Technical Information
To ensure autorun and distribution
Creates or modifies the following files
- <SYSTEM32>\tasks\-2-3-29-1404288243-1408237502-1081353075-4331\{9i3z5fb9-vtxy-uqv-84dr-53v3u8dp6nir}
Malicious functions
Reads files which store third party applications passwords
- <LS_APPDATA>\google\chrome\user data\default\login data
- <LS_APPDATA>\google\chrome\user data\default\web data
Modifies file system
Creates the following files
- %APPDATA%\amd64_microsoft-windows-devices-wifi\enu_84687fe973d070912535
- %APPDATA%\amd64_microsoft-windows-devices-wifi\1\telegram\инструкция по установке.txt
- %APPDATA%\amd64_microsoft-windows-devices-wifi\1\telegram\d877f783d5d3ef8c\map0
- %APPDATA%\amd64_microsoft-windows-devices-wifi\1\steam\config\dialogconfig.vdf
- %APPDATA%\amd64_microsoft-windows-devices-wifi\1\steam\инструкция по установке.txt
- %APPDATA%\amd64_microsoft-windows-devices-wifi\1\steam\config\config.vdf
- %APPDATA%\amd64_microsoft-windows-devices-wifi\1\screen.jpg
- %APPDATA%\amd64_microsoft-windows-devices-wifi\d3dcompiler_43.sqlite3.module.dll
- %APPDATA%\amd64_microsoft-windows-devices-wifi\d3dcompiler_43.sqlite3.module.dll.7
- %TEMP%\aut73f9.tmp
- %APPDATA%\amd64_microsoft-windows-devices-wifi\1\telegram\d877f783d5d3ef8c1
- <LS_APPDATA>\microsoft\windows\history\low\history.ie5\index.dat
- <LS_APPDATA>\microsoft\windows\<INETFILES>\low\content.ie5\ksefb3t3\desktop.ini
- <LS_APPDATA>\microsoft\windows\<INETFILES>\low\content.ie5\i49u1gw1\desktop.ini
- <LS_APPDATA>\microsoft\windows\<INETFILES>\low\content.ie5\o2r1nbbm\desktop.ini
- <LS_APPDATA>\microsoft\windows\<INETFILES>\low\content.ie5\sm9vgwjm\desktop.ini
- <LS_APPDATA>\microsoft\windows\<INETFILES>\low\content.ie5\index.dat
- <LS_APPDATA>\microsoft\windows\history\low\history.ie5\desktop.ini
- <LS_APPDATA>\microsoft\windows\history\low\desktop.ini
- <LS_APPDATA>\microsoft\windows\<INETFILES>\low\content.ie5\desktop.ini
- <LS_APPDATA>\microsoft\windows\<INETFILES>\low\desktop.ini
- %APPDATA%\microsoft\windows\cookies\low\index.dat
- %APPDATA%\amd64_microsoft-windows-devices-wifi\1\cookies\mozilla firefox (6).txt
Sets the 'hidden' attribute to the following files
- <LS_APPDATA>\microsoft\windows\<INETFILES>\low\desktop.ini
- <LS_APPDATA>\microsoft\windows\<INETFILES>\low\content.ie5\desktop.ini
- <LS_APPDATA>\microsoft\windows\<INETFILES>\low\content.ie5\sm9vgwjm\desktop.ini
- <LS_APPDATA>\microsoft\windows\<INETFILES>\low\content.ie5\o2r1nbbm\desktop.ini
- <LS_APPDATA>\microsoft\windows\<INETFILES>\low\content.ie5\i49u1gw1\desktop.ini
- <LS_APPDATA>\microsoft\windows\<INETFILES>\low\content.ie5\ksefb3t3\desktop.ini
- <LS_APPDATA>\microsoft\windows\history\low\history.ie5\desktop.ini
- <LS_APPDATA>\microsoft\windows\history\low\desktop.ini
Deletes the following files
- %TEMP%\aut73f9.tmp
- %APPDATA%\amd64_microsoft-windows-devices-wifi\d3dcompiler_43.sqlite3.module.dll.7
- %APPDATA%\amd64_microsoft-windows-devices-wifi\d3dcompiler_43.sqlite3.module.dll
- %APPDATA%\amd64_microsoft-windows-devices-wifi\1\screen.jpg
- %APPDATA%\amd64_microsoft-windows-devices-wifi\1\cookies\mozilla firefox (6).txt
- %APPDATA%\amd64_microsoft-windows-devices-wifi\1\steam\инструкция по установке.txt
- %APPDATA%\amd64_microsoft-windows-devices-wifi\1\steam\config\config.vdf
- %APPDATA%\amd64_microsoft-windows-devices-wifi\1\steam\config\dialogconfig.vdf
- %APPDATA%\amd64_microsoft-windows-devices-wifi\1\telegram\d877f783d5d3ef8c1
- %APPDATA%\amd64_microsoft-windows-devices-wifi\1\telegram\инструкция по установке.txt
- %APPDATA%\amd64_microsoft-windows-devices-wifi\1\telegram\d877f783d5d3ef8c\map0
Moves itself
- from <Full path to file> to %APPDATA%\amd64_microsoft-windows-devices-wifi\d3dcompiler_43.exe
Network activity
UDP
- DNS ASK ap#.##legram.org
- DNS ASK ip##i.co
Miscellaneous
Creates and executes the following
- '%APPDATA%\amd64_microsoft-windows-devices-wifi\d3dcompiler_43.module.exe' a -y -mx9 -ssw "%APPDATA%\amd64_microsoft-windows-devices-wifi\ENU_84687FE973D070912535.7z" "%APPDATA%\amd64_microsoft-windows-devices-wifi\1\*"' (with hidden window)
Executes the following
- '%WINDIR%\syswow64\rundll32.exe' "%WINDIR%\syswow64\WININET.dll",DispatchAPICall 1
