Technical Information
Malicious functions
Injects code into
the following system processes:
- <SYSTEM32>\csrss.exe
Modifies file system
Substitutes the following files
- %ProgramFiles%\UNP\Logs\UpdateNotificationPipeline.001.etl
Network activity
TCP
HTTP GET requests
- http://fo###.#oogleapis.com/css?fa###########
- http://4.##.#logspot.com/-sqAfifpR3hE/UOaCPbxd_rI/AAAAAAAAAUg/6RjCDpWALp0/s72-c/blogger_logo.jpeg
- http://1.##.#logspot.com/-fWm4yPfLYnk/UFdK_u45kII/AAAAAAAAAKo/AlzMtffOEC8/s1600/tabs-bg.png
- http://2.##.#logspot.com/-0cbsb11jQ1Q/UFdLlH2EMfI/AAAAAAAAAK0/uEbaRz1wnmc/s320/widgettitle-bg.png
- http://4.##.#logspot.com/-QAkrwIxH1SQ/UBS_P6gCfEI/AAAAAAAAH_g/Vr2IzeW4gco/s1600/featured-next.png
- http://3.##.#logspot.com/-_EulLIY0yG0/UBS_WHXodmI/AAAAAAAAH_s/SN1OC1HeGD0/s1600/featured-prev.png
- http://4.##.#logspot.com/-iLU3Wtvq8eM/UFdHONeaXbI/AAAAAAAAAJs/vWRasgrFxdk/s1600/menu-secondary-bg.png
- http://3.##.#logspot.com/-GdRIZ2NoWe8/UFdXjG6RnKI/AAAAAAAAALg/WKghOrC2Qoo/s1600/search.png
- http://www.li###ithin.com/pixel.png
- http://www.li###ithin.com/widget.js
- http://fo###.gstatic.com/s/oswald/v35/TK3_WkUHHAIjg75cFRf3bXL8LICs1_FvsUZiYQ.eot
- http://4.##.#logspot.com/-5SVGzAFlGgc/UFdHvAeOPPI/AAAAAAAAAJ4/yIPRIA6MnNY/s1600/menu-primary-bg.png
- http://ft##mes.com/themedemo/wp-content/themes/SuperTech/images/background.jpg
- http://www.in####edebate.com/js/bloggerTemplateLinkWrapper.php?ac###################################
- http://4.##.#logspot.com/-J2BzBB6rZ0M/UV0WulyT2qI/AAAAAAAAAek/RDuKdaupGxo/s72-c/hoic.png
- http://2.##.#logspot.com/-J-eYjiWmyzE/UFdZ24wJLNI/AAAAAAAAAMA/ByWGwWjEacw/s1600/3.jpg
- http://1.##.#logspot.com/-ATY3r2oeDa0/UFdZ7UiiVlI/AAAAAAAAAMM/H7AIOVrtK-Q/s1600/4.jpg
- http://2.##.#logspot.com/-q20DiQt4jZY/UFdZx7v1pxI/AAAAAAAAAL0/RqeONWAMaSk/s1600/2.jpg
- http://4.##.#logspot.com/-271VDq4VvIo/UBS8Gm53CTI/AAAAAAAAH8g/LjVfHDfwuSc/s1600/rss.png
- http://1.##.#logspot.com/-FWXAiDrBggg/UBS8AZe1ptI/AAAAAAAAH8U/Ai_chR0EYA4/s1600/linkedin.png
- http://3.##.#logspot.com/-c-b6BQsvlJM/UBS8LoaG6lI/AAAAAAAAH8s/tQxHLT1VOxs/s1600/email.png
- http://3.##.#logspot.com/-v6jHux4hV_0/UBS76T7fJGI/AAAAAAAAH8I/SVOSmiJ7iXw/s1600/gplus.png
- http://2.##.#logspot.com/-WjVpog9ze0M/UBS70bze1-I/AAAAAAAAH78/084r7i7cIhs/s1600/facebook.png
- http://3.##.#logspot.com/-IxiZizy3GsI/UBS7tW2zaGI/AAAAAAAAH7w/od3-xRR43Is/s1600/twitter.png
- http://bn###.#ooglecode.com/files/jquery.lazyload.js
- http://aj##.#oogleapis.com/ajax/libs/jquery/1.3.2/jquery.min.js
- http://apis.google.com/js/plusone.js
- http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?af##############
- http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?66##############
- http://1.##.#logspot.com/-yCMLSxx0fxQ/UFdZ_XECN_I/AAAAAAAAAMY/6azP5A6ZM9Y/s1600/5.jpg
- http://2.##.#logspot.com/-OB6S9wxURTg/T50fVyYDIdI/AAAAAAAADMc/Vd9RdRfTGWw/s72-c/Pune+Urban+Bank+Hacked.png
UDP
- DNS ASK fo###.#oogleapis.com
- DNS ASK st####.a-ads.com
- DNS ASK dl.delivery.mp.microsoft.com
- DNS ASK maps.windows.com
- DNS ASK go.##clasrv.com
- DNS ASK a.###cksor.net
- DNS ASK ad.##ads.com
- DNS ASK fo###.gstatic.com
- DNS ASK li###ithin.com
- DNS ASK share.microsoft.com
- DNS ASK settings-win.data.microsoft.com
- DNS ASK pa#####.#ooglesyndication.com
- DNS ASK ho####gvictory.com
- DNS ASK ft##mes.com
- DNS ASK in####edebate.com
- DNS ASK re#####es.blogblog.com
- DNS ASK s3.##stimg.org
- DNS ASK 4.##.#logspot.com
- DNS ASK 1.##.#logspot.com
- DNS ASK 2.##.#logspot.com
- DNS ASK 3.##.#logspot.com
- DNS ASK bn###.#ooglecode.com
- DNS ASK apis.google.com
- DNS ASK go.microsoft.com
- DNS ASK aj##.#oogleapis.com
- DNS ASK bl##ger.com
- DNS ASK go.##bisla.com
- DNS ASK ar#.msn.com
Miscellaneous
Searches for the following windows
- ClassName: 'MS_AutodialMonitor' WindowName: ''
- ClassName: 'MS_WebCheckMonitor' WindowName: ''
Executes the following
- '%ProgramFiles(x86)%\internet explorer\ielowutil.exe' -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
- '<SYSTEM32>\devicecensus.exe' UserCxt
- '<SYSTEM32>\svchost.exe' -k netsvcs -p
