Technical Information
Malicious functions:
Executes the following:
- <SYSTEM32>\rundll32.exe "%TEMP%\ins1.tmp",zubwdnzeg install worker
Modifies file system :
Creates the following files:
- %TEMP%\ins1.tmp
Deletes itself.
Network activity:
Connects to:
- 'ho###er.cz.cc':80
TCP:
HTTP GET requests:
- ho###er.cz.cc/chwNdwCpAVGzXMHsD6CqmBy+KBpEYKABG9ENXlBR7/wJxHoQUSm8jDeMa/gs/AKprb+plsQIU6EhEf19FlIOAiekiUhi6VwP3DPzQXaZLFjAww==
- ho###er.cz.cc/iBKDqDePj/nQQ8J1fPgHPmlJZCoDuSVV/6r6jaZozdcNbysYeBgnp/sUUnTF0MGTK98p4dvV9kO/CeXaIKZey7D8us3Jll6D53xBifhkCLtbjRTTtKnkWGfwfhxQtw9bH6LGhxGSNGJayIibWBky2rnOQ9S8cr3yDvAsfqnVT8nsI2v+C04lUpg7iLqvfOh555IXD12KKWg=
UDP:
- DNS ASK ho###er.cz.cc
- '<Private IP address>':1036
Miscellaneous:
Searches for the following windows:
- ClassName: 'Shell_TrayWnd' WindowName: ''
