Technical Information
Malicious functions:
Executes the following:
- '<SYSTEM32>\wbem\wmiadap.exe' /R /T
Modifies file system :
Creates the following files:
- %TEMP%\ish188093\images\Close.png
- %TEMP%\ish188093\images\Close_Hover.png
- %TEMP%\ish188093\form.bmp.Mask
- %TEMP%\ish188093\images\BG.png
- %TEMP%\ish188093\images\Color_Button_Hover.png
- %TEMP%\ish188093\images\FooterInfo.png
- %TEMP%\ish188093\images\Color_Button.png
- %TEMP%\ish188093\css\sdk-ui\images\button-bg.png
- %TEMP%\ish188093\css\sdk-ui\images\progress-bg-corner.png
- %TEMP%\ish188093\css\sdk-ui\checkbox.css
- %PROGRAM_FILES%\is188609.log
- %TEMP%\ish188093\css\sdk-ui\progress-bar.css
- %TEMP%\ish188093\csshover3.htc
- %TEMP%\ish188093\css\sdk-ui\images\progress-bg.png
- %TEMP%\ish188093\css\sdk-ui\images\progress-bg2.png
- %TEMP%\ish188093\images\ProgressBar.png
- %TEMP%\ish188093\locale\EN.locale
- %TEMP%\ish188093\images\Progress.png
- %TEMP%\is1218200230\1328138370.cfg
- %HOMEPATH%\Desktop\Continue Allmyapps Installation.lnk
- %TEMP%\0003230A.log
- %TEMP%\0002E797.log
- %TEMP%\ICReinstall_<Virus name>.exe
- %TEMP%\0002E5D2.log
- %TEMP%\ish188093\images\Grey_Button_Hover.png
- %TEMP%\0002E574.log
- %TEMP%\ish188093\images\Grey_Button.png
- %TEMP%\ish188093\images\Loader.gif
- %TEMP%\0002E69D.log
- %TEMP%\0002E630.log
- %TEMP%\is1218200230\1422017402.cfg
- %TEMP%\ish188093\css\sdk-ui\button.css
- %TEMP%\ish176203\css\sdk-ui\images\progress-bg2.png
- %TEMP%\ish176203\css\sdk-ui\progress-bar.css
- %TEMP%\ish176203\css\sdk-ui\images\progress-bg-corner.png
- %TEMP%\ish176203\css\sdk-ui\images\progress-bg.png
- %TEMP%\ish176203\images\BG.png
- %TEMP%\ish176203\images\Close.png
- %TEMP%\ish176203\csshover3.htc
- %TEMP%\ish176203\form.bmp.Mask
- %TEMP%\ish176203\css\ie6_main.css
- %TEMP%\ish176203\css\main.css
- %TEMP%\0002AFDD.log
- %TEMP%\ish176203\bg.png
- %TEMP%\ish176203\css\sdk-ui\checkbox.css
- %TEMP%\ish176203\css\sdk-ui\images\button-bg.png
- %TEMP%\ish176203\css\sdk-ui\browse.css
- %TEMP%\ish176203\css\sdk-ui\button.css
- %TEMP%\ish176203\bootstrap_59663.html
- %TEMP%\0002DE7F.log
- %TEMP%\ish176203\images\ProgressBar.png
- %TEMP%\ish176203\locale\EN.locale
- %TEMP%\ish188093\css\main.css
- %TEMP%\ish188093\css\sdk-ui\browse.css
- %TEMP%\ish188093\bg.png
- %TEMP%\ish188093\css\ie6_main.css
- %TEMP%\ish176203\images\Color_Button_Hover.png
- %TEMP%\ish176203\images\FooterInfo.png
- %TEMP%\ish176203\images\Close_Hover.png
- %TEMP%\ish176203\images\Color_Button.png
- %TEMP%\ish176203\images\Loader.gif
- %TEMP%\ish176203\images\Progress.png
- %TEMP%\ish176203\images\Grey_Button.png
- %TEMP%\ish176203\images\Grey_Button_Hover.png
Deletes the following files:
- %TEMP%\ish188093\images\Close_Hover.png
- %TEMP%\ish188093\images\Close.png
- %TEMP%\ish188093\images\Color_Button_Hover.png
- %TEMP%\ish188093\images\Color_Button.png
- %TEMP%\ish188093\images\BG.png
- %TEMP%\ish188093\css\sdk-ui\progress-bar.css
- %TEMP%\ish188093\css\sdk-ui\images\progress-bg2.png
- %TEMP%\ish188093\form.bmp.Mask
- %TEMP%\ish188093\csshover3.htc
- %TEMP%\ish188093\locale\EN.locale
- %TEMP%\ish188093\images\ProgressBar.png
- <SYSTEM32>\PerfStringBackup.TMP
- <SYSTEM32>\wbem\Performance\WmiApRpl.ini
- %TEMP%\ish188093\images\Progress.png
- %TEMP%\ish188093\images\Grey_Button.png
- %TEMP%\ish188093\images\FooterInfo.png
- %TEMP%\ish188093\images\Loader.gif
- %TEMP%\ish188093\images\Grey_Button_Hover.png
- %TEMP%\ish188093\css\sdk-ui\images\progress-bg.png
- %TEMP%\0002E69D.log
- %TEMP%\0002E630.log
- %TEMP%\ish176203\bootstrap_59663.html
- %TEMP%\0002E797.log
- %TEMP%\0002E5D2.log
- %TEMP%\0002DE7F.log
- %TEMP%\0002AFDD.log
- %TEMP%\0002E574.log
- %PROGRAM_FILES%\is188609.log
- %TEMP%\ish188093\css\sdk-ui\checkbox.css
- %TEMP%\ish188093\css\sdk-ui\button.css
- %TEMP%\ish188093\css\sdk-ui\images\progress-bg-corner.png
- %TEMP%\ish188093\css\sdk-ui\images\button-bg.png
- %TEMP%\ish188093\css\sdk-ui\browse.css
- %TEMP%\ish188093\bg.png
- %TEMP%\0003230A.log
- %TEMP%\ish188093\css\main.css
- %TEMP%\ish188093\css\ie6_main.css
Network activity:
Connects to:
- 'ap#.#######core.com.s3.amazonaws.com':80
- 'st####.allmyapps.com':80
- 'ap#.##lmyapps.com':443
- 'os.###myappscdn.com':80
- 'localhost':1041
TCP:
HTTP GET requests:
- st####.allmyapps.com/data/apps/2/1/2171/693cce4ae48a825c60fc61026f430878_icon.png
- ap#.#######core.com.s3.amazonaws.com/Allmyapps/sha1.cis
- ap#.#######core.com.s3.amazonaws.com/Allmyapps/7Zip.cis
HTTP POST requests:
- os.###myappscdn.com/Allmyapps/?v=################
UDP:
- DNS ASK ap#.#######core.com.s3.amazonaws.com
- DNS ASK st####.allmyapps.com
- DNS ASK os.###myappscdn.com
- DNS ASK ap#.##lmyapps.com
Miscellaneous:
Searches for the following windows:
- ClassName: 'MS_WebcheckMonitor' WindowName: ''
- ClassName: 'MS_AutodialMonitor' WindowName: ''
- ClassName: 'Shell_TrayWnd' WindowName: ''