Installation
It will try to create the following registry entries and keys to mark its installation. This way, when it checks a remote server it knows if it needs to update itself or not.
In subkey: HKLM\<random>, for example HKCU\Software\Osnuafczni
Sets value: "License"
With data: "<version number of the malware", for example "415"
In subkey: HKCU\<random>, for example HKLM\Software\Osnuafczni
Sets value: "License"
With data: "<version number of the malware", for example "415"
Payload
Downloads updates and other malware
The threat connects to a remote server to download updates and other malware. The server address is hardcoded in the malware.
We have seen it connect to the following servers:
-
10.0.3.1/wpad.dat
-
192.162.19.27/b/shoe/159
-
192.162.19.27/b/shoe/54672
-
192.162.19.27/b/shoe/789
-
192.162.19.27/b/shoe/84358
-
192.162.19.27/b/shoe/951
-
192.162.19.27/mod_articles-auth5.6/ajax/
-
192.162.19.27/mod_articles-auth5.6/jquery/
-
192.162.19.27/mod_articles-bmp9.56/ajax/
-
192.162.19.27/mod_articles-bmp9.56/jquery/
-
192.162.19.27/mod_articles-login-985.658/ajax/
-
192.162.19.27/mod_articles-login-985.658/jquery/
-
192.162.19.27/mod_articles-login-llget9/ajax/
-
192.162.19.27/mod_articles-login-llget9/jquery/
-
biggercarz.ru/b/shoe/1480
-
dients-lihuret.su/mod_articles-auth5.6/ajax/
-
dients-lihuret.su/mod_articles-auth5.6/jquery/
-
dients-lihuret.su/mod_articles-login895.654/jquery/
-
dients-lihuret.su/mod_articles-login-9.5/ajax/
-
dients-lihuret.su/mod_articles-login-9.5/jquery/
-
dients-lihuret.su/mod_articles-login9658.6584/jquery/
-
dients-lihuret.su/mod_articles-login-985.658/ajax/
-
dients-lihuret.su/mod_articles-login-985.658/jquery/
-
dients-lihuret.su/mod_articles-login-llget9/ajax/
-
dients-lihuret.su/mod_articles-login-llget9/jquery/
-
dients-lihuret.su/mod_articles-login-llget9845.6587/ajax/
-
dients-lihuret.su/mod_articles-login-llget9845.6587/jquery/
-
from-gunergs.ru/b/shoe/159
-
from-gunergs.ru/b/shoe/54601
-
from-gunergs.ru/b/shoe/54672
-
from-gunergs.ru/b/shoe/74198
-
from-gunergs.ru/b/shoe/749634
-
from-gunergs.ru/b/shoe/789
-
from-gunergs.ru/b/shoe/84358
-
from-gunergs.ru/b/shoe/84371
-
from-gunergs.ru/b/shoe/951
-
gerring-serilg.su/net-phocaguestbook-l199.12/jquery/
-
history-later.su/b/shoe/54613
-
icepower.su/b/shoe/54672
|
-
icepower.su/b/shoe/54963
-
icepower.su/b/shoe/749634
-
icepower.su/b/shoe/789
-
icepower.su/b/shoe/84371
-
king-jinert.com/com-phocaguestbook-qw9/jquery/
-
mitger-qaser.com/b/shoe/749634
-
oak-tureght.ru/mod_articles-auth5.6/ajax/
-
oak-tureght.ru/mod_articles-auth5.6/jquery/
-
older-hiuwm.com/b/shoe/749634
-
priple-red.su/mod_articles-login895.654/ajax/
-
priple-red.su/mod_articles-login895.654/jquery/
-
priple-red.su/mod_articles-qaz12.9/jquery/
-
quarante-ml.com/nivoslider98.45/jquery/
-
raing-gerut.su/b/shoe/1480
-
raing-gerut.su/b/shoe/159
-
raing-gerut.su/b/shoe/54601
-
raing-gerut.su/b/shoe/54605
-
raing-gerut.su/b/shoe/54607
-
raing-gerut.su/b/shoe/54613
-
raing-gerut.su/b/shoe/54615
-
raing-gerut.su/b/shoe/54616
-
raing-gerut.su/b/shoe/54619
-
raing-gerut.su/b/shoe/54672
-
raing-gerut.su/b/shoe/74198
-
raing-gerut.su/b/shoe/749634
-
raing-gerut.su/b/shoe/789
-
raing-gerut.su/b/shoe/84357
-
raing-gerut.su/b/shoe/84358
-
raing-gerut.su/b/shoe/84370
-
raing-gerut.su/b/shoe/84371
-
raing-gerut.su/b/shoe/951
-
smokejuse.su/mod_articles-bmp9.56/jquery/
-
smokejuse.su/mod_articles-java985.654/ajax/
-
smokejuse.su/mod_articles-java985.654/jquery/
-
tundra-tennes.com/script-components/jquery/
-
unuse-bubler.com/b/shoe/789
-
windowsupdate.microsoft.com/
-
wpad/wpad.dat
|
It then downloads an updated version of itself and other malware files, including variants of:
The downloaded file is saved as one of the following:
- Â %TEMP%\Java_Update_<random_characters>.exe, for example, %TEMP%\Java_Update_5a8bf3e9.exe
- Â %TEMP%\UpdateFlashPlayer_<random_characters>.exe, for example, %TEMP%\UpdateFlashPlayer_b61c21a2.exe
Here is what the infection chain looks like (at the time of analysis) as Zemot is dropped by an email generated by Kuluoz spambot:
 
Analysis by Patrick Estavillo
