Infostealer.Boyapki.B


First posted on 06 December 2014.
Source: Symantec

Aliases :

There are no other names known for Infostealer.Boyapki.B.

Explanation :

When the Trojan is executed, it creates the following file: %System%\drivers\etc\hosts.ics
The Trojan then creates the following registry entry so that it runs every time Windows starts: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\"syetom" = "[PATH TO MALWARE]\[THREAT FILE NAME].exe"
Next, the Trojan connects to the following remote locations:
- 180.178.35.229
- [http://]r.qzone.qq.com/cgi-bin/user/cgi_pers[REMOVED]
- [http://]user.qzone.qq.com/[USER ID[REMOVED]
The Trojan then creates the following mutex: "syetom"
The Trojan then searches for information in the following folders and sends this data to 180.178.35.229/upload.php:
- %DriveLetter%\NPKI
- %ProgramFiles%\NPKI
- %SystemDrive%\Documents and Settings\All Users\Application Data\LocalLow\NPKI
Next, the Trojan modifies the following file to redirect the compromised computer from legitimate sites to sites under the attacker's control: %System%\drivers\etc\hosts
The Trojan specifies a list of legitimate sites (primarily Korean banking and web-portal domains such as kbstar.com, shinhan.com, wooribank.com, nonghyup.com and naver.com) from which the computer should be redirected to the attacker's sites.
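Because the pharming described above lives entirely in the hosts file, a defender can detect it without any signature. The following Python is an added example, not part of the Symantec writeup: it parses hosts-file text and reports every entry that overrides one of the targeted domains. The watch list is a constructed subset of the domains named in the writeup (kbstar.com, shinhan.com, wooribank.com, naver.com, nonghyup.com), the sample hosts content is constructed, and 203.0.113.10 is a documentation-range placeholder standing in for the attacker's server. The same function can be pointed at both %System%\drivers\etc\hosts and the hosts.ics file the Trojan creates alongside it.

```python
import ipaddress

# Constructed watch list: a few of the legitimate domains the Trojan redirects.
# A clean hosts file has no reason to mention any of these.
WATCHED_ROOTS = ("kbstar.com", "shinhan.com", "wooribank.com",
                 "naver.com", "nonghyup.com")

# Constructed sample hosts-file content. 203.0.113.10 is a TEST-NET-3
# documentation address standing in for the attacker-controlled site.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#   127.0.0.1       localhost
127.0.0.1       localhost
::1             localhost
10.0.0.5        intranet.corp.example    # legitimate internal override
203.0.113.10    kbstar.com www.kbstar.com obank.kbstar.com
203.0.113.10    shinhan.com
127.0.0.1       ads.example.net
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, skipping comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop full-line and inline comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                           # first field is not an address; skip
        for host in fields[1:]:                # one address may carry several names
            yield str(ip), host.lower()


def is_watched(host):
    """True if host is one of the watched roots or a subdomain of one."""
    return any(host == r or host.endswith("." + r) for r in WATCHED_ROOTS)


def find_pharming_entries(text):
    """Return {hostname: ip} for every watched domain the hosts file overrides."""
    hits = {}
    for ip, host in parse_hosts(text):
        if is_watched(host):
            hits[host] = ip
    return hits


if __name__ == "__main__":
    for host, ip in sorted(find_pharming_entries(SAMPLE_HOSTS).items()):
        print(f"hosts override: {host} -> {ip}")
```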
The Trojan may also perform the following actions:
- Open a back door
- Clear domain name system (DNS) cache
- Update the list of command-and-control (C&C) server addresses
- Download files

Last update 06 December 2014