Trojan.DownLoader29.52282

Technical Information

To ensure autorun and distribution

Creates the following services

[<HKLM>\System\CurrentControlSet\Services\kbotkcme] 'Start' = '00000002'
[<HKLM>\System\CurrentControlSet\Services\kbotkcme] 'ImagePath' = '<SYSTEM32>\kbotkcme\ypilsfrq.exe /d"<Full path to file>"'
[<HKLM>\SYSTEM\CurrentControlSet\services\kbotkcme] 'ImagePath' = '<SYSTEM32>\kbotkcme\ypilsfrq.exe'

Malicious functions

Injects code into

the following system processes:

<SYSTEM32>\svchost.exe

Modifies file system

Creates the following files

%TEMP%\ypilsfrq.exe
C:\documents and settings\localservice:.repos

Moves the following files

from %TEMP%\ypilsfrq.exe to <SYSTEM32>\kbotkcme\ypilsfrq.exe

Deletes itself.

Network activity

Connects to

'mx#.#oair.com':25
'p.####om.ctmail.com':25
'no####.emscorporate.com':25
'mx#.#harter.net':25
'mx####.adityabirla.com':25
'ad#####.##il.protection.outlook.com':25
'mx##.mb1p.com':25
'mx#.#beyond.net':25
'ca#########.mail.protection.outlook.com':25
'ce############ce-com01i.mail.protection.outlook.com':25

TCP

HTTP GET requests

http://www.google.com/
http://ap#.##-cy.ru:35000/

UDP

DNS ASK mi##########m.mail.protection.outlook.com
DNS ASK mx#.##m.iphmx.com
DNS ASK ma###ity.com
DNS ASK mx.#####.#om.cust.b.hostedemail.com
DNS ASK te##tra.com
DNS ASK ex####l.bigpond.com
DNS ASK us.#bm.com
DNS ASK he##a.org
DNS ASK ma##.##dianet.com.pl
DNS ASK d1######.#ss.barracudanetworks.com
DNS ASK in##pro.com
DNS ASK sm##.##cureserver.net
DNS ASK bo##ng.com
DNS ASK ph######n-02.mbs.boeing.net
DNS ASK fo###hkola.net
DNS ASK om#.com
DNS ASK me###net.com.pl
DNS ASK vk##on.ru
DNS ASK po###a.wp.pl
DNS ASK ad###lska.pl
DNS ASK po#t.sk
DNS ASK ca#.##rusfree.cz
DNS ASK aspmx.l.google.com
DNS ASK mx###.##il.am0.yahoodns.net
DNS ASK mx######b2d01.pphosted.com
DNS ASK ho###track.com
DNS ASK re###nhofer.at
DNS ASK mx.###senhofer.at
DNS ASK fr##mail.hu
DNS ASK fm#.#reemail.hu
DNS ASK hi##eed.ch
DNS ASK mx###.upcmail.net
DNS ASK o2.pl
DNS ASK ce############ce-com01i.mail.protection.outlook.com
DNS ASK gm##l.com
DNS ASK p.####om.ctmail.com
DNS ASK em####porate.com
DNS ASK no####.emscorporate.com
DNS ASK ln#.com
DNS ASK ad###abirla.com
DNS ASK mx####.adityabirla.com
DNS ASK pc##.com
DNS ASK ya##o.es
DNS ASK bh.###kmonitor.com
DNS ASK mx##.mb1p.com
DNS ASK bi##h.com
DNS ASK mx#.#beyond.net
DNS ASK ca##one.com
DNS ASK ca#########.mail.protection.outlook.com
DNS ASK ad#####.##il.protection.outlook.com
DNS ASK ad#.com
DNS ASK ch###ermi.net
DNS ASK mx#.#oair.com
DNS ASK tr##x.com
DNS ASK ho###il.co.uk
DNS ASK eu#.###.#rotection.outlook.com
DNS ASK na####a-auto.com
DNS ASK sm##.##booda-auto.com
DNS ASK mo###ink.net
DNS ASK lo##s.com
DNS ASK mx.yandex.ru
DNS ASK alt2.gmail-smtp-in.l.google.com
DNS ASK ap#.#r-cy.ru
DNS ASK tr#######.mx10.staysecuregroup.com
DNS ASK be######copter.textron.com
DNS ASK be#############textron-com.mail.protection.outlook.com
DNS ASK co##r.com
DNS ASK no##ood.com
DNS ASK ma#####.mobilink.net
DNS ASK oh#######.com.mx2.ikano.rcimx.net
DNS ASK oh###ills.com
DNS ASK ms#####.##c.protection.outlook.com
DNS ASK da##a.de
DNS ASK ex####.abebooks.com
DNS ASK ab##ooks.de
DNS ASK po###a.onet.pl
DNS ASK fr###6.onet.pl
DNS ASK ce#####-insurance.com
DNS ASK t-##line.de
DNS ASK cu#######-1-in.mailcontrol.com
DNS ASK 19#.###.#11.95.cbl.abuseat.org
DNS ASK qq.com
DNS ASK 19#.###.##1.95.sbl-xbl.spamhaus.org
DNS ASK mx.#p.pl
DNS ASK wp.pl
DNS ASK te###rapex.com
DNS ASK mx#.qq.com
DNS ASK do###o.ne.jp
DNS ASK 19#.###.#11.95.zen.spamhaus.org
DNS ASK 19#.###.211.95.in-addr.arpa
DNS ASK ya##o.co.in
DNS ASK 19#.###.#11.95.bl.spamcop.net
DNS ASK 19#.###.#11.95.dnsbl.sorbs.net
DNS ASK to###ail.com
DNS ASK mx.###zta.onet.pl
DNS ASK vp.pl
DNS ASK mx.###edient.net
DNS ASK mx#####.#ail.gm0.yahoodns.net
DNS ASK ya##o.com
DNS ASK we#.de
DNS ASK mx####.##il.gm0.yahoodns.net
DNS ASK ao#.com
DNS ASK mt##.##0.yahoodns.net
DNS ASK ya###.com.au
DNS ASK mx###03.web.de
DNS ASK ar####mortgage.com
DNS ASK tr##inc.com
DNS ASK pn#.com.ph
DNS ASK li##.com
DNS ASK li######.#lc.protection.outlook.com
DNS ASK bu###czek.pl
DNS ASK gl####wisata.co.id
DNS ASK ag###ance.com
DNS ASK google.com
DNS ASK ar####uci.prv.pl
DNS ASK mx.#oho.com
DNS ASK a3#####03.direcpc.com
DNS ASK co##ast.net
DNS ASK mx#.#omcast.net
DNS ASK ms#.com
DNS ASK tl#n.pl
DNS ASK mx.#len.pl
DNS ASK di###way.com
DNS ASK ma###.agfinance.com
DNS ASK mf####.docomo.ne.jp
DNS ASK mx##.#-online.de
DNS ASK ma##.pnb.com.ph
DNS ASK ch##lo.nl
DNS ASK mx.###.#ail.iss.as9143.net
DNS ASK tr##en.com
DNS ASK tr###npcs.com
DNS ASK mx######ed601.pphosted.com
DNS ASK mx#.#harter.net
DNS ASK tr####.###.inbound15.mxlogic.net
DNS ASK mx.#ds.nl
DNS ASK ro##n.pl
DNS ASK ro###.rodan.pl
DNS ASK ch##ter.net
DNS ASK ho##ail.com
DNS ASK ho#########.olc.protection.outlook.com
DNS ASK dd#.nl
'<DNS_SERVER>':53

Miscellaneous

Creates and executes the following

'<SYSTEM32>\kbotkcme\ypilsfrq.exe' /d"<Full path to file>"
'<SYSTEM32>\cmd.exe' /C mkdir <SYSTEM32>\kbotkcme\' (with hidden window)
'<SYSTEM32>\cmd.exe' /C move /Y "%TEMP%\ypilsfrq.exe" <SYSTEM32>\kbotkcme\' (with hidden window)
'<SYSTEM32>\sc.exe' create kbotkcme binPath= "<SYSTEM32>\kbotkcme\ypilsfrq.exe /d\"<Full path to file>\"" type= own start= auto DisplayName= "wifi support"' (with hidden window)
'<SYSTEM32>\sc.exe' description kbotkcme "wifi internet conection"' (with hidden window)
'<SYSTEM32>\sc.exe' start kbotkcme' (with hidden window)

Executes the following

'<SYSTEM32>\cmd.exe' /C mkdir <SYSTEM32>\kbotkcme\
'<SYSTEM32>\cmd.exe' /C move /Y "%TEMP%\ypilsfrq.exe" <SYSTEM32>\kbotkcme\
'<SYSTEM32>\sc.exe' create kbotkcme binPath= "<SYSTEM32>\kbotkcme\ypilsfrq.exe /d\"<Full path to file>\"" type= own start= auto DisplayName= "wifi support"
'<SYSTEM32>\sc.exe' description kbotkcme "wifi internet conection"
'<SYSTEM32>\sc.exe' start kbotkcme
'<SYSTEM32>\svchost.exe'