Technical Information
Malicious functions
Modifies settings of Windows Internet Explorer
- [HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings] 'ProxyEnable' = '00000001'
- [HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings] 'ProxyServer' = 'http=127.0.0.1:49186;https=127.0.0.1:49186;socks=127.0.0.1:49185'
- [HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings] 'ProxyOverride' = '<local>'
Modifies file system
Creates the following files
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.ie5\dyps348i\main[1]
- %LOCALAPPDATA%\microsoft\windows\history\low\history.ie5\index.dat
- %APPDATA%\microsoft\windows\cookies\low\index.dat
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\32kdepse\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\v8la6gsc\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\ot87v63z\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\gysl1qkl\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\index.dat
- %LOCALAPPDATA%\microsoft\windows\history\low\history.ie5\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\history\low\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.ie5\zmuktniv\logo[1]
- %APPDATA%\psiphon3\ca.psiphon.psiphontunnel.tunnel-core\datastore\psiphon.boltdb
- %APPDATA%\psiphon3\ca.psiphon.psiphontunnel.tunnel-core\upgrade.181.part.etag
- %TEMP%\psiphon-tunnel-core.exe
- %APPDATA%\psiphon3\psiphon.config
- %APPDATA%\psiphon3\psicash\psicashdatastore.prod.temp
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.ie5\i3nmat9z\flag_unknown_32[1]
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.ie5\dyps348i\banner[1]
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.ie5\ea09503g\flags32[1]
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.ie5\zmuktniv\rocket[1]
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.ie5\i3nmat9z\psicash_coin_grey[1]
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.ie5\dyps348i\psicash_coin[1]
- %LOCALAPPDATA%\microsoft\internet explorer\msimgsiz.dat
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.ie5\ea09503g\turtle[1]
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.ie5\zmuktniv\logo-bw[1]
- %TEMP%\dat6a27.tmp
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.ie5\i3nmat9z\icomoon[1]
- %APPDATA%\psiphon3\server_list.dat
- %APPDATA%\psiphon3\ca.psiphon.psiphontunnel.tunnel-core\upgrade.181.part
Sets the 'hidden' attribute to the following files
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\gysl1qkl\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\ot87v63z\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\v8la6gsc\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\32kdepse\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\history\low\history.ie5\desktop.ini
Deletes the following files
- %APPDATA%\psiphon3\psicash\psicashdatastore.prod
- %APPDATA%\psiphon3\ca.psiphon.psiphontunnel.tunnel-core\upgrade.181.part.etag
- %APPDATA%\psiphon3\ca.psiphon.psiphontunnel.tunnel-core\upgrade
Moves the following files
- from %APPDATA%\psiphon3\psicash\psicashdatastore.prod.temp to %APPDATA%\psiphon3\psicash\psicashdatastore.prod.commit
- from %APPDATA%\psiphon3\psicash\psicashdatastore.prod.commit to %APPDATA%\psiphon3\psicash\psicashdatastore.prod
- from %APPDATA%\psiphon3\ca.psiphon.psiphontunnel.tunnel-core\upgrade.181.part to %APPDATA%\psiphon3\ca.psiphon.psiphontunnel.tunnel-core\upgrade.181
- from %APPDATA%\psiphon3\ca.psiphon.psiphontunnel.tunnel-core\upgrade.181 to %APPDATA%\psiphon3\ca.psiphon.psiphontunnel.tunnel-core\upgrade
Substitutes the following files
- %APPDATA%\psiphon3\psicash\psicashdatastore.prod.temp
- %APPDATA%\psiphon3\psicash\psicashdatastore.prod.commit
- %APPDATA%\psiphon3\psicash\psicashdatastore.prod
Network activity
Connects to
- 'a6##.#.akamai.net':443
- '18#.#89.114.77':443
- '10#.#28.55.39':554
- '37.##0.193.26':443
- '18#.#45.84.118':22
- '82.##3.55.74':22
- '10#.#8.155.190':443
- 'a1###.q.akamai.net':80
- 'a1###.na.akamai.net':80
- '86.##7.104.118':443
- 'localhost':49186
TCP
HTTP GET requests
- http://x.##2.us/x.cer
- http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
- http://pk#.goog/gsr1/gsr1.crt
HTTP POST requests
- http://www.tx######okerinfinite.com/
- http://www.eq#####ntcmgrowkc.com/
Other
- 'a6##.#.akamai.net':443
- '10#.#28.55.39':554
- '18#.#45.84.118':22
- '37.##0.193.26':443
- '18#.#89.114.77':443
- '10#.#8.155.190':443
- '82.##3.55.74':22
- 'localhost':49198
- 'localhost':49186
- 'localhost':49199
- 'localhost':49200
- 'localhost':49201
UDP
- DNS ASK a6##.#.akamai.net
- DNS ASK a1###.q.akamai.net
- DNS ASK a1###.na.akamai.net
- '77.#8.8.150':443
Miscellaneous
Searches for the following windows
- ClassName: 'Internet Explorer_Server' WindowName: ''
- ClassName: 'MS_AutodialMonitor' WindowName: ''
- ClassName: 'MS_WebCheckMonitor' WindowName: ''
Creates and executes the following
- '%TEMP%\psiphon-tunnel-core.exe' --config "%APPDATA%\Psiphon3\psiphon.config" --serverList "%APPDATA%\Psiphon3\server_list.dat"
Executes the following
- '%WINDIR%\syswow64\rundll32.exe' "%WINDIR%\syswow64\WININET.dll",DispatchAPICall 1
- '%ProgramFiles(x86)%\opera\launcher.exe' -noautoupdate -- "https://ipfounder.net/?sponsor_id=1BC527D3D09985CF&sponsor=psiphon&client_region=NL&client_asn=60781&client_platform=windows&secret=580EfjEI29xL3hoyU6dgP4vSEVxdcGI7JDFkxgjds7P...
- '%ProgramFiles(x86)%\opera\29.0.1795.47\opera.exe' -noautoupdate --ran-launcher -- https://ipfounder.net/?sponsor_id=1BC527D3D09985CF&sponsor=psiphon&client_region=NL&client_asn=60781&client_platform=windows&secret=580EfjEI29xL3hoyU6dgP4vSEVxdc...
- '%ProgramFiles(x86)%\opera\29.0.1795.47\opera_crashreporter.exe' -noautoupdate --ran-launcher -- https://ipfounder.net/?sponsor_id=1BC527D3D09985CF&sponsor=psiphon&client_region=NL&client_asn=60781&client_platform=windows&secret=580EfjEI29xL3hoyU6dgP4vSEVxdc...
- '%ProgramFiles(x86)%\opera\29.0.1795.47\opera.exe' --type=gpu-process --channel="1992.0.1230066056\973442423" --enable-proprietary-media-types-playback --supports-dual-gpus=false --gpu-driver-bug-workarounds=1,19,42 --gpu-vendor-id=0x0000 --gpu...
