Trojan.MulDrop4.60762

Technical Information

To ensure autorun and distribution

Modifies the following registry keys

[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Shell' = 'Explorer.exe'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce] 'ncqviueyepba' = 'jgcpkewymfzgtrvfiyfc.exe .'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run] 'mcrxlyjelxkkq' = 'ywthdyrujdygutyjnemkh.exe'
[<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'neubqeqmuhvwdv' = 'vogpgwkishxajddj.exe'
[<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] 'qizhxmzwftikslk' = 'jgcpkewymfzgtrvfiyfc.exe .'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'cwpzrixwhxoscxyff' = '%TEMP%\wsnztmderjciurudfua.exe'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce] 'vogpgwkishxajddj' = '%TEMP%\vogpgwkishxajddj.exe .'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce] 'vogpgwkishxajddj' = '%TEMP%\cwpzrixwhxoscxyff.exe .'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run] 'viuxisaswf' = '%TEMP%\cwpzrixwhxoscxyff.exe'
[<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'qervhsbuzju' = '%TEMP%\cwpzrixwhxoscxyff.exe'
[<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] 'ncqviueyepba' = '%TEMP%\vogpgwkishxajddj.exe .'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'qervhsbuzju' = 'wsnztmderjciurudfua.exe'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce] 'ncqviueyepba' = 'vogpgwkishxajddj.exe .'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run] 'mcrxlyjelxkkq' = 'vogpgwkishxajddj.exe'
[<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] 'qizhxmzwftikslk' = 'wsnztmderjciurudfua.exe .'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'cwpzrixwhxoscxyff' = '%TEMP%\lgalewmmyphmxtvdes.exe'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce] 'vogpgwkishxajddj' = '%TEMP%\lgalewmmyphmxtvdes.exe .'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run] 'viuxisaswf' = '%TEMP%\vogpgwkishxajddj.exe'
[<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'qervhsbuzju' = '%TEMP%\vogpgwkishxajddj.exe'
[<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] 'ncqviueyepba' = '%TEMP%\wsnztmderjciurudfua.exe .'
[<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] 'ncqviueyepba' = '%TEMP%\lgalewmmyphmxtvdes.exe .'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run] 'mcrxlyjelxkkq' = 'wsnztmderjciurudfua.exe'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'qervhsbuzju' = 'ywthdyrujdygutyjnemkh.exe'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'cwpzrixwhxoscxyff' = '%TEMP%\cwpzrixwhxoscxyff.exe'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'qervhsbuzju' = 'jgcpkewymfzgtrvfiyfc.exe'
[<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'qervhsbuzju' = '%TEMP%\jgcpkewymfzgtrvfiyfc.exe'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'qervhsbuzju' = 'lgalewmmyphmxtvdes.exe'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce] 'ncqviueyepba' = 'ywthdyrujdygutyjnemkh.exe .'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run] 'mcrxlyjelxkkq' = 'jgcpkewymfzgtrvfiyfc.exe'
[<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'neubqeqmuhvwdv' = 'jgcpkewymfzgtrvfiyfc.exe'
[<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] 'qizhxmzwftikslk' = 'vogpgwkishxajddj.exe .'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'cwpzrixwhxoscxyff' = '%TEMP%\jgcpkewymfzgtrvfiyfc.exe'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce] 'vogpgwkishxajddj' = '%TEMP%\ywthdyrujdygutyjnemkh.exe .'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run] 'viuxisaswf' = '%TEMP%\ywthdyrujdygutyjnemkh.exe'
[<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'qervhsbuzju' = '%TEMP%\wsnztmderjciurudfua.exe'
[<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] 'ncqviueyepba' = '%TEMP%\ywthdyrujdygutyjnemkh.exe .'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'qervhsbuzju' = 'cwpzrixwhxoscxyff.exe'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce] 'ncqviueyepba' = 'wsnztmderjciurudfua.exe .'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce] 'ncqviueyepba' = 'lgalewmmyphmxtvdes.exe .'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run] 'mcrxlyjelxkkq' = 'lgalewmmyphmxtvdes.exe'
[<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'neubqeqmuhvwdv' = 'lgalewmmyphmxtvdes.exe'
[<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'neubqeqmuhvwdv' = 'cwpzrixwhxoscxyff.exe'
[<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] 'qizhxmzwftikslk' = 'ywthdyrujdygutyjnemkh.exe .'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'cwpzrixwhxoscxyff' = '%TEMP%\vogpgwkishxajddj.exe'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce] 'vogpgwkishxajddj' = '%TEMP%\jgcpkewymfzgtrvfiyfc.exe .'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run] 'viuxisaswf' = '%TEMP%\jgcpkewymfzgtrvfiyfc.exe'
[<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'qervhsbuzju' = '%TEMP%\lgalewmmyphmxtvdes.exe'
[<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] 'ncqviueyepba' = '%TEMP%\jgcpkewymfzgtrvfiyfc.exe .'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run] 'viuxisaswf' = '%TEMP%\wsnztmderjciurudfua.exe'

Malicious functions

To complicate detection of its presence in the operating system,

forces the system hide from view:

hidden files

blocks execution of the following system utilities:

Registry Editor (RegEdit)

blocks the following features:

User Account Control (UAC)

Forces autoplay for removable media.

Modifies file system

Creates the following files

%TEMP%\omqfabvcywa.exe
%TEMP%\wsnztmderjciurudfua.exe
%TEMP%\jgcpkewymfzgtrvfiyfc.exe
%TEMP%\ywthdyrujdygutyjnemkh.exe
%TEMP%\pombyuosidzixxdpumvush.exe
%TEMP%\ygnlr.exe
%WINDIR%\syswow64\dimhkmmwstvkflxpaynswruw.gcd
<LS_APPDATA>\dimhkmmwstvkflxpaynswruw.gcd
%WINDIR%\vogpgwkishxajddj.exe
%WINDIR%\dimhkmmwstvkflxpaynswruw.gcd
%TEMP%\dimhkmmwstvkflxpaynswruw.gcd
%WINDIR%\syswow64\mcrxlyjelxkkqhehdmmcrxlyjelxkkqhehd.mcr
%ProgramFiles(x86)%\mcrxlyjelxkkqhehdmmcrxlyjelxkkqhehd.mcr
<LS_APPDATA>\mcrxlyjelxkkqhehdmmcrxlyjelxkkqhehd.mcr
%WINDIR%\mcrxlyjelxkkqhehdmmcrxlyjelxkkqhehd.mcr
%TEMP%\lgalewmmyphmxtvdes.exe
%TEMP%\cwpzrixwhxoscxyff.exe
%TEMP%\vogpgwkishxajddj.exe
%WINDIR%\pombyuosidzixxdpumvush.exe
%WINDIR%\ywthdyrujdygutyjnemkh.exe
%WINDIR%\jgcpkewymfzgtrvfiyfc.exe
%WINDIR%\wsnztmderjciurudfua.exe
%WINDIR%\lgalewmmyphmxtvdes.exe
%WINDIR%\cwpzrixwhxoscxyff.exe
%ProgramFiles(x86)%\dimhkmmwstvkflxpaynswruw.gcd
%WINDIR%\syswow64\pombyuosidzixxdpumvush.exe
%WINDIR%\syswow64\ywthdyrujdygutyjnemkh.exe
%WINDIR%\syswow64\jgcpkewymfzgtrvfiyfc.exe
%WINDIR%\syswow64\wsnztmderjciurudfua.exe
%WINDIR%\syswow64\lgalewmmyphmxtvdes.exe
%WINDIR%\syswow64\cwpzrixwhxoscxyff.exe
%WINDIR%\syswow64\vogpgwkishxajddj.exe
%TEMP%\mcrxlyjelxkkqhehdmmcrxlyjelxkkqhehd.mcr
%TEMP%\wgppxej\viuxisaswf.exe

Sets the 'hidden' attribute to the following files

%WINDIR%\syswow64\vogpgwkishxajddj.exe
<LS_APPDATA>\mcrxlyjelxkkqhehdmmcrxlyjelxkkqhehd.mcr
%ProgramFiles(x86)%\mcrxlyjelxkkqhehdmmcrxlyjelxkkqhehd.mcr
%WINDIR%\syswow64\mcrxlyjelxkkqhehdmmcrxlyjelxkkqhehd.mcr
%TEMP%\dimhkmmwstvkflxpaynswruw.gcd
%WINDIR%\dimhkmmwstvkflxpaynswruw.gcd
<LS_APPDATA>\dimhkmmwstvkflxpaynswruw.gcd
%ProgramFiles(x86)%\dimhkmmwstvkflxpaynswruw.gcd
%WINDIR%\syswow64\dimhkmmwstvkflxpaynswruw.gcd
%TEMP%\pombyuosidzixxdpumvush.exe
%TEMP%\ywthdyrujdygutyjnemkh.exe
%TEMP%\jgcpkewymfzgtrvfiyfc.exe
%TEMP%\wsnztmderjciurudfua.exe
%TEMP%\lgalewmmyphmxtvdes.exe
%WINDIR%\mcrxlyjelxkkqhehdmmcrxlyjelxkkqhehd.mcr
%TEMP%\cwpzrixwhxoscxyff.exe
%WINDIR%\pombyuosidzixxdpumvush.exe
%WINDIR%\ywthdyrujdygutyjnemkh.exe
%WINDIR%\jgcpkewymfzgtrvfiyfc.exe
%WINDIR%\wsnztmderjciurudfua.exe
%WINDIR%\lgalewmmyphmxtvdes.exe
%WINDIR%\cwpzrixwhxoscxyff.exe
%WINDIR%\vogpgwkishxajddj.exe
%WINDIR%\syswow64\pombyuosidzixxdpumvush.exe
%WINDIR%\syswow64\ywthdyrujdygutyjnemkh.exe
%WINDIR%\syswow64\jgcpkewymfzgtrvfiyfc.exe
%WINDIR%\syswow64\wsnztmderjciurudfua.exe
%WINDIR%\syswow64\lgalewmmyphmxtvdes.exe
%WINDIR%\syswow64\cwpzrixwhxoscxyff.exe
%TEMP%\vogpgwkishxajddj.exe
%TEMP%\mcrxlyjelxkkqhehdmmcrxlyjelxkkqhehd.mcr

Network activity

TCP

HTTP GET requests

http://wh#####yipaddress.com/
http://www.wh###smyip.com/
http://www.sh####ipaddress.com/
http://www.bl##ger.com/
http://jo###ohxty.net/
http://ck##ko.info/

UDP

DNS ASK wh#####yipaddress.com
DNS ASK wh###smyip.com
DNS ASK sh####ipaddress.com
DNS ASK wh#####yip.everdot.org
DNS ASK wh###smyip.ca
DNS ASK bl##ger.com
DNS ASK jo###ohxty.net
DNS ASK fi##lox.com
DNS ASK lh###gnz.net
DNS ASK fr###dpb.net
DNS ASK ue###uxmhe.info
DNS ASK ck##ko.info
DNS ASK ti###cvssuh.org

Miscellaneous

Creates and executes the following

'%TEMP%\omqfabvcywa.exe' "<Full path to file>*"
'%TEMP%\ygnlr.exe' "-%TEMP%\vogpgwkishxajddj.exe"

テクノロジー

用語

トレーニングコースおよび啓蒙プロジェクト

アンチウイルスに関する誤解と噂

Technical Information

Curing recommendations

Free trial