TROJ_DROPPR.YYML

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It deletes itself after execution.

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Autostart Technique

This Trojan adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
14f491 = "%System Root%\14f4918\14f4918.exe"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
14f4918 = "%User Profile%\Application Data\14f4918.exe"

Other System Modifications

This Trojan modifies the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\SystemRestore
DisableSR = "1"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Eventlog\Application\
ESENT
EventMessageFile = "%System%\ESENT.dll"

(Note: The default value data of the said registry entry is {random values}.)

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Eventlog\Application\
ESENT
CategoryMessageFile = "%System%\ESENT.dll"

(Note: The default value data of the said registry entry is {random values}.)

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Eventlog\Application\
ESENT
CategoryCount = "1"

(Note: The default value data of the said registry entry is 10.)

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Eventlog\Application\
ESENT
TypesSupported = "7"

(Note: The default value data of the said registry entry is 7.)

Dropping Routine

This Trojan drops the following files:

• %System Root%\14f4918\14f4918.exe
• %User Profile%\Application Data\14f4918.exe
• %User Startup%\14f4918.exe
• %User Startup%\14f4918.exe:1
• %User Profile%\Application Data\14f4918.exe:1
• %System Root%\14f4918\14f4918.exe:1

(Note: %System Root% is the Windows root folder, where it usually is C:\ on all Windows operating system versions.. %User Profile% is a user's profile folder, where it usually is C:\Documents and Settings\{user name} on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name} on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.. %User Startup% is the current user's Startup folder, which is usually C:\Windows\Profiles\{user name}\Start Menu\Programs\Startup on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Start Menu\Programs\Startup on Windows NT, and C:\Documents and Settings\{User name}\Start Menu\Programs\Startup.)

Other Details

This Trojan connects to the following possibly malicious URL:

• http://www.{BLOCKED}apmak.com/kf4bv
• http://{BLOCKED}yip.com/text
• {BLOCKED}.73.42
• {BLOCKED}0.1
• {BLOCKED}.32.5
• {BLOCKED}.193.9
• {BLOCKED}.137.230
• {BLOCKED}.123.153
• {BLOCKED}.84.4
• {BLOCKED}.116.161
• {BLOCKED}61.192
• {BLOCKED}.123.152
• {BLOCKED}.99.171
• {BLOCKED}.156.78
• {BLOCKED}.222.129
• {BLOCKED}.191.95
• {BLOCKED}1.233.221
• {BLOCKED}5.57.46
• {BLOCKED}3.233.169
• {BLOCKED}.228.70
• {BLOCKED}8.9.208
• {BLOCKED}9.41.86
• {BLOCKED}.222.215
• {BLOCKED}96.141
• {BLOCKED}.99.251
• {BLOCKED}4.132.114
• {BLOCKED}.84.20
• {BLOCKED}.148.94
• {BLOCKED}130.68
• {BLOCKED}.103.213
• {BLOCKED}4.109.221
• {BLOCKED}.112.135
• {BLOCKED}.98.5
• {BLOCKED}42.110
• {BLOCKED}74.75
• {BLOCKED}8.2.233
• {BLOCKED}.57.236
• {BLOCKED}.156.84
• {BLOCKED}3.162.92
• {BLOCKED}3.84
• {BLOCKED}.100.230
• {BLOCKED}.127.140
• {BLOCKED}66.3
• {BLOCKED}85.217
• {BLOCKED}.20.59
• {BLOCKED}.209.61
• {BLOCKED}.148.87
• {BLOCKED}.10.175
• {BLOCKED}208.147
• {BLOCKED}119.83
• {BLOCKED}0.0.15
• {BLOCKED}.110.199
• {BLOCKED}.84.7
• {BLOCKED}4.111.146
• {BLOCKED}.153.167
• {BLOCKED}.247.140
• {BLOCKED}3.234.7
• {BLOCKED}.207.34
• {BLOCKED}.85.146
• {BLOCKED}1.140.119
• {BLOCKED}.60.192
• {BLOCKED}.82.169
• {BLOCKED}.100.114
• {BLOCKED}79.101
• {BLOCKED}9.125.226
• {BLOCKED}8.218
• {BLOCKED}.224.10
• {BLOCKED}9.4.84
• {BLOCKED}113.107
• {BLOCKED}6.168
• {BLOCKED}.227.184
• {BLOCKED}.162.226
• {BLOCKED}4.123.119
• {BLOCKED}.181.56
• {BLOCKED}.191.190
• {BLOCKED}188.169
• {BLOCKED}11.208
• {BLOCKED}.19.133
• {BLOCKED}.90.103
• {BLOCKED}.244.8
• {BLOCKED}.66.117
• {BLOCKED}83.205
• {BLOCKED}.102.77
• {BLOCKED}.224.15
• {BLOCKED}.62.48
• {BLOCKED}.4.178
• {BLOCKED}.18.215
• {BLOCKED}.33.8
• {BLOCKED}.234.195
• {BLOCKED}.86.26
• {BLOCKED}5.88.230
• {BLOCKED}.30.3
• {BLOCKED}9.209.233
• {BLOCKED}243.79
• {BLOCKED}46.248
• {BLOCKED}.200.213
• {BLOCKED}.152.159
• {BLOCKED}.169.35
• {BLOCKED}163
• {BLOCKED}9.46.173
• {BLOCKED}8.228.77
• {BLOCKED}9.48.152
• {BLOCKED}105.40
• {BLOCKED}.172.88
• {BLOCKED}5.220.140
• {BLOCKED}.154.33
• {BLOCKED}6.158.42
• {BLOCKED}.47.30
• {BLOCKED}4.188.191
• {BLOCKED}.186.212
• {BLOCKED}.122.216
• {BLOCKED}.237.229
• {BLOCKED}.158.20
• {BLOCKED}.178.37
• {BLOCKED}6.29.33
• {BLOCKED}.176.122
• {BLOCKED}.73.36
• {BLOCKED}93.128
• {BLOCKED}.98.194
• {BLOCKED}202.99
• {BLOCKED}.148.85
• {BLOCKED}.195.198
• {BLOCKED}176.158
• {BLOCKED}.202.65
• {BLOCKED}0.29
• {BLOCKED}5.96.182
• {BLOCKED}95.19
• {BLOCKED}9.217.228
• {BLOCKED}.249.118
• {BLOCKED}.136.51
• {BLOCKED}.199.19
• {BLOCKED}.237.117
• {BLOCKED}10.218
• {BLOCKED}123.108
• {BLOCKED}.44.172
• {BLOCKED}0.6.31
• {BLOCKED}.161.63
• {BLOCKED}5.88.234
• {BLOCKED}.219.46
• {BLOCKED}.53.79
• {BLOCKED}.228.212
• {BLOCKED}.33.157
• {BLOCKED}4.128.151
• {BLOCKED}.28.28
• {BLOCKED}6.146.88
• {BLOCKED}.112.125
• {BLOCKED}0.23.208
• {BLOCKED}43.45
• {BLOCKED}9.192.234
• {BLOCKED}.180.4
• {BLOCKED}8.9.49
• {BLOCKED}.28.243
• {BLOCKED}.148.96
• {BLOCKED}138.93
• {BLOCKED}.158.5
• {BLOCKED}.213.160
• {BLOCKED}.36.56
• {BLOCKED}.52.7
• {BLOCKED}.251.25
• {BLOCKED}.181.110
• {BLOCKED}75.84
• {BLOCKED}70.195
• {BLOCKED}.189.126
• {BLOCKED}.55.254
• {BLOCKED}.39.135
• {BLOCKED}4.12.66
• {BLOCKED}.11.235
• {BLOCKED}.0.28
• {BLOCKED}.12.186
• {BLOCKED}122.80
• {BLOCKED}.185.115
• {BLOCKED}.82.177
• {BLOCKED}4.93.110
• {BLOCKED}4.104.134
• {BLOCKED}.130.212
• {BLOCKED}236.206
• {BLOCKED}.49.207
• {BLOCKED}238.140
• {BLOCKED}83.96
• {BLOCKED}.161.234
• {BLOCKED}4.42.203
• {BLOCKED}.53.133
• {BLOCKED}30.131
• {BLOCKED}.25.35
• {BLOCKED}5.94.105
• {BLOCKED}.182.206
• {BLOCKED}4.246
• {BLOCKED}3.234.5
• {BLOCKED}.237.110
• {BLOCKED}251.204
• {BLOCKED}.241.86
• {BLOCKED}.107.91
• {BLOCKED}.243.66
• {BLOCKED}249.222
• {BLOCKED}4.6.21
• {BLOCKED}7.184.32
• {BLOCKED}.2.162
• {BLOCKED}0.245.185
• {BLOCKED}0.163.177
• {BLOCKED}.51.232

It deletes itself after execution.

This report is generated via an automated analysis system.