Remote Access
Reads terminal service related keys (often RDP related)
Persistence
Modifies auto-execute functionality by setting/creating a value in the registry
Modifies firewall settings
Spawns a lot of processes
Writes data to a remote process
Fingerprint
Queries kernel debugger information
Queries process information
Queries sensitive IE security settings
Reads the active computer name
Reads the cryptographic machine GUID
Reads the Windows installation date
Evasive
Marks file for deletion
Possibly tries to evade analysis by sleeping many times
Tries to sleep for a long time (more than two minutes)
Spreading
Opens the MountPointManager (often used to detect additional infection locations)
Remote Host (the one YOU use to spread your malware): 125.182.109.14