Technical Information
To ensure autorun and distribution:
Creates or modifies the following files:
- %HOMEPATH%\Start Menu\Programs\Startup\HD-Audio 9.3.8.981.lnk
Malicious functions:
Creates and executes the following:
- '<SYSTEM32>\wscript.exe' "C:\JVOIl16.tmp\ozO.vbs"
Executes the following:
- 'C:\JVOIl16.tmp\taskhostky.exe' -second
- '<SYSTEM32>\attrib.exe' +h C:\JVOIl16.tmp
Searches for windows to
detect analytical utilities:
- ClassName: '', WindowName: 'Process Monitor - Sysinternals: www.sysinternals.com'
- ClassName: 'RegmonClass', WindowName: ''
- ClassName: '', WindowName: 'Registry Monitor - Sysinternals: www.sysinternals.com'
- ClassName: 'FilemonClass', WindowName: ''
- ClassName: '', WindowName: 'File Monitor - Sysinternals: www.sysinternals.com'
- ClassName: 'PROCMON_WINDOW_CLASS', WindowName: ''
Modifies file system:
Creates the following files:
- %APPDATA%\RUT_settings\Logs\rms_log_2017-07.html
- C:\JVOIl16.tmp\ozO.vbs
- C:\JVOIl16.tmp\taskhostky.exe
Network activity:
Connects to:
- 'ru##ls.com':563
- 'ru##ls.com':5655
- 'ru##ls.com':80
TCP:
HTTP GET requests:
- http://ru##ls.com/utils/inet_id_notify.php?te####
UDP:
- DNS ASK se####.rutils.com
- DNS ASK ru##ls.com
Miscellaneous:
Searches for the following windows:
- ClassName: '' WindowName: 'Windows Security Alert'
- ClassName: '18467-41' WindowName: ''
- ClassName: '' WindowName: 'Iiiaauaiea nenoaiu aaciianiinoe Windows'
- ClassName: 'EDIT' WindowName: ''
- ClassName: 'Shell_TrayWnd' WindowName: ''
