Trojan.DownLoader13.30029

Technical Information

To ensure autorun and distribution:

Modifies the following registry keys:

[<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'Backup Connectivity Telephony Connection' = 'C:\vwbqwocwnsgazd\yqknhwwdptvw.exe'

Creates the following services:

[<HKLM>\SYSTEM\ControlSet001\Services\WMI Portable Log Secondary WinHTTP] 'Start' = '00000002'

Malicious functions:

Creates and executes the following:

'C:\vwbqwocwnsgazd\bmnlkramw.exe' "c:\vwbqwocwnsgazd\yqknhwwdptvw.exe"
'C:\vwbqwocwnsgazd\yqknhwwdptvw.exe'
'C:\vwbqwocwnsgazd\qttl2nd5h6ptnwhizcj.exe'

Modifies file system :

Creates the following files:

C:\vwbqwocwnsgazd\yqknhwwdptvw.exe
C:\vwbqwocwnsgazd\bmnlkramw.exe
C:\vwbqwocwnsgazd\amexv9bzg
%WINDIR%\vwbqwocwnsgazd\xhyajbol
C:\vwbqwocwnsgazd\xhyajbol
C:\vwbqwocwnsgazd\qttl2nd5h6ptnwhizcj.exe

Sets the 'hidden' attribute to the following files:

C:\vwbqwocwnsgazd\bmnlkramw.exe
C:\vwbqwocwnsgazd\yqknhwwdptvw.exe

Deletes the following files:

C:\vwbqwocwnsgazd\qttl2nd5h6ptnwhizcj.exe
%WINDIR%\vwbqwocwnsgazd\xhyajbol

Network activity:

Connects to:

'pl####ntshare.net':80
'ne####aryshare.net':80
'pl####ntshake.net':80
'ne####aryshake.net':80
'or###happen.net':80
're####ehappen.net':80
'or###nearly.net':80
're####enearly.net':80
'ne####aryhappen.net':80
'he###shake.net':80
'di####ultshare.net':80
'he###happen.net':80
'di####ultshake.net':80
'ne####arynearly.net':80
'pl####nthappen.net':80
'he###share.net':80
'pl####ntnearly.net':80
'he###nshare.net':80
'ge####nearly.net':80
'he###nshake.net':80
'le###rshare.net':80
'ge###eshare.net':80
'va####snearly.net':80
'ge####happen.net':80
'ge###eshake.net':80
'le###rshake.net':80
'or###share.net':80
're####eshare.net':80
'or###shake.net':80
're####eshake.net':80
'le####happen.net':80
'he####happen.net':80
'le####nearly.net':80
'he####nearly.net':80
'di####ulthappen.net':80
're####suppose.net':80
'va####sservice.net':80
're####mister.net':80
'va####ssuppose.net':80
're###nriver.net':80
'de####nearly.net':80
're####service.net':80
'va####sriver.net':80
'va####smister.net':80
'he####uppose.net':80
'ge####suppose.net':80
'he###mister.net':80
'ge####mister.net':80
'he###river.net':80
'ge###eriver.net':80
'he####ervice.net':80
'ge####service.net':80
'an###rshake.net':80
'gl###shake.net':80
'an####happen.net':80
'gl###happen.net':80
'di####ultnearly.net':80
'he###nearly.net':80
'an###rshare.net':80
'gl###share.net':80
'gl###nearly.net':80
'fo####dhappen.net':80
'de###eshake.net':80
'fo####dnearly.net':80
'de####happen.net':80
'fo####dshare.net':80
'an####nearly.net':80
'fo####dshake.net':80
'de###eshare.net':80

TCP:

HTTP GET requests:

http://pl####ntshare.net/index.php?me########
http://ne####aryshare.net/index.php?me########
http://pl####ntshake.net/index.php?me########
http://ne####aryshake.net/index.php?me########
http://or###happen.net/index.php?me########
http://re####ehappen.net/index.php?me########
http://or###nearly.net/index.php?me########
http://re####enearly.net/index.php?me########
http://ne####aryhappen.net/index.php?me########
http://he###shake.net/index.php?me########
http://di####ultshare.net/index.php?me########
http://he###happen.net/index.php?me########
http://di####ultshake.net/index.php?me########
http://ne####arynearly.net/index.php?me########
http://pl####nthappen.net/index.php?me########
http://he###share.net/index.php?me########
http://pl####ntnearly.net/index.php?me########
http://he###nshare.net/index.php?me########
http://ge####nearly.net/index.php?me########
http://he###nshake.net/index.php?me########
http://le###rshare.net/index.php?me########
http://ge###eshare.net/index.php?me########
http://va####snearly.net/index.php?me########
http://ge####happen.net/index.php?me########
http://ge###eshake.net/index.php?me########
http://le###rshake.net/index.php?me########
http://or###share.net/index.php?me########
http://re####eshare.net/index.php?me########
http://or###shake.net/index.php?me########
http://re####eshake.net/index.php?me########
http://le####happen.net/index.php?me########
http://he####happen.net/index.php?me########
http://le####nearly.net/index.php?me########
http://he####nearly.net/index.php?me########
http://di####ulthappen.net/index.php?me########
http://re####suppose.net/index.php?me########
http://va####sservice.net/index.php?me########
http://re####mister.net/index.php?me########
http://va####ssuppose.net/index.php?me########
http://re###nriver.net/index.php?me########
http://de####nearly.net/index.php?me########
http://re####service.net/index.php?me########
http://va####sriver.net/index.php?me########
http://va####smister.net/index.php?me########
http://he####uppose.net/index.php?me########
http://ge####suppose.net/index.php?me########
http://he###mister.net/index.php?me########
http://ge####mister.net/index.php?me########
http://he###river.net/index.php?me########
http://ge###eriver.net/index.php?me########
http://he####ervice.net/index.php?me########
http://ge####service.net/index.php?me########
http://an###rshake.net/index.php?me########
http://gl###shake.net/index.php?me########
http://an####happen.net/index.php?me########
http://gl###happen.net/index.php?me########
http://di####ultnearly.net/index.php?me########
http://he###nearly.net/index.php?me########
http://an###rshare.net/index.php?me########
http://gl###share.net/index.php?me########
http://gl###nearly.net/index.php?me########
http://fo####dhappen.net/index.php?me########
http://de###eshake.net/index.php?me########
http://fo####dnearly.net/index.php?me########
http://de####happen.net/index.php?me########
http://fo####dshare.net/index.php?me########
http://an####nearly.net/index.php?me########
http://fo####dshake.net/index.php?me########
http://de###eshare.net/index.php?me########

UDP:

DNS ASK pl####ntshare.net
DNS ASK ne####aryshare.net
DNS ASK pl####ntshake.net
DNS ASK ne####aryshake.net
DNS ASK or###happen.net
DNS ASK re####ehappen.net
DNS ASK or###nearly.net
DNS ASK re####enearly.net
DNS ASK ne####aryhappen.net
DNS ASK he###shake.net
DNS ASK di####ultshare.net
DNS ASK he###happen.net
DNS ASK di####ultshake.net
DNS ASK ne####arynearly.net
DNS ASK pl####nthappen.net
DNS ASK he###share.net
DNS ASK pl####ntnearly.net
DNS ASK or###shake.net
DNS ASK ge####nearly.net
DNS ASK ge####happen.net
DNS ASK le###rshare.net
DNS ASK he###nshare.net
DNS ASK va####snearly.net
DNS ASK re####nearly.net
DNS ASK ge###eshake.net
DNS ASK ge###eshare.net
DNS ASK he###nshake.net
DNS ASK re####eshare.net
DNS ASK le####nearly.net
DNS ASK re####eshake.net
DNS ASK or###share.net
DNS ASK he####happen.net
DNS ASK le###rshake.net
DNS ASK he####nearly.net
DNS ASK le####happen.net
DNS ASK re####suppose.net
DNS ASK va####sservice.net
DNS ASK re####mister.net
DNS ASK va####ssuppose.net
DNS ASK re###nriver.net
DNS ASK de####nearly.net
DNS ASK re####service.net
DNS ASK va####sriver.net
DNS ASK va####smister.net
DNS ASK he####uppose.net
DNS ASK ge####suppose.net
DNS ASK he###mister.net
DNS ASK ge####mister.net
DNS ASK he###river.net
DNS ASK ge###eriver.net
DNS ASK he####ervice.net
DNS ASK ge####service.net
DNS ASK fo####dnearly.net
DNS ASK gl###shake.net
DNS ASK an###rshare.net
DNS ASK gl###happen.net
DNS ASK an###rshake.net
DNS ASK he###nearly.net
DNS ASK di####ulthappen.net
DNS ASK gl###share.net
DNS ASK di####ultnearly.net
DNS ASK an####happen.net
DNS ASK de###eshake.net
DNS ASK fo####dshake.net
DNS ASK de####happen.net
DNS ASK fo####dhappen.net
DNS ASK an####nearly.net
DNS ASK gl###nearly.net
DNS ASK de###eshare.net
DNS ASK fo####dshare.net

Miscellaneous:

Searches for the following windows:

ClassName: 'Shell_TrayWnd' WindowName: ''

Tecnologías

Términos

Formación y educación

Mitos

Technical Information

Curing recommendations

Free trial