Trojan.DownLoader25.16539

Technical Information

Malicious functions:

Executes the following:

'%TEMP%\evb1.tmp' <File name>

Injects code into

the following user processes:

evb1.tmp

Searches for windows to

detect analytical utilities:

ClassName: '', WindowName: 'Fiddler - HTTP Debugging Proxy'
ClassName: 'OLLYDBG', WindowName: ''

Modifies file system:

Creates the following files:

%TEMP%\~DF466B.tmp
%TEMP%\evb1.tmp
%ProgramFiles%\Internet Explorer\MUI\0409\Lkbstrik.ocx
C:\envset\PBconfig.bat
%HOMEPATH%\Local Settings\<INETFILES>\Content.IE5\KHMHGZ4F\statustrial[1].php
C:\hgtfywz.txt
%TEMP%\~DF7EA2.tmp
C:\DataProgram.txt
%ProgramFiles%\Internet Explorer\MUI\0409\Lmbstrik.ocx
%ProgramFiles%\Internet Explorer\MUI\0409\COMDLG32.OCX
%ProgramFiles%\Internet Explorer\MUI\0409\MSINET.OCX
%ProgramFiles%\Internet Explorer\MUI\0409\AnTRep.ocx
%ProgramFiles%\Internet Explorer\MUI\0409\gcinfo32.ocx
%ProgramFiles%\Internet Explorer\MUI\0409\mswinsck.ocx
%ProgramFiles%\Internet Explorer\MUI\0409\SYSINFO.OCX
%ProgramFiles%\Internet Explorer\MUI\0409\comctl32.ocx
%ProgramFiles%\Internet Explorer\MUI\0409\MSCOMCTL.OCX

Deletes the following files:

%WINDIR%\setupapi.log
%WINDIR%\setupact.log
%WINDIR%\spupdsvc.log
%WINDIR%\setuperr.log
%WINDIR%\ocmsn.log
%WINDIR%\ocgen.log
%WINDIR%\sessmgr.setup.log
%WINDIR%\regopt.log
%WINDIR%\Sti_Trace.log
%WINDIR%\WindowsUpdate.log
%WINDIR%\wiaservc.log
%TEMP%\~DF7EA2.tmp
%WINDIR%\wmsetup.log
%WINDIR%\tsoc.log
%WINDIR%\tabletoc.log
%WINDIR%\wiadebug.log
%WINDIR%\updspapi.log
%WINDIR%\ntdtcsetup.log
%WINDIR%\cmsetacl.log
%WINDIR%\0.log
%WINDIR%\comsetup.log
%WINDIR%\COM+.log
%TEMP%\~DF466B.tmp
%TEMP%\evb1.tmp
C:\hgtfywz.txt
C:\DataProgram.txt
%WINDIR%\DtcInstall.log
%WINDIR%\msgsocm.log
%WINDIR%\MedCtrOC.log
%WINDIR%\netfxocm.log
%WINDIR%\msmqinst.log
%WINDIR%\iis6.log
%WINDIR%\FaxSetup.log
%WINDIR%\KB942288-v3.log
%WINDIR%\imsins.log

Modifies the HOSTS file.

Network activity:

Connects to:

'ko###citer.pw':80
'localhost':1037

TCP:

HTTP GET requests:

http://ko###citer.pw/members/cekuser/statustrial.php?e=##########################

UDP:

DNS ASK ko###citer.pw

Miscellaneous:

Searches for the following windows:

ClassName: '' WindowName: 'Cheat Engine 6.2'
ClassName: '' WindowName: 'Cheat Engine 6.1'
ClassName: '' WindowName: 'Cheat Engine 6.0'
ClassName: '' WindowName: 'Cheat Engine 6.3'
ClassName: '' WindowName: 'Cheat Engine 6.6'
ClassName: '' WindowName: 'Cheat Engine 6.5'
ClassName: '' WindowName: 'Cheat Engine 6.4'
ClassName: '' WindowName: 'Track Folder Changes'
ClassName: '' WindowName: 'Directory Monitor - 1.1.3.6 (Admin)'
ClassName: '' WindowName: 'Directory Monitor - 1.1.2.12'
ClassName: '' WindowName: 'Disk Pulse'
ClassName: '' WindowName: 'Cheat Engine 5.4'
ClassName: '' WindowName: 'Memory Viewer'
ClassName: '' WindowName: 'Cheat Engine'
ClassName: '' WindowName: 'WhatChanged 1.07'
ClassName: '' WindowName: 'WhatChanged v1.06'
ClassName: '' WindowName: 'WhatChanged v1.05'
ClassName: '' WindowName: 'Fiddler Web Debugger'
ClassName: '' WindowName: 'Fmon'
ClassName: '' WindowName: 'Microsoft Network Monitor 3.4'
ClassName: '' WindowName: 'Resource Hacker'
ClassName: '' WindowName: 'Cheat Engine 6.9'
ClassName: '' WindowName: 'Cheat Engine 6.8'
ClassName: '' WindowName: 'Cheat Engine 6.7'
ClassName: '' WindowName: 'Cheat Engine 7.0'
ClassName: '' WindowName: 'OllyDbg - KotakCiter.exe'
ClassName: '' WindowName: 'OllyDbg'
ClassName: '' WindowName: 'File Monitor'
ClassName: '' WindowName: 'Directory Monitor'
ClassName: '' WindowName: 'File Activity Monitor Tool v1.0(Beta)'
ClassName: '' WindowName: 'File Activity Monitor Tool v1.0 (Beta)'
ClassName: '' WindowName: 'File Activity Monitor Tool'
ClassName: '' WindowName: 'DirLogger_gui'
ClassName: '' WindowName: 'Watch 4 Folder'
ClassName: '' WindowName: 'FolderChangesView'
ClassName: '' WindowName: 'DirLogger_gui v1.4'
ClassName: '' WindowName: 'Resource Monitor'
ClassName: '' WindowName: 'Update: 8/3/2017'
ClassName: 'Shell_TrayWnd' WindowName: ''
ClassName: '' WindowName: 'File Monitoring'
ClassName: '' WindowName: 'Sentry-go Quick Monitor Console'
ClassName: '' WindowName: 'DRPU PC Data Manager (Basic Edition)'
ClassName: '' WindowName: 'File Monitoring :)'
ClassName: '' WindowName: 'FileReally'
ClassName: '' WindowName: 'PCMate Free Folder Monitor - [c:\]'
ClassName: '' WindowName: 'Free File Monitor - [c:\]'
ClassName: '' WindowName: 'FileReally v0.1 alpha'
ClassName: '' WindowName: 'LastActivityView'
ClassName: '' WindowName: 'Ascendant NFM Network File Monitor'
ClassName: '' WindowName: 'Moo0 File Monitor'
ClassName: '' WindowName: 'DirMon'
ClassName: '' WindowName: 'Watch 4 Folder 2.3'
ClassName: '' WindowName: 'Watch 4 Folder 2.0'
ClassName: '' WindowName: 'TheFolderSpy'
ClassName: '' WindowName: 'Free File Monitor'
ClassName: '' WindowName: 'PC Inspector Folder & Service Guard'
ClassName: '' WindowName: 'TheFolderSpy: Select add item to start working'

TECHNOLOGIES

TERMINOLOGIE

COURS ET EDU

MYTHES

Technical Information

Recommandations pour le traitement

Free trial