Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Visual C++ Redistributable 2010 - x64' = '%APPDATA%\vc_redist(x64).exe'
Malicious functions:
Creates and executes the following:
- '%APPDATA%\mine.exe' 1
Modifies file system :
Creates the following files:
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\YPORKZYZ\mine[2].php
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\2VAZY7AN\mine[2].php
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\mine[3].php
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\2VAZY7AN\mine[3].php
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\mine[3].php
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\2VAZY7AN\mine[1].php
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\mine[1].php
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\YPORKZYZ\mine[1].php
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\mine[2].php
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\mine[2].php
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\mine[5].php
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\mine[5].php
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\2VAZY7AN\mine[5].php
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\mine[6].php
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\YPORKZYZ\mine[5].php
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\mine[4].php
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\YPORKZYZ\mine[3].php
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\mine[4].php
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\YPORKZYZ\mine[4].php
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\2VAZY7AN\mine[4].php
- %APPDATA%\mine\ssleay32.dll
- %APPDATA%\mine\libssh2.dll
- %APPDATA%\mine\zlib1.dll
- %APPDATA%\mine\bitstreams\COPYING_fpgaminer
- %APPDATA%\mine\poclbm130302Intel(R) HD Graphics 4000gv1w256l4.bin
- %APPDATA%\mine\libcurl-4.dll
- %APPDATA%\mine.exe
- %APPDATA%\mine\libeay32.dll
- %APPDATA%\mine\librtmp.dll
- %APPDATA%\mine\libidn-11.dll
- %APPDATA%\mine\MCast.class
- %APPDATA%\mine\API.class
- %APPDATA%\mine\bitstreams\fpgaminer_top_fixed7_197MHz.ncd
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\mine[1].php
- %APPDATA%\mine\svchost.exe
- %APPDATA%\mine\diakgcn121016.cl
- %APPDATA%\mine\diablo130302.cl
- %APPDATA%\mine\phatk121016.cl
- %APPDATA%\mine\scrypt130511.cl
- %APPDATA%\mine\poclbm130302.cl
Deletes the following files:
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\2VAZY7AN\mine[2].php
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\mine[2].php
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\YPORKZYZ\mine[2].php
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\mine[3].php
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\mine[3].php
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\mine[1].php
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\mine[1].php
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\2VAZY7AN\mine[1].php
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\mine[2].php
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\YPORKZYZ\mine[1].php
Moves itself:
- from <Full path to virus> to %APPDATA%\vc_redist(x64).exe
Network activity:
Connects to:
- 'ki###koa.com':80
- 'jg###1okla.com':80
- 'sh#####w-sorrow01.com':80
- 'ju###1okla.com':80
- 'ki####751sss.com':80
- 'jg###vvkla.com':80
- 'ki###125ss.com':80
- 'k2###huya.com':80
- 'km###2ss.com':80
- 'sh###2ow01.com':80
- 'ku###091-23.com':80
- 'ga####-gamble.com':80
- 'ne###gent34.com':80
- 're##eme.ru':80
- 'my###-drv.com':80
- 'sh####-sorrow01.com':80
- 'k2###koa.com':80
- 'fr###slik0.com':80
- 'de##rv3.com':80
- 'ki###999s.com':80
TCP:
HTTP GET requests:
- ki###koa.com/mine.php?i=###########################################
- jg###1okla.com/mine.php?i=###########################################
- sh#####w-sorrow01.com/mine.php?i=###########################################
- ju###1okla.com/mine.php?i=###########################################
- ki####751sss.com/mine.php?i=###########################################
- jg###vvkla.com/mine.php?i=###########################################
- ki###125ss.com/mine.php?i=###########################################
- k2###huya.com/mine.php?i=###########################################
- km###2ss.com/mine.php?i=###########################################
- sh###2ow01.com/mine.php?i=###########################################
- ku###091-23.com/mine.php?i=###########################################
- ga####-gamble.com/mine.php?i=###########################################
- ne###gent34.com/mine.php?i=###########################################
- re##eme.ru/mine.php?i=###########################################
- my###-drv.com/mine.php?i=###########################################
- sh####-sorrow01.com/mine.php?i=###########################################
- k2###koa.com/mine.php?i=###########################################
- fr###slik0.com/mine.php?i=###########################################
- de##rv3.com/mine.php?i=###########################################
- ki###999s.com/mine.php?i=###########################################
UDP:
- DNS ASK ki###koa.com
- DNS ASK jg###1okla.com
- DNS ASK sh#####w-sorrow01.com
- DNS ASK ju###1okla.com
- DNS ASK ki####751sss.com
- DNS ASK jg###vvkla.com
- DNS ASK ki###125ss.com
- DNS ASK k2###huya.com
- DNS ASK km###2ss.com
- DNS ASK sh###2ow01.com
- DNS ASK ku###091-23.com
- DNS ASK ga####-gamble.com
- DNS ASK ne###gent34.com
- DNS ASK re##eme.ru
- DNS ASK my###-drv.com
- DNS ASK sh####-sorrow01.com
- DNS ASK k2###koa.com
- DNS ASK fr###slik0.com
- DNS ASK de##rv3.com
- DNS ASK ki###999s.com
Miscellaneous:
Searches for the following windows:
- ClassName: 'Shell_TrayWnd' WindowName: '(null)'
- ClassName: 'EDIT' WindowName: '(null)'
- ClassName: 'Indicator' WindowName: '(null)'
