Technical Information
To ensure autorun and distribution
Modifies the following registry keys
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] 'qdatem' = 'C:\Users\Public\Documents\Applicationoisdn.exe'
Modifies file system
Creates the following files
- C:\ayyn\applaunch.prf
- C:\ayyn\qmmiscdll.dll
- C:\ayyn\qnox.dll
- C:\ayyn\qqapp.exe
- C:\ayyn\qqipc.dll
- C:\ayyn\qqsafeud.exe
- C:\ayyn\qqsclauncher.exe
- C:\ayyn\qqservice.dll
- C:\ayyn\richcontrolole.dll
- C:\ayyn\timwp.dll
- C:\ayyn\tinyxml.dll
- C:\ayyn\trpc_client.dll
- C:\ayyn\txpfproxy.dll
- C:\ayyn\utilgif.dll
- C:\ayyn\snnt.exe
- C:\users\public\documents\lnmju.dll
- C:\ayyn\processsession.dll
- C:\users\public\documents\sjsw.log
- C:\ayyn\malauncher.exe
- C:\ayyn\jsonc.dll
- C:\ayyn\detector_05_457359.net
- C:\ayyn\sd.dat
- C:\ayyn\snnt.bat
- C:\ayyn\snnt.dat
- C:\ayyn\snnt.vbs
- C:\ayyn\appcenter.dll
- C:\ayyn\arkfs.dll
- C:\ayyn\arkiostub.dll
- C:\ayyn\arkipc.dll
- C:\ayyn\arkxml.dll
- C:\ayyn\camerars.dll
- C:\ayyn\dwmcapdt32.dll
- C:\ayyn\firstload.dll
- C:\ayyn\flashcontrolservice.dll
- C:\ayyn\gfrichcontrol.dll
- C:\ayyn\libhttp.dll
- %APPDATA%\temp\netbase.dat
Moves the following files
- from C:\ayyn\snnt.exe to C:\users\public\documents\applicationoisdn.exe
Network activity
Connects to
- '10#.#45.22.215':80
- '10#.#45.22.223':80
- 'ka###one.top':3368
TCP
HTTP GET requests
- http://10#.#45.22.215/5555/zy.txt
- http://10#.#45.22.223/5555/cdyxf.png
UDP
- DNS ASK ka###one.top
Miscellaneous
Creates and executes the following
- '<SYSTEM32>\wscript.exe' "C:\ayyn\snnt.vbs"
- 'C:\ayyn\snnt.exe'
- '<SYSTEM32>\cmd.exe' /c snnt.bat' (with hidden window)
Executes the following
- '<SYSTEM32>\cmd.exe' /c snnt.bat
