Trojan.DownLoader11.38671

Technical Information

To ensure autorun and distribution:

Modifies the following registry keys:

[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Source Link File Secure Reporting Group' = '%APPDATA%\gceaqeh\cevvstcaopm.exe'

Malicious functions:

Creates and executes the following:

'%APPDATA%\gceaqeh\tcpqrqpvnm.exe' "%APPDATA%\gceaqeh\cevvstcaopm.exe"
'%APPDATA%\gceaqeh\cevvstcaopm.exe'

Executes the following:

'<SYSTEM32>\wbem\wmiadap.exe' /R /T

Modifies file system :

Creates the following files:

%APPDATA%\gceaqeh\cevvstcaopm.oksx
%APPDATA%\gceaqeh\tcpqrqpvnm.exe
%APPDATA%\gceaqeh\cevvstcaopm.exe

Sets the 'hidden' attribute to the following files:

%APPDATA%\gceaqeh\tcpqrqpvnm.exe
%APPDATA%\gceaqeh\cevvstcaopm.exe

Deletes the following files:

<SYSTEM32>\PerfStringBackup.TMP
<SYSTEM32>\wbem\Performance\WmiApRpl.ini

Network activity:

Connects to:

'le####however.net':80
'he####period.net':80
'he####however.net':80
'ge####choose.net':80
'he###choose.net':80
'he####choose.net':80
'le####choose.net':80
'le####although.net':80
'le####period.net':80
'he####although.net':80
'va####salthough.net':80
're####choose.net':80
're####although.net':80
're####period.net':80
'va####speriod.net':80
'ge####although.net':80
'he####lthough.net':80
'ge####period.net':80
'va####schoose.net':80
'ge####however.net':80
'pl#####talthough.net':80
'ne####arychoose.net':80
'ne#####ryalthough.net':80
'ne####aryperiod.net':80
'pl####ntperiod.net':80
'he###period.net':80
'di####ultperiod.net':80
'di#####lthowever.net':80
'pl####ntchoose.net':80
'he####owever.net':80
'or###period.net':80
're####ealthough.net':80
're####eperiod.net':80
're####ehowever.net':80
'or####owever.net':80
'ne#####ryhowever.net':80
'pl####nthowever.net':80
'or###choose.net':80
'or####lthough.net':80
're####echoose.net':80

TCP:

HTTP GET requests:

le####however.net/forum/search.php?em################################################
he####period.net/forum/search.php?em################################################
he####however.net/forum/search.php?em################################################
ge####choose.net/forum/search.php?em################################################
he###choose.net/forum/search.php?em################################################
he####choose.net/forum/search.php?em################################################
le####choose.net/forum/search.php?em################################################
le####although.net/forum/search.php?em################################################
le####period.net/forum/search.php?em################################################
he####although.net/forum/search.php?em################################################
va####salthough.net/forum/search.php?em################################################
re####choose.net/forum/search.php?em################################################
re####although.net/forum/search.php?em################################################
re####period.net/forum/search.php?em################################################
va####speriod.net/forum/search.php?em################################################
ge####although.net/forum/search.php?em################################################
he####lthough.net/forum/search.php?em################################################
ge####period.net/forum/search.php?em################################################
va####schoose.net/forum/search.php?em################################################
ge####however.net/forum/search.php?em################################################
pl#####talthough.net/forum/search.php?em################################################
ne####arychoose.net/forum/search.php?em################################################
ne#####ryalthough.net/forum/search.php?em################################################
ne####aryperiod.net/forum/search.php?em################################################
pl####ntperiod.net/forum/search.php?em################################################
he###period.net/forum/search.php?em################################################
di####ultperiod.net/forum/search.php?em################################################
di#####lthowever.net/forum/search.php?em################################################
pl####ntchoose.net/forum/search.php?em################################################
he####owever.net/forum/search.php?em################################################
or###period.net/forum/search.php?em################################################
re####ealthough.net/forum/search.php?em################################################
re####eperiod.net/forum/search.php?em################################################
re####ehowever.net/forum/search.php?em################################################
or####owever.net/forum/search.php?em################################################
ne#####ryhowever.net/forum/search.php?em################################################
pl####nthowever.net/forum/search.php?em################################################
or###choose.net/forum/search.php?em################################################
or####lthough.net/forum/search.php?em################################################
re####echoose.net/forum/search.php?em################################################

UDP:

DNS ASK he####however.net
DNS ASK le####however.net
DNS ASK he###choose.net
DNS ASK he####lthough.net
DNS ASK ge####choose.net
DNS ASK le####although.net
DNS ASK he####choose.net
DNS ASK he####although.net
DNS ASK he####period.net
DNS ASK le####period.net
DNS ASK re####although.net
DNS ASK va####salthough.net
DNS ASK va####speriod.net
DNS ASK va####showever.net
DNS ASK re####period.net
DNS ASK ge####period.net
DNS ASK ge####although.net
DNS ASK ge####however.net
DNS ASK re####choose.net
DNS ASK va####schoose.net
DNS ASK le####choose.net
DNS ASK pl#####talthough.net
DNS ASK ne####arychoose.net
DNS ASK ne#####ryalthough.net
DNS ASK ne####aryperiod.net
DNS ASK pl####ntperiod.net
DNS ASK he###period.net
DNS ASK di####ultperiod.net
DNS ASK di#####lthowever.net
DNS ASK pl####ntchoose.net
DNS ASK he####owever.net
DNS ASK or###period.net
DNS ASK re####ealthough.net
DNS ASK re####eperiod.net
DNS ASK re####ehowever.net
DNS ASK or####owever.net
DNS ASK ne#####ryhowever.net
DNS ASK pl####nthowever.net
DNS ASK or###choose.net
DNS ASK or####lthough.net
DNS ASK re####echoose.net

Miscellaneous:

Searches for the following windows:

ClassName: 'Shell_TrayWnd' WindowName: ''
ClassName: 'Indicator' WindowName: ''

技术

术语

教育培训

误区

Technical Information

Curing recommendations

Free trial