Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Classes\jd\shell\open\command] '' = '"%TEMP%\RarSFX0\MiPony.exe" "/url:%1"'
- [<HKLM>\SOFTWARE\Classes\jdlist\shell\open\command] '' = '"%TEMP%\RarSFX0\MiPony.exe" "/url:%1"'
- [<HKLM>\SOFTWARE\Classes\mpybrowser\shell\open\command] '' = '"%TEMP%\RarSFX0\MiPony.exe" "/url:%1"'
- [<HKLM>\SOFTWARE\Classes\mipony\shell\open\command] '' = '"%TEMP%\RarSFX0\MiPony.exe" "/url:%1"'
- [<HKLM>\SOFTWARE\Classes\mipony-ext\shell\open\command] '' = '"%TEMP%\RarSFX0\MiPony.exe""%1"'
- [<HKLM>\SOFTWARE\Classes\dlc\shell\open\command] '' = '"%TEMP%\RarSFX0\MiPony.exe" "/url:%1"'
Malicious functions:
Executes the following:
- '%TEMP%\RarSFX0\MiPony.exe'
Modifies file system:
Creates the following files:
- %TEMP%\RarSFX0\Language\mipony_zh-TW.xml
- %TEMP%\RarSFX0\Language\mipony_zh-HK.xml
- %TEMP%\RarSFX0\Language\mipony_zh-CHS.xml
- %TEMP%\RarSFX0\MiPony.exe
- %TEMP%\RarSFX0\HtmlAgilityPack.dll
- %TEMP%\RarSFX0\uninst.exe
- %TEMP%\RarSFX0\tes\tesseract.exe
- %TEMP%\RarSFX0\Language\mipony_vi.xml
- %TEMP%\RarSFX0\Language\mipony_ro-RO.xml
- %TEMP%\RarSFX0\Language\mipony_pt-PT.xml
- %TEMP%\RarSFX0\Language\mipony_pt-BR.xml
- %TEMP%\RarSFX0\Language\mipony_ru-RU.xml
- %TEMP%\RarSFX0\Language\mipony_tr-TR.xml
- %TEMP%\RarSFX0\Language\mipony_sr-Cyrl-CS.xml
- %TEMP%\RarSFX0\Language\mipony_sk-SK.xml
- %TEMP%\RarSFX0\tes\leptonlib.dll
- %TEMP%\RarSFX0\tes\tessdata\configs\lowletters
- %TEMP%\RarSFX0\tes\tessdata\configs\lowdigits
- %TEMP%\RarSFX0\tes\tessdata\configs\lettersdigits
- %TEMP%\RarSFX0\tes\tessdata\eng.traineddata
- %HOMEPATH%\Local Settings\<INETFILES>\Content.IE5\U98D4X8H\start[1].0&f=1
- %APPDATA%\Mipony\mipony.xml
- %HOMEPATH%\Local Settings\<INETFILES>\Content.IE5\KHMHGZ4F\wpad[1].cache
- %TEMP%\RarSFX0\tes\tessdata\configs\letters
- %TEMP%\RarSFX0\unrar64.dll
- %TEMP%\RarSFX0\unrar.dll
- %TEMP%\RarSFX0\Mono.Nat.dll
- %TEMP%\RarSFX0\sig.bin
- %TEMP%\RarSFX0\tes\tessdata\configs\digits
- %TEMP%\RarSFX0\tes\tessdata\configs\capsdigits
- %TEMP%\RarSFX0\tes\tessdata\configs\capletters
- %TEMP%\RarSFX0\Language\mipony_el.xml
- %TEMP%\RarSFX0\Language\mipony_de-DE.xml
- %TEMP%\RarSFX0\Language\mipony_da-DK.xml
- %TEMP%\RarSFX0\Language\mipony_en-US.xml
- %TEMP%\RarSFX0\Language\mipony_es-MX.xml
- %TEMP%\RarSFX0\Language\mipony_es-ES.xml
- %TEMP%\RarSFX0\Language\mipony_es-AR.xml
- %TEMP%\RarSFX0\Language\mipony_cs-CZ.xml
- %TEMP%\RarSFX0\Language\mipony_bg-BG.xml
- %TEMP%\RarSFX0\Language\mipony_ar-EG.xml
- %TEMP%\RarSFX0\Browser\IEContext.htm
- %TEMP%\RarSFX0\Language\mipony_bn-IN.xml
- %TEMP%\RarSFX0\Language\mipony_ca.xml
- %TEMP%\RarSFX0\Language\mipony_ca-VA.xml
- %TEMP%\RarSFX0\Language\mipony_bs-Latn-BA.xml
- %TEMP%\RarSFX0\Language\mipony_eu-ES.xml
- %TEMP%\RarSFX0\Language\mipony_ko-KR.xml
- %TEMP%\RarSFX0\Language\mipony_km-KH.xml
- %TEMP%\RarSFX0\Language\mipony_ja-JP.xml
- %TEMP%\RarSFX0\Language\mipony_lt-LT.xml
- %TEMP%\RarSFX0\Language\mipony_pl-PL.xml
- %TEMP%\RarSFX0\Language\mipony_nl-NL.xml
- %TEMP%\RarSFX0\Language\mipony_mr-IN.xml
- %TEMP%\RarSFX0\Language\mipony_it-IT.xml
- %TEMP%\RarSFX0\Language\mipony_gl-ES.xml
- %TEMP%\RarSFX0\Language\mipony_fr-FR.xml
- %TEMP%\RarSFX0\Language\mipony_fa-IR.xml
- %TEMP%\RarSFX0\Language\mipony_he-IL.xml
- %TEMP%\RarSFX0\Language\mipony_id-ID.xml
- %TEMP%\RarSFX0\Language\mipony_hu-HU.xml
- %TEMP%\RarSFX0\Language\mipony_hr-HR.xml
Network activity:
Connects to:
- 'localhost':1041
- 'www.mi##ny.net':80
- 'wp#d':80
TCP:
HTTP GET requests:
- http://www.mi##ny.net/start/?v=#########
- http://www.mi##ny.net/checksigversion/?v=############
- http://11#.#11.111.1/wpad.dat via wp#d
- http://www.mi##ny.net/checkversion/?v=#############
UDP:
- DNS ASK www.mi##ny.net
- DNS ASK wp#d
Miscellaneous:
Searches for the following windows:
- ClassName: 'MS_AutodialMonitor' WindowName: ''
- ClassName: 'MS_WebcheckMonitor' WindowName: ''
- ClassName: 'EDIT' WindowName: ''
- ClassName: 'Shell_TrayWnd' WindowName: ''
