Trojan.DownLoader49.35785

Technical Information

Malicious functions

To complicate detection of its presence in the operating system,

adds antivirus exclusion:

'%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath '<Current directory>\'

Modifies file system

Creates the following files

%HOMEPATH%\desktop\congthanhxuapc.com.lnk
<Current directory>\host.ini.lock
<Current directory>\host.ini.gq4408
<Current directory>\gamemanifest.xml
<Current directory>\temp\.ftpquota
<Current directory>\temp\configautoupdate.ini
<Current directory>\temp\add.bat
<Current directory>\add.bat
<Current directory>\temp\404.html
<Current directory>\temp\502.html
<Current directory>\temp\client.dll
<Current directory>\temp\config.dat
<Current directory>\temp\config.exe
<Current directory>\temp\config.ini
<Current directory>\temp\config_backup.ini
<Current directory>\temp\configrunauto.ini
<Current directory>\temp\dietvirus.rar
<Current directory>\temp\engine.dll
<Current directory>\temp\error_log
<Current directory>\temp\filtertext.dll
<Current directory>\temp\game.exe
<Current directory>\temp\jxreplay.dll
<Current directory>\temp\lualibdll.dll
<Current directory>\temp\manhinhlon.bat
<Current directory>\temp\mfc80.dll
<Current directory>\temp\microsoft.vc80.crt.manifest
<Current directory>\temp\microsoft.vc80.mfc.manifest
<Current directory>\temp\msvcm80.dll
<Current directory>\temp\msvcp80.dll
<Current directory>\temp\msvcp100.dll
<Current directory>\temp\msvcp100d.dll
<Current directory>\temp\msvcp120.dll
<Current directory>\temp\msvcp120d.dll
<Current directory>\temp\msvcr80.dll
<Current directory>\temp\msvcr100.dll
<Current directory>\temp\msvcr100d.dll
<Current directory>\temp\msvcr120.dll
<Current directory>\temp\msvcr120d.dll
<Current directory>\temp\package.ini
<Current directory>\temp\package1.ini
<Current directory>\temp\rainbow.dll
<Current directory>\temp\represent2.dll
<Current directory>\temp\represent3.dll
<Current directory>\temp\runauto.exe
<Current directory>\temp\update.xml
<Current directory>\temp\version.ini
<Current directory>\temp\version.xml
<Current directory>\temp\vltk.ico
<Current directory>\temp\vn.fon
<Current directory>\temp\zlib.dll
<Current directory>\temp\package_1024.ini
<Current directory>\temp\fix-vao-game.bat
<Current directory>\temp\fprotectclient.dll
<Current directory>\temp\gameprotect.sys
<Current directory>\temp\guards.dll
<Current directory>\temp\pak50.dll
<Current directory>\temp\tattuongluawin.zip
<Current directory>\temp\unpak50.dll
<Current directory>\temp\antigame.ini
<Current directory>\temp\antivolam.ini
<Current directory>\temp\autoupdate.zip
<Current directory>\temp\autoupdate.exe
<Current directory>\host.ini.hp4408
<Current directory>\host.ini.hp3808

Deletes following files that it created itself

<Current directory>\host.ini.lock
<Current directory>\gamemanifest.xml
<Current directory>\add.bat
<Current directory>\config_backup.ini

Moves the following files

from <Current directory>\host.ini.gq4408 to <Current directory>\host.ini
from <Current directory>\temp\.ftpquota to <Current directory>\.ftpquota
from <Current directory>\temp\404.html to <Current directory>\404.html
from <Current directory>\temp\502.html to <Current directory>\502.html
from <Current directory>\temp\antigame.ini to <Current directory>\antigame.ini
from <Current directory>\temp\antivolam.ini to <Current directory>\antivolam.ini
from <Current directory>\temp\autoupdate.exe to <Current directory>\autoupdate.exe
from <Current directory>\temp\autoupdate.zip to <Current directory>\autoupdate.zip
from <Current directory>\temp\client.dll to <Current directory>\client.dll
from <Current directory>\temp\config.dat to <Current directory>\config.dat
from <Current directory>\temp\config.exe to <Current directory>\config.exe
from <Current directory>\temp\config.ini to <Current directory>\config.ini
from <Current directory>\temp\config_backup.ini to <Current directory>\config_backup.ini
from <Current directory>\temp\configautoupdate.ini to <Current directory>\configautoupdate.ini
from <Current directory>\temp\configrunauto.ini to <Current directory>\configrunauto.ini
from <Current directory>\temp\dietvirus.rar to <Current directory>\dietvirus.rar
from <Current directory>\temp\engine.dll to <Current directory>\engine.dll
from <Current directory>\temp\error_log to <Current directory>\error_log
from <Current directory>\temp\filtertext.dll to <Current directory>\filtertext.dll
from <Current directory>\temp\fix-vao-game.bat to <Current directory>\fix-vao-game.bat
from <Current directory>\temp\fprotectclient.dll to <Current directory>\fprotectclient.dll
from <Current directory>\temp\game.exe to <Current directory>\game.exe
from <Current directory>\temp\gameprotect.sys to <Current directory>\gameprotect.sys
from <Current directory>\temp\guards.dll to <Current directory>\guards.dll
from <Current directory>\temp\jxreplay.dll to <Current directory>\jxreplay.dll
from <Current directory>\temp\lualibdll.dll to <Current directory>\lualibdll.dll
from <Current directory>\temp\manhinhlon.bat to <Current directory>\manhinhlon.bat
from <Current directory>\temp\mfc80.dll to <Current directory>\mfc80.dll
from <Current directory>\temp\microsoft.vc80.crt.manifest to <Current directory>\microsoft.vc80.crt.manifest
from <Current directory>\temp\microsoft.vc80.mfc.manifest to <Current directory>\microsoft.vc80.mfc.manifest
from <Current directory>\temp\msvcm80.dll to <Current directory>\msvcm80.dll
from <Current directory>\temp\msvcp100.dll to <Current directory>\msvcp100.dll
from <Current directory>\temp\msvcp100d.dll to <Current directory>\msvcp100d.dll
from <Current directory>\temp\msvcp120.dll to <Current directory>\msvcp120.dll
from <Current directory>\temp\msvcp120d.dll to <Current directory>\msvcp120d.dll
from <Current directory>\temp\msvcp80.dll to <Current directory>\msvcp80.dll
from <Current directory>\temp\msvcr100.dll to <Current directory>\msvcr100.dll
from <Current directory>\temp\msvcr100d.dll to <Current directory>\msvcr100d.dll
from <Current directory>\temp\msvcr120.dll to <Current directory>\msvcr120.dll
from <Current directory>\temp\msvcr120d.dll to <Current directory>\msvcr120d.dll
from <Current directory>\temp\msvcr80.dll to <Current directory>\msvcr80.dll
from <Current directory>\temp\package.ini to <Current directory>\package.ini
from <Current directory>\temp\package1.ini to <Current directory>\package1.ini
from <Current directory>\temp\package_1024.ini to <Current directory>\package_1024.ini
from <Current directory>\temp\pak50.dll to <Current directory>\pak50.dll
from <Current directory>\temp\rainbow.dll to <Current directory>\rainbow.dll
from <Current directory>\temp\represent2.dll to <Current directory>\represent2.dll
from <Current directory>\temp\represent3.dll to <Current directory>\represent3.dll
from <Current directory>\temp\runauto.exe to <Current directory>\runauto.exe
from <Current directory>\temp\tattuongluawin.zip to <Current directory>\tattuongluawin.zip
from <Current directory>\temp\unpak50.dll to <Current directory>\unpak50.dll
from <Current directory>\temp\update.xml to <Current directory>\update.xml
from <Current directory>\temp\version.ini to <Current directory>\version.ini
from <Current directory>\temp\version.xml to <Current directory>\version.xml
from <Current directory>\temp\vltk.ico to <Current directory>\vltk.ico
from <Current directory>\temp\vn.fon to <Current directory>\vn.fon
from <Current directory>\temp\zlib.dll to <Current directory>\zlib.dll
from <Current directory>\host.ini.hp4408 to <Current directory>\host.ini

Substitutes the following files

<Current directory>\host.ini.lock
<Current directory>\add.bat
<Current directory>\host.ini.hp4408
<Current directory>\config_backup.ini
<Current directory>\host.ini
<Current directory>\gamemanifest.xml
<Current directory>\temp\.ftpquota
<Current directory>\temp\add.bat
<Current directory>\temp\config_backup.ini

Network activity

Connects to

'up####.#ongthanhxuapc.com':80
'co####anhxuapc.com':443
'st####.##oudflareinsights.com':443

TCP

HTTP GET requests

Other

'co####anhxuapc.com':443
'st####.##oudflareinsights.com':443

UDP

DNS ASK up####.#ongthanhxuapc.com
DNS ASK co####anhxuapc.com
DNS ASK st####.##oudflareinsights.com

Miscellaneous

Restarts the analyzed sample

Executes the following

'%WINDIR%\syswow64\cmd.exe' /c C:/uizkpuwe/add.bat
'%WINDIR%\syswow64\cmd.exe' /c C:/uizkpuwe/add.bat' (with hidden window)

テクノロジー

用語

トレーニングコースおよび啓蒙プロジェクト

アンチウイルスに関する誤解と噂

Technical Information

Curing recommendations

Free trial