Technical Information
To ensure autorun and distribution
Modifies the following registry keys
- [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'CTS' = '%WINDIR%\CTS.exe'
Infects the following executable files
- <Drive name for removable media>:\calc.exe
- %LOCALAPPDATA%\google\chrome\application\42.0.2311.135\delegate_execute.exe
- %LOCALAPPDATA%\google\chrome\application\42.0.2311.135\installer\setup.exe
- %LOCALAPPDATA%\google\chrome\application\42.0.2311.135\nacl64.exe
- %LOCALAPPDATA%\google\chrome\application\chrome.exe
- %APPDATA%\telegram desktop\telegram.exe
- %APPDATA%\telegram desktop\unins000.exe
- %APPDATA%\telegram desktop\updater.exe
- %HOMEPATH%\desktop\dotnetfx45_full_setup.exe
- %HOMEPATH%\desktop\winmine.exe
- %HOMEPATH%\desktop\wrar520.exe
Modifies the file system
Creates the following files
- %TEMP%\yea07nxib6luxu0.exe
- %WINDIR%\cts.exe
- %TEMP%\jusched.log
- %TEMP%\jds659759.tmp\jds659899.tmp
Moves the following files
- from %TEMP%\jds659759.tmp\jds659899.tmp to %TEMP%\jds659759.tmp\yea07nxib6luxu0.exe
Network activity
Connects to
- 'ja#######d-secure.oracle.com':443
TCP
Other
- 'ja#######d-secure.oracle.com':443
UDP
- DNS ASK ja#######d-secure.oracle.com
Miscellaneous
Creates and executes the following
- '%TEMP%\yea07nxib6luxu0.exe'
- '%WINDIR%\cts.exe'
- '%TEMP%\jds659759.tmp\yea07nxib6luxu0.exe'