A two-component Trojan whose main purpose is to perform web injections. It consists of a dropper and a malicious library.
The Trojan creates the %MYDOCUMENTS%\IntMayak folder and saves the decrypted DLL into %MYDOCUMENTS%\IntMayak\0103.tmp. Then it creates %MYDOCUMENTS%\IntMayak\T01emp01.reg.
After that, the Trojan searches for the explorer.exe process and injects malicious code into it. That code copies 0103.tmp to %SYSTEM32% under a name generated from the serial number of the first partition of the hard disk.
The Trojan then runs regedit.exe and passes it the REG file created earlier. Using this file, the library is registered under the following key: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows] "AppInit_DLLs" = "%SYSTEM32%\%name%.dll".
The dropper then deletes the temporary files and the IntMayak folder. Moreover, to conceal how it penetrated the system, the malicious program deletes cookies and clears the Internet Explorer cache.
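The AppInit_DLLs persistence above is visible in any registry export of that key. The following added example (not part of the original description) parses a .reg file in the shape the dropper generates and lists the DLL paths it would register; the sample export and the DLL file name are constructed placeholders, since the real name is derived from the disk serial number.

```python
import re
from typing import Dict, List

# Constructed sample in the shape of the T01emp01.reg file described above.
# PLACEHOLDER.dll stands in for the serial-number-derived name.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\Windows\\System32\\PLACEHOLDER.dll"
"LoadAppInit_DLLs"=dword:00000001
"""

APPINIT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
_SECTION = re.compile(r"^\[(.+)\]$")
_VALUE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a .reg export into {key: {value_name: raw_data}}.

    Keys and value names are case-folded because the registry is
    case-insensitive and exports do not use a fixed casing.
    """
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = _SECTION.match(line)
        if m:
            current = keys.setdefault(m.group(1).casefold(), {})
            continue
        m = _VALUE.match(line)
        if m and current is not None:
            current[m.group(1).casefold()] = m.group(2)
    return keys


def find_appinit_dlls(text: str) -> List[str]:
    """Return the DLL paths that the export registers via AppInit_DLLs."""
    values = parse_reg(text).get(APPINIT_KEY.casefold(), {})
    raw = values.get("appinit_dlls", "")
    if not raw.startswith('"'):
        return []  # absent, or not a REG_SZ string value
    # .reg string data is quoted and escapes each backslash as "\\".
    data = raw.strip('"').replace("\\\\", "\\")
    # Multiple DLLs may be separated by spaces, commas or semicolons.
    return [p for p in re.split(r"[ ,;]+", data) if p]
```

Any non-empty result on a workstation export is worth triage, since a DLL listed here is loaded into every process that links user32.dll.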
The malicious library is compatible with Internet Explorer, Opera, Firefox, and Chrome.
While operating, Trojan.Mayachok.17727 saves an encrypted configuration file to the hard drive. The file contains command and control server addresses, a script that the malware injects into webpages browsed by the user, and other parameters.