Analysis
Drops one of the following drivers depending on the OS version information:
- %SYSTEM%\drivers\netdtect.sys
- %SYSTEM%\drivers\ip6fw.sys
- %SYSTEM%\drivers\secdrv.sys
These files are all detected by Fortinet as W32/Pushu.A!tr.rkit.
Drops and loads a driver %SYSTEM%\drivers\runtime.sys, then registers it as a service named runtime by adding the following registry entry:
- key: HKLM\SYSTEM\CurrentControlSet\Services\runtime
- value: ImagePath
- data: %SYSTEM%\drivers\runtime.sys
This driver is used to hide processes whose process ID is passed to it by the malware's other component.
Attempts to inject malicious code into Internet Explorer, which will download the malicious file [Random Digits].exe into the Temporary folder. It then executes the downloaded file. The Internet Explorer process is hidden by calling the runtime.sys driver.
Deletes the dropped driver file %SYSTEM%\drivers\runtime.sys.
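As an added detection example (not part of the Fortinet analysis), the Python below turns the indicators listed above into a check over constructed, Sysmon-like file-create and registry-set events; the event shape, the `C:\Temp\dropper.exe` image path and the sample records are assumptions made for illustration.

```python
import re

# Indicators come from the analysis above. The event records are constructed
# samples in a simplified Sysmon-like shape, not real telemetry.
SERVICE_KEY = r"HKLM\SYSTEM\CurrentControlSet\Services\runtime"
ROOTKIT_DRIVERS = {"netdtect.sys", "ip6fw.sys", "secdrv.sys"}
DRIVERS_DIR_RE = re.compile(r"\\drivers\\([^\\]+\.sys)$", re.IGNORECASE)

def classify_event(ev):
    """Return (confidence, finding) for one event, or None if nothing matched."""
    if ev["type"] == "registry_set":
        if ev["key"].lower() == SERVICE_KEY.lower() and ev["value"].lower() == "imagepath":
            if ev["data"].lower().endswith(r"\drivers\runtime.sys"):
                return ("high", "service 'runtime' points at runtime.sys (Pushu hiding driver)")
            return ("medium", "service 'runtime' registered with ImagePath " + ev["data"])
    elif ev["type"] == "file_create":
        m = DRIVERS_DIR_RE.search(ev["path"])
        if not m:
            return None
        name = m.group(1).lower()
        if name == "runtime.sys":
            return ("high", f"runtime.sys dropped by {ev['image']}")
        # ip6fw.sys and secdrv.sys are also legitimate driver names on older
        # Windows, so a name match alone is only medium confidence; confirm with
        # the AV detection named in the analysis (W32/Pushu.A!tr.rkit) before acting.
        if name in ROOTKIT_DRIVERS:
            return ("medium", f"{name} written to drivers directory by {ev['image']}")
    return None

def scan_events(events):
    """Run every event through classify_event and keep the hits in event order."""
    hits = []
    for ev in events:
        result = classify_event(ev)
        if result:
            hits.append((ev["id"], *result))
    return hits

# Constructed sample events: 1 and 5 are benign, 2-4 reproduce the dropper's behaviour.
SAMPLE_EVENTS = [
    {"id": 1, "type": "file_create", "image": r"C:\Windows\explorer.exe",
     "path": r"C:\Windows\system32\drivers\ntfs.sys"},
    {"id": 2, "type": "file_create", "image": r"C:\Temp\dropper.exe",
     "path": r"C:\Windows\system32\drivers\netdtect.sys"},
    {"id": 3, "type": "file_create", "image": r"C:\Temp\dropper.exe",
     "path": r"C:\Windows\system32\drivers\runtime.sys"},
    {"id": 4, "type": "registry_set", "key": SERVICE_KEY, "value": "ImagePath",
     "data": r"%SYSTEM%\drivers\runtime.sys"},
    {"id": 5, "type": "registry_set", "key": r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip",
     "value": "ImagePath", "data": r"system32\drivers\tcpip.sys"},
]

if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS):
        print(hit)
```

Because the driver is deleted after use, the registry entry under Services\runtime may be the only artifact left on a live system, which is why the registry rule is scored high on its own.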