Performs various changes to the file system. These changes can serve several purposes: ensuring persistence and continuing the activity from a less conspicuous location, storing information, or modifying existing files to restrict access or destroy user data.

Writes a new file and runs it. The file can be created for various reasons, including continuing the sample's actions, ensuring persistence, or performing the malicious actions while the sample itself performs benign actions to confuse the user. For this sample, the original file %profile%\downloads\patch.zip\patch.exe writes the file %profile%\appdata\local\temp\_ir_sf_temp_0\irsetup.exe and executes it.

Writes a new executable file on the system. This file can be a dependency the sample needs to accomplish its purpose or an executable intended to continue the sample's actions. For this sample, the original file %profile%\downloads\patch.zip\patch.exe writes the file %profile%\appdata\local\temp\_ir_sf_temp_0\lua5.1.dll. The combination of a _ir_sf_temp_0 directory, an irsetup.exe runtime and a bundled lua5.1.dll is characteristic of a self-extracting installer built with Indigo Rose Setup Factory, whose setup logic is a Lua script packaged with the runtime; the behaviour of patch.exe is therefore defined by that script rather than by the extraction stub.

Writes several files on the system. The new files can have various uses, including storing sensitive information gathered by the sample or holding configuration data. For this sample, the dropped file %profile%\appdata\local\temp\_ir_sf_temp_0\irsetup.exe writes the files %profile%\appdata\local\temp\_ir_sf_temp_0\irsetup.dat, %profile%\appdata\local\temp\_ir_sf_temp_0\irimg1.jpg, %profile%\appdata\local\temp\_ir_sf_temp_0\irimg2.jpg and %profile%\appdata\local\temp\_ir_sf_temp_0\timy.png.

Creates several temporary files on the system. For this sample, the dropped file %profile%\appdata\local\temp\_ir_sf_temp_0\irsetup.exe creates the files:
- %profile%\appdata\local\temp\irwb9eb.tmp
- %profile%\appdata\local\temp\irwcf60.tmp
- %profile%\appdata\local\temp\irwdbb2.tmp
- %profile%\appdata\local\temp\irwdbd2.tmp
- %profile%\appdata\local\temp\irwde43.tmp
- %profile%\appdata\local\temp\irwde44.tmp
- %profile%\appdata\local\temp\irwdf4e.tmp
- %profile%\appdata\local\temp\irwdf5f.tmp
- %profile%\appdata\local\temp\irwe115.tmp
The original file %profile%\downloads\patch.zip\patch.exe writes the registry value hklm\system\controlset001\control\session manager\pendingfilerenameoperations with the entry \??\%profile%\appdata\local\temp\_ir_sf_temp_0\irsetup.exe. Session Manager processes this REG_MULTI_SZ value at the next boot, before any user logs on, reading it as source/destination pairs; an entry with an empty destination deletes the source file. For a self-extracting installer the usual purpose is to remove its own extracted runtime, which is still in use while the installer runs, but the same mechanism can move, replace or delete any file with SYSTEM privileges at boot, so the queued entries are worth inspecting rather than dismissing as cleanup.
To learn when registry keys are modified, the dropped file %profile%\appdata\local\temp\_ir_sf_temp_0\irsetup.exe registers for change notification on the registry key hklm\software\classes\wow6432node\clsid, the key that holds 32-bit COM class registrations on 64-bit Windows. On its own this can be a side effect of the COM runtime initialising for the installer's user interface rather than deliberate monitoring; it becomes interesting only if the sample also writes CLSID entries.
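To see what the PendingFileRenameOperations entry above will actually do at boot, the decoder below unpacks the value's REG_MULTI_SZ encoding into source/destination pairs and classifies each as a delete, rename or overwrite. It is an added example, not code from the report or from the sample. The report prints only the source entry, so the empty destination (delete at boot) in the constructed sample value is an assumption, and the second pair is unrelated to the sample and exists only to show the '!' overwrite form.

```python
"""Decode a PendingFileRenameOperations value into the file operations that
Session Manager will carry out at the next boot.

Added example, not code from the sandbox report or from the sample. The value
is REG_MULTI_SZ: UTF-16LE, each string NUL-terminated, the list closed by one
more NUL. Entries are read in pairs (source, destination): an empty
destination deletes the source, a destination prefixed with '!' may replace an
existing target, and paths carry the NT object-manager prefix \\??\\.
"""
from dataclasses import dataclass
from typing import List, Optional

NT_PREFIX = "\\??\\"
TEMP_MARKER = "\\appdata\\local\\temp\\"


@dataclass
class PendingOp:
    source: str
    destination: Optional[str]   # None: delete the source at boot
    overwrite: bool              # '!' prefix: replace an existing target

    @property
    def kind(self) -> str:
        if self.destination is None:
            return "delete"
        return "rename-overwrite" if self.overwrite else "rename"

    @property
    def from_user_temp(self) -> bool:
        # An entry sourced from a user temp directory deserves a look: the
        # operation runs as SYSTEM at boot, whoever queued it.
        return TEMP_MARKER in self.source.lower()


def split_multi_sz(raw: bytes) -> List[str]:
    """Split raw REG_MULTI_SZ bytes into its strings, preserving empty ones
    (which this value uses to mean 'delete')."""
    text = raw.decode("utf-16-le")
    if text.endswith("\x00\x00"):
        text = text[:-2]          # last string's NUL plus the list terminator
    elif text.endswith("\x00"):
        text = text[:-1]          # tolerate a value lacking the final NUL
    return text.split("\x00") if text else []


def encode_multi_sz(strings: List[str]) -> bytes:
    """Inverse of split_multi_sz; used here only to build the sample value."""
    return ("\x00".join(strings) + "\x00\x00").encode("utf-16-le")


def _strip_nt_prefix(path: str) -> str:
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def parse_pending_file_rename_ops(raw: bytes) -> List[PendingOp]:
    entries = split_multi_sz(raw)
    if len(entries) % 2:
        raise ValueError("value must hold source/destination pairs")
    ops = []
    for src, dst in zip(entries[0::2], entries[1::2]):
        overwrite = dst.startswith("!")
        dst = _strip_nt_prefix(dst[1:] if overwrite else dst)
        ops.append(PendingOp(_strip_nt_prefix(src), dst or None, overwrite))
    return ops


# Constructed sample. The first source is the entry the report shows; its empty
# destination (delete at boot) is an assumption, since the report prints only
# the source. The second pair is unrelated to the sample and shows the '!' form.
SAMPLE_VALUE = encode_multi_sz([
    r"\??\%profile%\appdata\local\temp\_ir_sf_temp_0\irsetup.exe", "",
    r"\??\C:\Users\Public\stage.tmp", r"!\??\C:\Program Files\app\app.exe",
])

if __name__ == "__main__":
    for op in parse_pending_file_rename_ops(SAMPLE_VALUE):
        flag = "  [from user temp]" if op.from_user_temp else ""
        print(f"{op.kind:17} {op.source} -> {op.destination or '(deleted)'}{flag}")
```

The decoder takes the raw value bytes, as a hive parser or a registry export provides them, rather than an already-split list, so that empty entries, which carry meaning here, survive regardless of how the API used to read the value treats them.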
Network accesses can serve the following purposes: checking for an Internet connection, reporting a new infection to the author, receiving configuration or other data, receiving instructions, determining the victim's location, uploading information, etc. Sends data to or reads data from different hosts. Malware can do so to upload stolen information, receive instructions, report a successful infection, etc. The hosts below are all legitimate public services, which makes the traffic blend in; the URL forms are the notable part. A bit.ly link resolves to a target the report does not show, a pastebin.com/raw/ path returns the paste body as plain text rather than a web page, and a dropbox.com share link with ?dl=1 forces a direct download of the file (here E_IC.txt and E_ICC.txt). That pattern lets whoever controls those pages change what the installer fetches without touching the sample. The dropped file %profile%\appdata\local\temp\_ir_sf_temp_0\irsetup.exe requests the following URLs (listed as the report shows them, without scheme):
- bit.ly/2xTFwjD
- pastebin.com/raw/xSci3Yxu
- www.dropbox.com/s/nghf5dtjvmkylf9/E_IC.txt?dl=1
- pastebin.com/raw/aRZeJHZ2
- www.dropbox.com/s/muddcdupta01wfl/E_ICC.txt?dl=1
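The following detection logic turns the chain described in this report (executable dropped into a user temp directory, executed, then requests to paste and file-sharing services) into a correlation over an event stream. It is an added example, not part of the report. The event records and their field names are constructed, loosely modelled on Sysmon FileCreate and ProcessCreate events plus a proxy log carrying URLs; the paths and URLs are the ones the report lists, and the two control events (a browser visiting Dropbox, and the temp process contacting an ordinary host) are constructed to show what does not fire.

```python
"""Correlate a drop-and-execute chain from a user temp directory with outbound
requests to public paste / file-sharing / shortener services.

Added example, not part of the sandbox report. Event layout is assumed; hosts
and URLs come from the report's indicator list.
"""
from urllib.parse import parse_qs, urlsplit

TEMP_MARKER = "\\appdata\\local\\temp\\"
EXEC_EXT = (".exe", ".dll", ".scr", ".com")

# Hosts the report shows irsetup.exe contacting. All are legitimate services;
# the signal is a temp-resident process fetching raw content from them.
DEAD_DROP_HOSTS = {"pastebin.com", "www.dropbox.com", "bit.ly"}


def _in_user_temp(path: str) -> bool:
    return TEMP_MARKER in path.lower()


def _host_matches(host: str, known) -> bool:
    return any(host == k or host.endswith("." + k) for k in known)


def classify_url(url: str) -> str:
    """Say why a URL matters: these forms return content, not an HTML page."""
    u = urlsplit(url if "://" in url else "https://" + url)
    host, path, qs = u.hostname or "", u.path, parse_qs(u.query)
    if host.endswith("pastebin.com") and path.startswith("/raw/"):
        return "raw-paste"
    if host.endswith("dropbox.com") and qs.get("dl") == ["1"]:
        return "direct-download"
    if host == "bit.ly":
        return "shortener"
    return "other"


def correlate(events):
    """Return (rule, image, detail) findings for the event stream."""
    dropped = {}        # lower-cased path of an executable written to temp -> writer
    findings = []
    for ev in events:
        if ev["type"] == "file_create":
            target = ev["target"]
            if _in_user_temp(target) and target.lower().endswith(EXEC_EXT):
                dropped[target.lower()] = ev["image"]
        elif ev["type"] == "process_create":
            image = ev["image"]
            if image.lower() in dropped:
                findings.append(("dropped-then-executed", image,
                                 f"written by {dropped[image.lower()]}"))
        elif ev["type"] == "http":
            image, url = ev["image"], ev["url"]
            host = urlsplit("https://" + url).hostname or ""
            if _in_user_temp(image) and _host_matches(host, DEAD_DROP_HOSTS):
                findings.append(("temp-process-dead-drop", image,
                                 f"{classify_url(url)}: {url}"))
    return findings


# Constructed event stream mirroring the report; firefox.exe and example.com
# are controls that must not produce findings.
PATCH = r"%profile%\downloads\patch.zip\patch.exe"
IRSETUP = r"%profile%\appdata\local\temp\_ir_sf_temp_0\irsetup.exe"
FIREFOX = r"C:\Program Files\Mozilla Firefox\firefox.exe"

EVENTS = [
    {"type": "file_create", "image": PATCH, "target": IRSETUP},
    {"type": "file_create", "image": PATCH,
     "target": r"%profile%\appdata\local\temp\_ir_sf_temp_0\lua5.1.dll"},
    {"type": "process_create", "image": IRSETUP, "parent": PATCH},
    {"type": "http", "image": IRSETUP, "url": "bit.ly/2xTFwjD"},
    {"type": "http", "image": IRSETUP, "url": "pastebin.com/raw/xSci3Yxu"},
    {"type": "http", "image": IRSETUP,
     "url": "www.dropbox.com/s/nghf5dtjvmkylf9/E_IC.txt?dl=1"},
    {"type": "http", "image": FIREFOX, "url": "www.dropbox.com/home"},
    {"type": "http", "image": IRSETUP, "url": "www.example.com/ok"},
]

if __name__ == "__main__":
    for rule, image, detail in correlate(EVENTS):
        print(f"{rule:24} {image}  {detail}")
```

The host list is deliberately the report's own three services; in production it would be a maintained list of paste sites, file-sharing hosts and shorteners, and the temp-directory check would cover the other user-writable staging locations the environment allows.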