BackDoor.PlugX.78

Technical Information

To ensure autorun and distribution

Modifies the following registry keys

[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] '' = '%APPDATA%\IntegratedAwes\IntegratedAwes.exe'

Malicious functions

Injects code into

the following user processes:

iexplore.exe

Modifies file system

Creates the following files

%APPDATA%\pqrtyg
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\desktop.ini
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\desktop.ini
%LOCALAPPDATA%\microsoft\windows\history\low\desktop.ini
%LOCALAPPDATA%\microsoft\windows\history\low\history.ie5\desktop.ini
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\index.dat
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\vf59fuvp\desktop.ini
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\4ag4q0jj\desktop.ini
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\nihr9f6l\desktop.ini
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\xsnzwyfw\desktop.ini
%APPDATA%\microsoft\windows\cookies\low\index.dat
%LOCALAPPDATA%\microsoft\windows\history\low\history.ie5\index.dat

Sets the 'hidden' attribute to the following files

%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\desktop.ini
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\desktop.ini
%LOCALAPPDATA%\microsoft\windows\history\low\desktop.ini
%LOCALAPPDATA%\microsoft\windows\history\low\history.ie5\desktop.ini
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\vf59fuvp\desktop.ini
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\4ag4q0jj\desktop.ini
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\nihr9f6l\desktop.ini
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\xsnzwyfw\desktop.ini

Deletes the following files

%WINDIR%\microsoft.net\framework\v4.0.30319\asp.netwebadminfiles\images\aspdotnet_logo.jpg
%WINDIR%\microsoft.net\framework\v4.0.30319\asp.netwebadminfiles\images\darkblue_grad.jpg
%WINDIR%\microsoft.net\framework\v4.0.30319\asp.netwebadminfiles\images\help.jpg
%WINDIR%\microsoft.net\framework\v4.0.30319\asp.netwebadminfiles\images\security_watermark.jpg
%WINDIR%\microsoft.net\framework\v4.0.30319\asp.netwebadminfiles\images\topgradrepeat.jpg
%WINDIR%\microsoft.net\framework64\v2.0.50727\asp.netwebadminfiles\images\aspdotnet_logo.jpg
%WINDIR%\microsoft.net\framework64\v2.0.50727\asp.netwebadminfiles\images\darkblue_grad.jpg
%WINDIR%\microsoft.net\framework64\v2.0.50727\asp.netwebadminfiles\images\help.jpg
%WINDIR%\microsoft.net\framework64\v2.0.50727\asp.netwebadminfiles\images\security_watermark.jpg
%WINDIR%\microsoft.net\framework64\v2.0.50727\asp.netwebadminfiles\images\topgradrepeat.jpg
%WINDIR%\microsoft.net\framework64\v4.0.30319\asp.netwebadminfiles\images\aspdotnet_logo.jpg
%WINDIR%\microsoft.net\framework64\v4.0.30319\asp.netwebadminfiles\images\darkblue_grad.jpg
%WINDIR%\microsoft.net\framework64\v4.0.30319\asp.netwebadminfiles\images\help.jpg
%WINDIR%\microsoft.net\framework64\v4.0.30319\asp.netwebadminfiles\images\security_watermark.jpg
%WINDIR%\microsoft.net\framework64\v4.0.30319\asp.netwebadminfiles\images\topgradrepeat.jpg

Moves itself

from <Full path to file> to %APPDATA%\integratedawes\integratedawes.exe

Network activity

Connects to

'sb####.webssl9.info':53

UDP

DNS ASK sb####.webssl9.info
DNS ASK mw#############Ic0P5jBdLECIuwYvo.sbuudd.webssl9.info
DNS ASK li#############Ic0P5jBdLECIuwYvo.sbuudd.webssl9.info
DNS ASK YB##Hgudk/rzM4vIc0P5jBdLECIuwYvo.sbuudd.webssl9.info
DNS ASK Aj#############Ic0P5jBdLECIuwYvo.sbuudd.webssl9.info
DNS ASK ew/pHo2bNwXzM4vIc0P5jBdLECIuwYvo.sbuudd.webssl9.info
DNS ASK Wx#############Ic0P5jBdLECIuwYvo.sbuudd.webssl9.info
DNS ASK vn#############Ic0P5jBdLECIuwYvo.sbuudd.webssl9.info
DNS ASK Qo##HuHl/zDzM4vIc0P5jBdLECIuwYvo.sbuudd.webssl9.info
DNS ASK Zp#############Ic0P5jBdLECIuwYvo.sbuudd.webssl9.info
DNS ASK Mr#############Ic0P5jBdLECIuwYvo.sbuudd.webssl9.info
DNS ASK Og#############Ic0P5jBdLECIuwYvo.sbuudd.webssl9.info
DNS ASK Nl#############Ic0P5jBdLECIuwYvo.sbuudd.webssl9.info
DNS ASK 1R#############Ic0P5jBdLECIuwYvo.sbuudd.webssl9.info
DNS ASK Qe#############Ic0P5jBdLECIuwYvo.sbuudd.webssl9.info
DNS ASK de#############Ic0P5jBdLECIuwYvo.sbuudd.webssl9.info
DNS ASK Ir#############Ic0P5jBdLECIuwYvo.sbuudd.webssl9.info
DNS ASK 1Q#############Ic0P5jBdLECIuwYvo.sbuudd.webssl9.info
DNS ASK nz#############Ic0P5jBdLECIuwYvo.sbuudd.webssl9.info
DNS ASK EX#############Ic0P5jBdLECIuwYvo.sbuudd.webssl9.info
DNS ASK Gb#############Ic0P5jBdLECIuwYvo.sbuudd.webssl9.info
DNS ASK td#############Ic0P5jBdLECIuwYvo.sbuudd.webssl9.info
DNS ASK j+#############Ic0P5jBdLECIuwYvo.sbuudd.webssl9.info
DNS ASK wU##HhC8zK/zM4vIc0P5jBdLECIuwYvo.sbuudd.webssl9.info
DNS ASK RE#############Ic0P5jBdLECIuwYvo.sbuudd.webssl9.info
DNS ASK uQ#/HiwhWh/zM4vIc0P5jBdLECIuwYvo.sbuudd.webssl9.info
DNS ASK 0j##Hque/SrzM4vIc0P5jBdLECIuwYvo.sbuudd.webssl9.info
DNS ASK IB#############Ic0P5jBdLECIuwYvo.sbuudd.webssl9.info
DNS ASK ub#############Ic0P5jBdLECIuwYvo.sbuudd.webssl9.info
DNS ASK VP#############Ic0P5jBdLECIuwYvo.sbuudd.webssl9.info
DNS ASK Dd#############Ic0P5jBdLECIuwYvo.sbuudd.webssl9.info
DNS ASK wV#############Ic0P5jBdLECIuwYvo.sbuudd.webssl9.info
DNS ASK Dy#############Ic0P5jBdLECIuwYvo.sbuudd.webssl9.info
DNS ASK

Miscellaneous

Executes the following

'%ProgramFiles(x86)%\internet explorer\iexplore.exe'
'%WINDIR%\syswow64\rundll32.exe' "%WINDIR%\syswow64\WININET.dll",DispatchAPICall 1

Tecnologie

Termini

Formazione ed informazione

Falsi miti

Technical Information

Curing recommendations

Free trial