Tepfer.VM
is an infostealer that usually spreads via spam emails with malicious attachments. Upon execution it mines the victim machine for vital information, then downloads and executes different trojan variants on the victim machine.
Process Related Changes
It creates the following mutex(es):
- c:!documents and settings!admin!local settings!temporary internet files!content.ie5!"
- ZonesLockedCacheCounterMutex"
- c:!documents and settings!admin!local settings!history!history.ie5!"
- WininetConnectionMutex"
- CTF.TMD.MutexDefaultS-1-5-21-1078081533-842925246-854245398-1003"
- CTF.TimListCache.FMPDefaultS-1-5-21-1078081533-842925246-854245398-1003MUTEX.DefaultS-1-5-21-1078081533-842925246-854245398-1003"
- CTF.Compart.MutexDefaultS-1-5-21-1078081533-842925246-854245398-1003"
- ZoneAttributeCacheCounterMutex"
- ZonesCacheCounterMutex"
- ZonesCounterMutex"
- CTF.Layouts.MutexDefaultS-1-5-21-1078081533-842925246-854245398-1003"
- CTF.Asm.MutexDefaultS-1-5-21-1078081533-842925246-854245398-1003"
- CTF.LBES.MutexDefaultS-1-5-21-1078081533-842925246-854245398-1003"
- c:!documents and settings!admin!cookies!"
It creates the following process(es):
- C:\DOCUME1\Admin\LOCALS1\Temp\mp3updater.exe
- C:\WINDOWS\Temp\d1ca2dc1b6d1c8b32665fcfa36be810b.exe [ \c:\windows\temp\d1ca2dc1b6d1c8b32665fcfa36be810b.exe ]
Network Activity
We observed the following DNS query/queries:
- thelabelnashville.com
- yellowdevilgear.com