Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\RunOnce] 'ISG' = '"%TEMP%\<File name>.exe" /cs:0 '
Malicious functions:
Creates and executes the following:
- '%ALLUSERSPROFILE%\Application Data\728dcc\IS728_7.exe' (downloaded from the Internet)
Executes the following:
- '<SYSTEM32>\cmd.exe' /c "%TEMP%\del.bat" >> NUL
- '%ALLUSERSPROFILE%\Application Data\728dcc\IS728_7.exe' /s /i /brc=j /ls=1
Searches for windows to
detect analytical utilities:
- ClassName: 'OLLYDBG' WindowName: ''
Modifies file system:
Creates the following files:
- %ALLUSERSPROFILE%\Application Data\728dcc\InternetSG.exe
- %ALLUSERSPROFILE%\Application Data\728dcc\IS728_7.exe
- %TEMP%\del.bat
- <Current directory>\hy<File name>.exe\<File name>.exe
- %TEMP%\<File name>.exe
- %TEMP%\~DFA213.tmp
Deletes the following files:
- %TEMP%\~DFA213.tmp
- %ALLUSERSPROFILE%\Application Data\728dcc\InternetSG.exe
- <Current directory>\hy<File name>.exe\<File name>.exe
Deletes itself.
Network activity:
Connects to:
- '76.##.19.180':80
- '74.##.198.253':80
- '74.##.198.254':80
TCP:
HTTP GET requests:
- http://re#####.#ilaflopqaxjaioper.com/?6f################################################################################################################################################# via 76...
- http://up#####.#ilaflopqaxjaioper.com/index.php?6f###############################################################################################################################################...
- http://up#####.#ilaflopqaxjaioper.com/index.php?6f############################################################################### via 74.##.198.254
- http://up#####.#ilaflopqaxjaioper.com/index.php?6f############################################################################### via 74.##.198.253
Miscellaneous:
Searches for the following windows:
- ClassName: 'TMainWindowISG' WindowName: ''
- ClassName: 'Shell_TrayWnd' WindowName: ''
