Technical Information
Malicious functions:
Creates and executes the following:
- '%TEMP%\crgg.exe' jupiter.mistralaucanada.com Pravo-na-mest.zip
- '%TEMP%\stpf.exe' 42bd6f2fd09d905f5914e8e29e43c5f1 jupiter.mistralaucanada.com /images/srvr/partner/send.php 6
- '%TEMP%\ext.exe'
Executes the following:
- '<SYSTEM32>\cmd.exe' /c ""%PROGRAM_FILES%\Ata\Turk\zapppp.bat" "
- '<SYSTEM32>\wscript.exe' "%PROGRAM_FILES%\Ata\Turk\slkndfgslkdvnaa.vbs"
- '<SYSTEM32>\wscript.exe' "%PROGRAM_FILES%\Ata\Turk\panraldfiwo.vbs"
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\stpf.exe.bat" stpf.exe 42bd6f2fd09d905f5914e8e29e43c5f1 jupiter.mistralaucanada.com /images/srvr/partner/send.php 6"
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\ext.exe.bat" ext.exe "
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\crgg.exe.bat" crgg.exe jupiter.mistralaucanada.com Pravo-na-mest.zip"
Modifies file system :
Creates the following files:
- %PROGRAM_FILES%\Ata\Turk\panraldfiwo.vbs
- %PROGRAM_FILES%\Ata\Turk\slkndfgslkdvnaa.vbs
- %TEMP%\$inst\temp_0.tmp
- %PROGRAM_FILES%\Ata\Turk\pdvdhh.zxc
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\send[1].htm
- %PROGRAM_FILES%\Ata\Turk\zapppp.bat
- %PROGRAM_FILES%\Ata\Turk\edemdal.ko
- %TEMP%\stpf.exe
- <Current directory>\c
- <Current directory>\s
- %TEMP%\ext.exe
- %TEMP%\aee3d3dba1104a82962646fca634a1a6
- %TEMP%\$inst\2.tmp
- %TEMP%\crgg.exe
Deletes the following files:
- %TEMP%\stpf.exe
- %TEMP%\crgg.exe
- %TEMP%\ext.exe
- %TEMP%\$inst\2.tmp
- <Current directory>\s
- <Current directory>\c
- %TEMP%\$inst\temp_0.tmp
- %TEMP%\aee3d3dba1104a82962646fca634a1a6
Modifies the HOSTS file.
Network activity:
Connects to:
- '96.##.190.62':1212
- 'localhost':1037
- 'ju#####.mistralaucanada.com':80
UDP:
- DNS ASK ju#####.mistralaucanada.com
Miscellaneous:
Searches for the following windows:
- ClassName: 'Shell_TrayWnd' WindowName: '(null)'