgramFiles%\Jamben
• %ProgramFiles%\Junetoe
• %ProgramFiles%\Lefttoe
• %ProgramFiles%\Monold
• %ProgramFiles%\Nobean
• %ProgramFiles%\Nosejane
• %ProgramFiles%\Outlose
• %ProgramFiles%\Seablue
• %ProgramFiles%\Toolrain
• %ProgramFiles%\vreXjvX
• %ProgramFiles%\Yesdear
• %ProgramFiles%\Zooface

Like the legitimate Google Chrome browser, it also stores data files under %LOCALAPPDATA% in a folder with a name that matches the one in %ProgramFiles%, for example:

%LOCALAPPDATA%\Gotoe

If the real Google Chrome is running at the time of installation, Ghokswa will terminate its processes. Ghokswa will also replace any existing Chrome shortcuts and file (for example, .htm, .html) or protocol (for example, HTTP, HTTPS) associations to point to its own modified Chrome browser.

Ghokswa also installs its own equivalents of Google Chrome's scheduled tasks, with names such as GotoeUpdateTaskMachineCore and GotoeUpdateTaskMachineUA.

Firefox

Ghokswa installs a modified version of Firefox in a similar way to how the real Mozilla Firefox would be installed, but into a different folder, for example, %ProgramFiles%\Firefox instead of %ProgramFiles%\Mozilla Firefox.

Like the legitimate Mozilla Firefox, it also stores data files under %LOCALAPPDATA%, for example, %LOCALAPPDATA%\Firefox\Firefox instead of %LOCALAPPDATA%\Mozilla\Firefox.

If the real Mozilla Firefox is running at the time of installation, Ghokswa will terminate its processes. Ghokswa will also replace any existing Firefox shortcuts and file (for example, .htm, .html) or protocol (for example, HTTP, HTTPS) associations to point to its own modified Firefox browser.

Ghokswa also installs two services, with filenames such as:

• %ProgramFiles%\Firefox\bin\FirefoxCommand.exe
• %ProgramFiles%\Firefox\bin\FirefoxUpdate.exe

Name: FirefoxU
Display Name: Update Service(FirefoxU)
Description: Keeps your Firefox software up to date. If this service is disabled or stopped, your Firefox software will not be kept up to date, meaning security vulnerabilities that may arise cannot be fixed and features may not work. This service uninstalls itself when there is no Firefox software using it.
Path to executable: "C:\Program Files (x86)\Firefox\bin\FirefoxUpdate.exe"
Startup type: Automatic (Delayed Start)

Name: CommandHandler
Display Name: Command Service(CommandHandler)
Description: Keeps your os running normally. If this service is disabled or stopped, your os may not work.
Path to executable: "C:\Program Files (x86)\Firefox\bin\FirefoxCommand.exe"
Startup type: Automatic (Delayed Start)

Payload

Replaces Google Chrome, hijacks settings

Replaces Mozilla Firefox, hijacks settings

This threat replaces any existing Mozilla Firefox shortcuts and associations to point to its modified Firefox browser. In doing so it can change search and home page settings without user consent.

Ghokswa also sends additional data to domains unrelated to those the user visits in the browser, such as cloud.firefox1.com, cloud.brobgser.com, and xa.firefox1.com.

Some of this data includes the Ghokswa Firefox settings for home page and search engine.

Receives remote instructions

Because Ghokswa's scheduled tasks and services connect to untrusted domains, they could be used to install additional, possibly unwanted, software.