SHA256 – 9ff1c8e6d80ebf5626714362cbc55a53ba17038e841773d24fdc018891adb52e
Tools used for analysis: OllyDbg, Wireshark, PE Explorer.
I started debugging using OllyDbg. The first warning I received was:
“Module ‘AutoRUN_’ has entry point outside the code (as specified in the PE header). Maybe this file is self-extracting or self-modifying. Please keep it in mind when setting breakpoints!”
The executable extracts a HelpMe.exe file and copies it to C:\Windows\System32.
It also extracts an AUTORUN_INF.exe file to C:\; it creates its files in the same location.
The AutoRun.exe file executes HelpMe.exe.
It also adds HelpMe.exe to the Startup programs and renames the shortcut icon to Soft.
The behavior I observed is that the malware replicates itself and creates/hides Word, PDF, XLS and Pages document files under the Recycle Bin folder.
I also observed that HelpMe.exe keeps changing location from C:\Windows\System32 to C:\Windows\SysWow64.
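As an added defender-side example, not part of these notes, the check below turns the artifacts listed above (HelpMe.exe in System32/SysWOW64, AUTORUN_INF.exe at the drive root, a Startup shortcut named Soft pointing at HelpMe.exe, hidden document files under the Recycle Bin) into a triage check over a host file inventory. The inventory dict format and the sample entries are constructed assumptions, not output of any particular tool.

```python
from pathlib import PureWindowsPath

# Indicators taken from the notes above; all matching is case-insensitive.
DROPPED_BINARY = "helpme.exe"
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
ROOT_DROPPER = "autorun_inf.exe"
STARTUP_SHORTCUT = "soft.lnk"
DOC_EXTENSIONS = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".pages"}

def scan_inventory(entries):
    """Return (indicator, path) pairs for inventory entries matching the notes.
    Entries are dicts with 'path', 'hidden' and (for .lnk files) 'target';
    this shape is an assumed stand-in for a forensic file listing."""
    findings = []
    for entry in entries:
        path = PureWindowsPath(entry["path"])
        lower = str(path).lower()
        name = path.name.lower()
        parent = str(path.parent).lower()
        # HelpMe.exe dropped into System32 or SysWOW64
        if name == DROPPED_BINARY and parent in SYSTEM_DIRS:
            findings.append(("helpme_in_system_dir", entry["path"]))
        # AUTORUN_INF.exe written directly to the drive root
        if name == ROOT_DROPPER and path.parent == PureWindowsPath(path.anchor):
            findings.append(("dropper_at_drive_root", entry["path"]))
        # Startup shortcut renamed to "Soft" that launches HelpMe.exe
        target = PureWindowsPath(entry.get("target", "")).name.lower()
        if (name == STARTUP_SHORTCUT and "\\programs\\startup\\" in lower
                and target == DROPPED_BINARY):
            findings.append(("startup_shortcut_to_helpme", entry["path"]))
        # Hidden document files parked under the Recycle Bin
        if (entry.get("hidden") and path.suffix.lower() in DOC_EXTENSIONS
                and ("$recycle.bin" in lower or "\\recycler\\" in lower)):
            findings.append(("hidden_document_in_recycle_bin", entry["path"]))
    return findings

# Constructed sample inventory (not real host data) for a stand-alone run.
SAMPLE_INVENTORY = [
    {"path": r"C:\Windows\System32\HelpMe.exe", "hidden": False},
    {"path": r"C:\Windows\SysWOW64\HelpMe.exe", "hidden": False},
    {"path": r"C:\AUTORUN_INF.exe", "hidden": True},
    {"path": r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk",
     "hidden": False, "target": r"C:\Windows\System32\HelpMe.exe"},
    {"path": r"C:\$Recycle.Bin\S-1-5-21-1\report.docx", "hidden": True},
    {"path": r"C:\Windows\System32\notepad.exe", "hidden": False},  # benign
]

if __name__ == "__main__":
    for indicator, hit in scan_inventory(SAMPLE_INVENTORY):
        print(f"{indicator}: {hit}")
```

Because the notes say HelpMe.exe moves between System32 and SysWOW64, both directories are checked so a single snapshot catches it wherever it currently sits.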