Trojan.DownLoader25.56971

Technical Information

To ensure autorun and distribution:

Creates the following services:

[<HKLM>\SYSTEM\ControlSet001\Services\cpuz143] 'ImagePath' = '%TEMP%\cpuz143\cpuz143_x32.sys'

Malicious functions:

Creates and executes the following:

'<Current directory>\Speccy\local\stubexe\0x57E8B6129BAE272B\secedit.exe' /export /cfg "%TEMP%\spc_se.txt" /quiet /areas SECURITYPOLICY
'<Current directory>\Speccy\local\stubexe\0x68E1A7398F6B74C6\Speccy.exe'

Modifies file system:

Creates the following files:

%WINDIR%\security\res2.log
%WINDIR%\security\res1.log
<Current directory>\Speccy\local\stubexe\0x57E8B6129BAE272B\secedit.exe.manifest.__tmp__
%WINDIR%\security\edbtmp.log
%WINDIR%\security\edb.chk
%WINDIR%\security\logs\scesrv.log
%WINDIR%\security\edb.log
%WINDIR%\security\tmp.edb
<Current directory>\Speccy\local\stubexe\0x57E8B6129BAE272B\secedit.exe.__tmp__
<Current directory>\Speccy\local\stubexe\0x68E1A7398F6B74C6\Speccy.exe.manifest.__tmp__
%TEMP%\SPOON\CACHE\0x59BC3F8A2076E30C\sxs\Manifests\Speccy.exe_0xab48ec8d0dd2bc8c610422dfd0322fa5.1.manifest.__tmp__
<Current directory>\Speccy\xsandbox.bin.__tmp__
<Current directory>\Speccy\local\stubexe\0x68E1A7398F6B74C6\Speccy.exe.__tmp__
%TEMP%\SPOON\CACHE\0x59BC3F8A2076E30C\sxs\X86_Nullsoft.NSIS.exehead@1.0.0.0\X86_Nullsoft.NSIS.exehead@1.0.0.0.manifest.__tmp__
%TEMP%\cpuz143\cpuz143_x32.sys
%TEMP%\SPOON\CACHE\0x59BC3F8A2076E30C\sxs\Manifests\uninst.exe_0xed9837a308e91110f455e0e1a3a256d1.1.manifest.__tmp__
%TEMP%\SPOON\CACHE\0x59BC3F8A2076E30C\sxs\X86_Nullsoft.NSIS.exehead@1.0.0.0\Nullsoft.NSIS.exehead.manifest.__tmp__

Deletes the following files:

%TEMP%\Cab7.tmp
%TEMP%\sce09777.tmp
%TEMP%\spc_se.txt
%TEMP%\Cab1.tmp
%TEMP%\Cab3.tmp
%TEMP%\Cab5.tmp

Moves the following files:

from %TEMP%\SPOON\CACHE\0x59BC3F8A2076E30C\sxs\X86_Nullsoft.NSIS.exehead@1.0.0.0\X86_Nullsoft.NSIS.exehead@1.0.0.0.manifest.__tmp__ to %TEMP%\SPOON\CACHE\0x59BC3F8A2076E30C\sxs\X86_Nullsoft.NSIS.exehead@1.0.0.0\X86_Nullsoft.NSIS.exehead@1.0.0.0.manifest
from %TEMP%\SPOON\CACHE\0x59BC3F8A2076E30C\sxs\X86_Nullsoft.NSIS.exehead@1.0.0.0\Nullsoft.NSIS.exehead.manifest.__tmp__ to %TEMP%\SPOON\CACHE\0x59BC3F8A2076E30C\sxs\X86_Nullsoft.NSIS.exehead@1.0.0.0\Nullsoft.NSIS.exehead.manifest
from <Current directory>\Speccy\local\stubexe\0x57E8B6129BAE272B\secedit.exe.__tmp__ to <Current directory>\Speccy\local\stubexe\0x57E8B6129BAE272B\secedit.exe
from %WINDIR%\security\edbtmp.log to %WINDIR%\security\edb.log
from <Current directory>\Speccy\local\stubexe\0x57E8B6129BAE272B\secedit.exe.manifest.__tmp__ to <Current directory>\Speccy\local\stubexe\0x57E8B6129BAE272B\secedit.exe.manifest
from <Current directory>\Speccy\local\stubexe\0x68E1A7398F6B74C6\Speccy.exe.__tmp__ to <Current directory>\Speccy\local\stubexe\0x68E1A7398F6B74C6\Speccy.exe
from <Current directory>\Speccy\xsandbox.bin.__tmp__ to <Current directory>\Speccy\xsandbox.bin
from <Current directory>\Speccy\local\stubexe\0x68E1A7398F6B74C6\Speccy.exe.manifest.__tmp__ to <Current directory>\Speccy\local\stubexe\0x68E1A7398F6B74C6\Speccy.exe.manifest
from %TEMP%\SPOON\CACHE\0x59BC3F8A2076E30C\sxs\Manifests\uninst.exe_0xed9837a308e91110f455e0e1a3a256d1.1.manifest.__tmp__ to %TEMP%\SPOON\CACHE\0x59BC3F8A2076E30C\sxs\Manifests\uninst.exe_0xed9837a308e91110f455e0e1a3a256d1.1.manifest
from %TEMP%\SPOON\CACHE\0x59BC3F8A2076E30C\sxs\Manifests\Speccy.exe_0xab48ec8d0dd2bc8c610422dfd0322fa5.1.manifest.__tmp__ to %TEMP%\SPOON\CACHE\0x59BC3F8A2076E30C\sxs\Manifests\Speccy.exe_0xab48ec8d0dd2bc8c610422dfd0322fa5.1.manifest

Substitutes the following files:

%WINDIR%\security\edbtmp.log

Network activity:

Connects to:

'www.download.windowsupdate.com':80
'sv.##mcb.com':80
'st###.spoon.net':443
'wp#d':80

TCP:

HTTP GET requests:

http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
http://sv.##mcb.com/sv.crt
http://11#.#11.111.2/wpad.dat via wp#d
http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt

UDP: