Worm.Generic
Risk Level 1
 
File Size : 297472 KB
File Type : Portable Executable 32
File Name

AYPDATE.exe

MD5

a713c04489f469d9854b1ad3aa201974

SHA1

57ab05dce02be7bc13c81c6e17220fb2f0cd56a1

SHA256

5e690ca64166ca395de50d486a7d42daf10466a5ff988db6cf

General information:

* File name: C:\Users\cognus\Desktop\Analyzed Viruses\6 June 2016\New folder\Sample\a713c04489f469d9854b1ad3aa201974.exe

Changes to registry :

* Creates value "NukeOnDelete=00000001" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Explorer\BitBucket
* Creates value "UseGlobalSettings=00000001" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Explorer\BitBucket
* Creates value "DontShowUI=00000001" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\Windows Error Reporting
* Creates Registry key HKEY_LOCAL_MACHINE\software\microsoft\Windows\Windows Error Reporting\LocalDumps
* Creates value "SCRNSAVE.EXE="C:\Users\cognus\AppData\Roaming\{6AC723A0-8585-7AD0-6530-1A7FCEBBA883}\expand.exe"" in key HKEY_CURRENT_USER\Control Panel\Desktop
binary data=220043003A005C00550073006500720073005C0063006F0067006E00750073005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C007B00360041004300370032003300410030002D0038003500380035002D0037004100440030002D0036003500330030002D003100410037004600430045004200420041003800380033007D005C0065007800700061006E0064002E0065007800650022000000
* Creates value "Component… [value truncated on the page]" in key HKEY_CURRENT_USER\Printers\Defaults\{2E7BCB91-750C-1548-5948-054EED18180C}
* Creates value "Component_00=9A0401014E3E8B504002000001000000C2697C37BD020BF3FD7AF92F4C23198599BA781D1D28B9E98C75EF7FEC456950C43914EB7262A464255919724786D183BDC1DC5F30237FC779618909A7060F190A2642B9A3AD99A1000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010001" in key HKEY_CURRENT_USER\Printers\Defaults\{2E7BCB91-750C-1548-5948-054EED18180C}
* Creates value "AutoRun="C:\Users\cognus\AppData\Roaming\{6AC723A0-8585-7AD0-6530-1A7FCEBBA883}\expand.exe"" in key HKEY_CURRENT_USER\software\Microsoft\Command Processor
binary data=220043003A005C00550073006500720073005C0063006F0067006E00750073005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C007B00360041004300370032003300410030002D0038003500380035002D0037004100440030002D0036003500330030002D003100410037004600430045004200420041003800380033007D005C0065007800700061006E0064002E0065007800650022000000
* Modifies value "NukeOnDelete=00000001" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{c9d04f3b-1c7e-11e6-979c-806e6f6e6963}
old value empty
* Creates value "Run="C:\Users\cognus\AppData\Roaming\{6AC723A0-8585-7AD0-6530-1A7FCEBBA883}\expand.exe"" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Policies\Explorer
binary data=220043003A005C00550073006500720073005C0063006F0067006E00750073005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C007B00360041004300370032003300410030002D0038003500380035002D0037004100440030002D0036003500330030002D003100410037004600430045004200420041003800380033007D005C0065007800700061006E0064002E0065007800650022000000
* Creates value "expand="C:\Users\cognus\AppData\Roaming\{6AC723A0-8585-7AD0-6530-1A7FCEBBA883}\expand.exe"" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run
binary data=220043003A005C00550073006500720073005C0063006F0067006E00750073005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C007B00360041004300370032003300410030002D0038003500380035002D0037004100440030002D0036003500330030002D003100410037004600430045004200420041003800380033007D005C0065007800700061006E0064002E0065007800650022000000
* Creates value "expand="C:\Users\cognus\AppData\Roaming\{6AC723A0-8585-7AD0-6530-1A7FCEBBA883}\expand.exe"" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\RunOnce
binary data=220043003A005C00550073006500720073005C0063006F0067006E00750073005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C007B00360041004300370032003300410030002D0038003500380035002D0037004100440030002D0036003500330030002D003100410037004600430045004200420041003800380033007D005C0065007800700061006E0064002E0065007800650022000000
* Creates value "(Default)=31" in key HKEY_CURRENT_USER\software\SandboxAutoExec
* Creates value "SandboxieRpcSs.exe=Sandboxie COM Services (RPC)" in key HKEY_CURRENT_USER\software\classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Program Files\Sandboxie
binary data=530061006E00640062006F00780069006500200043004F004D002000530065007200760069006300650073002000280052005000430029000000
* Creates value "cmd.exe=Windows Command Processor" in key HKEY_CURRENT_USER\software\classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Windows\System32
binary data=570069006E0064006F0077007300200043006F006D006D0061006E0064002000500072006F0063006500730073006F0072000000
* Creates value "taskkill.exe=Terminates Processes" in key HKEY_CURRENT_USER\software\classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Windows\System32
binary data=5400650072006D0069006E0061007400650073002000500072006F006300650073007300650073000000
* Creates value "vssadmin.exe=Command Line Interface for Microsoft Volume Shadow Copy Service " in key HKEY_CURRENT_USER\software\classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Windows\System32
binary data=43006F006D006D0061006E00640020004C0069006E006500200049006E007400650072006600610063006500200066006F00720020004D006900630072006F0073006F0066007400AE00200056006F006C0075006D006500200053006800610064006F007700200043006F00700079002000530065007200760069006300650020000000
* Creates value "WMIC.exe=WMI Commandline Utility" in key HKEY_CURRENT_USER\software\classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Windows\System32\wbem
binary data=57004D004900200043006F006D006D0061006E0064006C0069006E00650020005500740069006C006900740079000000
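The registry writes above fall into two groups: auto-start entries that all point at the same dropped binary (the Run and RunOnce keys, the Policies\Explorer\Run value, the Command Processor AutoRun value that fires on every cmd.exe start, and the SCRNSAVE.EXE screensaver path), and settings that hinder recovery or hide errors (BitBucket NukeOnDelete=1 makes deleted files bypass the Recycle Bin; Windows Error Reporting DontShowUI=1 suppresses crash dialogs). The MuiCache entries are not persistence at all: Explorer writes them when a binary runs, so they are a trace of which tools the sample launched. The following Python is an added example written for this page, not the vendor's tool: it parses lines copied from this report, decodes the UTF-16LE "binary data" dumps to confirm they match the printable values, and classifies each write. Category names are the editor's choice.

```python
import re

# Registry lines copied verbatim from the sandbox report on this page; the
# "binary data=" dump is kept on its own line after its value, as on the page.
REPORT_LINES = [
    r'* Creates value "NukeOnDelete=00000001" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Explorer\BitBucket',
    r'* Creates value "DontShowUI=00000001" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\Windows Error Reporting',
    r'* Creates value "SCRNSAVE.EXE="C:\Users\cognus\AppData\Roaming\{6AC723A0-8585-7AD0-6530-1A7FCEBBA883}\expand.exe"" in key HKEY_CURRENT_USER\Control Panel\Desktop',
    'binary data=220043003A005C00550073006500720073005C0063006F0067006E00750073005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C007B00360041004300370032003300410030002D0038003500380035002D0037004100440030002D0036003500330030002D003100410037004600430045004200420041003800380033007D005C0065007800700061006E0064002E0065007800650022000000',
    r'* Creates value "AutoRun="C:\Users\cognus\AppData\Roaming\{6AC723A0-8585-7AD0-6530-1A7FCEBBA883}\expand.exe"" in key HKEY_CURRENT_USER\software\Microsoft\Command Processor',
    r'* Creates value "Run="C:\Users\cognus\AppData\Roaming\{6AC723A0-8585-7AD0-6530-1A7FCEBBA883}\expand.exe"" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    r'* Creates value "expand="C:\Users\cognus\AppData\Roaming\{6AC723A0-8585-7AD0-6530-1A7FCEBBA883}\expand.exe"" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run',
    r'* Creates value "expand="C:\Users\cognus\AppData\Roaming\{6AC723A0-8585-7AD0-6530-1A7FCEBBA883}\expand.exe"" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\RunOnce',
    r'* Creates value "cmd.exe=Windows Command Processor" in key HKEY_CURRENT_USER\software\classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Windows\System32',
]

VALUE_RE = re.compile(r'^\* (?:Creates|Modifies) value "(?P<name>[^="]+)=(?P<data>.*)" in key (?P<key>.+)$')

# Auto-start extensibility points touched by this sample: (key suffix, value name or None for any)
ASEP_RULES = [
    (r'\currentversion\run', None),
    (r'\currentversion\runonce', None),
    (r'\policies\explorer', 'run'),
    (r'\command processor', 'autorun'),      # runs before every cmd.exe session
    (r'\control panel\desktop', 'scrnsave.exe'),  # runs when the screensaver kicks in
]


def decode_utf16_hex(hexdump):
    """Decode a 'binary data=' dump: REG_SZ data is UTF-16LE with a trailing NUL."""
    return bytes.fromhex(hexdump).decode('utf-16-le').rstrip('\x00')


def classify(entry):
    key, name = entry['key'].lower(), entry['name'].lower()
    for suffix, vname in ASEP_RULES:
        if key.endswith(suffix) and (vname is None or name == vname):
            return 'autostart'
    if key.endswith(r'\bitbucket') and name == 'nukeondelete' and entry['data'].lstrip('0') == '1':
        return 'anti-recovery'   # deleted files skip the Recycle Bin
    if 'windows error reporting' in key and name == 'dontshowui':
        return 'hide-crashes'    # no WER dialog if the payload crashes
    if r'\shell\muicache' in key:
        return 'execution-trace'  # Explorer records binaries that were launched
    return 'other'


def parse_registry_lines(lines):
    entries = []
    for line in lines:
        m = VALUE_RE.match(line)
        if m:
            entry = m.groupdict()
            entry['category'] = classify(entry)
            entries.append(entry)
        elif line.startswith('binary data=') and entries:
            # The dump belongs to the preceding value; check it against the printable form.
            decoded = decode_utf16_hex(line[len('binary data='):])
            entries[-1]['binary_matches'] = (decoded == entries[-1]['data'])
    return entries


def autostart_payloads(entries):
    """Distinct executables registered for auto-start (the files to pull and block)."""
    return sorted({e['data'].strip('"') for e in entries if e['category'] == 'autostart'})


if __name__ == '__main__':
    parsed = parse_registry_lines(REPORT_LINES)
    for e in parsed:
        print(f"{e['category']:16} {e['key']}\\{e['name']}")
    print('auto-start payloads:', autostart_payloads(parsed))
```

All five auto-start entries resolve to one path, so removing that file and those five values (plus the Startup-folder .lnk listed under filesystem changes) covers the persistence this report shows; the decode check matters because the printable view can be truncated while the hex dump is not.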

Changes to filesystem:

* Creates file C:\Users\cognus\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\expand.lnk
* Creates hidden folder C:\Users\cognus\AppData\Roaming\{6AC723A0-8585-7AD0-6530-1A7FCEBBA883}
* Creates file C:\Users\cognus\AppData\Roaming\{6AC723A0-8585-7AD0-6530-1A7FCEBBA883}\expand.exe

Network services:

* Queries DNS "www.google.co.in".
* Queries DNS "clients4.google.com".
* Queries DNS "clients2.google.com".
* Queries DNS "safebrowsing.google.com".
* Queries DNS "alt1-safebrowsing.google.com".
* Queries DNS "ref.x86asm.net".
* Downloads file from "google.com/".
* Downloads file from "dlg-configs.buzzrin.de/config-from-production".
* Downloads file from "dlg-messages.buzzrin.de/1/dg/3/error".
* Downloads file from "dlg-messages.buzzrin.de/1/dg/3".
* Downloads file from "az687722.vo.msecnd.net/public-source/downloadguide/shareware-de/1.0/default/campaigns/product+website/ui/shareware-de-flow-5-text-en-us.zip".
* Downloads file from "az687722.vo.msecnd.net/public-source/downloadguide/shareware-de/1.0/default/campaigns/product+website/ui/last.zip".
* Downloads file from "az687722.vo.msecnd.net/public-source/downloadguide/shareware-de/1.0/default/campaigns/product+website/ui/yessearches-single-text-en-us.zip".
* Downloads file from "az687722.vo.msecnd.net/public-source/downloadguide/shareware-de/1.0/default/campaigns/product+website/ui/progress.zip".
* Downloads file from "az687722.vo.msecnd.net/public-source/downloadguide/shareware-de/1.0/default/campaigns/product+website/ui/base.zip".
* Downloads file from "az687722.vo.msecnd.net/public-source/downloadguide/shareware-de/1.0/default/campaigns/product+website/ui/pcspeedup-single-text-en-us.zip".
* Downloads file from "az687722.vo.msecnd.net/public-source/downloadguide/shareware-de/1.0/default/campaigns/product+website/ui/opera-single-text-en-us.zip".
* Downloads file from "az687722.vo.msecnd.net/public-source/downloadguide/shareware-de/1.0/default/campaigns/product+website/ui/my-pc-backup-single-text-en-us.zip".
* Downloads file from "www.shareware.de/images/software_icon_large/spintires-icon-546ac4be44d75.png".
* Downloads file from "crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl".
* Downloads file from "ocsp.comodoca.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBR64T7ooMQqLLQoy%2BemBUYZQOKh6QQUkK9qOpRaC9iQ6hJWc99DtDoo2ucCEQDKfgk4eFlnv9iV6q4yK2qS".
* Downloads file from "d3j30ujq5cgnz5.cloudfront.net/main/cos_setup.exe".
* Downloads file from "d3d5rryrijbudj.cloudfront.net/q5t17hcl?uid=B3A57DB7115B1E428081695633F67282&update0=version,201606061059&update1=sys,Windows.7.Professional&update4=ref,cos&update5=mode,&update6=sys0,Windows&update7=sys1,7&update8=sys2,Professional&update9=sys3,&update10=sys4,".
* Downloads file from "d3d5rryrijbudj.cloudfront.net/gzi4nvrb?uid=B3A57DB7115B1E428081695633F67282&update0=version,201606061059&update1=sys,Windows.7.Professional&update4=ref,cos&update5=mode,&update6=sys0,Windows&update7=sys1,7&update8=sys2,Professional&update9=sys3,&update10=sys4,".
* Downloads file from "d3d5rryrijbudj.cloudfront.net/q26tzhy6?uid=262929407_198339_B84975D2&update0=version,201606061059&update1=sys,Windows.7.Professional&update4=ref,cos&update5=mode,&update6=sys0,Windows&update7=sys1,7&update8=sys2,Professional&update9=sys3,&update10=sys4,".
* Downloads file from "d3d5rryrijbudj.cloudfront.net/u2z5hyl2?uid=262929407_198339_B84975D2&update0=version,201606061059&update1=sys,Windows.7.Professional&update4=ref,cos&update5=mode,&update6=sys0,Windows&update7=sys1,7&update8=sys2,Professional&update9=sys3,&update10=sys4,".
* Downloads file from "d3d5rryrijbudj.cloudfront.net/q5t17hcl?uid=B3A57DB7115B1E428081695633F67282&a=visit.dl.winmain.prestart4.448fbbb8135cfae740b9d9d720815259.1".
* Downloads file from "d3d5rryrijbudj.cloudfront.net/q26tzhy6?uid=262929407_198339_B84975D2&a=visit.dl.winmain.prestart4.448fbbb8135cfae740b9d9d720815259.1".
* Downloads file from "d3d5rryrijbudj.cloudfront.net/q5t17hcl?uid=B3A57DB7115B1E428081695633F67282&a=visit.dl.winmain.start.010".
* Downloads file from "d3d5rryrijbudj.cloudfront.net/q26tzhy6?uid=262929407_198339_B84975D2&a=visit.dl.winmain.start.010".
* Downloads file from "d3pa4xcf10sh05.cloudfront.net/i4/22".
* Downloads file from "d1139uuzpj6eq0.cloudfront.net/r6/22_4c47b1a5000031b75208dcf163ffc9fd/1.n.7z".
* Downloads file from "yahoo.com/setting.doc".
* Downloads file from "www.yahoo.com/setting.doc".
* Downloads file from "crl.usertrust.com/AddTrustExternalCARoot.crl".
* Downloads file from "crl.microsoft.com/pki/crl/products/microsoftrootcert.crl".
* Downloads file from "crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl".
* Downloads file from "pki.google.com/GIAG2.crl".
* Downloads file from "crl.microsoft.com/pki/crl/products/WinPCA.crl".
* Downloads file from "d3d5rryrijbudj.cloudfront.net/q5t17hcl?uid=B3A57DB7115B1E428081695633F67282&a=visit.dl.winmain.prestart4.448fbbb8135cfae740b9d9d720815259.2".
* Downloads file from "d3d5rryrijbudj.cloudfront.net/q26tzhy6?uid=262929407_198339_B84975D2&a=visit.dl.winmain.prestart4.448fbbb8135cfae740b9d9d720815259.2".
* Downloads file from "kbfvzoboss.bid/alpha/gate.php".
* Uses POST methods in HTTP.
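Most of the network list is background noise: Google connectivity and Safe Browsing lookups, and CRL/OCSP fetches that Windows performs while validating signatures. What is left is a handful of executable and archive downloads from CloudFront hosts, an odd document fetch from yahoo.com, and a POST-capable "gate.php" endpoint on a .bid domain. The following Python is an added example for this page, not the vendor's tooling: it parses a subset of the lines above, strips the stray space the page prints between host and path, and separates noise from hosts worth hunting on. The noise list and the check-in heuristics (a gate.php path, abuse-prone TLDs) are the editor's assumptions, not signatures from the page.

```python
import re

# Constructed input: a representative subset of the "Network services" lines above,
# copied as printed on the page (including the space in "host /path").
NETWORK_LINES = [
    '* Queries DNS "safebrowsing.google.com".',
    '* Queries DNS "ref.x86asm.net".',
    '* Downloads file from "crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl".',
    '* Downloads file from "ocsp.comodoca.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBR64T7ooMQqLLQoy%2BemBUYZQOKh6QQUkK9qOpRaC9iQ6hJWc99DtDoo2ucCEQDKfgk4eFlnv9iV6q4yK2qS".',
    '* Downloads file from "d3j30ujq5cgnz5.cloudfront.net/main/cos_setup.exe".',
    '* Downloads file from "d1139uuzpj6eq0.cloudfront.net/r6/22_4c47b1a5000031b75208dcf163ffc9fd/1.n.7z".',
    '* Downloads file from "www.yahoo.com/setting.doc".',
    '* Downloads file from "kbfvzoboss.bid /alpha/gate.php".',
    '* Uses POST methods in HTTP.',
]

LINE_RE = re.compile(r'^\* (?P<kind>Queries DNS|Downloads file from) "(?P<target>[^"]+)"\.$')

# Expected background traffic in almost any Windows sandbox run (assumption):
# Google connectivity/Safe Browsing and certificate revocation checks.
NOISE_HOST_SUFFIXES = ('.google.com', 'google.com', '.google.co.in', 'crl.microsoft.com',
                       'crl.comodoca.com', 'ocsp.comodoca.com', 'crl.usertrust.com')
PAYLOAD_EXTENSIONS = ('.exe', '.7z', '.zip', '.dll')
# Analyst heuristics (assumption, not a vendor signature): a "gate.php" endpoint and
# cheap abuse-prone TLDs are common in commodity malware check-in URLs.
CHECKIN_PATTERN = re.compile(r'/gate\.php$', re.I)
SUSPECT_TLDS = ('.bid', '.top', '.pw', '.xyz')
SEVERITY = {'suspect:checkin': 3, 'suspect:payload': 2, 'review': 1,
            'noise:google': 0, 'noise:pki': 0}


def parse_network_lines(lines):
    """Yield (host, path) pairs; the page sometimes prints a space before the path."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        target = m.group('target').replace(' ', '')
        host, _, path = target.partition('/')
        yield host.lower(), '/' + path


def classify_host(host, path):
    if path.lower().endswith('.crl') or host.startswith(('crl.', 'ocsp.', 'pki.')):
        return 'noise:pki'
    if host.endswith(NOISE_HOST_SUFFIXES):
        return 'noise:google'
    if CHECKIN_PATTERN.search(path) or host.endswith(SUSPECT_TLDS):
        return 'suspect:checkin'
    if path.lower().endswith(PAYLOAD_EXTENSIONS):
        return 'suspect:payload'
    return 'review'


def triage_network(lines):
    """Return {host: {'category', 'paths'}}, keeping the most severe category per host."""
    result = {}
    for host, path in parse_network_lines(lines):
        cat = classify_host(host, path)
        entry = result.setdefault(host, {'category': cat, 'paths': []})
        entry['paths'].append(path)
        if SEVERITY[cat] > SEVERITY[entry['category']]:
            entry['category'] = cat
    return result


def iocs(lines):
    """Hosts worth blocking or hunting on: everything not classified as noise."""
    return sorted(h for h, e in triage_network(lines).items()
                  if not e['category'].startswith('noise'))


if __name__ == '__main__':
    for host, e in sorted(triage_network(NETWORK_LINES).items(), key=lambda kv: -SEVERITY[kv[1]['category']]):
        print(f"{e['category']:16} {host} {e['paths']}")
```

Run it over the full list and the CloudFront and buzzrin.de hosts land in "review" or "payload", which is where they belong: they are download-guide/adware infrastructure bundled with the sample rather than its own check-in, and a block on the CDN hostname alone would catch unrelated traffic.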

Process/window/string information:

* Gets user name information.
* Gets volume information.
* Gets computer name.
* Encrypts data.
* Checks for debuggers.
* Enables privilege SeDebugPrivilege.
* Creates process "C:\Users\cognus\AppData\Roaming\{6AC723A0-8585-7AD0-6530-1A7FCEBBA883}\expand.exe, null, null".
* Injects code into process "C:\Sandbox\cognus\DefaultBox\user\current\AppData\Roaming\{6AC723A0-8585-7AD0-6530-1A7FCEBBA883}\expand.exe".
* Creates process "C:\Windows\system32\cmd.exe, /d /c taskkill /t /f /im "a713c04489f469d9854b1ad3aa201974.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\cognus\Desktop\Analyzed Viruses\6 June 2016\New folder\Sample\a713c04489f469d9854b1ad3aa201974.exe" > NUL, null".
* Injects code into process "C:\Windows\System32\cmd.exe".
* Creates an event named "shell.{6735EB11-09E2-00BD-CA91-B5F4B1548AC9}".
* Creates process "C:\Windows\system32\vssadmin.exe, "C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet, C:\Users\cognus\AppData\Roaming\{6AC723A0-8585-7AD0-6530-1A7FCEBBA883}".
* Creates process "C:\Windows\system32\taskkill.exe, taskkill /t /f /im "a713c04489f469d9854b1ad3aa201974.exe" , C:\Users\cognus\Desktop\Analyzed Viruses\6 June 2016\New folder\Sample".
* Injects code into process "C:\Windows\System32\vssadmin.exe".
* Injects code into process "C:\Windows\System32\taskkill.exe".
* Enables privilege SeBackupPrivilege.
* Creates process "C:\Windows\system32\wbem\wmic.exe, "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete, C:\Users\cognus\AppData\Roaming\{6AC723A0-8585-7AD0-6530-1A7FCEBBA883}".
* Injects code into process "C:\Windows\System32\wbem\WMIC.exe".
* Enables privilege SeIncreaseQuotaPrivilege.
* Enables privilege SeSecurityPrivilege.
* Enables privilege SeTakeOwnershipPrivilege.
* Enables privilege SeSystemProfilePrivilege.
* Enables privilege SeProfileSingleProcessPrivilege.
* Enumerates running processes.
* Terminates process "C:\Windows\System32\wbem\WMIC.exe".
* Terminates process "C:\Sandbox\cognus\DefaultBox\user\current\AppData\Roaming\{6AC723A0-8585-7AD0-6530-1A7FCEBBA883}\expand.exe".
* Terminates process "C:\Windows\System32\cmd.exe".
* Terminates process "C:\Users\cognus\Desktop\Analyzed Viruses\6 June 2016\New folder\Sample\a713c04489f469d9854b1ad3aa201974.exe".
* Enables process privileges.
* Sleeps 180 seconds.
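Two of the process launches above are the ones to alarm on. The dropped expand.exe runs vssadmin delete shadows /all /quiet and wmic shadowcopy delete, which removes every Volume Shadow Copy on the host and with it the Previous Versions recovery path (ATT&CK T1490, Inhibit System Recovery). The original sample hands cmd.exe a chain of taskkill, ping -n 1 127.0.0.1 (intended as a short delay) and del so that the file on the Desktop is removed once the dropped copy is running (T1070.004, file deletion). Both are visible in process-creation telemetry (Sysmon event ID 1 or Windows security event 4688 with command-line logging enabled). The following Python is an added example for this page, not the vendor's product: it runs the two rules over constructed records built from the command lines in this report plus two hypothetical benign ones, to show the rules do not fire on vssadmin list or an ordinary cmd.exe.

```python
import re

# Constructed process-creation records (image + command line), the shape a Sysmon
# event ID 1 or Windows 4688 record provides. The first three command lines are taken
# from the report above; the last two are hypothetical benign ones.
PROCESS_EVENTS = [
    {"image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'/d /c taskkill /t /f /im "a713c04489f469d9854b1ad3aa201974.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\cognus\Desktop\Analyzed Viruses\6 June 2016\New folder\Sample\a713c04489f469d9854b1ad3aa201974.exe" > NUL'},
    {"image": r"C:\Windows\system32\vssadmin.exe",
     "cmdline": r'"C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet'},
    {"image": r"C:\Windows\system32\wbem\wmic.exe",
     "cmdline": r'"C:\Windows\system32\wbem\wmic.exe" shadowcopy delete'},
    {"image": r"C:\Windows\system32\vssadmin.exe", "cmdline": "vssadmin list shadows"},
    {"image": r"C:\Windows\system32\cmd.exe", "cmdline": r"/c dir C:\Users"},
]

# (rule name, ATT&CK technique, command-line pattern)
RULES = [
    ("shadow_copy_deletion", "T1490",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("shadow_copy_deletion", "T1490",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\s+delete\b", re.I)),
    # taskkill ... & ping ... & del ...: the classic self-delete one-liner
    ("self_delete_chain", "T1070.004",
     re.compile(r"\btaskkill\b.*&\s*ping\b.*&\s*del\b", re.I)),
]
DEL_TARGET_RE = re.compile(r'\bdel\s+"([^"]+)"', re.I)


def triage_process_events(events):
    """Return one finding per (event, matching rule), with the self-deleted path extracted."""
    findings = []
    for ev in events:
        for rule, technique, pattern in RULES:
            if not pattern.search(ev["cmdline"]):
                continue
            finding = {"rule": rule, "technique": technique, "image": ev["image"]}
            if rule == "self_delete_chain":
                m = DEL_TARGET_RE.search(ev["cmdline"])
                # The deleted file is the original dropper: pull it from backup/quarantine, not disk.
                finding["deleted_path"] = m.group(1) if m else None
            findings.append(finding)
    return findings


def inhibits_recovery(events):
    """True if any event wipes shadow copies; drives the 'restore from external backup' decision."""
    return any(f["rule"] == "shadow_copy_deletion" for f in triage_process_events(events))


if __name__ == "__main__":
    for f in triage_process_events(PROCESS_EVENTS):
        print(f)
    print("shadow copies destroyed:", inhibits_recovery(PROCESS_EVENTS))
```

The self-delete rule keys on the shell chain rather than on del alone, since del of a file is routine; what is not routine is taskkill, a ping delay and del strung together in one cmd.exe launch from a user profile directory.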

Additional Information:

How To Remove AYPDATE.exe

1. Download Sniper Antivirus.
2. Install the downloaded exe file on your system.
3. Run a full scan of your computer, or scan the folder where AYPDATE.exe is located.
4. Once the scan is finished, you will get the message "scan is complete". Click the OK button to see the results.
5. Delete the threat from the results table.

Note that this sample deletes all Volume Shadow Copies (vssadmin delete shadows /all /quiet and wmic shadowcopy delete, listed above), so files cannot be recovered through Previous Versions after infection; restore them from an external backup.
