Installation
This threat can create files on your PC, including:
-
%LOCALAPPDATA%\[random alphanumeric characters]\[concatenation of two existing executable files].exe
-
%LOCALAPPDATA%\[random alphanumeric characters]\[concatenation of two existing executable files].exe
It modifies the registry so that it runs each time you start your PC. For example:
In subkey:
HKLM\software\microsoft\windows\currentversion\runSets value: "
Cryptographic Services Control"
With data: "
%LOCALAPPDATA%\[random alphanumeric characters]\[concatenation of two existing executable files].exe" for example "
%LOCALAPPDATA%\zyx\winvmicsvc.exe"
Payload
Allows backdoor access and control
This threat can give a malicious hacker access and control of your PC. They can then perform a number of different actions, including:
- Deleting files
- Downloading and running files
- Logging your keystrokes or stealing your sensitive data
- Modifying your system settings
- Running or stopping applications
- Spreading malware to other PCs
- Uploading files
Connects to a remote host
We have seen this threat connect to a remote host, including:
- solocoufandle.com using port 80
- papausafr.com using port 80
Malware can connect to a remote host to do any of the following:
- Check for an Internet connection
- Download and run files (including updates or other malware)
- Report a new infection to its author
- Receive configuration or other data
- Receive instructions from a malicious hacker
- Search for your PC location
- Upload information taken from your PC
- Validate a digital certificate
It can stop some processes from running on your PC, including:
Bypasses firewall
This threat tries to bypass your firewall by modifying the registry. For example:
HKLM\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy
You might need to restore your Windows Firewall settings.
Additional information
Creates a mutex
This threat can create a mutex on your PC. For example:
- PB_MAIN_MUTEX_GL_63785462387
It might use this mutex as an infection marker to prevent more than one copy of the threat running on your PC.
This malware description was published using automated analysis of file SHA1 0a2c473a4b3b37047785ee5e5039bfe8257f64e1.
