Technical Information
Malicious functions:
Executes the following:
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\yjzdfyyonn.bat" "
Searches for windows to
detect analytical utilities:
- ClassName: 'PROCEXPL' WindowName: ''
- ClassName: 'OLLYDBG' WindowName: ''
detect programs and games:
- ClassName: 'GDKWINDOWTOPLEVEL' WindowName: ''
Modifies file system:
Creates the following files:
- %TEMP%\Cab9.tmp
- %TEMP%\Cab7.tmp
- %TEMP%\Cab5.tmp
- %TEMP%\yjzdfyyonn.bat
- %TEMP%\CabD.tmp
- %TEMP%\CabB.tmp
- %APPDATA%\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
- %APPDATA%\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004
- %APPDATA%\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004
- %TEMP%\Cab3.tmp
- %TEMP%\Cab1.tmp
- %APPDATA%\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Deletes the following files:
- %TEMP%\Cab9.tmp
- %TEMP%\CabB.tmp
- %TEMP%\CabD.tmp
- %TEMP%\Cab7.tmp
- %TEMP%\Cab1.tmp
- %TEMP%\Cab3.tmp
- %TEMP%\Cab5.tmp
Deletes itself.
Network activity:
Connects to:
- 'www.download.windowsupdate.com':80
- 'ca#####.digicert.com':80
- 'wp#d':80
TCP:
HTTP GET requests:
- http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt
- http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
- http://11#.#11.111.1/wpad.dat via wp#d
- http://ca#####.digicert.com/DigiCertAssuredIDRootCA.crt
UDP:
- DNS ASK www.download.windowsupdate.com
- DNS ASK ca#####.digicert.com
- DNS ASK wp#d
Miscellaneous:
Searches for the following windows:
- ClassName: 'PORTMONCLASS' WindowName: ''