Trojan.DownLoader45.23025

Technical Information

Malicious functions

Downloads

http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/office/data/v32.cab as %temp%\over282892\v32.cab
http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/office/data/v32.cab as %temp%\over168904\v32.cab
http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/office/data/v32.cab as %temp%\over182543\v32.cab
http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/office/data/v32.cab as %temp%\over617524\v32.cab
http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/office/data/v32.cab as %temp%\over721126\v32.cab
http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/office/data/v32.cab as %temp%\over738826\v32.cab
http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/office/data/v32.cab as %temp%\over611179\v32.cab
http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/office/data/v32.cab as %temp%\over253267\v32.cab

Modifies file system

Creates the following files

<Current directory>\files\setup.exe
%TEMP%\over611179\$dpx$.tmp\e039838301789a4c9645ffa418fc0a4a.tmp
%TEMP%\over611179\v32.cab
%TEMP%\over738826\v32.txt
%TEMP%\over738826\$dpx$.tmp\53b02a4216031c48b68718c8b57479f8.tmp
%TEMP%\over738826\v32.cab
%TEMP%\over721126\v32.txt
%TEMP%\over721126\$dpx$.tmp\1049cb04ef6d864d92924235c3ac3d55.tmp
%TEMP%\over721126\v32.cab
%TEMP%\over617524\v32.txt
%TEMP%\over617524\$dpx$.tmp\d1d520a7cae7484ea7a8b82517f14179.tmp
%TEMP%\over617524\v32.cab
%TEMP%\over182543\v32.txt
%TEMP%\over182543\$dpx$.tmp\2df5246e54e16d4e99b8eb07ab06c882.tmp
%TEMP%\over182543\v32.cab
%TEMP%\over168904\v32.txt
%TEMP%\over168904\$dpx$.tmp\0e731355a4f84b43807ddb734ad54485.tmp
%TEMP%\over168904\v32.cab
%TEMP%\over282892\v32.txt
%TEMP%\over282892\$dpx$.tmp\033f5981e828a046aba312d850bed4db.tmp
%TEMP%\over282892\v32.cab
<Current directory>\files\configure.xml
<Current directory>\files\x86\msvcr100.dll
<Current directory>\files\x86\cleanospp.exe
<Current directory>\files\x64\msvcr100.dll
<Current directory>\files\x64\cleanospp.exe
<Current directory>\files\uninstall.xml
<Current directory>\files\files.dat
%TEMP%\over611179\v32.txt
%TEMP%\over253267\v32.cab

Deletes the following files

<Current directory>\files\files.dat
%TEMP%\over611179\v32.txt
%TEMP%\over611179\v32.cab
%TEMP%\over738826\versiondescriptor.xml
%TEMP%\over738826\v32.txt
%TEMP%\over738826\v32.cab
%TEMP%\over721126\versiondescriptor.xml
%TEMP%\over721126\v32.txt
%TEMP%\over721126\v32.cab
%TEMP%\over617524\versiondescriptor.xml
%TEMP%\over611179\versiondescriptor.xml
%TEMP%\over617524\v32.txt
%TEMP%\over182543\versiondescriptor.xml
%TEMP%\over182543\v32.txt
%TEMP%\over182543\v32.cab
%TEMP%\over168904\versiondescriptor.xml
%TEMP%\over168904\v32.txt
%TEMP%\over168904\v32.cab
%TEMP%\over282892\versiondescriptor.xml
%TEMP%\over282892\v32.txt
%TEMP%\over282892\v32.cab
%TEMP%\over617524\v32.cab
%TEMP%\over253267\v32.cab

Moves the following files

from %TEMP%\over282892\$dpx$.tmp\033f5981e828a046aba312d850bed4db.tmp to %TEMP%\over282892\versiondescriptor.xml
from %TEMP%\over168904\$dpx$.tmp\0e731355a4f84b43807ddb734ad54485.tmp to %TEMP%\over168904\versiondescriptor.xml
from %TEMP%\over182543\$dpx$.tmp\2df5246e54e16d4e99b8eb07ab06c882.tmp to %TEMP%\over182543\versiondescriptor.xml
from %TEMP%\over617524\$dpx$.tmp\d1d520a7cae7484ea7a8b82517f14179.tmp to %TEMP%\over617524\versiondescriptor.xml
from %TEMP%\over721126\$dpx$.tmp\1049cb04ef6d864d92924235c3ac3d55.tmp to %TEMP%\over721126\versiondescriptor.xml
from %TEMP%\over738826\$dpx$.tmp\53b02a4216031c48b68718c8b57479f8.tmp to %TEMP%\over738826\versiondescriptor.xml
from %TEMP%\over611179\$dpx$.tmp\e039838301789a4c9645ffa418fc0a4a.tmp to %TEMP%\over611179\versiondescriptor.xml

Network activity

Connects to

'officecdn.microsoft.com':80

TCP

HTTP GET requests

http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32.cab

UDP

DNS ASK officecdn.microsoft.com

Miscellaneous

Creates and executes the following

'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -command "& { Get-Content %TEMP%\over168904\VersionDescriptor.xml | Set-Content -Encoding ASCII v32.txt }
'<Current directory>\files\files.dat' -y -pkmsauto
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -command "& { Get-Content %TEMP%\over721126\VersionDescriptor.xml | Set-Content -Encoding ASCII v32.txt }
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -command "& { Get-Content %TEMP%\over611179\VersionDescriptor.xml | Set-Content -Encoding ASCII v32.txt }
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -command "& { Get-Content %TEMP%\over282892\VersionDescriptor.xml | Set-Content -Encoding ASCII v32.txt }
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -command "& { Get-Content %TEMP%\over182543\VersionDescriptor.xml | Set-Content -Encoding ASCII v32.txt }
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -command "& { Get-Content %TEMP%\over617524\VersionDescriptor.xml | Set-Content -Encoding ASCII v32.txt }
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -command "& { Get-Content %TEMP%\over738826\VersionDescriptor.xml | Set-Content -Encoding ASCII v32.txt }
'<SYSTEM32>\expand.exe' v32.cab -F:VersionDescriptor.xml %TEMP%\over738826' (with hidden window)
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -command "& { Get-Content %TEMP%\over617524\VersionDescriptor.xml | Set-Content -Encoding ASCII v32.txt }' (with hidden window)
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -command "& { Get-Content %TEMP%\over611179\VersionDescriptor.xml | Set-Content -Encoding ASCII v32.txt }' (with hidden window)
'<SYSTEM32>\expand.exe' v32.cab -F:VersionDescriptor.xml %TEMP%\over611179' (with hidden window)
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -command "& { (New-Object Net.WebClient).DownloadFile('http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32.cab', '%TEMP%\over611179\v32.cab') }"' (with hidden window)
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -command "& { Get-Content %TEMP%\over721126\VersionDescriptor.xml | Set-Content -Encoding ASCII v32.txt }' (with hidden window)
'<SYSTEM32>\reg.exe' add "HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled /t REG_DWORD /d 1 /f' (with hidden window)
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -command "& { (New-Object Net.WebClient).DownloadFile('http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32.cab', '%TEMP%\over738826\v32.cab') }"' (with hidden window)
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -command "& { (New-Object Net.WebClient).DownloadFile('http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32.cab', '%TEMP%\over721126\v32.cab') }"' (with hidden window)
'<SYSTEM32>\expand.exe' v32.cab -F:VersionDescriptor.xml %TEMP%\over721126' (with hidden window)
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -command "& { Get-Content %TEMP%\over738826\VersionDescriptor.xml | Set-Content -Encoding ASCII v32.txt }' (with hidden window)
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -command "& { (New-Object Net.WebClient).DownloadFile('http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32.cab', '%TEMP%\over253267\v32.cab') }"' (with hidden window)
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -command "& { (New-Object Net.WebClient).DownloadFile('http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32.cab', '%TEMP%\over617524\v32.cab') }"' (with hidden window)
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -command "& { (New-Object Net.WebClient).DownloadFile('http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32.cab', '%TEMP%\over168904\v32.cab') }"' (with hidden window)
'<SYSTEM32>\cmd.exe' /D /c files.dat -y -pkmsauto' (with hidden window)
'<SYSTEM32>\expand.exe' v32.cab -F:VersionDescriptor.xml %TEMP%\over617524' (with hidden window)
'<SYSTEM32>\expand.exe' v32.cab -F:VersionDescriptor.xml %TEMP%\over282892' (with hidden window)
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -command "& { Get-Content %TEMP%\over282892\VersionDescriptor.xml | Set-Content -Encoding ASCII v32.txt }' (with hidden window)
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -command "& { (New-Object Net.WebClient).DownloadFile('http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32.cab', '%TEMP%\over282892\v32.cab') }"' (with hidden window)
'<SYSTEM32>\expand.exe' v32.cab -F:VersionDescriptor.xml %TEMP%\over168904' (with hidden window)
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -command "& { Get-Content %TEMP%\over168904\VersionDescriptor.xml | Set-Content -Encoding ASCII v32.txt }' (with hidden window)
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -command "& { (New-Object Net.WebClient).DownloadFile('http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32.cab', '%TEMP%\over182543\v32.cab') }"' (with hidden window)
'<SYSTEM32>\expand.exe' v32.cab -F:VersionDescriptor.xml %TEMP%\over182543' (with hidden window)
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -command "& { Get-Content %TEMP%\over182543\VersionDescriptor.xml | Set-Content -Encoding ASCII v32.txt }' (with hidden window)
'<SYSTEM32>\expand.exe' v32.cab -F:VersionDescriptor.xml %TEMP%\over253267' (with hidden window)
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -command "& { Get-Content %TEMP%\over253267\VersionDescriptor.xml | Set-Content -Encoding ASCII v32.txt }' (with hidden window)

Executes the following

'<SYSTEM32>\reg.exe' add "HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled /t REG_DWORD /d 1 /f
'<SYSTEM32>\cmd.exe' /D /c files.dat -y -pkmsauto
'<SYSTEM32>\expand.exe' v32.cab -F:VersionDescriptor.xml %TEMP%\over282892
'<SYSTEM32>\expand.exe' v32.cab -F:VersionDescriptor.xml %TEMP%\over168904
'<SYSTEM32>\expand.exe' v32.cab -F:VersionDescriptor.xml %TEMP%\over182543
'<SYSTEM32>\expand.exe' v32.cab -F:VersionDescriptor.xml %TEMP%\over617524
'<SYSTEM32>\expand.exe' v32.cab -F:VersionDescriptor.xml %TEMP%\over721126
'<SYSTEM32>\expand.exe' v32.cab -F:VersionDescriptor.xml %TEMP%\over738826
'<SYSTEM32>\expand.exe' v32.cab -F:VersionDescriptor.xml %TEMP%\over611179
'<SYSTEM32>\expand.exe' v32.cab -F:VersionDescriptor.xml %TEMP%\over253267
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -command "& { Get-Content %TEMP%\over253267\VersionDescriptor.xml | Set-Content -Encoding ASCII v32.txt }

Технологии

Термины

Обучение и просвещение

Мифы

Technical Information

Рекомендации по лечению

Демо бесплатно на 14 дней