Trojan.DownLoader13.1031

Technical Information

To ensure autorun and distribution:

Modifies the following registry keys:

[<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'User-mode Now Foundation Config' = 'C:\wqefednzz\whnqbiekb.exe'

Creates the following services:

[<HKLM>\SYSTEM\ControlSet001\Services\Storage Update Redirector Framework] 'Start' = '00000002'

Malicious functions:

Creates and executes the following:

'C:\wqefednzz\utcpsrj.exe' "c:\wqefednzz\whnqbiekb.exe"
'C:\wqefednzz\whnqbiekb.exe'
'C:\wqefednzz\outz2tpgecjsyocjimva2.exe'

Modifies file system :

Creates the following files:

C:\wqefednzz\whnqbiekb.exe
C:\wqefednzz\utcpsrj.exe
C:\wqefednzz\m7ysfzbvpx
%WINDIR%\wqefednzz\hhddyah
C:\wqefednzz\hhddyah
C:\wqefednzz\outz2tpgecjsyocjimva2.exe

Sets the 'hidden' attribute to the following files:

C:\wqefednzz\utcpsrj.exe
C:\wqefednzz\whnqbiekb.exe

Deletes the following files:

C:\wqefednzz\outz2tpgecjsyocjimva2.exe
%WINDIR%\wqefednzz\hhddyah

Network activity:

Connects to:

'of####eparate.net':80
'al####eparate.net':80
'ch####istant.net':80
'co####edistant.net':80
'of####lothes.net':80
'al####lothes.net':80
'of###health.net':80
'al###health.net':80
'co####eclothes.net':80
'pr####tdistant.net':80
'ch####eparate.net':80
'pr####tclothes.net':80
'th####istant.net':80
'co####ehealth.net':80
'ch####lothes.net':80
'co####eseparate.net':80
'ch###health.net':80
'mo####gseparate.net':80
'ra####health.net':80
'tw####distant.net':80
'ra####separate.net':80
'mo####gclothes.net':80
'ra####distant.net':80
'mo####ghealth.net':80
'ra####clothes.net':80
'mi####distant.net':80
'mi####separate.net':80
'tw####separate.net':80
'of####istant.net':80
'al####istant.net':80
'mi####clothes.net':80
'tw####clothes.net':80
'mi####health.net':80
'tw####health.net':80
'th####lothes.net':80
'hi####ysafety.net':80
'st####efuture.net':80
'hi####yearly.net':80
'st####esafety.net':80
'we####rsmell.net':80
'am###tearly.net':80
'hi####yfuture.net':80
'am###tsmell.net':80
'st####eearly.net':80
'ra####safety.net':80
'mo####gsafety.net':80
'ra###rearly.net':80
'mo####gearly.net':80
'st####esmell.net':80
'hi####ysmell.net':80
'ra####future.net':80
'mo####gfuture.net':80
'th###future.net':80
'cl###future.net':80
'th###safety.net':80
'cl###safety.net':80
'th###health.net':80
'pr####thealth.net':80
'th####eparate.net':80
'pr####tseparate.net':80
'cl###early.net':80
'we####rsafety.net':80
'am####future.net':80
'we####rearly.net':80
'am####safety.net':80
'cl###smell.net':80
'th###early.net':80
'we####rfuture.net':80
'th###smell.net':80

TCP:

HTTP GET requests:

http://of####eparate.net/index.php?me########
http://al####eparate.net/index.php?me########
http://ch####istant.net/index.php?me########
http://co####edistant.net/index.php?me########
http://of####lothes.net/index.php?me########
http://al####lothes.net/index.php?me########
http://of###health.net/index.php?me########
http://al###health.net/index.php?me########
http://co####eclothes.net/index.php?me########
http://pr####tdistant.net/index.php?me########
http://ch####eparate.net/index.php?me########
http://pr####tclothes.net/index.php?me########
http://th####istant.net/index.php?me########
http://co####ehealth.net/index.php?me########
http://ch####lothes.net/index.php?me########
http://co####eseparate.net/index.php?me########
http://ch###health.net/index.php?me########
http://mo####gseparate.net/index.php?me########
http://ra####health.net/index.php?me########
http://tw####distant.net/index.php?me########
http://ra####separate.net/index.php?me########
http://mo####gclothes.net/index.php?me########
http://ra####distant.net/index.php?me########
http://mo####ghealth.net/index.php?me########
http://ra####clothes.net/index.php?me########
http://mi####distant.net/index.php?me########
http://mi####separate.net/index.php?me########
http://tw####separate.net/index.php?me########
http://of####istant.net/index.php?me########
http://al####istant.net/index.php?me########
http://mi####clothes.net/index.php?me########
http://tw####clothes.net/index.php?me########
http://mi####health.net/index.php?me########
http://tw####health.net/index.php?me########
http://th####lothes.net/index.php?me########
http://hi####ysafety.net/index.php?me########
http://st####efuture.net/index.php?me########
http://hi####yearly.net/index.php?me########
http://st####esafety.net/index.php?me########
http://we####rsmell.net/index.php?me########
http://am###tearly.net/index.php?me########
http://hi####yfuture.net/index.php?me########
http://am###tsmell.net/index.php?me########
http://st####eearly.net/index.php?me########
http://ra####safety.net/index.php?me########
http://mo####gsafety.net/index.php?me########
http://ra###rearly.net/index.php?me########
http://mo####gearly.net/index.php?me########
http://st####esmell.net/index.php?me########
http://hi####ysmell.net/index.php?me########
http://ra####future.net/index.php?me########
http://mo####gfuture.net/index.php?me########
http://th###future.net/index.php?me########
http://cl###future.net/index.php?me########
http://th###safety.net/index.php?me########
http://cl###safety.net/index.php?me########
http://th###health.net/index.php?me########
http://pr####thealth.net/index.php?me########
http://th####eparate.net/index.php?me########
http://pr####tseparate.net/index.php?me########
http://cl###early.net/index.php?me########
http://we####rsafety.net/index.php?me########
http://am####future.net/index.php?me########
http://we####rearly.net/index.php?me########
http://am####safety.net/index.php?me########
http://cl###smell.net/index.php?me########
http://th###early.net/index.php?me########
http://we####rfuture.net/index.php?me########
http://th###smell.net/index.php?me########

UDP:

DNS ASK of####eparate.net
DNS ASK al####eparate.net
DNS ASK ch####istant.net
DNS ASK co####edistant.net
DNS ASK of####lothes.net
DNS ASK al####lothes.net
DNS ASK of###health.net
DNS ASK al###health.net
DNS ASK co####eclothes.net
DNS ASK pr####tdistant.net
DNS ASK ch####eparate.net
DNS ASK pr####tclothes.net
DNS ASK th####istant.net
DNS ASK co####ehealth.net
DNS ASK ch####lothes.net
DNS ASK co####eseparate.net
DNS ASK ch###health.net
DNS ASK of####istant.net
DNS ASK ra####health.net
DNS ASK mo####ghealth.net
DNS ASK ra####separate.net
DNS ASK mo####gseparate.net
DNS ASK ra####distant.net
DNS ASK mo####gdistant.net
DNS ASK ra####clothes.net
DNS ASK mo####gclothes.net
DNS ASK tw####distant.net
DNS ASK tw####separate.net
DNS ASK mi####health.net
DNS ASK al####istant.net
DNS ASK mi####separate.net
DNS ASK tw####clothes.net
DNS ASK mi####distant.net
DNS ASK tw####health.net
DNS ASK mi####clothes.net
DNS ASK hi####ysafety.net
DNS ASK st####efuture.net
DNS ASK hi####yearly.net
DNS ASK st####esafety.net
DNS ASK we####rsmell.net
DNS ASK am###tearly.net
DNS ASK hi####yfuture.net
DNS ASK am###tsmell.net
DNS ASK st####eearly.net
DNS ASK ra####safety.net
DNS ASK mo####gsafety.net
DNS ASK ra###rearly.net
DNS ASK mo####gearly.net
DNS ASK st####esmell.net
DNS ASK hi####ysmell.net
DNS ASK ra####future.net
DNS ASK mo####gfuture.net
DNS ASK we####rearly.net
DNS ASK cl###future.net
DNS ASK th####eparate.net
DNS ASK cl###safety.net
DNS ASK th###future.net
DNS ASK pr####thealth.net
DNS ASK th####lothes.net
DNS ASK pr####tseparate.net
DNS ASK th###health.net
DNS ASK th###safety.net
DNS ASK am####future.net
DNS ASK we####rfuture.net
DNS ASK am####safety.net
DNS ASK we####rsafety.net
DNS ASK th###early.net
DNS ASK cl###early.net
DNS ASK th###smell.net
DNS ASK cl###smell.net

Miscellaneous:

Searches for the following windows:

ClassName: 'Shell_TrayWnd' WindowName: ''

TECHNOLOGIES

TERMINOLOGIE

COURS ET EDU

MYTHES

Technical Information

Recommandations pour le traitement

Free trial