Technical Information
Malicious functions:
Executes the following:
- <SYSTEM32>\rundll32.exe "%TEMP%\ins1.tmp",vfajljqyjdqxti install
Modifies file system :
Creates the following files:
- %TEMP%\ins1.tmp
Deletes itself.
Network activity:
Connects to:
- 'kc###os.co.be':80
TCP:
HTTP GET requests:
- kc###os.co.be/nXigQCQXirLdsdw29rnspBWP7xC+M4fUHI93RbcU1O/3ND+rY7J0+4RLi8a2d5aFya9PZ3CAEexbjd/EY7Ogtg3T+H6rUIrB6YUnSi0R4Opt+Q==
- kc###os.co.be/UlyEaDDsBYi2F7k5ECREX4STC1kWnljxWc4jF2aQVDRF+wNbiCYB4tbndb4YOnW6KHkoDDmIBsnx73kYEgeRANgap8Q1OF6/kxGjYl1d41hTD9woDIIVKUQRo7FARx+i3Jvdfz/c3+ryirQqo6iUe88UHHpplaSk+ofs3xvn6/T5DdVtrCH/d/TA4MH5rxOaVz5+hInvS+g=
UDP:
- DNS ASK kc###os.co.be
- '<Private IP address>':1036
Miscellaneous:
Searches for the following windows:
- ClassName: 'Shell_TrayWnd' WindowName: ''
