Troj/Sysfade-A exhibits the following behaviour:
File Information
- Size: 72K
- SHA-1: f9c5070a55ee9349c031bb9d065299c76abcea1c
- MD5: fff28d9b301f03fb5c23661686313dfe
- CRC-32: 12516a5e
- File type: application/x-ms-dos-executable
- First seen: 2010-08-15
Runtime Analysis
Dropped Files
- C:\Documents and Settings\support\Local Settings\Temp\set.bat
  - Size: 1.6K
  - SHA-1: c76f05f2c248ffb29b2876a8cfabecdf05eeafdf
  - MD5: 5a0e69917aee632c5696ece200b4bfc7
  - CRC-32: f24d6129
  - File type: application/octet-stream
  - First seen: 2010-08-20
- C:\Documents and Settings\support\Local Settings\Temp\wj.reg
  - Size: 12K
  - SHA-1: 81f49aa0c916b34a18aaa9be20fee8a23cfb62d8
  - MD5: e661573800b83640b6cced9f872b4511
  - CRC-32: f9dd61e6
  - File type: application/octet-stream
  - First seen: 2010-08-06
- C:\Documents and Settings\support\Local Settings\Temp\de.vbs
  - Size: 2.2K
  - SHA-1: 59cafd653dbaa74e371ca42832d0f6ed7738d21c
  - MD5: efdd4a67985880f2a519dfb66d9ca324
  - CRC-32: e6cfe7de
  - File type: application/octet-stream
  - First seen: 2010-07-15
- C:\Program Files\windsupdate\369safe.exe
- C:\Documents and Settings\support\Local Settings\Temp\360safe.vbs
  - Size: 14K
  - SHA-1: a550948244caff723fa07821cf4c83a6b5be22b9
  - MD5: 8d9caa791a5539372795fc1cdede0c24
  - CRC-32: f0b4845c
  - File type: application/octet-stream
  - First seen: 2010-08-20
- C:\Documents and Settings\support\Local Settings\Temp\ie.reg
  - Size: 6.2K
  - SHA-1: f19ca27c42e855fe2c1dad66165973212784de8e
  - MD5: 783cd7377f943e4be86423897938532a
  - CRC-32: 025d1dc4
  - File type: application/octet-stream
  - First seen: 2010-08-10
- C:\Documents and Settings\support\Desktop\Internet Exp1orer.ieie
  - Size: 197
  - SHA-1: 5b13eda61b36742e8a9ace3ea015ceceb54c35b2
  - MD5: 54cfd8f5683d2fed14543a965b9171a4
  - CRC-32: db22bf6f
  - File type: application/octet-stream
  - First seen: 2010-07-29
Registry Keys Created
- HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.zq\OpenWithList: MRUList = ab
- HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tao\OpenWithList: a = 369safe.exe
- HKCR\xyxfile: NeverShowExt
- HKCR\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder: HideOnDesktopPerUser
- HKCR\tptpfile\CLSID: (Default) = {FBF23B40-E3F0-101B-8488-00AA003E56F8}
- HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer: NoDesktopCleanupWizard = 0x00000001
- HKCU\Software\Microsoft\Internet Explorer\International\CpMRU: Factor = 0x00000014
- HKCR\.dy: (Default) = dyfile
- HKCR\.zq: (Default) = zqfile
- HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xyx\OpenWithList: b = NOTEPAD.EXE
- HKCR\xyxfile\shell\open\Command: (Default) = %ProgramFiles%\windsupdate\369safe.exe "%1" %*
- CurrentVersion\Explorer\FileExts\.ieie\OpenWithList: MRUList = ab
- HKCR\zqfile\shell\open\Command: (Default) = %ProgramFiles%\windsupdate\369safe.exe "%1" %*
- HKCR\taofile: NeverShowExt
- HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System: DisableTaskmgr = 0x00000001
- HKCR\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder: Attributes = 0x00000000
- HKCR\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\InProcServer32: (Default)
- HKCR\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\DefaultIcon: (Default) = shdoclc.dll,-190
- HKCR\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}: LocalizedString = Internet Explorer
Processes Created
- c:\program files\internet explorer\iexplore.exe
- c:\windows\regedit.exe
- c:\windows\system32\wscript.exe
HTTP Requests
DNS Requests