Technical Information
Malicious functions
Executes the following
- '<SYSTEM32>\taskkill.exe' /F /IM Steam.exe
Modifies file system
Creates the following files
- %TEMP%\7f34.tmp\steam clear.bat
- nul
Network activity
TCP
HTTP GET requests
- http://cl########nload.steampowered.com/client/steam_client_win32
- http://me####.steampowered.com/client/strings_all.zip.vz.25df0569b8531cfc5042408ffa4e1f9c8d60281b_2284969
- http://me####.steampowered.com/client/strings_en_all.zip.vz.09deaa83f1bf52cf7930f660f423e0caa3e60c5e_90062
- http://me####.steampowered.com/client/resources_all.zip.vz.64d7384e19f02a34b754573b0ed046612a8b6fb3_1304057
- http://me####.steampowered.com/client/resources_hidpi_all.zip.vz.66e6d0c4758df08e7a52aeca5d75f7cf2d243268_56612
- http://me####.steampowered.com/client/resources_music_all.zip.vz.7a62e15083d4a65668f0d1fa58ad8c1b99fb5ace_3708050
- http://me####.steampowered.com/client/resources_misc_all.zip.vz.4a1fa88d21b005b67a41a9a0fc6044ae1fa46791_2225211
- http://me####.steampowered.com/client/steamui_websrc_all.zip.vz.27cb9b4e61ea0e72ec1e1c59a0c9234d66167692_1998267
- http://me####.steampowered.com/client/public_all.zip.vz.3c605b1329c76b6c2ddd6700778341167c69734e_894587
- http://me####.steampowered.com/client/friendsui_all.zip.vz.0c7ddfeb7e1d0ba1140c79544c313fac2247ae2b_2130974
- http://me####.steampowered.com/client/tenfoot_images_all.zip.vz.1af41b6242b1b51825e0f5c6840568ec4db003d0_31340465
- http://me####.steampowered.com/client/tenfoot_sounds_all.zip.vz.ffef2b2fc386819a842ea79484b966a937c2ca7e_1209792
- http://me####.steampowered.com/client/tenfoot_ambientsounds_all.zip.89b80bcfdd11b2b99257ddbbdc374e2df54e2738
- http://me####.steampowered.com/client/tenfoot_fonts_all.zip.vz.7673e4cd32b6752bc621d8bc1a7118a9af19b64a_12077027
- http://me####.steampowered.com/client/tenfoot_dicts_all.zip.33245b7d523f68418283e93b0572508fa127ee8f
- http://me####.steampowered.com/client/tenfoot_misc_all.zip.1ca83d76835b4613170f5cead778b176b11f2b0c
- http://me####.steampowered.com/client/steam_client_win32?15########
- http://me####.steampowered.com/client/tenfoot_all.zip.vz.d83395e1e777e2ab23026760cb58ef3bdbf8ce93_2624914
- http://me####.steampowered.com/client/bins_codecs_win32.zip.vz.568108d774a036c6684c0a1f78a33ec2e8044b4c_2547912
UDP
- DNS ASK cl########nload.steampowered.com
- DNS ASK me####.steampowered.com
Miscellaneous
Executes the following
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\7F34.tmp\steam clear.bat" <Full path to file>"
- '%ProgramFiles(x86)%\steam\steam.exe' "steam://friends/status/offline"
- '<SYSTEM32>\ping.exe' 127.0.0.1 -n 3
- '%ProgramFiles(x86)%\steam\steam.exe' "steam://run/413851"
- '<SYSTEM32>\ping.exe' 127.0.0.1 -n 5
- '%ProgramFiles(x86)%\steam\steam.exe' "steam://run/413857"
- '%ProgramFiles(x86)%\steam\steam.exe' "steam://run/413859"
- '%ProgramFiles(x86)%\steam\bin\steamwebhelper.exe' -cachedir="%LOCALAPPDATA%\Steam\htmlcache" -steampid=2240 -buildid=1451690000 -steamid="0" --disable-gpu-compositing --disable-gpu --process-per-tab --enable-system-flash --disable-spell-check...
- '%ProgramFiles(x86)%\steam\steam.exe' "steam://run/413856"
- '<SYSTEM32>\ping.exe' 127.0.0.1 -n 7
- '<SYSTEM32>\ping.exe' 127.0.0.1 -n 1
