Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] '4281963cad02b10cf4d327e9b45c6225' = '"%TEMP%\afwServ.EXE" ..'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] '4281963cad02b10cf4d327e9b45c6225' = '"%TEMP%\afwServ.EXE" ..'
Creates or modifies the following files:
- %HOMEPATH%\Start Menu\Programs\Startup\4281963cad02b10cf4d327e9b45c6225.exe
Malicious functions:
To bypass firewall, removes or modifies the following registry keys:
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%TEMP%\afwServ.EXE' = '%TEMP%\afwServ.EXE:*:Enabled:afwServ.EXE'
Creates and executes the following:
- '%TEMP%\afwServ.EXE'
Executes the following:
- '<SYSTEM32>\netsh.exe' firewall add allowedprogram "%TEMP%\afwServ.EXE" "afwServ.EXE" ENABLE
Modifies file system :
Creates the following files:
- %TEMP%\afwServ.EXE
Network activity:
Connects to:
- 'ho#####olove.no-ip.org':49842
UDP:
- DNS ASK ho#####olove.no-ip.org
Miscellaneous:
Searches for the following windows:
- ClassName: 'Indicator' WindowName: '(null)'