Technical Information
To ensure autorun and distribution
Modifies the following registry keys
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] 'navHelper2' = '"%APPDATA%\navHelper2.exe"'
Malicious functions
Modifies settings of Windows Internet Explorer
- [<HKLM>\Software\Microsoft\windows\CurrentVersion\Internet Settings] 'ProxyEnable' = '00000001'
- [<HKLM>\Software\Microsoft\windows\CurrentVersion\Internet Settings] 'ProxyServer' = 'http=127.0.0.1:8888;https=127.0.0.1:8888;'
- [<HKLM>\Software\Microsoft\windows\CurrentVersion\Internet Settings] 'ProxyOverride' = '<-loopback>'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings] 'ProxyEnable' = '00000001'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings] 'ProxyOverride' = '<-loopback>'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings] 'ProxyServer' = 'http=127.0.0.1:8888;https=127.0.0.1:8888;'
Modifies file system
Creates the following files
- %APPDATA%\navhelper2.exe
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\jal3pbhm\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\odfnmnad\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\376zq4si\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\28q8x299\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\index.dat
- %LOCALAPPDATA%\microsoft\windows\history\low\history.ie5\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\history\low\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\desktop.ini
- %LOCALAPPDATA%\isolatedstorage\13ysuaug.vxi\zgjimqwh.mns\url.e4ur3uy4unzrvyrfnsfugjyjoy1bgdhg\assemfiles\storage_811092dcc98648d790a1730d08245b4b_sessiondata_b1761bfa3361475a89b20382587c588d.bi...
- %APPDATA%\microsoft\windows\cookies\low\index.dat
- %LOCALAPPDATA%\isolatedstorage\13ysuaug.vxi\zgjimqwh.mns\url.e4ur3uy4unzrvyrfnsfugjyjoy1bgdhg\assemfiles\storage_811092dcc98648d790a1730d08245b4b_statistics.bin
- %LOCALAPPDATA%\isolatedstorage\13ysuaug.vxi\zgjimqwh.mns\url.e4ur3uy4unzrvyrfnsfugjyjoy1bgdhg\info.dat
- %LOCALAPPDATA%\isolatedstorage\13ysuaug.vxi\zgjimqwh.mns\url.e4ur3uy4unzrvyrfnsfugjyjoy1bgdhg\identity.dat
- %APPDATA%\config.json
- %APPDATA%\microsoft\crypto\rsa\s-1-5-21-1960123792-2022915161-3775307078-1001\26683df7974f1e794476b12d7a4120c7_36d1130a-ac2e-44f7-9dc1-e424fbcbe0ee
- %TEMP%\tmp24c0.tmp
- %TEMP%\tmp24a0.tmp
- %APPDATA%\microsoft\systemcertificates\my\keys\4342590f787693afab3340e76d7581fca582a25b
- %APPDATA%\microsoft\systemcertificates\my\certificates\9188e947d9376f9454f36c7f2f54f1cde1f8e20c
- %APPDATA%\microsoft\systemcertificates\request\certificates\4930f2db0a34779625b4b7a786369a51731b82ca
- %APPDATA%\microsoft\crypto\rsa\s-1-5-21-1960123792-2022915161-3775307078-1001\17604a8ead273c1d3ae04e7aaa2d95cc_36d1130a-ac2e-44f7-9dc1-e424fbcbe0ee
- %LOCALAPPDATA%\isolatedstorage\13ysuaug.vxi\zgjimqwh.mns\url.e4ur3uy4unzrvyrfnsfugjyjoy1bgdhg\assemfiles\storage_811092dcc98648d790a1730d08245b4b_policy.bin
- %LOCALAPPDATA%\microsoft\windows\history\low\history.ie5\index.dat
Sets the 'hidden' attribute to the following files
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\28q8x299\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\376zq4si\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\odfnmnad\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\jal3pbhm\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\history\low\history.ie5\desktop.ini
Deletes the following files
- %APPDATA%\microsoft\systemcertificates\request\certificates\4930f2db0a34779625b4b7a786369a51731b82ca
- %TEMP%\tmp24a0.tmp
- %TEMP%\tmp24c0.tmp
Network activity
Connects to
- '81############d790a1730d08245b4b.monitor-eqatec.com':80
TCP
HTTP POST requests
- http://81############d790a1730d08245b4b.monitor-eqatec.com/monitor.ashx?pv################################################################################################
UDP
- DNS ASK 81############d790a1730d08245b4b.monitor-eqatec.com
Miscellaneous
Adds a root certificate
Creates and executes the following
- '%APPDATA%\navhelper2.exe'
Executes the following
- '<SYSTEM32>\rundll32.exe' "<SYSTEM32>\wininet.dll",DispatchAPICall 1
