Technical Information
To ensure autorun and distribution
Modifies the following registry keys
- [HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'svchost' = '%TEMP%\caid\IUHCVA~1.EXE %TEMP%\caid\HBKCOF~1.DOC'
- [HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'svchost' = '%TEMP%\caid\IUHCVA~2.EXE %TEMP%\caid\HBKCOF~1.DOC'
- [HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'svchost' = '%TEMP%\caid\IUHCVA~3.EXE %TEMP%\caid\HBKCOF~1.DOC'
- [HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'svchost' = '%TEMP%\caid\IUHCVA~4.EXE %TEMP%\caid\HBKCOF~1.DOC'
- [HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'svchost' = '%TEMP%\caid\IU065B~1.EXE %TEMP%\caid\HBKCOF~1.DOC'
- [HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'svchost' = '%TEMP%\caid\IU23A3~1.EXE %TEMP%\caid\HBKCOF~1.DOC'
- [HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'svchost' = '%TEMP%\caid\IU0284~1.EXE %TEMP%\caid\HBKCOF~1.DOC'
- [HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'svchost' = '%TEMP%\caid\IU2731~1.EXE %TEMP%\caid\HBKCOF~1.DOC'
- [HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'svchost' = '%TEMP%\caid\IU0E2C~1.EXE %TEMP%\caid\HBKCOF~1.DOC'
- [HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'svchost' = '%TEMP%\caid\IU2B48~1.EXE %TEMP%\caid\HBKCOF~1.DOC'
Modifies file system
Creates the following files
- %TEMP%\rarsfx0\rbui.bec
- %TEMP%\caid\vckqtdhg.ini
- %TEMP%\caid\uvowvmwfqj.txt
- %TEMP%\caid\uusj.bin
- %TEMP%\caid\tpmkluf.txt
- %TEMP%\caid\tbionh.xl
- %TEMP%\caid\sunxigjrf.xml
- %TEMP%\caid\stjm.icm
- %TEMP%\caid\remafglwpv.xls
- %TEMP%\caid\rbui.bec
- %TEMP%\caid\qutl.msc
- %TEMP%\caid\qnexpc.bin
- %TEMP%\caid\qhtqbeo.ini
- %TEMP%\caid\opvpu.ppt
- %TEMP%\caid\ocir.mp3
- %TEMP%\caid\nqdibj.icm
- %TEMP%\caid\nprk.dat
- %TEMP%\caid\napkacvpno.xml
- %TEMP%\caid\nageqhax.msc
- %TEMP%\caid\kvuvpdmsb.icm
- %TEMP%\caid\iuhcvafgk.bin.exe
- %TEMP%\caid\jff-b.vbe
- %TEMP%\caid\wsku.ppt
- %TEMP%\caid\xgvujxx.icm
- %TEMP%\caid\iuhcvafgk.bin.exe.exe.exe.exe.exe.exe.exe.exe.exe
- %TEMP%\rarsfx0\iuhcvafgk.bin.exe.exe.exe.exe.exe.exe.exe.exe.exe
- %TEMP%\caid\iuhcvafgk.bin.exe.exe.exe.exe.exe.exe.exe.exe
- %TEMP%\rarsfx0\iuhcvafgk.bin.exe.exe.exe.exe.exe.exe.exe.exe
- %TEMP%\caid\iuhcvafgk.bin.exe.exe.exe.exe.exe.exe.exe
- %TEMP%\rarsfx0\iuhcvafgk.bin.exe.exe.exe.exe.exe.exe.exe
- %TEMP%\caid\iuhcvafgk.bin.exe.exe.exe.exe.exe.exe
- %TEMP%\rarsfx0\iuhcvafgk.bin.exe.exe.exe.exe.exe.exe
- %TEMP%\caid\iuhcvafgk.bin.exe.exe.exe.exe.exe
- %TEMP%\caid\iuhcvafgk.bin.exe.exe.exe.exe
- %TEMP%\rarsfx0\ocir.mp3
- %TEMP%\rarsfx0\iuhcvafgk.bin.exe.exe.exe.exe
- %TEMP%\caid\iuhcvafgk.bin.exe.exe.exe
- %TEMP%\rarsfx0\iuhcvafgk.bin.exe.exe.exe
- %TEMP%\caid\run.vbs
- %TEMP%\caid\iuhcvafgk.bin.exe.exe
- %TEMP%\rarsfx0\iuhcvafgk.bin.exe.exe
- %TEMP%\rarsfx0\run.vbs
- %TEMP%\regsvcs.exe
- %TEMP%\caid\xqcpedd.txt
- %TEMP%\caid\iuhcvafgk.bin
- %TEMP%\caid\hrdclt.exe
- %TEMP%\caid\hbkcofl.docx
- %TEMP%\rarsfx0\dwshfwksaf.pdf
- %TEMP%\rarsfx0\civptgsda.dll
- %TEMP%\rarsfx0\sunxigjrf.xml
- %TEMP%\rarsfx0\anbcqc.xl
- %TEMP%\rarsfx0\nqdibj.icm
- %TEMP%\rarsfx0\aeqbrtjigg.xls
- %TEMP%\rarsfx0\bjwepc.msc
- %TEMP%\rarsfx0\hrdclt.exe
- %TEMP%\rarsfx0\tbionh.xl
- %TEMP%\rarsfx0\kvuvpdmsb.icm
- %TEMP%\rarsfx0\nprk.dat
- %TEMP%\rarsfx0\remafglwpv.xls
- %TEMP%\rarsfx0\emksibs.docx
- %TEMP%\rarsfx0\awfnpocok.msc
- %TEMP%\rarsfx0\iuhcvafgk.bin
- %TEMP%\rarsfx0\jff-b.vbe
- %TEMP%\rarsfx0\hbkcofl.docx
- %TEMP%\rarsfx0\stjm.icm
- %TEMP%\rarsfx0\vckqtdhg.ini
- %TEMP%\rarsfx0\uusj.bin
- %TEMP%\rarsfx0\wsku.ppt
- %TEMP%\rarsfx0\qnexpc.bin
- %TEMP%\caid\emksibs.docx
- %TEMP%\rarsfx0\qutl.msc
- %TEMP%\caid\dwshfwksaf.pdf
- %TEMP%\caid\civptgsda.dll
- %TEMP%\caid\ceevdtocav.mp3
- %TEMP%\caid\bjwepc.msc
- %TEMP%\caid\awfnpocok.msc
- %TEMP%\caid\anbcqc.xl
- %TEMP%\caid\aeqbrtjigg.xls
- %TEMP%\rarsfx0\iuhcvafgk.bin.exe
- %TEMP%\rarsfx0\iuhcvafgk.bin.exe.exe.exe.exe.exe
- %TEMP%\rarsfx0\iuhcvafgk.bin.exe.exe.exe.exe.exe.exe.exe.exe.exe.exe
- %TEMP%\rarsfx0\nageqhax.msc
- %TEMP%\rarsfx0\xgvujxx.icm
- %TEMP%\rarsfx0\uvowvmwfqj.txt
- %TEMP%\rarsfx0\napkacvpno.xml
- %TEMP%\rarsfx0\qhtqbeo.ini
- %TEMP%\rarsfx0\xqcpedd.txt
- %TEMP%\rarsfx0\ceevdtocav.mp3
- %TEMP%\rarsfx0\tpmkluf.txt
- %TEMP%\rarsfx0\opvpu.ppt
- %HOMEPATH%\temp\stjm.icm
- %TEMP%\caid\iuhcvafgk.bin.exe.exe.exe.exe.exe.exe.exe.exe.exe.exe
Sets the 'hidden' attribute to the following files
- %TEMP%\caid\aeqbrtjigg.xls
- %TEMP%\caid\remafglwpv.xls
- %TEMP%\caid\stjm.icm
- %TEMP%\caid\sunxigjrf.xml
- %TEMP%\caid\tbionh.xl
- %TEMP%\caid\tpmkluf.txt
- %TEMP%\caid\uusj.bin
- %TEMP%\caid\uvowvmwfqj.txt
- %TEMP%\caid\vckqtdhg.ini
- %TEMP%\caid\wsku.ppt
- %TEMP%\caid\xgvujxx.icm
- %TEMP%\caid\xqcpedd.txt
- %TEMP%\caid\iuhcvafgk.bin.exe.exe
- %TEMP%\caid\run.vbs
- %TEMP%\caid\iuhcvafgk.bin.exe.exe.exe
- %TEMP%\caid\iuhcvafgk.bin.exe.exe.exe.exe
- %TEMP%\caid\iuhcvafgk.bin.exe.exe.exe.exe.exe
- %TEMP%\caid\iuhcvafgk.bin.exe.exe.exe.exe.exe.exe
- %TEMP%\caid\iuhcvafgk.bin.exe.exe.exe.exe.exe.exe.exe
- %TEMP%\caid\iuhcvafgk.bin.exe.exe.exe.exe.exe.exe.exe.exe
- %TEMP%\caid\rbui.bec
- %TEMP%\caid\iuhcvafgk.bin.exe.exe.exe.exe.exe.exe.exe.exe.exe
- %TEMP%\caid\qutl.msc
- %TEMP%\caid\qhtqbeo.ini
- %TEMP%\caid\anbcqc.xl
- %TEMP%\caid\awfnpocok.msc
- %TEMP%\caid\bjwepc.msc
- %TEMP%\caid\ceevdtocav.mp3
- %TEMP%\caid\civptgsda.dll
- %TEMP%\caid\dwshfwksaf.pdf
- %TEMP%\caid\emksibs.docx
- %TEMP%\caid\hbkcofl.docx
- %TEMP%\caid\hrdclt.exe
- %TEMP%\caid\iuhcvafgk.bin
- %TEMP%\caid\iuhcvafgk.bin.exe
- %TEMP%\caid\jff-b.vbe
- %TEMP%\caid\kvuvpdmsb.icm
- %TEMP%\caid\nageqhax.msc
- %TEMP%\caid\napkacvpno.xml
- %TEMP%\caid\nprk.dat
- %TEMP%\caid\nqdibj.icm
- %TEMP%\caid\ocir.mp3
- %TEMP%\caid\opvpu.ppt
- %TEMP%\caid\qnexpc.bin
- %TEMP%\caid\iuhcvafgk.bin.exe.exe.exe.exe.exe.exe.exe.exe.exe.exe
Deletes the following files
- %TEMP%\rarsfx0\iuhcvafgk.bin
- %TEMP%\caid\stjm.icm
- %TEMP%\caid\sunxigjrf.xml
- %TEMP%\caid\tbionh.xl
- %TEMP%\caid\tpmkluf.txt
- %TEMP%\caid\uusj.bin
- %TEMP%\caid\uvowvmwfqj.txt
- %TEMP%\caid\vckqtdhg.ini
- %TEMP%\caid\wsku.ppt
- %TEMP%\caid\rbui.bec
- %TEMP%\caid\remafglwpv.xls
- %TEMP%\caid\xgvujxx.icm
- %TEMP%\rarsfx0\iuhcvafgk.bin.exe.exe
- %TEMP%\caid\run.vbs
- %TEMP%\rarsfx0\iuhcvafgk.bin.exe.exe.exe
- %TEMP%\rarsfx0\iuhcvafgk.bin.exe.exe.exe.exe
- %TEMP%\rarsfx0\iuhcvafgk.bin.exe.exe.exe.exe.exe
- %TEMP%\rarsfx0\iuhcvafgk.bin.exe.exe.exe.exe.exe.exe
- %TEMP%\rarsfx0\iuhcvafgk.bin.exe.exe.exe.exe.exe.exe.exe
- %TEMP%\rarsfx0\iuhcvafgk.bin.exe.exe.exe.exe.exe.exe.exe.exe
- %TEMP%\caid\xqcpedd.txt
- %TEMP%\regsvcs.exe
- %TEMP%\caid\qutl.msc
- %TEMP%\caid\qnexpc.bin
- %TEMP%\caid\qhtqbeo.ini
- %TEMP%\caid\aeqbrtjigg.xls
- %TEMP%\caid\anbcqc.xl
- %TEMP%\caid\awfnpocok.msc
- %TEMP%\caid\bjwepc.msc
- %TEMP%\caid\ceevdtocav.mp3
- %TEMP%\caid\civptgsda.dll
- %TEMP%\caid\dwshfwksaf.pdf
- %TEMP%\caid\emksibs.docx
- %TEMP%\caid\hbkcofl.docx
- %TEMP%\rarsfx0\iuhcvafgk.bin.exe
- %TEMP%\caid\hrdclt.exe
- %TEMP%\caid\iuhcvafgk.bin.exe
- %TEMP%\caid\jff-b.vbe
- %TEMP%\caid\kvuvpdmsb.icm
- %TEMP%\caid\nageqhax.msc
- %TEMP%\caid\napkacvpno.xml
- %TEMP%\caid\nprk.dat
- %TEMP%\caid\nqdibj.icm
- %TEMP%\caid\ocir.mp3
- %TEMP%\caid\opvpu.ppt
- %TEMP%\caid\iuhcvafgk.bin
- %TEMP%\rarsfx0\iuhcvafgk.bin.exe.exe.exe.exe.exe.exe.exe.exe.exe
- %TEMP%\rarsfx0\iuhcvafgk.bin.exe.exe.exe.exe.exe.exe.exe.exe.exe.exe
Substitutes the following files
- %TEMP%\caid\aeqbrtjigg.xls
- %TEMP%\caid\xqcpedd.txt
- %TEMP%\caid\xgvujxx.icm
- %TEMP%\caid\vckqtdhg.ini
- %TEMP%\caid\uvowvmwfqj.txt
- %TEMP%\caid\uusj.bin
- %TEMP%\caid\tpmkluf.txt
- %TEMP%\caid\tbionh.xl
- %TEMP%\caid\stjm.icm
- %TEMP%\caid\rbui.bec
- %TEMP%\caid\qutl.msc
- %TEMP%\caid\qnexpc.bin
- %TEMP%\caid\qhtqbeo.ini
- %TEMP%\caid\ocir.mp3
- %TEMP%\caid\nqdibj.icm
- %TEMP%\caid\napkacvpno.xml
- %TEMP%\caid\nageqhax.msc
- %TEMP%\caid\kvuvpdmsb.icm
- %TEMP%\caid\jff-b.vbe
- %TEMP%\caid\iuhcvafgk.bin.exe
- %TEMP%\caid\iuhcvafgk.bin
- %TEMP%\caid\hrdclt.exe
- %TEMP%\caid\hbkcofl.docx
- %TEMP%\caid\emksibs.docx
- %TEMP%\caid\dwshfwksaf.pdf
- %TEMP%\caid\civptgsda.dll
- %TEMP%\caid\ceevdtocav.mp3
- %TEMP%\caid\bjwepc.msc
- %TEMP%\caid\awfnpocok.msc
- %TEMP%\caid\anbcqc.xl
- %TEMP%\regsvcs.exe
- %TEMP%\caid\run.vbs
Modifies user data files (Trojan.Encoder).
Network activity
UDP
- 'localhost':59805
- 'localhost':58266
- 'localhost':65323
Miscellaneous
Searches for the following windows
- ClassName: 'EDIT' WindowName: ''
Creates and executes the following
- '%TEMP%\rarsfx0\iuhcvafgk.bin' hbkcofl.docx
- '%WINDIR%\syswow64\wscript.exe' "%TEMP%\RarSFX0\run.vbs"
- '%WINDIR%\syswow64\cmd.exe' /c ipconfig /release' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c iuhcvafgk.bin hbkcofl.docx' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c ipconfig /renew' (with hidden window)
Executes the following
- '%WINDIR%\syswow64\wscript.exe' jff-b.vbe
- '%WINDIR%\syswow64\cmd.exe' /c ipconfig /release
- '%WINDIR%\syswow64\cmd.exe' /c iuhcvafgk.bin hbkcofl.docx
- '%WINDIR%\syswow64\ipconfig.exe' /release
- '%WINDIR%\syswow64\cmd.exe' /c ipconfig /renew
- '%WINDIR%\syswow64\ipconfig.exe' /renew