Technical Information
To ensure autorun and distribution
Creates or modifies the following files
- <SYSTEM32>\tasks\firefox default browser agent 555de560bac50596
- %WINDIR%\tasks\explorgu.job
Modifies master boot record (MBR).
Malicious functions
Executes the following
- '<SYSTEM32>\netsh.exe' advfirewall firewall add rule name="csrss" dir=in action=allow program="%WINDIR%\rss\csrss.exe" enable=yes
Searches for windows to
detect analytical utilities:
- ClassName: 'OLLYDBG', WindowName: ''
- ClassName: 'GBDYLLO', WindowName: ''
- ClassName: 'pediy06', WindowName: ''
- ClassName: 'FilemonClass', WindowName: ''
- ClassName: '', WindowName: 'File Monitor - Sysinternals: www.sysinternals.com'
- ClassName: 'PROCMON_WINDOW_CLASS', WindowName: ''
- ClassName: '', WindowName: 'Process Monitor - Sysinternals: www.sysinternals.com'
- ClassName: 'RegmonClass', WindowName: ''
- ClassName: '', WindowName: 'Registry Monitor - Sysinternals: www.sysinternals.com'
Modifies file system
Creates the following files
- %APPDATA%\dgbhvfj
- %LOCALAPPDATA%\mail box stat view\unins000.dat
- %LOCALAPPDATA%\mail box stat view\is-hjb8t.tmp
- %LOCALAPPDATA%\mail box stat view\is-7a48u.tmp
- %LOCALAPPDATA%\mail box stat view\is-rt1dq.tmp
- %LOCALAPPDATA%\mail box stat view\is-u1kne.tmp
- %LOCALAPPDATA%\mail box stat view\is-fpbjd.tmp
- %LOCALAPPDATA%\mail box stat view\is-986rl.tmp
- %LOCALAPPDATA%\mail box stat view\is-3969b.tmp
- %LOCALAPPDATA%\mail box stat view\is-irsv4.tmp
- %TEMP%\is-ufihh.tmp\_isetup\_iscrypt.dll
- %TEMP%\is-ufihh.tmp\_isetup\_isdecmp.dll
- %TEMP%\is-ufihh.tmp\_isetup\_shfoldr.dll
- %TEMP%\is-ufihh.tmp\_isetup\_setup64.tmp
- %TEMP%\f913.exe
- %TEMP%\is-ff5le.tmp\f377.tmp
- %TEMP%\f377.exe
- %TEMP%\e524.exe
- %TEMP%\00c07260dc\explorgu.exe
- %ALLUSERSPROFILE%\microsoft\crypto\rsa\s-1-5-18\d42cc0c3858a58db2db37658219e6400_d4602615-9d50-4880-be41-678935e93eaa
- %TEMP%\a047.exe
- %TEMP%\8a37.exe
- %TEMP%\5ee2.dll
- %TEMP%\5550.exe
- %LOCALAPPDATA%\mail box stat view\mailboxstatview.exe
- %TEMP%\14ee.exe
Sets the 'hidden' attribute to the following files
- %APPDATA%\dgbhvfj
Deletes the following files
- %WINDIR%\tasks\explorgu.job
- %LOCALAPPDATA%\mail box stat view\libgcc_s_dw2-1.dll
- %TEMP%\5ee2.dll
Moves the following files
- from %LOCALAPPDATA%\mail box stat view\is-irsv4.tmp to %LOCALAPPDATA%\mail box stat view\unins000.exe
- from %LOCALAPPDATA%\mail box stat view\is-3969b.tmp to %LOCALAPPDATA%\mail box stat view\libgcc_s_dw2-1.dll
- from %LOCALAPPDATA%\mail box stat view\is-fpbjd.tmp to %LOCALAPPDATA%\mail box stat view\libogg-0.dll
- from %LOCALAPPDATA%\mail box stat view\is-u1kne.tmp to %LOCALAPPDATA%\mail box stat view\libvorbis-0.dll
- from %LOCALAPPDATA%\mail box stat view\is-rt1dq.tmp to %LOCALAPPDATA%\mail box stat view\libwinpthread-1.dll
- from %LOCALAPPDATA%\mail box stat view\is-7a48u.tmp to %LOCALAPPDATA%\mail box stat view\libbz2-1.dll
- from %LOCALAPPDATA%\mail box stat view\is-hjb8t.tmp to %LOCALAPPDATA%\mail box stat view\mailboxstatview.exe
Substitutes the following files
- %LOCALAPPDATA%\mail box stat view\libgcc_s_dw2-1.dll
Deletes itself.
Network activity
Connects to
- 'se####ation17io.io':80
- '18#.#15.113.45':80
- 'tr##c.com':80
- '18#.#72.128.19':80
- 'ni###.bestsup.su':80
TCP
HTTP GET requests
- http://18#.#15.113.45/mine/amert.exe
- http://tr##c.com/check/index.php
- http://18#.#72.128.19/288c47bbc1871b439df19ff4df68f07776.exe
- http://ni###.bestsup.su/data/pdf/may.exe
HTTP POST requests
- http://se####ation17io.io/index.php
UDP
- DNS ASK se####ation17io.io
- DNS ASK tr##c.com
- DNS ASK ni###.bestsup.su
Miscellaneous
Searches for the following windows
- ClassName: '18467-41' WindowName: ''
- ClassName: 'zd0a59_Flash342FixClass_zd0a59' WindowName: ''
Creates and executes the following
- '%TEMP%\5550.exe'
- '%TEMP%\f377.exe'
- '%APPDATA%\dgbhvfj'
- '%TEMP%\14ee.exe'
- '%TEMP%\f913.exe'
- '%TEMP%\e524.exe'
- '%LOCALAPPDATA%\mail box stat view\mailboxstatview.exe' -i
- '%TEMP%\00c07260dc\explorgu.exe'
- '%TEMP%\a047.exe'
- '%TEMP%\8a37.exe'
- '%LOCALAPPDATA%\mail box stat view\mailboxstatview.exe' -s
- '%TEMP%\is-ff5le.tmp\f377.tmp' /SL5="$F025A,1649107,56832,%TEMP%\F377.exe"
- '%WINDIR%\syswow64\cmd.exe' /c ""%APPDATA%\Temp\Task.bat" "' (with hidden window)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -Command Compress-Archive -Path '%TEMP%\_Files_\' -DestinationPath '%TEMP%\238866942124_Desktop.zip' -CompressionLevel Optimal' (with hidden window)
- '<SYSTEM32>\netsh.exe' wlan show profiles' (with hidden window)
- '%WINDIR%\rss\csrss.exe' ' (with hidden window)
- '<SYSTEM32>\cmd.exe' /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="%WINDIR%\rss\csrss.exe" enable=yes"' (with hidden window)
- '<SYSTEM32>\schtasks.exe' /delete /tn ScheduledUpdate /f' (with hidden window)
- '%TEMP%\00c07260dc\explorgu.exe' ' (with hidden window)
- '%WINDIR%\syswow64\rundll32.exe' %APPDATA%\006700e5a2ab05\clip64.dll, Main' (with hidden window)
- '%TEMP%\1000863001\random.exe' ' (with hidden window)
- '%TEMP%\csrss\injector\injector.exe' taskmgr.exe %TEMP%\csrss\injector\NtQuerySystemInformationHook.dll' (with hidden window)
- '%APPDATA%\dgbhvfj' ' (with hidden window)
- '%TEMP%\1000861001\installsetup_three.exe' ' (with hidden window)
- '%WINDIR%\syswow64\rundll32.exe' %APPDATA%\006700e5a2ab05\cred64.dll, Main' (with hidden window)
- '<SYSTEM32>\schtasks.exe' /CREATE /SC ONLOGON /RL HIGHEST /TR "%WINDIR%\rss\csrss.exe" /TN csrss /F' (with hidden window)
- '%TEMP%\csrss\patch.exe' ' (with hidden window)
Executes the following
- '<SYSTEM32>\regsvr32.exe' /s %TEMP%\5EE2.dll
- '<SYSTEM32>\taskeng.exe' {E2D46B12-7EBB-4982-B883-DAE05C58E8CC} S-1-5-21-1238866942-1249195528-555854008-1000:uuffdsepd\user:Interactive:[1]
- '%WINDIR%\syswow64\rundll32.exe' %APPDATA%\006700e5a2ab05\cred64.dll, Main
- '<SYSTEM32>\rundll32.exe' %APPDATA%\006700e5a2ab05\cred64.dll, Main
- '%WINDIR%\syswow64\rundll32.exe' %APPDATA%\006700e5a2ab05\clip64.dll, Main
- '<SYSTEM32>\netsh.exe' wlan show profiles
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -Command Compress-Archive -Path '%TEMP%\_Files_\' -DestinationPath '%TEMP%\238866942124_Desktop.zip' -CompressionLevel Optimal
- '%WINDIR%\syswow64\cmd.exe' /c ""%APPDATA%\Temp\Task.bat" "
- '%WINDIR%\syswow64\chcp.com' 1251
- '%WINDIR%\syswow64\schtasks.exe' /create /tn "MalayamaraUpdate" /tr "'%TEMP%\Updater.exe'" /sc minute /mo 30 /F
- '<SYSTEM32>\cmd.exe' /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="%WINDIR%\rss\csrss.exe" enable=yes"
- '<SYSTEM32>\schtasks.exe' /CREATE /SC ONLOGON /RL HIGHEST /TR "%WINDIR%\rss\csrss.exe" /TN csrss /F
- '<SYSTEM32>\schtasks.exe' /delete /tn ScheduledUpdate /f
