Technical Information
To ensure autorun and distribution:
Creates or modifies the following files:
- %HOMEPATH%\Start Menu\Programs\Startup\FlashPlayer.lnk
Malicious functions:
Creates and executes the following:
- '%TEMP%\RarSFX0\Svchost.exe' -o stratum+tcp://xmr.pool.minergate.com:45560 -u xbs1mg@gmail.com -p x -t 2
- '<SYSTEM32>\wscript.exe' "%TEMP%\RarSFX0\1.vbs"
Executes the following:
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\RarSFX0\1.bat" "
Injects code into
the following user processes:
- Svchost.exe
Modifies file system:
Creates the following files:
- %TEMP%\RarSFX0\1.bat
- %TEMP%\RarSFX0\file.data
- %TEMP%\RarSFX0\1.VBS
- %TEMP%\RarSFX0\Svchost.exe
Sets the 'hidden' attribute to the following files:
- %TEMP%\RarSFX0\1.VBS
Deletes the following files:
- %TEMP%\RarSFX0\file.data
- %TEMP%\RarSFX0\Svchost.exe
- %TEMP%\RarSFX0\1.bat
- %TEMP%\RarSFX0\1.VBS
Network activity:
Connects to:
- 'xm#.###l.minergate.com':45560
UDP:
- DNS ASK xm#.###l.minergate.com
Miscellaneous:
Searches for the following windows:
- ClassName: 'Shell_TrayWnd' WindowName: ''
- ClassName: 'EDIT' WindowName: ''