Win32.HLLW.Phorpiex.80
Added to the Dr.Web virus database:
2013-04-09
Virus description added:
2013-04-19
Technical Information
Malicious functions:
Executes the following:
- <SYSTEM32>\ping.exe 0.0.0.0
- <SYSTEM32>\cmd.exe /c ""%TEMP%\00033ceb.bat" "
Modifies file system:
Creates the following files:
Deletes itself.
Network activity:
Connects to:
- '10#.#1.186.107':80
- 'localhost':1035
TCP:
HTTP GET requests:
- 10#.#1.186.107/pm/link/m.gif
Miscellaneous:
Searches for the following windows:
- ClassName: 'GRQb#3hWIefFpZA4*$8zr7sVH' WindowName: ';3-LrfYoTBcl6g,M?9[i>h2uE0v'
- ClassName: '{ZbKMcG>Vqkdns7#QiCWXOFw' WindowName: 'IHP#A7abl&U5](/Kh3{d.Xgwmy<O'
- ClassName: ';&m7{b3n/XR:x<>NQ]s5' WindowName: 'E9/# jr4y?'
- ClassName: 't&xce.5DkPX(avh9]soj' WindowName: 'FXmLM/>AyGkoCVTS:% {tqDn0Y'
- ClassName: 'oQa1?*S{f7CEBq A%[rd^' WindowName: 'vjlMuxK<;C1.tiP@L$>)'
- ClassName: 'I8R#!xF.04Y;zk &C%<3^iqvs)r' WindowName: 'F4z>)?LO(u7eabNn[-DM25f'
- ClassName: '}UHYCj)Q{nb3SWm4gAt5Pw;' WindowName: ':RHPaK@Z#{uD+FxdLE*ck3m[G%'
- ClassName: 'Ul/<@zg4o8wkS;(O#J!s3' WindowName: 'niwu%Z2(9MBWDQl5m.H^e!,E<*8'
- ClassName: 'Ybr$-@ *}[3gqs<9]S5L^yH' WindowName: ']:XE7WAmbMkr<+^w2a[?(Vpo%$RiP'
- ClassName: '[jK2D]+Q)%hb{m!05u3B?,PVC' WindowName: '3qJ2ex)yrY?vEZ,6$RtDmQ'
- ClassName: 'qu*jL>@ x+' WindowName: '?f&{^[LE+q}-mx ;>w8X'
- ClassName: 'hc+o>Q' WindowName: '3)5dM>Y?@Ui.B$co;/,uW&l!'
- ClassName: ';&M#:?H6Yzf.aO}Do2nbljCw' WindowName: 'POyFce-#nU0H 1/>iNZ(SRGV'
- ClassName: 'I' WindowName: '<pl;[B:bJvSGXk1wids/&c'
- ClassName: 'YoM+,!Bnah);u%zTVb D' WindowName: 'W0w-O@y#Np}nz*su81]<^(>jY+T[$'
- ClassName: '}XT[4otL^EiJN7:V?eM(xl3Obj0' WindowName: 'v?Uy&8sxw5Q^}[JIA*;7R<WP'
- ClassName: 'R>qX<^BlGmf]zY?ZsoeI ' WindowName: 'kXF;rx*Lbh{nlpsCa@Y0)W#4S'
- ClassName: '.1HOlPyjNr{SeZ(G96hxF)ap' WindowName: 'y@<Q9W+e-. lup:Fc56Jx3}C'
- ClassName: '' WindowName: 'Q <poLGN)%mRvD6Z8#fy$'
- ClassName: 'Hk]s[jw(>4g#@.7' WindowName: 'z4mpr9*EdoNIk:QC.Zs&P1,'
- ClassName: 'KSd' WindowName: 'CHExT4Bg/i}rv?.NDQ>AJ'