Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'svchost' = '%APPDATA%\svchost .exe'
Malicious functions:
Executes the following:
- '%APPDATA%\csrss .exe'
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\4.tmp\5.bat" "%TEMP%\taskmgr.exe""
- '%TEMP%\4.tmp\Microsoft32.exe' -o stratum+tcp://xmr.crypto-pool.fr:3333 -u 46U8AypkRH8cnJgqe1Ex3UVwGpWKt1pBLGnpZHpqimLzApmKt16nX7ZBDpbowo8u23Tco7woWWGksTQSyFzEbg5w49Tji47 -p x
- '%TEMP%\1.tmp\Microsoft32.exe' -o stratum+tcp://xmr.crypto-pool.fr:3333 -u 46U8AypkRH8cnJgqe1Ex3UVwGpWKt1pBLGnpZHpqimLzApmKt16nX7ZBDpbowo8u23Tco7woWWGksTQSyFzEbg5w49Tji47 -p x
- '%TEMP%\taskmgr.exe'
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\1.tmp\2.bat" "%TEMP%\taskmgr.exe""
- '%APPDATA%\svchost .exe'
Modifies file system:
Creates the following files:
- %TEMP%\1.tmp\1473585919_log.txt
- %APPDATA%\csrss .exe
- %TEMP%\4.tmp\5.bat
- %TEMP%\4.tmp\1473585930_log.txt
- %TEMP%\4.tmp\Microsoft32.exe
- %TEMP%\taskmgr.exe
- %APPDATA%\svchost .exe
- %TEMP%\zOGr.Yb
- %TEMP%\1.tmp\Microsoft32.exe
- %TEMP%\1.tmp\2.bat
Network activity:
Connects to:
- 'xm#.##ypto-pool.fr':3333
UDP:
- DNS ASK xm#.##ypto-pool.fr
Miscellaneous:
Searches for the following windows:
- ClassName: 'Shell_TrayWnd' WindowName: ''
