Trojan.DownLoader2.12160

Technical Information

Malicious functions

Modifies settings of Windows Internet Explorer

[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '2201' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '2202' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '2301' = '00000003'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '1001' = '00000001'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '1004' = '00000003'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '1201' = '00000003'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '1206' = '00000003'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '1208' = '00000003'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '1209' = '00000003'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '120A' = '00000003'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '1406' = '00000003'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '1407' = '00000001'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '1607' = '00000003'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '1609' = '00000001'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '160A' = '00000003'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '1800' = '00000001'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '1804' = '00000001'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '1A04' = '00000003'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '2103' = '00000003'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '2104' = '00000003'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '2105' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '2105' = '00000003'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '2104' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '2000' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '1200' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '1201' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '1206' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '1208' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '1209' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '120A' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '1400' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '1405' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '1406' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '1407' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '1607' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '1609' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '160A' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '1800' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '1804' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '1806' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '1A04' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '1004' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '1001' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '2103' = '00000000'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '2301' = '00000000'

Modifies file system

Creates the following files

%TEMP%\autdb51.tmp
%ProgramFiles(x86)%\autocompletepro\is-a9ge0.tmp
%ProgramFiles(x86)%\autocompletepro\is-30de2.tmp
%ProgramFiles(x86)%\autocompletepro\support@predictad.com\defaults\preferences\is-b6iah.tmp
%ProgramFiles(x86)%\autocompletepro\support@predictad.com\chrome\content\is-g744j.tmp
%ProgramFiles(x86)%\autocompletepro\support@predictad.com\chrome\content\is-6jnuc.tmp
%ProgramFiles(x86)%\autocompletepro\support@predictad.com\chrome\content\is-o2tdj.tmp
%ProgramFiles(x86)%\autocompletepro\support@predictad.com\is-n34ss.tmp
%ProgramFiles(x86)%\autocompletepro\support@predictad.com\is-k4cf6.tmp
%ProgramFiles(x86)%\autocompletepro\is-ilrlt.tmp
%ProgramFiles(x86)%\autocompletepro\is-dkgku.tmp
%ProgramFiles(x86)%\autocompletepro\is-98cl9.tmp
%TEMP%\is-d19i7.tmp\issproc.dll
%TEMP%\is-d19i7.tmp\_isetup\_shfoldr.dll
%TEMP%\is-d19i7.tmp\_isetup\_setup64.tmp
%TEMP%\is-d19i7.tmp\_isetup\_regdll.tmp
%TEMP%\is-ulcef.tmp\acpro.tmp
%TEMP%\acpro.exe
%TEMP%\autfcb7.tmp
%LOCALAPPDATA%\microsoft\windows\history\history.ie5\mshist012022042920220430\index.dat
%TEMP%\wfsetup.exe
%TEMP%\is-d19i7.tmp\issproclanguage.ini
%ProgramFiles(x86)%\autocompletepro\unins000.dat

Deletes the following files

%TEMP%\autdb51.tmp
%APPDATA%\microsoft\windows\cookies\user@fbgdc[1].txt
%TEMP%\autfcb7.tmp
%TEMP%\wfsetup.exe
%TEMP%\acpro.exe
%TEMP%\is-d19i7.tmp\issproc.dll
%TEMP%\is-d19i7.tmp\issproclanguage.ini
%TEMP%\is-d19i7.tmp\_isetup\_regdll.tmp
%TEMP%\is-d19i7.tmp\_isetup\_setup64.tmp
%TEMP%\is-d19i7.tmp\_isetup\_shfoldr.dll
%TEMP%\is-ulcef.tmp\acpro.tmp

Moves the following files

from %ProgramFiles(x86)%\autocompletepro\is-98cl9.tmp to %ProgramFiles(x86)%\autocompletepro\unins000.exe
from %ProgramFiles(x86)%\autocompletepro\is-ilrlt.tmp to %ProgramFiles(x86)%\autocompletepro\autocompletepro.dll
from %ProgramFiles(x86)%\autocompletepro\support@predictad.com\is-k4cf6.tmp to %ProgramFiles(x86)%\autocompletepro\support@predictad.com\chrome.manifest
from %ProgramFiles(x86)%\autocompletepro\support@predictad.com\is-n34ss.tmp to %ProgramFiles(x86)%\autocompletepro\support@predictad.com\install.rdf
from %ProgramFiles(x86)%\autocompletepro\support@predictad.com\chrome\content\is-o2tdj.tmp to %ProgramFiles(x86)%\autocompletepro\support@predictad.com\chrome\content\browseroverlay.xul
from %ProgramFiles(x86)%\autocompletepro\support@predictad.com\chrome\content\is-6jnuc.tmp to %ProgramFiles(x86)%\autocompletepro\support@predictad.com\chrome\content\options.js
from %ProgramFiles(x86)%\autocompletepro\support@predictad.com\chrome\content\is-g744j.tmp to %ProgramFiles(x86)%\autocompletepro\support@predictad.com\chrome\content\options.xul
from %ProgramFiles(x86)%\autocompletepro\support@predictad.com\defaults\preferences\is-b6iah.tmp to %ProgramFiles(x86)%\autocompletepro\support@predictad.com\defaults\preferences\predictad.js
from %ProgramFiles(x86)%\autocompletepro\is-30de2.tmp to %ProgramFiles(x86)%\autocompletepro\insttracker.exe
from %ProgramFiles(x86)%\autocompletepro\is-a9ge0.tmp to %ProgramFiles(x86)%\autocompletepro\acremoteupdate.exe
from %ProgramFiles(x86)%\autocompletepro\is-dkgku.tmp to %ProgramFiles(x86)%\autocompletepro\taskscheduler.dll

Modifies the following files

Network activity

Connects to

'fb##c.com':80
'google.com':80
'im#.##doparking.com':80
'in#####.autocompletepro.com':80
'hu###omains.com':443

TCP

HTTP GET requests

http://fb##c.com/click/?s=#############################
http://ww##.fbgdc.com/click/?s=#######################################################################
http://www.google.com/adsense/domains/caf.js
http://im#.##doparking.com/templates/bg/arrows.png
http://ww##.fbgdc.com/favicon.ico
http://in#####.autocompletepro.com/installHandler/?ac############################

Other

'hu###omains.com':443

UDP

DNS ASK fb##c.com
DNS ASK ww##.fbgdc.com
DNS ASK google.com
DNS ASK im#.##doparking.com
DNS ASK in#####.autocompletepro.com
DNS ASK hu###omains.com

Miscellaneous

Searches for the following windows

ClassName: 'Static' WindowName: ''
ClassName: 'MS_AutodialMonitor' WindowName: ''
ClassName: 'MS_WebCheckMonitor' WindowName: ''

Creates and executes the following

'%TEMP%\wfsetup.exe'
'%TEMP%\is-ulcef.tmp\acpro.tmp' /SL5="$13022E,185455,54272,%TEMP%\AcPro.exe" /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SP-
'%ProgramFiles(x86)%\autocompletepro\insttracker.exe' -install -cs:true -si:7999 -ver:1.1 -dir:"%ProgramFiles(x86)%\AutocompletePro"
'%ProgramFiles(x86)%\autocompletepro\insttracker.exe' -install -cs:true -si:7999 -ver:1.1 -dir:"%ProgramFiles(x86)%\AutocompletePro"' (with hidden window)

Executes the following

'%WINDIR%\syswow64\regsvr32.exe' /s AutocompletePro.dll

TECHNOLOGIES

TERMINOLOGIE

COURS ET EDU

MYTHES

Technical Information

Recommandations pour le traitement

Free trial