Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'coqofofqanco' = '%HOMEPATH%\coqofofqanco.exe'
Modifies file system :
Creates the following files:
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\ncktc[1].htm
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\proro[1].htm
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\kurozu.co[1].htm
- %HOMEPATH%\coqofofqanco.exe
- %APPDATA%\Microsoft\Protect\S-1-5-21-2052111302-484763869-725345543-1003\4ea1672c-83c7-4aed-8a82-2864eadc6c48
- %APPDATA%\Microsoft\Protect\S-1-5-21-2052111302-484763869-725345543-1003\Preferred
- %APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-2052111302-484763869-725345543-1003\ec702f375e1b12d218f67ab9ef19ca23_23ef5514-3059-436f-a4a7-4cefaab20eb1
Sets the 'hidden' attribute to the following files:
- %HOMEPATH%\coqofofqanco.exe
Deletes the following files:
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\kurozu.co[1].htm
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\proro[1].htm
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\ncktc[1].htm
Network activity:
Connects to:
- 'ku###u.co.jp':80
- 'pr##o.net':80
- 'nc##c.edu':80
TCP:
HTTP POST requests:
- ku###u.co.jp/
- pr##o.net/
- nc##c.edu/
UDP:
- DNS ASK ha##ig.nl
- DNS ASK g-#.ro
- DNS ASK so##irt.com
- DNS ASK jo###all.com
- DNS ASK ai##.co.jp
- DNS ASK bi##opl.pl
- DNS ASK fi##bc.com
- DNS ASK aw##.net
- DNS ASK la##0.it
- DNS ASK ir#g.fr
- DNS ASK ri##ter.bg
- DNS ASK ab##l35.com
- DNS ASK no##tel.com
- DNS ASK pl##m.com
- DNS ASK de##r.com
- DNS ASK te###nya.net
- DNS ASK b-##d-p.com
- DNS ASK ea##oen.com
- DNS ASK lu###emo.com
- DNS ASK ko##fm.com
- DNS ASK bc###als.com
- DNS ASK as#a.pl
- DNS ASK si##ate.com
- DNS ASK ge##r.pl
- DNS ASK ho###ree.com
- DNS ASK c-##us.nl
- DNS ASK co##gj.com
- DNS ASK ko###j.co.jp
- DNS ASK be##pak.com
- DNS ASK ho##zoe.com
- DNS ASK ma###ane.com
- DNS ASK up###.com.uy
- DNS ASK di##-car.pl
- DNS ASK id#.com.ve
- DNS ASK wi##ech.com
- DNS ASK ca##all.com
- DNS ASK ab##ft.com
- DNS ASK ad##cu.org
- DNS ASK ki##net.org
- DNS ASK ho##trup.dk
- DNS ASK go##re.com
- DNS ASK 3a###.com.tw
- DNS ASK ba##lba.com
- DNS ASK hr##et.org
- DNS ASK bi##ly.ru
- DNS ASK bt###.com.au
- DNS ASK cu###sto.com
- DNS ASK e-###eya.com
- DNS ASK mi###sha.com
- DNS ASK ca##mc.net
- DNS ASK 2c##i.com
- DNS ASK aw##a.nl
- DNS ASK sa###pan.com
- DNS ASK si###abe.net
- DNS ASK do##ci.nl
- DNS ASK cc##cpa.com
- DNS ASK pt#e.ch
- DNS ASK xp##.com.mx
- DNS ASK ox##og.com
- DNS ASK oo###anj.com
- DNS ASK in##col.com
- DNS ASK fa##m.pl
- DNS ASK ma##et.com
- DNS ASK t-##fg.com
- DNS ASK tu##nde.de
- DNS ASK ku##den.com
- DNS ASK nc##c.edu
- DNS ASK pr##o.net
- DNS ASK ku###u.co.jp
- DNS ASK su##ou.org
- DNS ASK ae##us.at
- DNS ASK ap##ck.com
- DNS ASK sc##n.com
- DNS ASK cl###ild.com
- DNS ASK pl##y.com
- DNS ASK hs##-ul.com
- DNS ASK ys##o.com
- DNS ASK ko##post.ru
- DNS ASK ho###ent.com
- DNS ASK jr##.net
- DNS ASK co###.com.ec
- DNS ASK wi##ya.lk
- DNS ASK gp##co.com
- DNS ASK lg##c.com
- DNS ASK et###ook.com
- DNS ASK ra##s.net
- DNS ASK je##ter.com
- DNS ASK vs###.com.tw
- DNS ASK no###.com.sa
- DNS ASK at##lit.com
- DNS ASK mm##i.com
- DNS ASK sr##d.jp
- DNS ASK ru##ul.com
- DNS ASK ss###elce.pl
- DNS ASK pe##cin.com
- DNS ASK ne##pak.nl
- DNS ASK nw##.org
- DNS ASK ny##aw.com
- DNS ASK kw##k.ca
- DNS ASK de##l.pl
Miscellaneous:
Searches for the following windows:
- ClassName: 'Shell_TrayWnd' WindowName: '(null)'
- ClassName: 'Indicator' WindowName: '(null)'