Technical Information
Malicious functions:
Creates and executes the following:
- '%TEMP%\1.tmp.exe' /u http://www.br####download.com/index.php /ta /ci 14991 /i OperaWW
- '%TEMP%\1.tmp.exe' /t /i SnapDoNew /u http://www.br####download.com/index.php /ci 16582
- '%TEMP%\1.tmp.exe' /t /i OperaWW /u http://www.br####download.com/index.php /ci 14991
- '%TEMP%\1.tmp.exe' (downloaded from the Internet)
Modifies file system:
Creates the following files:
- %TEMP%\1.tmp.exe
Network activity:
Connects to:
- 'localhost':1041
- 'os##oft.com':80
- 'ip##pi.com':80
- 'www.go#####analytics.com':80
TCP:
HTTP GET requests:
- http://os##oft.com/download/bundles.xml?11##################################
- http://os##oft.com/download2/Bundle.exe
- http://ip##pi.com/xml
HTTP POST requests:
- http://www.go#####analytics.com/collect
UDP:
- DNS ASK os##oft.com
- DNS ASK www.go#####analytics.com
- DNS ASK ip##pi.com
