Technical Information
Malicious functions:
Executes the following:
- <SYSTEM32>\rundll32.exe ""%TEMP%\ins1.tmp"",zubwdnzeg install worker
Modifies file system :
Creates the following files:
- %TEMP%\ins1.tmp
Deletes itself.
Network activity:
Connects to:
- 'so###scin.cz.cc':80
TCP:
HTTP GET requests:
- so###scin.cz.cc/wlgFIlwgblYk5I0B1uQlp0QOyPFGstWdGxclSELFX+XC1rU2f9fQ8SZFSQvHJG2JbjaAT3EEBTeqAifY8LiCrn0BWwkq5pSe04svBLn2DBpRxw==
- so###scin.cz.cc/laSutKUALgxNQI6z5n8IJR37uP04o/ji2JPvOc5WAHiejiw2XbtEUL8d7Oaw1znwOWOJzZdV2R6rpVnduZ9IhN6r0zGh8QWTavKPb4DIlmHyjMZKKMHeWRgMBBTWuKmBdYuKPHzh0V1kbFufjS+TUhom/QRuJeLlhaJof1APCnX7iEvhluzD8KLcVM8vucNcDYAoV6TNCXs=
UDP:
- DNS ASK so###scin.cz.cc
Miscellaneous:
Searches for the following windows:
- ClassName: 'Shell_TrayWnd' WindowName: ''
