To complicate detection of its presence in the operating system,
blocks the following features:
- User Account Control (UAC)
adds antivirus exclusion with following registry keys:
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths] '%APPDATA%\yaro5831.exe' = '00000000'
Creates and executes the following
- '' (downloaded from the Internet)
Creates and executes the following (exploit)
- '%APPDATA%\yaro5831.exe'
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath "%APPDATA%\yaro5831.exe" -Force
Injects code into
the following user processes:
Searches for registry branches where third party applications store passwords
- [<HKLM>\Software\Wow6432Node\ORL\WinVNC3]
- [<HKCU>\Software\ORL\WinVNC3]
- [<HKCU>\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions]
- [<HKCU>\Software\FTPWare\COREFTP\Sites]
- [<HKCU>\Software\RimArts\B2\Settings]
Reads files which store third party applications passwords
- %APPDATA%\opera software\opera stable\login data
- %LOCALAPPDATA%\google\chrome\user data\default\login data
- %APPDATA%\thunderbird\profiles.ini
- %APPDATA%\mozilla\firefox\profiles.ini