Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Configurator' = '%APPDATA%\Microsoft 2011\Configurator.exe'
Creates the following files on removable media:
- <Drive name for removable media>:\5BdmHkI8OZ.exe.exe
- <Drive name for removable media>:\autorun.inf.exe
- <Drive name for removable media>:\autorun.inf
- <Drive name for removable media>:\5BdmHkI8OZ.exe
Malicious functions:
Creates and executes the following:
- '%APPDATA%\SfCq-fMGb.exe' -g no -t 1 -o http://pi#.###pbit.net:8332 -u lsd@love.com_test -p miners
- '%APPDATA%\Microsoft 2011\Configurator.exe'
- '%APPDATA%\SfCq-fMGb.exe' (downloaded from the Internet)
Modifies file system:
Creates the following files:
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\server[1].exe
- %APPDATA%\21i-tJAI6.exe
- %APPDATA%\SfCq-fMGb.exe
- %APPDATA%\Microsoft 2011\Configurator.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\svchost[1].exe
Sets the 'hidden' attribute on the following files:
- <Drive name for removable media>:\autorun.inf
- <Drive name for removable media>:\autorun.inf.exe
- <Drive name for removable media>:\5BdmHkI8OZ.exe.exe
- %APPDATA%\Microsoft 2011\Configurator.exe
- <Drive name for removable media>:\5BdmHkI8OZ.exe
Network activity:
Connects to:
- 'ha#s.in':80
- 'dl.##opbox.com':80
- 'localhost':1035
TCP:
HTTP GET requests:
- ha#s.in/server.exe
- dl.##opbox.com/u/27790450/ufasoft/svchost.exe
UDP:
- DNS ASK ha#s.in
- DNS ASK dl.##opbox.com
Miscellaneous:
Searches for the following windows:
- ClassName: 'Indicator' WindowName: '(null)'