Infostealer.Boyapki
First posted on 30 May 2014.
Source: Symantec
Aliases:
There are no other names known for Infostealer.Boyapki.
Explanation:
Once executed, the Trojan creates the following files:
%Windir%\[RANDOM FOLDER NAME]\MUpdate.exe
%Windir%\[RANDOM FOLDER NAME]\[RANDOM FILE NAME].dll
%System%\drivers\hosts.ics
The Trojan then creates the following registry entry so that it runs every time Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"CTFM0N" = "%Windir%\[RANDOM FOLDER NAME]\MUpdate.exe %Windir%\[RANDOM FOLDER NAME]\[RANDOM FILE NAME].dll,ALSTS_ExecuteAction"
The Trojan ends security-related processes on the compromised computer.
It then downloads a file containing a list of Korean banks from the following location:
[http://]192.74.241.115:805/plus[REMOVED]
Next, the Trojan creates the following file in order to redirect network traffic on the compromised computer:
%System%\drivers\hosts.ics
The Trojan then searches all drives on the compromised computer for folders with the name NPKI. If a folder with this name is found, the Trojan checks for the following file:
u.dat
If u.dat is present, the Trojan copies the content of the NPKI folder and sends it to the following remote location:
[http://]192.74.241.115:805/[REMOVED]
The Trojan then downloads a list of command-and-control (C&C) servers from the following URL:
http://user.qzone.qq.com/190055271
It then connects to one or more of the following C&C servers:
142.4.119.183 on port 8761
v1.krtedun.com on port 8086
dns10.kodns.info on port 3666
The Trojan then opens a back door on the compromised computer, allowing an attacker to perform the following actions:
Shutdown Windows
Update the list of C&C server addresses
Download and execute files
Last update 30 May 2014
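The indicators above (the "CTFM0N" Run value, the hosts.ics redirection file and the C&C endpoints) can be checked mechanically. The following script is an added example written for this page, not Symantec's tooling, and it runs only against constructed inputs embedded inline: a .reg-style export of the Run key (with a made-up random folder name), a hosts.ics file using documentation addresses, and netstat-style connection lines. The folder name "qx8sd", the DLL name "abcd.dll", the hostname "www.example-bank.test" and the IP 203.0.113.45 are assumptions for illustration only. A hosts.ics entry is treated as suspicious when it maps a name to an address outside loopback, link-local and the RFC 1918 ranges, because a legitimate hosts.ics only ever points at the local Internet Connection Sharing network.

```python
"""Detection checks for the Infostealer.Boyapki indicators (added example, not Symantec code)."""
import ipaddress
import re

# Indicators taken from the write-up.
RUN_VALUE_NAME = "CTFM0N"
RUN_DATA_PATTERN = re.compile(r"MUpdate\.exe .*\.dll,ALSTS_ExecuteAction", re.IGNORECASE)
C2_ENDPOINTS = {("142.4.119.183", 8761), ("v1.krtedun.com", 8086), ("dns10.kodns.info", 3666)}
DOWNLOAD_HOST = "192.74.241.115"   # serves the bank list and receives stolen NPKI data

# Address ranges a genuine hosts.ics entry may point to (loopback, link-local, RFC 1918).
LOCAL_NETWORKS = [ipaddress.ip_network(n) for n in
                  ("127.0.0.0/8", "169.254.0.0/16", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample inputs (not real captures). Backslashes are doubled as in a .reg export;
# the folder name "qx8sd" and DLL name "abcd.dll" are placeholders for the random names.
SAMPLE_RUN_KEY = [
    r"[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]",
    r'"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"',
    r'"CTFM0N"="C:\\Windows\\qx8sd\\MUpdate.exe C:\\Windows\\qx8sd\\abcd.dll,ALSTS_ExecuteAction"',
]
SAMPLE_HOSTS_ICS = """# constructed hosts.ics sample
127.0.0.1 localhost
192.168.1.20 printer.lan
203.0.113.45 www.example-bank.test
"""
SAMPLE_NETSTAT = [
    "  TCP    10.0.0.5:49210    198.51.100.10:443     ESTABLISHED",
    "  TCP    10.0.0.5:49211    142.4.119.183:8761    ESTABLISHED",
    "  TCP    10.0.0.5:49212    192.74.241.115:805    SYN_SENT",
]


def check_run_key(reg_lines):
    """Return (name, data) pairs from a Run key export that match the persistence entry."""
    hits = []
    for line in reg_lines:
        m = re.match(r'"([^"]+)"="(.*)"$', line.strip())
        if not m:
            continue
        name, data = m.group(1), m.group(2)
        if name.upper() == RUN_VALUE_NAME or RUN_DATA_PATTERN.search(data):
            hits.append((name, data))
    return hits


def check_hosts_ics(text):
    """Return (address, hostname) entries that point somewhere other than a local network."""
    suspicious = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        if not any(addr in net for net in LOCAL_NETWORKS):
            suspicious.extend((parts[0], name) for name in parts[1:])
    return suspicious


def check_connections(netstat_lines):
    """Return (remote_host, port) pairs matching the C&C or download endpoints."""
    hits = []
    for line in netstat_lines:
        m = re.match(r"^\s*TCP\s+\S+\s+([\w.\-]+):(\d+)\s+\w+", line)
        if not m:
            continue
        host, port = m.group(1), int(m.group(2))
        if (host, port) in C2_ENDPOINTS or host == DOWNLOAD_HOST:
            hits.append((host, port))
    return hits


if __name__ == "__main__":
    print("Run key hits:", check_run_key(SAMPLE_RUN_KEY))
    print("hosts.ics redirections:", check_hosts_ics(SAMPLE_HOSTS_ICS))
    print("C&C connections:", check_connections(SAMPLE_NETSTAT))
```

On a live host the three inputs would come from `reg export` of the Run key, the contents of %System%\drivers\hosts.ics, and `netstat -an` output; the hostname endpoints only match when the connection listing shows names rather than resolved IPs.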