Installation
It will try to create the following registry entries and keys to mark its installation. This way, when it checks a remote server, it knows whether it needs to update itself.
In subkey: HKCU\<random>, for example HKCU\Software\Osnuafczni
Sets value: "License"
With data: "<version number of the malware>", for example "415"
In subkey: HKLM\<random>, for example HKLM\Software\Osnuafczni
Sets value: "License"
With data: "<version number of the malware>", for example "415"
Payload
Downloads updates and other malware
The threat connects to a remote server to download updates and other malware. The server address is hardcoded in the malware.
We have seen it connect to the following servers:
It then downloads an updated version of itself and other malware files, including variants of:
The downloaded file is saved as one of the following:
- %TEMP%\Java_Update_<random_characters>.exe, for example, %TEMP%\Java_Update_5a8bf3e9.exe
- %TEMP%\UpdateFlashPlayer_<random_characters>.exe, for example, %TEMP%\UpdateFlashPlayer_b61c21a2.exe
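A defender-side check for the two host markers this entry describes, the "License" value under a random subkey of Software and the drop-file names in %TEMP%. This is an added example, not code from the original entry or from Microsoft; the file listing and registry values below are constructed, and treating <random_characters> as eight hex characters (the shape of the page's examples) is an assumption.

```python
import re

# Constructed sample data standing in for a %TEMP% listing and a registry
# enumeration; on a live host these would come from os.listdir() and winreg.
SAMPLE_TEMP_FILES = [
    "Java_Update_5a8bf3e9.exe",          # matches the page's first drop name
    "UpdateFlashPlayer_b61c21a2.exe",    # matches the page's second drop name
    "Java_Update_readme.txt",            # wrong extension, not a match
    "jre-8u25-windows-i586.exe",         # legitimate installer name, not a match
]
SAMPLE_REGISTRY_VALUES = [  # (hive, subkey, value name, data)
    ("HKCU", r"Software\Osnuafczni", "License", "415"),
    ("HKLM", r"Software\Osnuafczni", "License", "415"),
    ("HKLM", r"Software\Vendor\Product", "License", "ABCD-1234"),  # nested, non-numeric
    ("HKCU", r"Software\Other", "Version", "415"),                 # wrong value name
]

# Assumption: <random_characters> is eight hex characters, as in the page's examples.
DROP_NAME_RE = re.compile(r"^(Java_Update|UpdateFlashPlayer)_[0-9a-f]{8}\.exe$", re.I)


def is_zemot_drop_name(filename: str) -> bool:
    """True when a file name matches the drop pattern described on the page."""
    return DROP_NAME_RE.match(filename) is not None


def find_license_markers(values):
    """Return (hive, subkey, data) for each 'License' value that sits directly
    under <hive>\\Software\\<random> and holds an all-digit version string."""
    hits = []
    for hive, subkey, name, data in values:
        parts = subkey.split("\\")
        directly_under_software = len(parts) == 2 and parts[0].lower() == "software"
        if name == "License" and directly_under_software and str(data).isdigit():
            hits.append((hive, subkey, data))
    return hits


def scan(temp_files, registry_values):
    """Combine both indicators into one report for a host."""
    return {
        "drop_files": [f for f in temp_files if is_zemot_drop_name(f)],
        "license_markers": find_license_markers(registry_values),
    }


if __name__ == "__main__":
    for kind, items in scan(SAMPLE_TEMP_FILES, SAMPLE_REGISTRY_VALUES).items():
        print(kind, items)
```

On a live host, pass os.listdir(os.environ["TEMP"]) and (hive, subkey, name, data) tuples enumerated with winreg into scan().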
Here is what the infection chain looked like at the time of analysis, with Zemot dropped by an email generated by the Kuluoz spambot:
Analysis by Patrick Estavillo