Worm.Generic
Risk Level 1
 
File Size : 179712 KB
File Type : Portable Executable 32
File Name : mys3ks.exe
MD5 : a075610a69e196ab74f79508dbcf5eef
SHA1 : feae65047d59e31bf562e12a198abe2f009359f5
SHA256 : caa6e59e98c22a3f9159412a612ad170d2683640e1845afb6f (incomplete on the source page: 50 of 64 hex digits; do not pivot on it as a full hash)

General information:

* File name: C:\Users\cognus\Desktop\Analyzed Viruses\1 June 2016\New folder\a075610a69e196ab74f79508dbcf5eef.exe

Changes to registry :

* Creates value "FileTracingMask=FFFF0000" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\a075610a69e196ab74f79508dbcf5eef_RASAPI32
* Creates value "ConsoleTracingMask=FFFF0000" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\a075610a69e196ab74f79508dbcf5eef_RASAPI32
* Creates value "MaxFileSize=00100000" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\a075610a69e196ab74f79508dbcf5eef_RASAPI32
* Creates value "FileDirectory=%windir%\tracing" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\a075610a69e196ab74f79508dbcf5eef_RASAPI32
binary data=2500770069006E0064006900720025005C00740072006100630069006E0067000000
* Creates value "FileTracingMask=FFFF0000" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\a075610a69e196ab74f79508dbcf5eef_RASMANCS
* Creates value "ConsoleTracingMask=FFFF0000" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\a075610a69e196ab74f79508dbcf5eef_RASMANCS
* Creates value "MaxFileSize=00100000" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\a075610a69e196ab74f79508dbcf5eef_RASMANCS
* Creates value "FileDirectory=%windir%\tracing" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\a075610a69e196ab74f79508dbcf5eef_RASMANCS
binary data=2500770069006E0064006900720025005C00740072006100630069006E0067000000
Note: the Tracing\<executable name>_RASAPI32 and _RASMANCS keys are created by Windows' RAS tracing support for any process that loads those libraries (the key name is derived from the executable's file name, here the MD5 the analyst renamed it to). They show the sample used the Windows networking stack; they are not a persistence mechanism.
* Creates value "NukeOnDelete=00000001" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Explorer\BitBucket (deleted files bypass the Recycle Bin)
* Creates value "UseGlobalSettings=00000001" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Explorer\BitBucket
* Creates value "DontShowUI=00000001" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\Windows Error Reporting (suppresses Windows Error Reporting dialogs)
* Creates Registry key HKEY_LOCAL_MACHINE\software\microsoft\Windows\Windows Error Reporting\LocalDumps
* Modifies value "NukeOnDelete=00000001" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{c9d04f3b-1c7e-11e6-979c-806e6f6e6963}
old value empty
* Modifies value "SavedLegacySettings=…" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
old value "SavedLegacySettings=460000001C00000009000000000000000000000000000000040000000000000080312BAE91D3D101000000000000000000000000020000001700000000000000FE800000000000001466833CA0278AEB0B0000001000000000000000000000000000000000200000002000000010000001000000EA0300000906020008000000000000000000000000000000000000000000000000000000000000000000000000000000FFFFFFFFA01A0FE78BABCF118CA300805F48A19202000000C0A8BD8400000000000000002073740000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000003000003AEDF0000780E720098466B000000000000000000"
* Creates Registry key HKEY_CURRENT_USER\software\qjF1s55qd (random-looking key name; the one registry artifact here that is specific to this sample and usable as a host indicator)
* Creates value "(Default)=31" in key HKEY_CURRENT_USER\software\SandboxAutoExec
* Creates value "SandboxieRpcSs.exe=Sandboxie COM Services (RPC)" in key HKEY_CURRENT_USER\software\classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Program Files\Sandboxie
binary data=530061006E00640062006F00780069006500200043004F004D002000530065007200760069006300650073002000280052005000430029000000
Note: the SandboxAutoExec key and the MuiCache entry for SandboxieRpcSs.exe belong to the Sandboxie analysis environment the sample was run in, not to the sample.

Changes to filesystem:

* Modifies file C:\Windows\system32\CatRoot2\edb.chk
* Creates file C:\Users\cognus\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771
* Creates file C:\Users\cognus\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8AD4D714EFAB5D812E4B290C92FA5D0_8579924FA14BC0F0D2B4D9F73688B357
* Creates file C:\Users\cognus\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D
* Creates file C:\Users\cognus\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771
* Modifies file C:\Users\cognus\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\696F3DE637E6DE85B458996D49D759AD
* Modifies file C:\Users\cognus\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B8CC409ACDBF2A2FE04C56F2875B1FD6
* Creates file C:\Users\cognus\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8AD4D714EFAB5D812E4B290C92FA5D0_8579924FA14BC0F0D2B4D9F73688B357
* Creates file C:\Users\cognus\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D

Network services:

* Queries DNS "www.virustotal.com".
* Queries DNS "ssl.google-analytics.com".
* Queries DNS "stats.g.doubleclick.net".
* Queries DNS "virustotalcloud.appspot.com".
* Queries DNS "ocsp.godaddy.com".
* Queries DNS "clients4.google.com".
* Queries DNS "wpad.localdomain".
* Queries DNS "crl.microsoft.com".
* Queries DNS "mebixrah.su".
* Queries DNS "vurpsmoy.pw".
* Queries DNS "unchjdpdiuufw.ru".
* Queries DNS "mdxjgaeh.ru".
* Queries DNS "wctbkoedyh.org".
* Queries DNS "gttcxtcmaidu.biz".
* Queries DNS "ivgkyspgnkhrtslt.org".
* Queries DNS "ymjydrkbsn.su".
* Queries DNS "rtmthtco.work".
* Queries DNS "cqskkqofslauhgxt.click".
* Queries DNS "gdituela.xyz".
* Queries DNS "ttstnrvgavghdft.xyz".
* C:\Users\cognus\Desktop\Analyzed Viruses\1 June 2016\New folder\a075610a69e196ab74f79508dbcf5eef.exe Connects to "176.114.3.173" on port 80 (TCP - HTTP).
* C:\Users\cognus\Desktop\Analyzed Viruses\1 June 2016\New folder\a075610a69e196ab74f79508dbcf5eef.exe Connects to "107.170.20.33" on port 80 (TCP - HTTP).
* C:\Users\cognus\Desktop\Analyzed Viruses\1 June 2016\New folder\a075610a69e196ab74f79508dbcf5eef.exe Connects to "146.185.155.126" on port 80 (TCP - HTTP).
* C:\Users\cognus\Desktop\Analyzed Viruses\1 June 2016\New folder\a075610a69e196ab74f79508dbcf5eef.exe Connects to "146.185.155.126" on port 443 (TCP - HTTPS).
* C:\Users\cognus\Desktop\Analyzed Viruses\1 June 2016\New folder\a075610a69e196ab74f79508dbcf5eef.exe Connects to "182.50.136.239" on port 80 (TCP - HTTP).
* C:\Users\cognus\Desktop\Analyzed Viruses\1 June 2016\New folder\a075610a69e196ab74f79508dbcf5eef.exe Connects to "139.59.166.196" on port 80 (TCP - HTTP).
* C:\Program Files\Sandboxie\SandboxieCrypto.exe Connects to "23.211.135.11" on port 80 (TCP - HTTP). (SandboxieCrypto.exe is a Sandboxie component; this connection is analysis-environment traffic, not the sample's.)
* Downloads file from "kbfvzoboss.bid /alpha/gate.php".
* Downloads file from "176.114.3.173 /userinfo.php".
* Downloads file from "107.170.20.33 /userinfo.php".
* Downloads file from "146.185.155.126 /userinfo.php".
* Downloads file from "ocsp.godaddy.com//MEQwQjBAMD4wPDAJBgUrDgMCGgUABBTkIInKBAzXkF0Qh0pel3lfHJ9GPAQU0sSw0pHUTBFxs2HLPaH%2B3ahq1OMCAxvnFQ%3D%3D".
* Downloads file from "ocsp.godaddy.com//MEIwQDA%2BMDwwOjAJBgUrDgMCGgUABBQdI2%2BOBkuXH93foRUj4a7lAr4rGwQUOpqFBxBnKLbv9r0FQW4gwZTaD94CAQc%3D".
* Downloads file from "ocsp.godaddy.com//MEkwRzBFMEMwQTAJBgUrDgMCGgUABBS2CA1fbGt26xPkOKX4ZguoUjM0TgQUQMK9J47MNIMwojPX%2B2yz8LQsgM4CCAOAWJVWSu%2FF".
* Downloads file from "139.59.166.196 /userinfo.php".
* Downloads file from "crl.microsoft.com/pki/crl/products/microsoftrootcert.crl".
* Downloads file from "crl.microsoft.com/pki/crl/products/WinPCA.crl".
* Uses POST methods in HTTP.
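The network list above mixes two kinds of traffic: hosts the analysis machine contacts on its own (certificate revocation checks at ocsp.godaddy.com and crl.microsoft.com, VirusTotal, Google telemetry, the WPAD probe, the Sandboxie helper process) and the random-looking domains, /userinfo.php and /alpha/gate.php requests that are the sample's own check-in traffic. The script below is an added example, not the vendor's tooling: it parses a subset of the report's "Network services" lines verbatim, removes the environment noise, and matches the remaining indicators against DNS log lines. The noise allowlist is an assumption based on what the report shows, and the DNS log lines are constructed for illustration.

```python
"""Triage the network indicators from the sandbox report above.

Added example (not the vendor's tooling). The noise allowlist is an
assumption drawn from the report itself; DNS_LOG is constructed data.
"""
import re

# Lines copied verbatim from the report's "Network services" section (subset).
REPORT_LINES = r'''
* Queries DNS "www.virustotal.com".
* Queries DNS "ocsp.godaddy.com".
* Queries DNS "wpad.localdomain".
* Queries DNS "crl.microsoft.com".
* Queries DNS "mebixrah.su".
* Queries DNS "vurpsmoy.pw".
* Queries DNS "unchjdpdiuufw.ru".
* Queries DNS "cqskkqofslauhgxt.click".
* C:\Users\cognus\Desktop\Analyzed Viruses\1 June 2016\New folder\a075610a69e196ab74f79508dbcf5eef.exe Connects to "176.114.3.173" on port 80 (TCP - HTTP).
* C:\Users\cognus\Desktop\Analyzed Viruses\1 June 2016\New folder\a075610a69e196ab74f79508dbcf5eef.exe Connects to "146.185.155.126" on port 443 (TCP - HTTPS).
* C:\Program Files\Sandboxie\SandboxieCrypto.exe Connects to "23.211.135.11" on port 80 (TCP - HTTP).
* Downloads file from "kbfvzoboss.bid /alpha/gate.php".
* Downloads file from "176.114.3.173 /userinfo.php".
* Downloads file from "crl.microsoft.com/pki/crl/products/WinPCA.crl".
'''.strip().splitlines()

# Assumption: hosts the analysis environment contacts by itself (CRL/OCSP
# fetches, VirusTotal, Google telemetry, the WPAD probe). Treated as noise.
NOISE_SUFFIXES = ("virustotal.com", "appspot.com", "google-analytics.com",
                  "doubleclick.net", "google.com", "godaddy.com",
                  "microsoft.com", "localdomain")
# Processes that belong to the sandbox, not to the sample.
SANDBOX_PROCESSES = ("SandboxieCrypto.exe", "SandboxieRpcSs.exe")

DNS_RE = re.compile(r'Queries DNS "([^"]+)"')
CONN_RE = re.compile(r'^\* (.+?) Connects to "([\d.]+)" on port (\d+)')
# The report separates host and path with a space; accept both forms.
DL_RE = re.compile(r'Downloads file from "([^"/ ]+)\s*(/[^"]*)"')


def is_noise(host):
    """True for hosts on the analysis-environment allowlist (and subdomains)."""
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in NOISE_SUFFIXES)


def extract_iocs(lines):
    """Return {'domains', 'ips', 'urls'} from report lines, noise removed."""
    domains, ips, urls = [], [], []
    for line in lines:
        dns, conn, dl = DNS_RE.search(line), CONN_RE.search(line), DL_RE.search(line)
        if dns and not is_noise(dns.group(1)):
            domains.append(dns.group(1).lower())
        elif conn:
            process = conn.group(1).rsplit("\\", 1)[-1]
            if process not in SANDBOX_PROCESSES:
                ips.append(conn.group(2))
        elif dl:
            host, path = dl.groups()
            if not is_noise(host):
                urls.append(f"http://{host}{path}")
                # A domain seen only in an HTTP line (kbfvzoboss.bid here)
                # is still an indicator even without a DNS line for it.
                if not re.fullmatch(r"[\d.]+", host):
                    domains.append(host.lower())
    # dict.fromkeys keeps first-seen order while dropping duplicates.
    return {"domains": list(dict.fromkeys(domains)),
            "ips": list(dict.fromkeys(ips)),
            "urls": list(dict.fromkeys(urls))}


# Constructed resolver log lines (not from the report): time, client, type, name.
DNS_LOG = [
    "2016-06-01T09:58:12Z 10.0.0.15 A www.virustotal.com",
    "2016-06-01T09:58:40Z 10.0.0.15 A mebixrah.su",
    "2016-06-01T09:58:41Z 10.0.0.15 A www.mebixrah.su",
    "2016-06-01T09:59:02Z 10.0.0.22 A vurpsmoy.pw",
    "2016-06-01T09:59:30Z 10.0.0.15 A crl.microsoft.com",
]


def scan_dns_log(log_lines, iocs):
    """Return (client, queried name, matching indicator); subdomains match too."""
    hits = []
    for line in log_lines:
        _ts, client, _rtype, qname = line.split()
        q = qname.lower().rstrip(".")
        for d in iocs["domains"]:
            if q == d or q.endswith("." + d):
                hits.append((client, q, d))
                break
    return hits


if __name__ == "__main__":
    found = extract_iocs(REPORT_LINES)
    for kind, values in found.items():
        print(f"{kind}: {', '.join(values)}")
    for client, qname, ioc in scan_dns_log(DNS_LOG, found):
        print(f"hit: {client} resolved {qname} (indicator {ioc})")
```

Two points worth keeping when reusing this on the full list: the allowlist is deliberately narrow (second-level domains the sandbox itself needs), so anything not on it is surfaced for a human to judge rather than silently dropped; and the IP indicators are weaker than the domains, since the /userinfo.php hosts may be shared hosting, so match them together with the URL paths rather than on their own.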

Process/window/string information:

* Gets user name information.
* Gets system default language ID.
* Encrypts data.
* Checks for debuggers.
* Opens a service named "Sens".
* Opens a service named "rasman".
* Creates a mutex "IESQMMUTEX_0_208". (This is the standard Internet Explorer/WinINet SQM mutex created when those components are loaded, so it is a weak indicator on its own.)
* Injects code into process "C:\Program Files\Sandboxie\SandboxieCrypto.exe".
* Opens a service named "WinHttpAutoProxySvc".
* Opens a service named "CryptSvc".
* Contains string "CCLEANER.EXE" (checks for the presence of CCleaner).
* Contains string "CLEANER.EXE" (checks for the presence of The Cleaner).
* Sleeps 117 seconds.

Additional Information:

How To Remove mys3ks.exe

1. Download Sniper Antivirus.
2. Run the downloaded installer on your system.
3. Run a full scan of your computer, or scan the folder where mys3ks.exe is located.
4. When the scan finishes you will see the message "scan is complete"; click OK to view the results.
5. Delete the threat from the results table.
