Trojan.DownLoader33.40923

To ensure autorun and distribution

Modifies the following registry keys

[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'MicroUpdate' = '%HOMEPATH%\Documents\MSDCSC\msdcsc.exe'
[<HKLM>\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] 'UserInit' = '<SYSTEM32>\userinit.exe,%HOMEPATH%\Documents\MSDCSC\msdcsc.exe'

Creates or modifies the following files

Creates the following services

[<HKLM>\System\CurrentControlSet\Services\WindowsInput] 'Start' = '00000002'
[<HKLM>\System\CurrentControlSet\Services\WindowsInput] 'ImagePath' = '"%WINDIR%\SysWOW64\WindowsInput.exe"'

Malicious functions

To bypass firewall, removes or modifies the following registry keys

[<HKLM>\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'EnableFirewall' = '00000000'

To complicate detection of its presence in the operating system,

blocks execution of the following system utilities:

blocks the following features:

Injects code into

the following system processes:

the following user processes:

Modifies file system

Creates the following files

Sets the 'hidden' attribute to the following files

Deletes the following files

Network activity

TCP

HTTP GET requests

'ra####ts.ddns.net':1616

'ra####ts.ddns.net':1604

'ra####ts.ddns.net':10134

UDP

Miscellaneous

Searches for the following windows

Creates and executes the following

'%TEMP%\quasar.exe'
'%APPDATA%\java\javaupdate.exe'
'%TEMP%\iha9tkdoqcet.exe'
'%HOMEPATH%\documents\msdcsc\msdcsc.exe'
'%TEMP%\bciharbmrcjx.exe'
'%WINDIR%\syswow64\windowsinput.exe' --install
'%WINDIR%\syswow64\windowsinput.exe'
'%APPDATA%\explorer.exe'
'%APPDATA%\svchost.exe' /launchSelfAndExit "%APPDATA%\explorer.exe" 2296 /protectFile
'%APPDATA%\svchost.exe' /watchProcess "%APPDATA%\explorer.exe" 2296 "/protectFile"
'%WINDIR%\syswow64\cmd.exe' /k attrib "%TEMP%\IhA9TkDOqcET.exe" +s +h' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /k attrib "%LOCALAPPDATA%\Temp" +s +h' (with hidden window)
'%WINDIR%\syswow64\notepad.exe' ' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\ymk8zd_4.cmdline"' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESB578.tmp" "%TEMP%\CSCB577.tmp"' (with hidden window)
'%APPDATA%\explorer.exe' ' (with hidden window)

Executes the following

'%WINDIR%\syswow64\schtasks.exe' /create /tn "JavaUpdate" /sc ONLOGON /tr "%TEMP%\Quasar.exe" /rl HIGHEST /f
'%WINDIR%\syswow64\schtasks.exe' /create /tn "JavaUpdate" /sc ONLOGON /tr "%APPDATA%\Java\JavaUpdate.exe" /rl HIGHEST /f
'%WINDIR%\syswow64\cmd.exe' /k attrib "%TEMP%\IhA9TkDOqcET.exe" +s +h
'%WINDIR%\syswow64\cmd.exe' /k attrib "%LOCALAPPDATA%\Temp" +s +h
'%WINDIR%\syswow64\notepad.exe'
'%ProgramFiles(x86)%\internet explorer\iexplore.exe'
'%WINDIR%\syswow64\attrib.exe' "%TEMP%\IhA9TkDOqcET.exe" +s +h
'%WINDIR%\syswow64\attrib.exe' "%LOCALAPPDATA%\Temp" +s +h
'%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\ymk8zd_4.cmdline"
'%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESB578.tmp" "%TEMP%\CSCB577.tmp"
'<SYSTEM32>\taskeng.exe' {15EB24E4-442D-4C38-8F76-EBD48C902527} S-1-5-21-1960123792-2022915161-3775307078-1001:ciiadlmdvd\user:Interactive:[1]