Trojan.MulDrop36.5491

Technical Information

To ensure autorun and distribution

Modifies the following registry keys

[HKLM\SYSTEM\CurrentControlSet\Control\Session Manager] 'BootExecute' = 'autocheck autochk *'

Sets the following service settings

[HKLM\SYSTEM\CurrentControlSet\Services\ampa] 'ImagePath' = '<SYSTEM32>\ampa.sys'

Creates the following services

'ampa' <SYSTEM32>\ampa.sys

Modifies file system

Creates the following files

%WINDIR%\temp\ukepsjhrvq\2gpt_bcd
%WINDIR%\temp\ukepsjhrvq\2mbr_bcd
%WINDIR%\temp\ukepsjhrvq\7z.dll
%WINDIR%\temp\ukepsjhrvq\7z.exe
%WINDIR%\temp\ukepsjhrvq\bcdboot.exe
%WINDIR%\temp\ukepsjhrvq\cfg.ini
%WINDIR%\temp\ukepsjhrvq\dyndiskconverter.exe
%WINDIR%\temp\ukepsjhrvq\epw.exe
%WINDIR%\temp\ukepsjhrvq\help.exe
%WINDIR%\temp\ukepsjhrvq\iconv.dll
%WINDIR%\temp\ukepsjhrvq\info.exe
%WINDIR%\temp\ukepsjhrvq\info.ini
%WINDIR%\temp\ukepsjhrvq\install.bat
%WINDIR%\temp\ukepsjhrvq\language.ini
%WINDIR%\temp\ukepsjhrvq\libgcc_s_sjlj-1.dll
%WINDIR%\temp\ukepsjhrvq\libwim-15.dll
%WINDIR%\temp\ukepsjhrvq\libxml2-2.dll
%WINDIR%\temp\ukepsjhrvq\license.rtf
%WINDIR%\temp\ukepsjhrvq\loaddrv.exe
%WINDIR%\temp\ukepsjhrvq\loaddrv_win32.exe
%WINDIR%\temp\ukepsjhrvq\loaddrv_x64.exe
%WINDIR%\temp\ukepsjhrvq\manual.pdf
%WINDIR%\temp\ukepsjhrvq\mfc80.dll
%WINDIR%\temp\ukepsjhrvq\mfc80u.dll
%WINDIR%\temp\ukepsjhrvq\mfcm80.dll
%WINDIR%\temp\ukepsjhrvq\mfcm80u.dll
%WINDIR%\temp\ukepsjhrvq\microsoft.vc80.crt.manifest
%WINDIR%\temp\ukepsjhrvq\microsoft.vc80.mfc.manifest
%WINDIR%\temp\ukepsjhrvq\msvcm80.dll
%WINDIR%\temp\ukepsjhrvq\msvcp80.dll
%WINDIR%\temp\ukepsjhrvq\msvcr80.dll
%WINDIR%\temp\ukepsjhrvq\ntfs2fat32.exe
%WINDIR%\temp\ukepsjhrvq\partassist.exe
%WINDIR%\temp\ukepsjhrvq\pe.dll
%WINDIR%\temp\ukepsjhrvq\pthreadgc2.dll
%WINDIR%\temp\ukepsjhrvq\readme.rtf
%WINDIR%\temp\ukepsjhrvq\scanpartition.dll
%WINDIR%\temp\ukepsjhrvq\setupgreen32.exe
%WINDIR%\temp\ukepsjhrvq\setupgreen64.exe
%WINDIR%\temp\ukepsjhrvq\upgrade.ini
%WINDIR%\temp\ukepsjhrvq\wimgapi.dll
%WINDIR%\temp\ukepsjhrvq\wimlib-imagex.exe
%WINDIR%\temp\ukepsjhrvq\winchk.exe
%WINDIR%\temp\ukepsjhrvq\winpeshl.ini
%WINDIR%\temp\ukepsjhrvq\wnd.ini
%WINDIR%\temp\ukepsjhrvq\doc\about.html
%WINDIR%\temp\ukepsjhrvq\doc\active.html
%WINDIR%\temp\ukepsjhrvq\doc\allocate.html
%WINDIR%\temp\ukepsjhrvq\doc\bootcd.html
%WINDIR%\temp\ukepsjhrvq\doc\check.html
%WINDIR%\temp\ukepsjhrvq\doc\clear.html
%WINDIR%\temp\ukepsjhrvq\doc\cmd.html
%WINDIR%\temp\ukepsjhrvq\doc\configuration.html
%WINDIR%\temp\ukepsjhrvq\doc\convert.html
%WINDIR%\temp\ukepsjhrvq\doc\copydisk.html
%WINDIR%\temp\ukepsjhrvq\doc\copydiskwizard.html
%WINDIR%\temp\ukepsjhrvq\doc\copypart.html
%WINDIR%\temp\ukepsjhrvq\doc\copypartwizard.html
%WINDIR%\temp\ukepsjhrvq\doc\create.html
%WINDIR%\temp\ukepsjhrvq\doc\ddc.html
%WINDIR%\temp\ukepsjhrvq\doc\delete.html
%WINDIR%\temp\ukepsjhrvq\doc\extend.html
%WINDIR%\temp\ukepsjhrvq\doc\faq.html
%WINDIR%\temp\ukepsjhrvq\doc\format.html
%WINDIR%\temp\ukepsjhrvq\doc\gptmbr.html
%WINDIR%\temp\ukepsjhrvq\doc\helptree.html
%WINDIR%\temp\ukepsjhrvq\doc\hide.html
%WINDIR%\temp\ukepsjhrvq\doc\index.html
%WINDIR%\temp\ukepsjhrvq\doc\initdisk.html
%WINDIR%\temp\ukepsjhrvq\doc\label.html
%WINDIR%\temp\ukepsjhrvq\doc\letter.html
%WINDIR%\temp\ukepsjhrvq\doc\main.html
%WINDIR%\temp\ukepsjhrvq\doc\merge.html
%WINDIR%\temp\ukepsjhrvq\doc\migrate.html
%WINDIR%\temp\ukepsjhrvq\doc\n2f.html
%WINDIR%\temp\ukepsjhrvq\doc\partalign.html
%WINDIR%\temp\ukepsjhrvq\doc\partrecovery.html
%WINDIR%\temp\ukepsjhrvq\doc\password.html
%WINDIR%\temp\ukepsjhrvq\doc\prilog.html
%WINDIR%\temp\ukepsjhrvq\doc\properties.html
%WINDIR%\temp\ukepsjhrvq\doc\quick-partition.html
%WINDIR%\temp\ukepsjhrvq\doc\rebuildmbr.html
%WINDIR%\temp\ukepsjhrvq\doc\resize.html
%WINDIR%\temp\ukepsjhrvq\doc\serial.html
%WINDIR%\temp\ukepsjhrvq\doc\split.html
%WINDIR%\temp\ukepsjhrvq\doc\style.css
%WINDIR%\temp\ukepsjhrvq\doc\support.html
%WINDIR%\temp\ukepsjhrvq\doc\surface.html
%WINDIR%\temp\ukepsjhrvq\doc\typeid.html
%WINDIR%\temp\ukepsjhrvq\doc\wipe.html
%WINDIR%\temp\ukepsjhrvq\doc\wipedisk.html
%WINDIR%\temp\ukepsjhrvq\doc\wipepart.html
%WINDIR%\temp\ukepsjhrvq\doc\wtg.html
%WINDIR%\temp\ukepsjhrvq\doc\images\headfill.png
%WINDIR%\temp\ukepsjhrvq\lang\en.txt
%WINDIR%\temp\ukepsjhrvq\lang\vn.txt
%WINDIR%\temp\ukepsjhrvq\log\ampa1.log

Network activity

UDP

DNS ASK fi#####.###tings.services.mozilla.com

Miscellaneous

Creates and executes the following

'%WINDIR%\temp\ukepsjhrvq\partassist.exe'
'%WINDIR%\temp\ukepsjhrvq\setupgreen64.exe' -u
'%WINDIR%\temp\ukepsjhrvq\loaddrv_x64.exe' -u
'%WINDIR%\temp\ukepsjhrvq\setupgreen64.exe'
'%WINDIR%\temp\ukepsjhrvq\loaddrv_x64.exe'

Executes the following

'%WINDIR%\temp\ukepsjhrvq\setupgreen64.exe' -u' (with hidden window)
'%WINDIR%\temp\ukepsjhrvq\loaddrv_x64.exe' -u' (with hidden window)
'%WINDIR%\temp\ukepsjhrvq\setupgreen64.exe' ' (with hidden window)
'%WINDIR%\temp\ukepsjhrvq\loaddrv_x64.exe' ' (with hidden window)

Technologies

Terminology

Training and education

Myths

Technical Information

Curing recommendations

Free trial