TSPY_ZBOT.YUYALI

 Analysis by: Jennifer Gumban
 Modified by: Anthony Joe Melgarejo

 PLATFORM:

Windows


  • Threat Type: Spyware

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW


This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It modifies the Internet Explorer Zone Settings.

  TECHNICAL DETAILS

File Size:

1,249,496 bytes

File Type:

EXE

Initial Samples Received Date:

25 Nov 2015

Arrival Details

This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This spyware drops the following files:

  • %Application Data%\{random folder 2}\{random filename 2}.tmp
  • %Application Data%\{random folder 2}\{random filename 2}.{random extension}

(Note: %Application Data% is the Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit), and C:\Users\{user name}\AppData\Roaming on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

It drops the following copies of itself into the affected system:

  • %Application Data%\{random folder 1}\{random file name 1}.exe


It creates the following folders:

  • %Application Data%\{random folder 1}
  • %Application Data%\{random folder 2}


Autostart Technique

This spyware adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
{GUID} = "%Application Data%\{random folder 1}\{random file name 1}.exe"

Other System Modifications

This spyware adds the following registry entries:

HKCU\Software\Microsoft\Internet Explorer\Privacy
CleanCookies = "0"
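The two registry changes above can be turned into a triage check over exported registry values. The following is an added example, not part of the original analysis; the function names, the sample entries, and the reading of {GUID} as a standard GUID string with optional braces are assumptions.

```python
import ntpath
import re

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
PRIVACY_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Privacy"
# Assumption: "{GUID}" in the write-up means a standard GUID, braces optional.
GUID_RE = re.compile(r"^\{?[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?$", re.I)

def is_suspect_run_value(name, data, appdata):
    """GUID-named value whose data is an .exe exactly one folder below
    the roaming Application Data directory."""
    path = data.strip().strip('"')
    folder, exe = ntpath.split(path)
    parent, sub = ntpath.split(folder)
    return (GUID_RE.match(name) is not None
            and exe.lower().endswith(".exe")
            and sub != ""
            and ntpath.normcase(parent) == ntpath.normcase(appdata.rstrip("\\")))

def triage(entries, appdata):
    """entries: iterable of (key, value name, value data) tuples."""
    findings = []
    for key, name, data in entries:
        k = key.lower()
        if k == RUN_KEY.lower() and is_suspect_run_value(name, data, appdata):
            findings.append(("run-autostart", name, data))
        elif (k == PRIVACY_KEY.lower() and name.lower() == "cleancookies"
              and data.strip('"') == "0"):
            findings.append(("ie-cleancookies-disabled", name, data))
    return findings

# Constructed sample data (user name, folder and file names are made up).
APPDATA = r"C:\Users\alice\AppData\Roaming"
SAMPLE = [
    (RUN_KEY, "{1B2C3D4E-5F60-7182-93A4-B5C6D7E8F901}",
     r'"C:\Users\alice\AppData\Roaming\Ubyqe\ozka.exe"'),
    (RUN_KEY, "OneDrive",
     r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    (PRIVACY_KEY, "CleanCookies", "0"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE, APPDATA):
        print(finding)
```

A hit is a lead for review rather than a verdict: the pattern matches the layout described here, not the file contents.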

Web Browser Home Page and Search Page Modification

This spyware modifies the Internet Explorer Zone Settings.

Other Details

This spyware connects to the following URL(s) to get the affected system's IP address:

  • http://checkip.dyndns.org/

It connects to the following possibly malicious URL:

  • http://{BLOCKED}6nmuptef7.onion/z1.bin