Technical Information
Malicious functions
Injects code into
the following system processes:
- %WINDIR%\microsoft.net\framework\v4.0.30319\regasm.exe
Reads files which store third party applications passwords
- %LOCALAPPDATA%\google\chrome\user data\default\login data
- %LOCALAPPDATA%\google\chrome\user data\default\cookies
- %LOCALAPPDATA%\google\chrome\user data\default\web data
- %APPDATA%\opera software\opera stable\login data
- %HOMEPATH%\desktop\aoc_saq_d_v3_merchant.docx
- %HOMEPATH%\desktop\applicantform_en.doc
- %HOMEPATH%\desktop\glidescope_review_rev_010.docx
- %HOMEPATH%\desktop\lisp_success.doc
- %HOMEPATH%\desktop\nwfieldnotes1966.docx
- %HOMEPATH%\desktop\sdszfo.docx
- %HOMEPATH%\desktop\uep_form_786_bulletin_1726i602.doc
- %HOMEPATH%\desktop\weeklysheet1215.doc
Modifies file system
Creates the following files
- %TEMP%\tmp5f9.tmp
- %TEMP%\tmp798.tmp
- %TEMP%\tmp797.tmp
- %TEMP%\tmp796.tmp
- %TEMP%\tmp795.tmp
- %TEMP%\tmp794.tmp
- %TEMP%\tmp783.tmp
- %TEMP%\tmp782.tmp
- %TEMP%\tmp781.tmp
- %TEMP%\tmp780.tmp
- %TEMP%\tmp77f.tmp
- %TEMP%\tmp77e.tmp
- %TEMP%\tmp76e.tmp
- %TEMP%\tmp76d.tmp
- %TEMP%\tmp76c.tmp
- %TEMP%\tmp76b.tmp
- %TEMP%\tmp76a.tmp
- %TEMP%\tmp759.tmp
- %TEMP%\tmp758.tmp
- %TEMP%\tmp757.tmp
- %TEMP%\tmp756.tmp
- %TEMP%\tmp755.tmp
- %TEMP%\tmp799.tmp
- %TEMP%\tmp79a.tmp
- %TEMP%\tmp7aa.tmp
- %TEMP%\tmp7ab.tmp
- %TEMP%\tmp82f.tmp
- %TEMP%\tmp80e.tmp
- %TEMP%\tmp7fe.tmp
- %TEMP%\tmp7ed.tmp
- %TEMP%\tmp7ec.tmp
- %TEMP%\tmp7eb.tmp
- %TEMP%\tmp7ea.tmp
- %TEMP%\tmp7e9.tmp
- %TEMP%\tmp7e8.tmp
- %TEMP%\tmp7d8.tmp
- %TEMP%\tmp7d6.tmp
- %TEMP%\tmp7d7.tmp
- %TEMP%\tmp7d5.tmp
- %TEMP%\tmp7d4.tmp
- %TEMP%\tmp7d3.tmp
- %TEMP%\tmp7c2.tmp
- %TEMP%\tmp7c1.tmp
- %TEMP%\tmp7c0.tmp
- %TEMP%\tmp7bf.tmp
- %TEMP%\tmp7be.tmp
- %TEMP%\tmp7ad.tmp
- %TEMP%\tmp7ac.tmp
- %TEMP%\tmp830.tmp
- %TEMP%\tmp744.tmp
- %TEMP%\tmp743.tmp
- %TEMP%\tmp742.tmp
- %TEMP%\tmp6b9.tmp
- %TEMP%\tmp6b8.tmp
- %TEMP%\tmp6a8.tmp
- %TEMP%\tmp6a7.tmp
- %TEMP%\tmp696.tmp
- %TEMP%\tmp695.tmp
- %TEMP%\tmp694.tmp
- %TEMP%\tmp683.tmp
- %TEMP%\tmp682.tmp
- %TEMP%\tmp681.tmp
- %TEMP%\tmp671.tmp
- %TEMP%\tmp670.tmp
- %TEMP%\tmp65f.tmp
- %TEMP%\tmp65e.tmp
- %TEMP%\tmp65d.tmp
- %TEMP%\tmp64d.tmp
- %TEMP%\tmp63c.tmp
- %TEMP%\tmp63b.tmp
- %TEMP%\tmp63a.tmp
- %TEMP%\tmp639.tmp
- %TEMP%\tmp609.tmp
- %TEMP%\tmp6ba.tmp
- %TEMP%\tmp6bb.tmp
- %TEMP%\tmp6cc.tmp
- %TEMP%\tmp6cd.tmp
- %TEMP%\tmp731.tmp
- %TEMP%\tmp730.tmp
- %TEMP%\tmp72f.tmp
- %TEMP%\tmp72e.tmp
- %TEMP%\tmp72d.tmp
- %TEMP%\tmp71c.tmp
- %TEMP%\tmp71b.tmp
- %TEMP%\tmp71a.tmp
- %TEMP%\tmp70a.tmp
- %TEMP%\tmp709.tmp
- %TEMP%\tmp707.tmp
- %TEMP%\tmp708.tmp
- %TEMP%\tmp6f6.tmp
- %TEMP%\tmp6f5.tmp
- %TEMP%\tmp6f4.tmp
- %TEMP%\tmp6f3.tmp
- %TEMP%\tmp6f2.tmp
- %TEMP%\tmp6e1.tmp
- %TEMP%\tmp6e0.tmp
- %TEMP%\tmp6df.tmp
- %TEMP%\tmp6de.tmp
- %TEMP%\tmp6ce.tmp
- %TEMP%\tmp741.tmp
- nul
Deletes the following files
- %TEMP%\tmp609.tmp
- %TEMP%\tmp76a.tmp
- %TEMP%\tmp76c.tmp
- %TEMP%\tmp76e.tmp
- %TEMP%\tmp77f.tmp
- %TEMP%\tmp781.tmp
- %TEMP%\tmp783.tmp
- %TEMP%\tmp795.tmp
- %TEMP%\tmp797.tmp
- %TEMP%\tmp799.tmp
- %TEMP%\tmp7aa.tmp
- %TEMP%\tmp7ac.tmp
- %TEMP%\tmp7be.tmp
- %TEMP%\tmp7c0.tmp
- %TEMP%\tmp7c2.tmp
- %TEMP%\tmp7d4.tmp
- %TEMP%\tmp7d6.tmp
- %TEMP%\tmp7d8.tmp
- %TEMP%\tmp7e9.tmp
- %TEMP%\tmp7eb.tmp
- %TEMP%\tmp7ed.tmp
- %TEMP%\tmp7fe.tmp
- %TEMP%\tmp80e.tmp
- %TEMP%\tmp82f.tmp
- %TEMP%\tmp758.tmp
- %TEMP%\tmp830.tmp
- %TEMP%\tmp756.tmp
- %TEMP%\tmp742.tmp
- %TEMP%\tmp63a.tmp
- %TEMP%\tmp63c.tmp
- %TEMP%\tmp65d.tmp
- %TEMP%\tmp65f.tmp
- %TEMP%\tmp671.tmp
- %TEMP%\tmp682.tmp
- %TEMP%\tmp694.tmp
- %TEMP%\tmp696.tmp
- %TEMP%\tmp6a8.tmp
- %TEMP%\tmp6b9.tmp
- %TEMP%\tmp6bb.tmp
- %TEMP%\tmp6cd.tmp
- %TEMP%\tmp6de.tmp
- %TEMP%\tmp6e0.tmp
- %TEMP%\tmp6f2.tmp
- %TEMP%\tmp6f4.tmp
- %TEMP%\tmp6f6.tmp
- %TEMP%\tmp708.tmp
- %TEMP%\tmp70a.tmp
- %TEMP%\tmp71b.tmp
- %TEMP%\tmp72d.tmp
- %TEMP%\tmp72f.tmp
- %TEMP%\tmp731.tmp
- %TEMP%\tmp744.tmp
- %WINDIR%\microsoft.net\framework\v4.0.30319\regasm.exe
Network activity
TCP
HTTP GET requests
- http://ch#####.amazonaws.com/
- http://www.ge###ugin.net/json.gp?ip###############
HTTP POST requests
- http://45.##.183.212:35253/IRemotePanel via 45.##.183.212
UDP
- DNS ASK ap#.ip.sb
- DNS ASK ch#####.amazonaws.com
- DNS ASK wh###.iana.org
- DNS ASK WH###.RIPE.NET
- DNS ASK ge###ugin.net
Miscellaneous
Executes the following
- '%WINDIR%\microsoft.net\framework\v4.0.30319\regasm.exe'
- '%WINDIR%\syswow64\cmd.exe' /C ping 127.0.0.1 -n 3 > nul &del "%WINDIR%\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
- '%WINDIR%\syswow64\ping.exe' 127.0.0.1 -n 3
