
Infostealer.Boyapki.D


First posted on 29 January 2016.
Source: Symantec

Aliases:

There are no other names known for Infostealer.Boyapki.D.

Explanation:

Once executed, the Trojan creates the following file:
%Temp%\[RANDOM FOLDER NAME]\[RANDOM FILE NAME].dll
The Trojan creates the following registry entry so that it runs every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"ipv4" = "%System%\rundll32.exe %Temp%\[RANDOM FOLDER NAME]\[RANDOM FILE NAME].dll\,CallWindows"
Next, the Trojan may connect to any of the following remote locations:
fuckbangzi.lofter.com
100.43.160.70
[http://]174.139.203.182:805/imag[REMOVED]
[http://]tast.ctp.or.kr/board/tj/coun[REMOVED]
The Trojan may steal files with the following extensions from the NPKI folder on the compromised computer:
.cer
.der
Next, the Trojan modifies the following file to redirect the compromised computer from legitimate sites to sites under the attacker's control:
%System%\drivers\etc\hosts
The Trojan specifies that the computer should be redirected from the following legitimate sites to the attacker's sites:
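As an added defender-side example (not part of the Symantec writeup), the script below checks for the two persistence and hijack artifacts described above: hosts-file entries that map watched domains to a non-loopback address, and a Run-key value that loads a DLL from %Temp% through rundll32.exe with the "CallWindows" entry point. The sample hosts content, the 203.0.113.7 address and the small watchlist are constructed for illustration; a real deployment would load the full domain list from the advisory.

```python
import ipaddress
import re

# Constructed hosts-file sample (not from the page): normal loopback entries,
# a comment that must be ignored, and two attacker-style redirections.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# comment mentioning search.naver.com must not produce a hit
203.0.113.7     www.shinhan.com
203.0.113.7     search.naver.com   www.naver.com
"""

# Subset of the domains the writeup lists as redirect targets (constructed subset).
WATCHLIST = {"www.shinhan.com", "search.naver.com", "www.naver.com", "search.daum.net"}

# Run-key pattern from the writeup: rundll32.exe loading a DLL under %Temp%
# (literal %Temp% or an expanded ...\Temp\ path) and calling "CallWindows".
RUN_VALUE_RE = re.compile(
    r"rundll32\.exe\s+.*[\\%](?:temp|tmp)%?\\[^\s,]+\.dll\\?,\s*CallWindows\b",
    re.IGNORECASE,
)


def hosts_hijacks(text, watchlist=WATCHLIST):
    """Return (ip, hostname) pairs mapping a watched host to a non-loopback address."""
    hits = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        ip_str, *names = line.split()
        try:
            ip = ipaddress.ip_address(ip_str)
        except ValueError:
            continue  # not a "<ip> <name>..." mapping line
        if ip.is_loopback:
            continue  # 127.0.0.1 / ::1 entries are the file's normal content
        hits.extend((ip_str, n.lower()) for n in names if n.lower() in watchlist)
    return hits


def is_suspicious_run_value(value):
    """True when a Run-key value matches the rundll32 / %Temp% DLL / CallWindows pattern."""
    return RUN_VALUE_RE.search(value) is not None


if __name__ == "__main__":
    for ip, host in hosts_hijacks(SAMPLE_HOSTS):
        print(f"hosts hijack: {host} -> {ip}")
    run = r"C:\Windows\system32\rundll32.exe C:\Users\u\AppData\Local\Temp\abcd\xyz.dll\,CallWindows"
    print("run key suspicious:", is_suspicious_run_value(run))
```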

Last update 29 January 2016
