Technical Information
Malicious functions
Executes the following
- '<SYSTEM32>\taskkill.exe' /f /t /im hssupgd.exe
- '<SYSTEM32>\taskkill.exe' /f /t /im cmw_srv.exe
- '<SYSTEM32>\taskkill.exe' /f /t /im HSSCP.exe
- '<SYSTEM32>\taskkill.exe' /f /t /im hssfixme.exe
- '<SYSTEM32>\taskkill.exe' /f /t /im HSSTrayService.exe
- '<SYSTEM32>\taskkill.exe' /f /t /im hsswd.exe
Modifies file system
Creates the following files
- %WINDIR%\syswow64\.$$a
- %ALLUSERSPROFILE%\hotspot shield\config\startup.$$a
- %ALLUSERSPROFILE%\hotspot shield\config\unblock-rules.$$a
- %ALLUSERSPROFILE%\hotspot shield\config\unr.$$a
- %ALLUSERSPROFILE%\hotspot shield\config\user-unblock-rules.$$a
- %ALLUSERSPROFILE%\hotspot shield\config\wlnet_st.$$a
- %ALLUSERSPROFILE%\hotspot shield\logs\cmw_srv_20160514.$$a
- %ALLUSERSPROFILE%\hotspot shield\logs\hsswd_20160514.$$a
- %ALLUSERSPROFILE%\hotspot shield\config\hsspx\hsspx.$$a
- %ALLUSERSPROFILE%\hotspot shield\logs\hydra_20160514.$$a
- %ALLUSERSPROFILE%\hotspot shield\rep\apr.$$a
- %ALLUSERSPROFILE%\hotspot shield\rep\events.$$a
- %ALLUSERSPROFILE%\hotspot shield\rep\hsr.$$a
- %ALLUSERSPROFILE%\hotspot shield\rep\inr.$$a
- %ALLUSERSPROFILE%\hotspot shield\rep\udr.$$a
- %ALLUSERSPROFILE%\hotspot shield\config\ntf_prefs.$$a
- %ALLUSERSPROFILE%\hotspot shield\config\mal-web-stat.$$a
- %ALLUSERSPROFILE%\hotspot shield\config\mal-app-stat.$$a
- %ALLUSERSPROFILE%\hotspot shield\config\hss_data\settings.$$a
- %ALLUSERSPROFILE%\hotspot shield\config\hss_data\installer.$$a
- %ALLUSERSPROFILE%\hotspot shield\config\hss_data\el.$$a
- %ALLUSERSPROFILE%\hotspot shield\config\hsswd\hsswd.$$a
- %ALLUSERSPROFILE%\hotspot shield\config\hssstate.$$a
- %ALLUSERSPROFILE%\hotspot shield\config\hsspx\proxy.$$a
- %ALLUSERSPROFILE%\hotspot shield\logs\hssupgd_20160514.$$a
- %ALLUSERSPROFILE%\hotspot shield\config\firstrun_update.$$a
- %ALLUSERSPROFILE%\hotspot shield\config\firstrun.$$a
- %ALLUSERSPROFILE%\hotspot shield\config\ffpr.$$a
- %ALLUSERSPROFILE%\hotspot shield\config\fbw-info-direct.$$a
- %ALLUSERSPROFILE%\hotspot shield\config\dnr.$$a
- %ALLUSERSPROFILE%\hotspot shield\config\crashrpt.$$a
- %ALLUSERSPROFILE%\hotspot shield\config\amhs_st.$$a
- %ALLUSERSPROFILE%\hotspot shield\rep\unrdr.$$a
- %TEMP%\4dykkxh1.bat
Deletes the following files
- %TEMP%\4dykkxh1.bat
- %WINDIR%\syswow64\.exe
Moves the following files
- from %ALLUSERSPROFILE%\hotspot shield\config\amhs_st.$$a to %ALLUSERSPROFILE%\hotspot shield\config\amhs_st.cfg
- from %ALLUSERSPROFILE%\hotspot shield\rep\udr.$$a to %ALLUSERSPROFILE%\hotspot shield\rep\udr.cfg
- from %ALLUSERSPROFILE%\hotspot shield\rep\inr.$$a to %ALLUSERSPROFILE%\hotspot shield\rep\inr.cfg
- from %ALLUSERSPROFILE%\hotspot shield\rep\hsr.$$a to %ALLUSERSPROFILE%\hotspot shield\rep\hsr.cfg
- from %ALLUSERSPROFILE%\hotspot shield\rep\events.$$a to %ALLUSERSPROFILE%\hotspot shield\rep\events.db
- from %ALLUSERSPROFILE%\hotspot shield\rep\apr.$$a to %ALLUSERSPROFILE%\hotspot shield\rep\apr.cfg
- from %ALLUSERSPROFILE%\hotspot shield\logs\hydra_20160514.$$a to %ALLUSERSPROFILE%\hotspot shield\logs\hydra_20160514.log
- from %ALLUSERSPROFILE%\hotspot shield\logs\hsswd_20160514.$$a to %ALLUSERSPROFILE%\hotspot shield\logs\hsswd_20160514.log
- from %ALLUSERSPROFILE%\hotspot shield\logs\hssupgd_20160514.$$a to %ALLUSERSPROFILE%\hotspot shield\logs\hssupgd_20160514.log
- from %ALLUSERSPROFILE%\hotspot shield\logs\cmw_srv_20160514.$$a to %ALLUSERSPROFILE%\hotspot shield\logs\cmw_srv_20160514.log
- from %ALLUSERSPROFILE%\hotspot shield\config\wlnet_st.$$a to %ALLUSERSPROFILE%\hotspot shield\config\wlnet_st.cfg
- from %ALLUSERSPROFILE%\hotspot shield\config\user-unblock-rules.$$a to %ALLUSERSPROFILE%\hotspot shield\config\user-unblock-rules.cfg
- from %ALLUSERSPROFILE%\hotspot shield\config\unr.$$a to %ALLUSERSPROFILE%\hotspot shield\config\unr.cfg
- from %ALLUSERSPROFILE%\hotspot shield\config\unblock-rules.$$a to %ALLUSERSPROFILE%\hotspot shield\config\unblock-rules.cfg
- from %ALLUSERSPROFILE%\hotspot shield\config\startup.$$a to %ALLUSERSPROFILE%\hotspot shield\config\startup.cfg
- from %ALLUSERSPROFILE%\hotspot shield\rep\unrdr.$$a to %ALLUSERSPROFILE%\hotspot shield\rep\unrdr.cfg
- from %ALLUSERSPROFILE%\hotspot shield\config\ntf_prefs.$$a to %ALLUSERSPROFILE%\hotspot shield\config\ntf_prefs.cfg
- from %ALLUSERSPROFILE%\hotspot shield\config\mal-app-stat.$$a to %ALLUSERSPROFILE%\hotspot shield\config\mal-app-stat.cfg
- from %ALLUSERSPROFILE%\hotspot shield\config\hss_data\settings.$$a to %ALLUSERSPROFILE%\hotspot shield\config\hss_data\settings
- from %ALLUSERSPROFILE%\hotspot shield\config\hss_data\installer.$$a to %ALLUSERSPROFILE%\hotspot shield\config\hss_data\installer
- from %ALLUSERSPROFILE%\hotspot shield\config\hss_data\el.$$a to %ALLUSERSPROFILE%\hotspot shield\config\hss_data\el
- from %ALLUSERSPROFILE%\hotspot shield\config\hsswd\hsswd.$$a to %ALLUSERSPROFILE%\hotspot shield\config\hsswd\hsswd.cfg
- from %ALLUSERSPROFILE%\hotspot shield\config\hssstate.$$a to %ALLUSERSPROFILE%\hotspot shield\config\hssstate.cfg
- from %ALLUSERSPROFILE%\hotspot shield\config\hsspx\proxy.$$a to %ALLUSERSPROFILE%\hotspot shield\config\hsspx\proxy.pac
- from %ALLUSERSPROFILE%\hotspot shield\config\hsspx\hsspx.$$a to %ALLUSERSPROFILE%\hotspot shield\config\hsspx\hsspx.cfg
- from %ALLUSERSPROFILE%\hotspot shield\config\firstrun_update.$$a to %ALLUSERSPROFILE%\hotspot shield\config\firstrun_update
- from %ALLUSERSPROFILE%\hotspot shield\config\firstrun.$$a to %ALLUSERSPROFILE%\hotspot shield\config\firstrun
- from %ALLUSERSPROFILE%\hotspot shield\config\ffpr.$$a to %ALLUSERSPROFILE%\hotspot shield\config\ffpr
- from %ALLUSERSPROFILE%\hotspot shield\config\fbw-info-direct.$$a to %ALLUSERSPROFILE%\hotspot shield\config\fbw-info-direct.cfg
- from %ALLUSERSPROFILE%\hotspot shield\config\dnr.$$a to %ALLUSERSPROFILE%\hotspot shield\config\dnr.cfg
- from %ALLUSERSPROFILE%\hotspot shield\config\crashrpt.$$a to %ALLUSERSPROFILE%\hotspot shield\config\crashrpt.cfg
- from %ALLUSERSPROFILE%\hotspot shield\config\mal-web-stat.$$a to %ALLUSERSPROFILE%\hotspot shield\config\mal-web-stat.cfg
- from %WINDIR%\syswow64\.$$a to %WINDIR%\syswow64\.exe
Substitutes the following files
- %ALLUSERSPROFILE%\hotspot shield\config\firstrun.$$a
- %ALLUSERSPROFILE%\hotspot shield\config\firstrun_update.$$a
Modifies the HOSTS file.
Miscellaneous
Searches for the following windows
- ClassName: 'InstItClass' WindowName: ''
- ClassName: '' WindowName: ''
Creates and executes the following
- '%WINDIR%\syswow64\.exe'
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\4DYKKXH1.bat" "<SYSTEM32>\.exe""' (with hidden window)
Executes the following
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\4DYKKXH1.bat" "<SYSTEM32>\.exe""
- '<SYSTEM32>\find.exe' /C /I "www.hsselite.com" <DRIVERS>\etc\hosts
- '<SYSTEM32>\find.exe' /C /I "hsselite.com>" <DRIVERS>\etc\hosts
- '<SYSTEM32>\find.exe' /C /I "delivery.anchorfree.us/land.php" <DRIVERS>\etc\hosts
- '<SYSTEM32>\find.exe' /C /I "rpt.anchorfree.net" <DRIVERS>\etc\hosts
- '<SYSTEM32>\find.exe' /C /I "a433.com" <DRIVERS>\etc\hosts
- '<SYSTEM32>\find.exe' /C /I "anchorfree.us" <DRIVERS>\etc\hosts
- '<SYSTEM32>\find.exe' /C /I "www.mefeedia.com>" <DRIVERS>\etc\hosts
- '<SYSTEM32>\find.exe' /C /I "www.anchorfree.net" <DRIVERS>\etc\hosts
- '<SYSTEM32>\find.exe' /C /I "www.mefeedia.com" <DRIVERS>\etc\hosts
- '<SYSTEM32>\find.exe' /C /I "box.anchorfree.net" <DRIVERS>\etc\hosts
- '<SYSTEM32>\find.exe' /C /I "techbrowsing.com" <DRIVERS>\etc\hosts
- '<SYSTEM32>\find.exe' /C /I "rss2search.com" <DRIVERS>\etc\hosts
- '<SYSTEM32>\find.exe' /C /I "anchorfree.net" <DRIVERS>\etc\hosts
- '<SYSTEM32>\find.exe' /C /I "ttoskippline.net" <DRIVERS>\etc\hosts
- '<SYSTEM32>\attrib.exe' -r <DRIVERS>\etc\hosts
- '<SYSTEM32>\find.exe' /C /I "http://www.hsselite.com/trial/step2.php" <DRIVERS>\etc\hosts
- '<SYSTEM32>\find.exe' /C /I "techbrowsing.com/away.php" <DRIVERS>\etc\hosts
