Technical Information
To ensure autorun and distribution:
Creates or modifies the following files:
- %HOMEPATH%\Start Menu\Programs\Startup\20181112.lnk
Modifies file system:
Creates the following files:
- %WINDIR% Restore\20181112\20181112.exe
- %WINDIR% Restore\num.txt
Network activity:
Connects to:
- 'localhost':1037
- 'us###per.com':80
- 'tr###myip.org':80
- 'tr###finc.com':80
TCP:
HTTP GET requests:
- http://www.us###per.com/myip.php via us###per.com
- http://www.us###per.com/tor/1.php?pa#################### via us###per.com
- http://us###per.com/rt.php
- http://www.tr###finc.com/mysq/apicheck.php via tr###finc.com
HTTP POST requests:
- http://www.us###per.com/mysqo3/newuser3.php via us###per.com
UDP:
- DNS ASK us###per.com
- DNS ASK www.us###per.com
- DNS ASK www.tr###myip.org
- DNS ASK www.tr###finc.com
Miscellaneous:
Searches for the following windows:
- ClassName: 'MS_AutodialMonitor' WindowName: ''
- ClassName: 'MS_WebcheckMonitor' WindowName: ''
