
BrowserModifier:Win32/Linkhortry


First posted on 14 December 2016.
Source: Microsoft

Aliases:

There are no other names known for BrowserModifier:Win32/Linkhortry.

Explanation:

Installation

This browser modifier is installed into subfolders of the ProgramData folder, for example:

  • %ProgramData%\Affenpinscher\
  • %ProgramData%\Airtostrong\
  • %ProgramData%\AppxedtatS\
  • %ProgramData%\AppxeetouQ\
  • %ProgramData%\Doubleing\
  • %ProgramData%\idwna\
  • %ProgramData%\Konksolex\
  • %ProgramData%\ocep\
  • %ProgramData%\Quoteex\
  • %ProgramData%\Ronzap\
  • %ProgramData%\Statdex\
  • %ProgramData%\Tampstring\
  • %ProgramData%\Trescof\
  • %ProgramData%\Utatity\
  • %ProgramData%\Vaiafineco\


It installs files in those folders, for example:
  • %ProgramData%\ocep\AlphaLam.dat
  • %ProgramData%\ocep\Alpharanis.dat
  • %ProgramData%\ocep\conf.config
  • %ProgramData%\ocep\Config.xml
  • %ProgramData%\ocep\Dentoit.dll
  • %ProgramData%\ocep\Eco-Home.bin
  • %ProgramData%\ocep\Hatair.bin
  • %ProgramData%\ocep\Hatlab.exe
  • %ProgramData%\ocep\Hatlab.exe.config
  • %ProgramData%\ocep\Hayjob.bin
  • %ProgramData%\ocep\Joblam.dll
  • %ProgramData%\ocep\Matplus.bin
  • %ProgramData%\ocep\md.xml
  • %ProgramData%\ocep\ocep.d.dat
  • %ProgramData%\ocep\ocep.dat
  • %ProgramData%\ocep\ocep.exe
  • %ProgramData%\ocep\OverSing.exe
  • %ProgramData%\ocep\OverSing.exe.config
  • %ProgramData%\ocep\Physin.exe
  • %ProgramData%\ocep\Physin.exe.config
  • %ProgramData%\ocep\Silvercore.dat
  • %ProgramData%\ocep\Solocore.bin
  • %ProgramData%\ocep\TampRunfix.bin
  • %ProgramData%\ocep\uninstall.dat
  • %ProgramData%\ocep\Zathlex.bin
  • %ProgramData%\oceps\ff.HP
  • %ProgramData%\oceps\ff.NT
  • %ProgramData%\oceps\snp.sc


It creates the following registry entries:

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
Sets value: "LoadAppInit_DLLs"
With data: "0x00000001"

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
Sets value: "AppInit_DLLs"
With data: "%ProgramData%\{installation folder}\Joblam.dll"

It also registers itself as a service by creating the following registry entries:

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\ocep
Sets value: Type
With data: 0x00000010

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\ocep
Sets value: Start
With data: 0x00000002

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\ocep
Sets value: ErrorControl
With data: 0x00000001

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\ocep
Sets value: ImagePath
With data: "%ProgramData%\\{installation folder}\\ocep.exe -f "%ProgramData%\\{installation folder}\\ocep.dat" -l -a"

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\ocep
Sets value: DisplayName
With data: "ocep"

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\ocep
Sets value: ObjectName
With data: "LocalSystem"

Payload

Modifies Browser Shortcuts

This threat modifies the Internet Explorer shortcut:

%USERPROFILE%\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk

When launched using the shortcut, Internet Explorer starts and opens its homepage.

It creates the following registry entries, which add per-user environment variables that are used to load its homepage:

In subkey: HKCU\Environment
Sets value: SNF
With data: "C:\ProgramData\oceps\snp.sc"

In subkey: HKCU\Environment
Sets value: SNP
With data: hxxp://%66%65%65%64.%68%65%6C%70%65%72%62%61%72.%63%6F%6D?publisher=apsnapdoam&co=US&userid=05c88f08-13ac-dfa5-3789-a2b27c8f3b3c&searchtype=sc&installDate=12/12/2016&barcodeid=50014888&channelid=888&av=windows

Modifies Internet Explorer settings

This threat modifies Internet Explorer's start and search settings by creating the following registry entries:

In subkey: HKCU\SOFTWARE\Microsoft\Internet Explorer\Main
Sets value: Search Page
With data: hxxp://%66%65%65%64.%68%65%6C%70%65%72%62%61%72.%63%6F%6D/?p=mKO_AwFzXIpYRYEqQao2TxTGptbOxpBNf02kLCqe19CEfHL4RIg2FbgLooun_Y-HJkIplE-OS3mGRLkTd0uz7Daav9Ubo-ET5c_r86Kg7gNmz5dBtjIXgKf8I5W2YBKqFrSU10dLRD09kcdJ42n6db8rSajNUxchPhZeQMFpB4BXzdXlkDnMk98OX8OQeSJXmQcSWYxSJ4w,&q={searchTerms}

In subkey: HKCU\SOFTWARE\Microsoft\Internet Explorer\Main
Sets value: Start Page
With data: hxxp://%66%65%65%64.%68%65%6C%70%65%72%62%61%72.%63%6F%6D/?p=mKO_AwFzXIpYRYEqQao2TxTGptbOxpBNf02kLCqe19CEfHL4RIg2FbgLooun_Y-HJkIplE-OS3mGRLkTd0uz7Daav9Ubo-ET5c_r86Kg7gNmz5tJIMKDME3mJlCAu4JLYZikSsqgJ8xEtMpw5iZxJ6U3hRpdu8gvegh8rlV0FmuBune7bU6-ujKgH1ZTrHwmLs9xgESiRik,

In subkey: HKCU\SOFTWARE\Microsoft\Internet Explorer\Main
Sets value: Search Bar
With data: "hxxp://%66%65%65%64.%68%65%6C%70%65%72%62%61%72.%63%6F%6D/?p=mKO_AwFzXIpYRYEqQao2TxTGptbOxpBNf02kLCqe19CEfHL4RIg2FbgLooun_Y-HJkIplE-OS3mGRLkTd0uz7Daav9Ubo-ET5c_r86Kg7gNmz5dBtjIXgKf8I5W2YBKqFrSU10dLRD09kcdJ42n6db8rSajNUxchPhZeQMFpB4BXzdXlkDnMk98OX8OQeSJXmQcSWYxSJ4w,&q={searchTerms}"

In subkey: HKCU\SOFTWARE\Microsoft\Internet Explorer\Main
Sets value: SearchAssistant
With data: hxxp://%66%65%65%64.%68%65%6C%70%65%72%62%61%72.%63%6F%6D/?p=mKO_AwFzXIpYRYEqQao2TxTGptbOxpBNf02kLCqe19CEfHL4RIg2FbgLooun_Y-HJkIplE-OS3mGRLkTd0uz7Daav9Ubo-ET5c_r86Kg7gNmz5dBtjIXgKf8I5W2YBKqFrSU10dLRD09kcdJ42n6db8rSajNUxchPhZeQMFpB4BXzdXlkDnMk98OX8OQeSJXmQcSWYxSJ4w,&q={searchTerms}

In subkey: HKCU\SOFTWARE\Microsoft\Internet Explorer\Search
Sets value: Default_Search_URL
With data: "hxxp://%66%65%65%64.%68%65%6C%70%65%72%62%61%72.%63%6F%6D/?p=mKO_AwFzXIpYRYEqQao2TxTGptbOxpBNf02kLCqe19CEfHL4RIg2FbgLooun_Y-HJkIplE-OS3mGRLkTd0uz7Daav9Ubo-ET5c_r86Kg7gNmz5dBtjIXgKf8I5W2YBKqFrSU10dLRD09kcdJ42n6db8rSajNUxchPhZeQMFpB4BXzdXlkDnMk98OX8OQeSJXmQcSWYxSJ4w,&q={searchTerms}"

In subkey: HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchUrl
Sets value: Default
With data: hxxp://%66%65%65%64.%68%65%6C%70%65%72%62%61%72.%63%6F%6D/?p=mKO_AwFzXIpYRYEqQao2TxTGptbOxpBNf02kLCqe19CEfHL4RIg2FbgLooun_Y-HJkIplE-OS3mGRLkTd0uz7Daav9Ubo-ET5c_r86Kg7gNmz5dBtjIXgKf8I5W2YBKqFrSU10dLRD09kcdJ42n6db8rSajNUxchPhZeQMFpB4BXzdXlkDnMk98OX8OQeSJXmQcSWYxSJ4w,&q={searchTerms}

It also adds a search engine to Internet Explorer by creating the following registry entries:

In subkey: HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes
Sets value: DefaultScope
With data: "{ielnksrch}"

In subkey: HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{ielnksrch}
Sets value: DisplayName
With data: "Search the web"

In subkey: HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{ielnksrch}
Sets value: URL
With data: "hxxp://%66%65%65%64.%68%65%6C%70%65%72%62%61%72.%63%6F%6D/?p=mKO_AwFzXIpYRYEqQao2TxTGptbOxpBNf02kLCqe19CEfHL4RIg2FbgLooun_Y-HJkIplE-OS3mGRLkTd0uz7Daav9Ubo-ET5c_r86Kg7gNmz5dBtjIXgKf8I5W2YBKqFrSU10dLRD09kcdJ42n6db8rSajNUxchPhZeQMFpB4BXzdXlkDnMk98OX8OQeSJXmQcSWYxSJ4w,&q={searchTerms}"

In subkey: HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{ielnksrch}
Sets value: SuggestionsURLFallback
With data: "hxxp://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IE8SSC&market={language}"

In subkey: HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{ielnksrch}
Sets value: SuggestionsURL_JSON
With data: "hxxp://suggestqueries.google.com/complete/search?output=firefox&client=firefox&qu={searchTerms}"

It also contacts the following domains:
  • stats.hkijngy.me
  • svc-stats.linkury.com
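The following read-only PowerShell audit is an added example and is not part of the Microsoft description: it checks the persistence points and browser settings listed above (AppInit_DLLs, the ocep service, the SNF/SNP environment variables, the Internet Explorer start/search values and the {ielnksrch} search scope) and decodes the percent-encoded hostname in the IE values so an analyst can see where they point. It assumes it is run on the machine being examined with rights to read HKLM and the current user's hive.

```powershell
# Added example (not from the Microsoft description): read-only audit of the
# persistence points and browser settings this page lists for Linkhortry.
$findings = @()

# 1. AppInit_DLLs injection: LoadAppInit_DLLs = 1 plus a DLL path under %ProgramData%
$winNt = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$appInit = Get-ItemProperty -Path $winNt -ErrorAction SilentlyContinue
if ($appInit.LoadAppInit_DLLs -eq 1 -and $appInit.AppInit_DLLs -match 'ProgramData') {
    $findings += "AppInit_DLLs is enabled and loads: $($appInit.AppInit_DLLs)"
}

# 2. The 'ocep' service (Type 0x10 = own process, Start 2 = automatic, ObjectName LocalSystem)
$svc = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\ocep' -ErrorAction SilentlyContinue
if ($svc) {
    $findings += "Service 'ocep' is registered, ImagePath: $($svc.ImagePath)"
}

# 3. Per-user environment variables SNF / SNP that carry the homepage URL
$userEnv = Get-ItemProperty -Path 'HKCU:\Environment' -ErrorAction SilentlyContinue
foreach ($name in 'SNF', 'SNP') {
    if ($userEnv.$name) { $findings += "HKCU\Environment\$name = $($userEnv.$name)" }
}

# 4. Internet Explorer start/search values. The hostname in the data is
#    percent-encoded; UnescapeDataString shows the plain host it resolves to.
$ieMain = Get-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Internet Explorer\Main' -ErrorAction SilentlyContinue
foreach ($name in 'Start Page', 'Search Page', 'Search Bar', 'SearchAssistant') {
    $value = $ieMain.$name
    if ($value -and $value -match '%[0-9A-Fa-f]{2}') {
        $decoded = [uri]::UnescapeDataString($value)
        $findings += "IE '$name' uses a percent-encoded host -> $decoded"
    }
}

# 5. Default search scope replaced with the {ielnksrch} scope added by the threat
$scopes = Get-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Internet Explorer\SearchScopes' -ErrorAction SilentlyContinue
if ($scopes.DefaultScope -eq '{ielnksrch}') {
    $findings += 'IE DefaultScope is {ielnksrch}'
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Host 'None of the Linkhortry indicators from this description were found.' }
```

The script only reads the registry; removal of the entries and of the files under %ProgramData% should be left to the anti-malware product that detected the threat.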






Analysis by Jody Koo

Last update 14 December 2016
