Technical Information
To ensure autorun and distribution
Modifies the following registry keys
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Ruze' = 'regsvr32.exe /s %APPDATA%\Zyinob\luru.dll'
Malicious functions
Executes the following (exploit)
- '<SYSTEM32>\rundll32.exe' hzLzwqJ.dll,DllRegisterServer
Injects code into
the following system processes:
- %WINDIR%\syswow64\msiexec.exe
Searches for registry branches where third party applications store passwords
- [<HKCU>\Software\Microsoft\Internet Account Manager\Accounts]
- [<HKLM>\Software\Microsoft\Internet Account Manager]
- [<HKCU>\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts]
- [<HKCU>\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings]
- [<HKCU>\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook]
Reads files which store third party applications passwords
- %LOCALAPPDATA%\google\chrome\user data\default\login data
- %LOCALAPPDATA%\google\chrome\user data\default\cookies
Modifies file system
Creates the following files
- C:\msdownld.tmp\as0f3dbb.tmp\rsk.dll
- %TEMP%\itutpu.tmp
- %TEMP%\ararynn.tmp
- %TEMP%\umodoc.tmp
- %TEMP%\baliaws.tmp
- %TEMP%\pyqukize.tmp
- %TEMP%\okvimyw.tmp
- %TEMP%\sysyy.tmp
- %TEMP%\obleo.tmp
- %TEMP%\gise.tmp
- %TEMP%\finedulu.tmp
- %TEMP%\siacuhky.tmp
- %TEMP%\adpo.tmp
- %TEMP%\ebeqxa.tmp
- %TEMP%\kyfu.tmp
- %TEMP%\gyepa.tmp
- %TEMP%\zinuse.tmp
- %TEMP%\ubmuwu.tmp
- %TEMP%\opwuy.tmp
- %TEMP%\igmeec.tmp
- %APPDATA%\zyinob\luru.dll
- %APPDATA%\rewu\ahkyk.int
- %APPDATA%\ufos\uxoqas.qyno
- %APPDATA%\osbono\afeqmier.er
- %APPDATA%\hiamy\xeelw.reato
- %APPDATA%\apihh\erivlu.dyig
- %APPDATA%\ygenhi\asqe.qoto
- %TEMP%\ecepniv.tmp
- %TEMP%\kinadiy.tmp
- %TEMP%\uqva.tmp-shm
- %APPDATA%\xupy\ziabhai.de
- %TEMP%\obnyumom.tmp
- %TEMP%\ivnu.tmp
- %TEMP%\dufiva.tmp
- %TEMP%\yqitaxne.tmp
- %HOMEPATH%\documents\hzlzwqj.dll
- %TEMP%\uqva.tmp
- %APPDATA%\ufos\uxoqas.tmp
Deletes the following files
- C:\msdownld.tmp\as0f3dbb.tmp\rsk.dll
- %TEMP%\ebeqxa.tmp
- %TEMP%\adpo.tmp
- %TEMP%\siacuhky.tmp
- %TEMP%\finedulu.tmp
- %TEMP%\gise.tmp
- %TEMP%\ecepniv.tmp
- %TEMP%\obleo.tmp
- %TEMP%\okvimyw.tmp
- %TEMP%\pyqukize.tmp
- %TEMP%\baliaws.tmp
- %TEMP%\umodoc.tmp
- %TEMP%\ararynn.tmp
- %TEMP%\kyfu.tmp
- %TEMP%\itutpu.tmp
- %TEMP%\gyepa.tmp
- %TEMP%\ubmuwu.tmp
- %TEMP%\opwuy.tmp
- %TEMP%\igmeec.tmp
- %TEMP%\yqitaxne.tmp
- %TEMP%\dufiva.tmp
- %TEMP%\ivnu.tmp
- %TEMP%\obnyumom.tmp
- %TEMP%\uqva.tmp
- %TEMP%\uqva.tmp-shm
- %TEMP%\sysyy.tmp
- %TEMP%\kinadiy.tmp
- %TEMP%\zinuse.tmp
- %APPDATA%\ufos\uxoqas.tmp
Moves the following files
- from %APPDATA%\ufos\uxoqas.qyno to %APPDATA%\ufos\uxoqas.tmp
Network activity
Connects to
- 'mi###anttra.at':443
TCP
- 'en###artner.at':443
UDP
- DNS ASK en###artner.at
- DNS ASK st####.rapidssl.com
- DNS ASK mi###anttra.at
Miscellaneous
Searches for the following windows
- ClassName: 'MS_AutodialMonitor' WindowName: ''
- ClassName: 'MS_WebcheckMonitor' WindowName: ''
Creates and executes the following
- '<SYSTEM32>\rundll32.exe' hzLzwqJ.dll,DllRegisterServer' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c ipconfig /all' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c net config workstation' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c net view /all' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c net view /all /domain' (with hidden window)
Executes the following
- '%WINDIR%\syswow64\msiexec.exe'
- '%WINDIR%\syswow64\cmd.exe' /c ipconfig /all
- '%WINDIR%\syswow64\ipconfig.exe' /all
- '%WINDIR%\syswow64\cmd.exe' /c net config workstation
- '%WINDIR%\syswow64\net.exe' config workstation
- '%WINDIR%\syswow64\net1.exe' config workstation
- '%WINDIR%\syswow64\cmd.exe' /c net view /all
- '%WINDIR%\syswow64\net.exe' view /all
- '%WINDIR%\syswow64\cmd.exe' /c net view /all /domain
- '%WINDIR%\syswow64\net.exe' view /all /domain
