Technical Information
Malicious functions:
Creates and executes the following:
- '%TEMP%\javaSetup.exe' /s REBOOT=Suppress JAVAUPDATE=0 WEBSTARTICON=0
- '%TEMP%\javaSetup.exe' (downloaded from the Internet)
Executes the following:
- '<SYSTEM32>\cscript.exe' //NoLogo %TEMP%\hd.vbs
Modifies file system:
Creates the following files:
- %PROGRAM_FILES%\Zona\License_uk.rtf
- %PROGRAM_FILES%\Zona\License_ru.rtf
- %PROGRAM_FILES%\Zona\License_en.rtf
- %TEMP%\appdata.7z
- %TEMP%\Zona.7z
- %PROGRAM_FILES%\Zona\utils.jar
- %APPDATA%\Zona\init.xml
- %TEMP%\ZonaInstall.log
- %TEMP%\hd.vbs
- %TEMP%\javaSetup.exe
- %TEMP%\zon2.tmp
Network activity:
Connects to:
- 'i2.#8.net':80
- 'zo#a.ru':80
TCP:
HTTP GET requests:
- zo#a.ru/Zona.7z
- zo#a.ru/appdata.7z
- i2.#8.net/T/gJr_X.jpeg
- zo#a.ru/jre_latest.exe
UDP:
- DNS ASK dl.#ona.ru
- DNS ASK i2.#8.net
- DNS ASK zo#a.ru
Miscellaneous:
Searches for the following windows:
- ClassName: 'Shell_TrayWnd' WindowName: '(null)'
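The behaviour above can be turned directly into host and proxy detection logic. The following is an added example (not code from the report or its author) that checks parsed process-creation and HTTP events against the indicators listed here: Windows Script Host running a script out of a temp directory, an executable in a temp directory started with the silent-install switches shown, the dropped file names under %TEMP%, and the URL paths requested. Because the report masks host names with '#', the network rule matches on URL paths only and the masked hosts are not reconstructed; the sample events, the event dict layout, the function names and the placeholder host 'example.invalid' are all constructed for this example. The window search for 'Shell_TrayWnd' is not covered here.

```python
"""Check process-creation and HTTP events against the behaviour in the report
above. Added example, not part of the original report. Sample events are
constructed; the report masks host names with '#', so the network rule
matches on URL paths only and no host is reconstructed."""
import re
from urllib.parse import urlsplit

# URL paths requested by the sample, taken from the report.
URL_PATHS = {"/Zona.7z", "/appdata.7z", "/jre_latest.exe", "/T/gJr_X.jpeg"}

# Files the sample drops under %TEMP%, taken from the report (compared
# case-insensitively, as Windows file names are).
TEMP_ARTIFACTS = {n.lower() for n in (
    "javaSetup.exe", "hd.vbs", "appdata.7z", "Zona.7z", "zon2.tmp", "ZonaInstall.log")}

# A file name that directly follows %TEMP% (as written in the report) or a
# resolved per-user / system temp directory on a real host.
TEMP_RE = re.compile(r'(?i)(?:%TEMP%|\\Local\\Temp|\\Windows\\Temp)\\([^\\\s"\']+)')

# Script types handled by Windows Script Host (generalizes the .vbs in the report).
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf")


def temp_artifacts(cmdline):
    """Report-listed file names referenced from a temp directory in a command line."""
    return {m.lower() for m in TEMP_RE.findall(cmdline) if m.lower() in TEMP_ARTIFACTS}


def cscript_from_temp(image, cmdline):
    """Windows Script Host running a script that lives in a temp directory.
    The report shows '<SYSTEM32>\\cscript.exe //NoLogo %TEMP%\\hd.vbs'; this also
    covers wscript.exe and the other WSH script extensions."""
    host = image.rsplit("\\", 1)[-1].lower()
    if host not in ("cscript.exe", "wscript.exe"):
        return False
    return any(m.lower().endswith(SCRIPT_EXTS) for m in TEMP_RE.findall(cmdline))


def silent_installer_from_temp(image, cmdline):
    """An executable in a temp directory launched with the silent-install
    switches seen in the report ('/s REBOOT=Suppress ...')."""
    if not TEMP_RE.search(image):
        return False
    tokens = cmdline.lower().split()
    return "/s" in tokens and "reboot=suppress" in tokens


def url_ioc(method, url):
    """Return the matching report path for an HTTP GET, else None."""
    if method.upper() != "GET":
        return None
    path = urlsplit(url if "://" in url else "http://" + url).path
    return path if path in URL_PATHS else None


def scan(events):
    """Run every rule over a list of event dicts; return (rule, event index) hits."""
    hits = []
    for i, ev in enumerate(events):
        if ev["type"] == "process":
            if cscript_from_temp(ev["image"], ev["cmdline"]):
                hits.append(("script_host_from_temp", i))
            if silent_installer_from_temp(ev["image"], ev["cmdline"]):
                hits.append(("silent_installer_from_temp", i))
            if temp_artifacts(ev["cmdline"]):
                hits.append(("report_artifact_in_cmdline", i))
        elif ev["type"] == "http" and url_ioc(ev["method"], ev["url"]):
            hits.append(("http_path_ioc", i))
    return hits


# Constructed sample events in the shape a parsed Sysmon/EDR export or proxy
# log might yield. 'example.invalid' is a placeholder for the masked hosts.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r'"C:\Windows\System32\cscript.exe" //NoLogo C:\Users\u\AppData\Local\Temp\hd.vbs'},
    {"type": "process", "image": r"C:\Users\u\AppData\Local\Temp\javaSetup.exe",
     "cmdline": r'"C:\Users\u\AppData\Local\Temp\javaSetup.exe" /s REBOOT=Suppress JAVAUPDATE=0 WEBSTARTICON=0'},
    {"type": "process", "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r"cscript.exe //NoLogo C:\Scripts\inventory.vbs"},  # benign: script not in temp
    {"type": "http", "method": "GET", "url": "http://example.invalid/Zona.7z"},
    {"type": "http", "method": "GET", "url": "http://example.invalid/index.html"},  # benign
]

if __name__ == "__main__":
    for rule, i in scan(SAMPLE_EVENTS):
        print(rule, SAMPLE_EVENTS[i])
```

The script-host and silent-installer rules are the durable ones: the dropped file names and URL paths are cheap for the operator to change, whereas cscript.exe or wscript.exe executing a script from a temp directory, and a temp-resident binary run with suppressed-reboot silent-install switches, are behaviours worth alerting on regardless of this particular sample.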