Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Active Setup\Installed Components\{E352779C-2F54-428f-85AB-9A2D337D39D5}] 'stubpath' = ''
Malicious functions:
Creates and executes the following:
- '<SYSTEM32>\indskelwb.exe'
- 'C:\Client.exe'
- 'C:\server.exe'
Executes the following:
- '<SYSTEM32>\userinit.exe'
Injects code into
the following system processes:
- <SYSTEM32>\userinit.exe
Modifies file system :
Creates the following files:
- <SYSTEM32>\indskelwb.exe_lang.ini
- %TEMP%\169703_res.tmp
- C:\server.exe
- C:\Client.exe
- <SYSTEM32>\indskelwb.exe
Moves the following files:
- from %TEMP%\169703_res.tmp to %TEMP%\169796_lang.dll
Network activity:
Connects to:
- 'to######ker.webkebi.co.kr':9997
- 'in###g.wowip.kr':80
UDP:
- DNS ASK to######ker.webkebi.co.kr
- DNS ASK in###g.wowip.kr
Miscellaneous:
Searches for the following windows:
- ClassName: 'Shell_TrayWnd' WindowName: '(null)'