Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Classes\CLSID\{324D60B7-A0E4-45A7-9EA8-A00C315C0688}\Shell\Open\Command] '' = '%TEMP%\115.com\115com.exe'
Malicious functions:
Creates and executes the following:
- '%TEMP%\115.com\115com.exe'
Executes the following:
- '<SYSTEM32>\regsvr32.exe' /s "%TEMP%\115.com\np_115download_plugin.dll"
- '<SYSTEM32>\regsvr32.exe' /s "%TEMP%\115.com\Shell.dll"
Modifies file system :
Creates the following files:
- %TEMP%\115.com\shell_x64.dll
- %TEMP%\115.com\sqlite3.dll
- %TEMP%\115.com\np_115download_plugin.dll
- %TEMP%\115.com\shell.dll
- %TEMP%\nsf3.tmp\System.dll
- %ALLUSERSPROFILE%\Application Data\115\DownLoads\ylmf.cfg
- %TEMP%\115.com\upload.dll
- %TEMP%\115.com\zlibwapi.dll
- %TEMP%\115.com\msvcr100.dll
- %TEMP%\115.com\5Player.exe
- %TEMP%\115.com\DownCore.dll
- %TEMP%\nsl2.tmp
- %TEMP%\115.com\115com.exe
- %TEMP%\115.com\down.wav
- %TEMP%\115.com\msvcp100.dll
- %TEMP%\115.com\UDownAgent.dll
- %TEMP%\115.com\UDownAgent_x64.dll
Network activity:
Connects to:
- 'pr#.#pi.115.com':80
TCP:
HTTP GET requests:
- pr#.#pi.115.com/appversion/api/?ac####################################################################################################
UDP:
- DNS ASK pr#.#pi.115.com
Miscellaneous:
Searches for the following windows:
- ClassName: 'TrayNotifyWnd' WindowName: '(null)'
- ClassName: 'Shell_TrayWnd' WindowName: '(null)'
