Technical Information
Malicious functions
Executes the following
- '%WINDIR%\syswow64\netsh.exe' firewall add allowedprogram "%TEMP%\dll.exe" "dll.exe" ENABLE
Modifies file system
Creates the following files
- %TEMP%\apk_tools.exe
- %TEMP%\tools\zipalign.exe
- %TEMP%\tools\testkey.x509.pem
- %TEMP%\tools\testkey.pk8
- %TEMP%\tools\smali.jar
- %TEMP%\tools\signapk.jar
- %TEMP%\tools\roptipng.exe
- %TEMP%\tools\baksmali.jar
- %TEMP%\tools\apktool2.0.0b9.jar
- %TEMP%\logs\021620.log
- %TEMP%\tools\apktool1.5.2.jar
- %TEMP%\tools\adbwinapi.dll
- %TEMP%\tools\adb.exe
- %TEMP%\tools\aapt.exe
- %TEMP%\tools\7za.exe
- %TEMP%\server.exe
- %TEMP%\20110911\tools.zip
- %TEMP%\20110911\list.txt
- %TEMP%\20110911\7za.exe
- %TEMP%\tools\adbwinusbapi.dll
- %TEMP%\hsperfdata_user\2104
Deletes the following files
- %TEMP%\20110911\7za.exe
- %TEMP%\20110911\list.txt
- %TEMP%\20110911\tools.zip
Network activity
TCP
- 'pa###bin.com':443
UDP
- DNS ASK pa###bin.com
Miscellaneous
Searches for the following windows
- ClassName: 'AutoHotkey' WindowName: '%TEMP%\APK_Tools.exe'
- ClassName: '#32771' WindowName: ''
Creates and executes the following
- '%TEMP%\apk_tools.exe'
- '%TEMP%\20110911\7za.exe' x -otools %TEMP%\20110911\tools.zip AdbWinUsbApi.dll
- '%TEMP%\20110911\7za.exe' x -otools %TEMP%\20110911\tools.zip signapk.jar
- '%TEMP%\20110911\7za.exe' x -otools %TEMP%\20110911\tools.zip testkey.pk8
- '%TEMP%\20110911\7za.exe' x -otools %TEMP%\20110911\tools.zip roptipng.exe
- '%TEMP%\20110911\7za.exe' x -otools %TEMP%\20110911\tools.zip testkey.x509.pem
- '%TEMP%\20110911\7za.exe' x -otools %TEMP%\20110911\tools.zip apktool2.0.0b9.jar
- '%TEMP%\20110911\7za.exe' x -otools %TEMP%\20110911\tools.zip apktool1.5.2.jar
- '%TEMP%\20110911\7za.exe' x -otools %TEMP%\20110911\tools.zip baksmali.jar
- '%TEMP%\20110911\7za.exe' x -otools %TEMP%\20110911\tools.zip zipalign.exe
- '%TEMP%\20110911\7za.exe' x -otools %TEMP%\20110911\tools.zip AdbWinApi.dll
- '%TEMP%\20110911\7za.exe' x -otools %TEMP%\20110911\tools.zip Frameworks
- '%TEMP%\20110911\7za.exe' x -otools %TEMP%\20110911\tools.zip aapt.exe
- '%TEMP%\server.exe'
- '%TEMP%\20110911\7za.exe' x -otools %TEMP%\20110911\tools.zip 7za.exe
- '%TEMP%\20110911\7za.exe' x -otools %TEMP%\20110911\tools.zip smali.jar
- '%TEMP%\20110911\7za.exe' x -otools %TEMP%\20110911\tools.zip adb.exe
- '%TEMP%\20110911\7za.exe' x -otools %TEMP%\20110911\tools.zip baksmali.jar' (with hidden window)
- '%TEMP%\20110911\7za.exe' x -otools %TEMP%\20110911\tools.zip signapk.jar' (with hidden window)
- '%TEMP%\20110911\7za.exe' x -otools %TEMP%\20110911\tools.zip testkey.x509.pem' (with hidden window)
- '%TEMP%\20110911\7za.exe' x -otools %TEMP%\20110911\tools.zip Frameworks' (with hidden window)
- '%TEMP%\20110911\7za.exe' x -otools %TEMP%\20110911\tools.zip testkey.pk8' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /C java -version' (with hidden window)
- '%TEMP%\20110911\7za.exe' x -otools %TEMP%\20110911\tools.zip zipalign.exe' (with hidden window)
- '%TEMP%\20110911\7za.exe' x -otools %TEMP%\20110911\tools.zip smali.jar' (with hidden window)
- '%TEMP%\20110911\7za.exe' x -otools %TEMP%\20110911\tools.zip apktool2.0.0b9.jar' (with hidden window)
- '%TEMP%\20110911\7za.exe' x -otools %TEMP%\20110911\tools.zip apktool1.5.2.jar' (with hidden window)
- '%TEMP%\20110911\7za.exe' x -otools %TEMP%\20110911\tools.zip AdbWinUsbApi.dll' (with hidden window)
- '%TEMP%\20110911\7za.exe' x -otools %TEMP%\20110911\tools.zip AdbWinApi.dll' (with hidden window)
- '%TEMP%\20110911\7za.exe' x -otools %TEMP%\20110911\tools.zip adb.exe' (with hidden window)
- '%TEMP%\20110911\7za.exe' x -otools %TEMP%\20110911\tools.zip aapt.exe' (with hidden window)
- '%TEMP%\20110911\7za.exe' x -otools %TEMP%\20110911\tools.zip 7za.exe' (with hidden window)
- '%TEMP%\20110911\7za.exe' x -otools %TEMP%\20110911\tools.zip roptipng.exe' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /C "%TEMP%\tools\adb.exe" version' (with hidden window)
- '%WINDIR%\syswow64\netsh.exe' firewall add allowedprogram "%TEMP%\dll.exe" "dll.exe" ENABLE' (with hidden window)
Executes the following
- '%WINDIR%\syswow64\cmd.exe' /C java -version
- '%WINDIR%\syswow64\cmd.exe' /C "%TEMP%\tools\adb.exe" version
- '%TEMP%\tools\adb.exe' version