Trojan.DownLoader25.53594

Technical Information

Malicious functions:

To bypass firewall, removes or modifies the following registry keys:

[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List] '%ProgramFiles%\Wanyx\tool\WYRTLFix.exe' = '%ProgramFiles%\Wanyx\tool\WYR...
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%ProgramFiles%\Wanyx\WYDLPlatform.exe' = '%ProgramFiles%\Wanyx\WYDLPla...
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%ProgramFiles%\Wanyx\tool\WYRTLFix.exe' = '%ProgramFiles%\Wanyx\tool\W...
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%ProgramFiles%\Wanyx\tool\WYPluginFix.exe' = '%ProgramFiles%\Wanyx\too...
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List] '%ProgramFiles%\Wanyx\tool\WYPluginFix.exe' = '%ProgramFiles%\Wanyx\tool\...
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%ProgramFiles%\Wanyx\WYGM.exe' = '%ProgramFiles%\Wanyx\WYGM.exe:*:Enab...
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List] '%ProgramFiles%\Wanyx\WYGM.exe' = '%ProgramFiles%\Wanyx\WYGM.exe:*:Enable...
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List] '%ProgramFiles%\Wanyx\WYFlash.exe' = '%ProgramFiles%\Wanyx\WYFlash.exe:*:...
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List] '%ProgramFiles%\Wanyx\WYDLPlatform.exe' = '%ProgramFiles%\Wanyx\WYDLPlatf...
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%ProgramFiles%\Wanyx\WYFlash.exe' = '%ProgramFiles%\Wanyx\WYFlash.exe:...

Creates and executes the following:

'%ProgramFiles%\Wanyx\tool\WYBubble.exe' -query_action
'%ProgramFiles%\Wanyx\WYUpdate.exe' -update -delay=3 -type=1
'%ProgramFiles%\Wanyx\WYGM.exe' -atonce
'%ProgramFiles%\Wanyx\WYGM.exe' -update_data
'%ProgramFiles%\Wanyx\WYUpdate.exe' -install

Modifies file system:

Creates the following files:

%APPDATA%\Wanyx\slider\slider_201706_20170606164845759.jpg
%HOMEPATH%\Local Settings\<INETFILES>\Content.IE5\KHMHGZ4F\20170606175228788[1].jpg
%APPDATA%\Wanyx\slider\slider_201706_20170606175228788.jpg
%HOMEPATH%\Local Settings\<INETFILES>\Content.IE5\KHMHGZ4F\20170606164839135[1].jpg
%APPDATA%\Wanyx\slider\slider_201706_20170606164839135.jpg
%HOMEPATH%\Local Settings\<INETFILES>\Content.IE5\KHMHGZ4F\20170606164845759[1].jpg
%APPDATA%\Wanyx\slider\slider_201707_20170711163449233.jpg
%HOMEPATH%\Local Settings\<INETFILES>\Content.IE5\KHMHGZ4F\20170711163454540[1].jpg
%APPDATA%\Wanyx\slider\slider_201707_20170711163454540.jpg
%HOMEPATH%\Local Settings\<INETFILES>\Content.IE5\KHMHGZ4F\20170606175233547[1].jpg
%APPDATA%\Wanyx\slider\slider_201706_20170606175233547.jpg
%HOMEPATH%\Local Settings\<INETFILES>\Content.IE5\KHMHGZ4F\20170711163449233[1].jpg
%APPDATA%\Wanyx\data\search.gms
%HOMEPATH%\Local Settings\<INETFILES>\Content.IE5\KHMHGZ4F\CADJY34N
%HOMEPATH%\Local Settings\<INETFILES>\Content.IE5\KHMHGZ4F\update_icon[1].php
%APPDATA%\Wanyx\data\local\recent.xml
%APPDATA%\Wanyx\data\local\user.xml
%APPDATA%\Wanyx\data\search.gms-journal
%HOMEPATH%\Local Settings\<INETFILES>\Content.IE5\KHMHGZ4F\CAOLAHDA.php
%HOMEPATH%\Local Settings\<INETFILES>\Content.IE5\KHMHGZ4F\CAY74D6L.php
%HOMEPATH%\Local Settings\<INETFILES>\Content.IE5\KHMHGZ4F\CA0JYLM5.php
%APPDATA%\Wanyx\config\config.xml
%APPDATA%\Wanyx\cache.xml
%HOMEPATH%\Local Settings\<INETFILES>\Content.IE5\KHMHGZ4F\CAIJ2ZM5.php
%APPDATA%\Wanyx\slider\slider_201707_20170710152127881.jpg
%HOMEPATH%\Local Settings\<INETFILES>\Content.IE5\KHMHGZ4F\20170626173757203[1].jpg
%APPDATA%\Wanyx\slider\slider_201706_20170626173757203.jpg
%HOMEPATH%\Local Settings\<INETFILES>\Content.IE5\KHMHGZ4F\20160523162136750[1].gif
%APPDATA%\Wanyx\slider\slider_201605_20160523162136750.gif
%HOMEPATH%\Local Settings\<INETFILES>\Content.IE5\KHMHGZ4F\20170710152127881[1].jpg
%APPDATA%\Wanyx\slider\slider_201609_20160912133331969.gif
%HOMEPATH%\Local Settings\<INETFILES>\Content.IE5\KHMHGZ4F\20160817130948555[1].gif
%APPDATA%\Wanyx\slider\slider_201608_20160817130948555.gif
%HOMEPATH%\Local Settings\<INETFILES>\Content.IE5\KHMHGZ4F\20170705173206480[1].jpg
%APPDATA%\Wanyx\slider\slider_201707_20170705173206480.jpg
%HOMEPATH%\Local Settings\<INETFILES>\Content.IE5\KHMHGZ4F\20160912133331969[1].gif
%APPDATA%\Wanyx\slider\slider_201707_20170705165927997.jpg
%HOMEPATH%\Local Settings\<INETFILES>\Content.IE5\KHMHGZ4F\20170711163535621[1].png
%APPDATA%\Wanyx\slider\slider_201707_20170711163535621.png
%HOMEPATH%\Local Settings\<INETFILES>\Content.IE5\KHMHGZ4F\20170705165921238[1].jpg
%APPDATA%\Wanyx\slider\slider_201707_20170705165921238.jpg
%HOMEPATH%\Local Settings\<INETFILES>\Content.IE5\KHMHGZ4F\20170705165927997[1].jpg
%APPDATA%\Wanyx\slider\slider_201706_20170626173137285.png
%HOMEPATH%\Local Settings\<INETFILES>\Content.IE5\KHMHGZ4F\20170626173141960[1].png
%APPDATA%\Wanyx\slider\slider_201706_20170626173141960.png
%HOMEPATH%\Local Settings\<INETFILES>\Content.IE5\KHMHGZ4F\20170711163539347[1].png
%APPDATA%\Wanyx\slider\slider_201707_20170711163539347.png
%HOMEPATH%\Local Settings\<INETFILES>\Content.IE5\KHMHGZ4F\20170626173137285[1].png
%ProgramFiles%\Wanyx\msvcr80.dll
%ProgramFiles%\Wanyx\Uninstall.exe
%ProgramFiles%\Wanyx\tool\WYBubble.exe
%ProgramFiles%\Wanyx\WYUIRender.dll
%ProgramFiles%\Wanyx\Microsoft.VC80.CRT.manifest
%ProgramFiles%\Wanyx\msvcp80.dll
%ProgramFiles%\Wanyx\tool\WYTipEx.exe
%ProgramFiles%\Wanyx\tool\WYUp.exe
%ProgramFiles%\Wanyx\tool\WYMini.exe
%ProgramFiles%\Wanyx\tool\WYCommon.dll
%ProgramFiles%\Wanyx\tool\WYUIRender.dll
%ProgramFiles%\Wanyx\tool\WYDLUtils.dll
%ProgramFiles%\Wanyx\WYBrowser.exe
%ProgramFiles%\Wanyx\WYWeb.exe
%ProgramFiles%\Wanyx\WYUpdate.exe
%TEMP%\nsg2.tmp
%ProgramFiles%\Wanyx\WYGM.exe
%ProgramFiles%\Wanyx\WYFlash.exe
%ProgramFiles%\Wanyx\WYCommon.dll
%ProgramFiles%\Wanyx\WYDLUtils.dll
%ProgramFiles%\Wanyx\WYDLPlatform.exe
%ProgramFiles%\Wanyx\WYVersion.dll
%ProgramFiles%\Wanyx\WYBugReport.exe
%ProgramFiles%\Wanyx\WYUrlEncrypt.dll
%HOMEPATH%\Local Settings\<INETFILES>\Content.IE5\KHMHGZ4F\update_database[1].php
%APPDATA%\Microsoft\Internet Explorer\Quick Launch\НжУОП·єР.lnk
%HOMEPATH%\Desktop\НжУОП·єР.lnk
%ProgramFiles%\Wanyx\audio\complete.wav
%HOMEPATH%\Local Settings\<INETFILES>\Content.IE5\KHMHGZ4F\update_hot[1].php
%HOMEPATH%\Local Settings\<INETFILES>\Content.IE5\KHMHGZ4F\update_top[1].php
%HOMEPATH%\Start Menu\Programs\НжУОП·єР\НжУОП·ТіУОґуМь.lnk
%HOMEPATH%\Start Menu\Programs\НжУОП·єР\Р¶ФШНжУОП·єР.lnk
%HOMEPATH%\Local Settings\<INETFILES>\Content.IE5\KHMHGZ4F\stat[1].php
%HOMEPATH%\Desktop\НжУОП·ТіУОґуМь.lnk
%HOMEPATH%\Start Menu\Programs\НжУОП·єР\НжУОП·єР.lnk
%HOMEPATH%\Start Menu\Programs\НжУОП·єР\НжУОП·flashІҐ·ЕЖч.lnk
%ProgramFiles%\Wanyx\tool\msvcp80.dll
%ProgramFiles%\Wanyx\tool\msvcr80.dll
%APPDATA%\Wanyx\data\database.gmx
%ProgramFiles%\Wanyx\tool\WYRTLFix.exe
%ProgramFiles%\Wanyx\tool\WYPluginFix.exe
%ProgramFiles%\Wanyx\tool\Microsoft.VC80.CRT.manifest
%APPDATA%\Wanyx\data\plugin\netwl.gmx
%APPDATA%\Wanyx\data\plugin\inwl.gmx
%APPDATA%\Wanyx\data\plugin\pc.gmx
%APPDATA%\Wanyx\data\plugin\hot.gmx
%APPDATA%\Wanyx\data\plugin\top.gmx
%APPDATA%\Wanyx\data\plugin\scan.gmx

Deletes the following files:

%TEMP%\nsl3.tmp\WYNsisMiniExtend.dll
%TEMP%\nsl3.tmp\System.dll
%APPDATA%\Wanyx\data\search.gms-journal

Substitutes the following files:

%APPDATA%\Wanyx\data\search.gms-journal

Network activity:

Connects to:

'se#####.wanyxbox.com':80
'ic##.#anyxbox.com':80
'up####.wanyxbox.com':80
'st##.#anyxbox.com':80

TCP:

HTTP GET requests:

http://ic##.#anyxbox.com/slider/201707/20170711163535621.png
http://ic##.#anyxbox.com/slider/201707/20170711163539347.png
http://ic##.#anyxbox.com/slider/201706/20170626173137285.png
http://ic##.#anyxbox.com/slider/201707/20170705165927997.jpg
http://ic##.#anyxbox.com/slider/201707/20170711163449233.jpg
http://ic##.#anyxbox.com/slider/201707/20170711163454540.jpg
http://ic##.#anyxbox.com/slider/201707/20170705165921238.jpg
http://ic##.#anyxbox.com/slider/201707/20170705173206480.jpg
http://ic##.#anyxbox.com/slider/201609/20160912133331969.gif
http://ic##.#anyxbox.com/slider/201608/20160817130948555.gif
http://ic##.#anyxbox.com/slider/201706/20170626173757203.jpg
http://ic##.#anyxbox.com/slider/201706/20170626173141960.png
http://ic##.#anyxbox.com/slider/201605/20160523162136750.gif
http://ic##.#anyxbox.com/slider/201707/20170710152127881.jpg
http://se#####.wanyxbox.com/time.php?da########
http://up####.wanyxbox.com/update/?da############################################################################################################################################################...
http://up####.wanyxbox.com/update_icon.php?da########################################################################
http://st##.#anyxbox.com/stat.php?da####################################################################
http://up####.wanyxbox.com/update_hot.php?da########################################################################################
http://up####.wanyxbox.com/update_top.php?da######################################################################################
http://up####.wanyxbox.com/update_database.php?da######################################################################################
http://ic##.#anyxbox.com/slider/201706/20170606164845759.jpg
http://ic##.#anyxbox.com/slider/201706/20170606175228788.jpg
http://ic##.#anyxbox.com/slider/201706/20170606175233547.jpg
http://ic##.#anyxbox.com/slider/201706/20170606164839135.jpg
http://up####.wanyxbox.com/update_plugin.php?da##################################################################################################################################################...
http://up####.wanyxbox.com/update_icon.php?da##########################################################################
http://up####.wanyxbox.com/update_icon.php?da############################################################################

HTTP POST requests:

http://st##.#anyxbox.com/stat/do_stat.php?da########################################################################################################
http://up####.wanyxbox.com/update_icon.php?da####################################################################

UDP:

DNS ASK se#####.wanyxbox.com
DNS ASK ic##.#anyxbox.com
DNS ASK up####.wanyxbox.com
DNS ASK st##.#anyxbox.com

Miscellaneous:

Searches for the following windows:

ClassName: '' WindowName: '玩游戏Flash游戏'
ClassName: '' WindowName: '???Flash??'
ClassName: 'GMFakeUpWnd' WindowName: ''
ClassName: '' WindowName: '???????'
ClassName: '' WindowName: '玩游戏版本更新'
ClassName: '' WindowName: '玩游戏升级提示'
ClassName: '' WindowName: '玩游戏盒浏览器'
ClassName: 'WanyxGMWnd' WindowName: 'НжУОП·єР'
ClassName: 'WanyxGMWnd' WindowName: '????????'
ClassName: 'GMBubbleWnd' WindowName: ''
ClassName: '' WindowName: '??????Flash????'
ClassName: '' WindowName: 'НжУОП·єРдЇААЖч'
ClassName: '' WindowName: '??????????????'
ClassName: '' WindowName: 'НжУОП·FlashУОП·'

Technologies

Begriffe

Schulung und Training

Mythen

Technical Information

Curing recommendations

Free trial