Goldun.RR drops the following files:
• C:\WINDOWS\system32\cabpck.dll
• C:\WINDOWS\system32\krnlcab.sys
The file called cabpck.dll is detected as Trojan-Spy.Win32.Goldun.axn.
The file called krnlcab.sys is detected as Trojan-Spy.Win32.Goldun.axr.
The main file creates the following process and then terminates itself:
• C:\WINDOWS\system32\rundll32.exe cabpck.dll,cabpck
Network Communications
Goldun.RR attempts to connect to:
• social-bos.biz/jerken/data.php?trackid=706[...]
Registry
It creates a launch point using a Winlogon Notify event handler:
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cabpck
DllName = cabpck.dll
Startup = cabpck
Impersonate = 00000001
Asynchronous = 00000001
MaxWait = 00000001
a950 = [2E09BF121A42171A6]
Goldun.RR registers itself as a service:
• HKLM\System\CurrentControlSet\Services\krnlcab
Type = 00000001
Start = 00000001
ErrorControl = 00000000
ImagePath = system32\krnlcab.sys
DisplayName = Cabinet Kernel Packer
• HKLM\System\CurrentControlSet\Services\krnlcab\Security
Security = \x01\x00\x14\x80\x90\x00\x00\x00\x9C\x00\x00\[...]
It creates this entry so that the driver is also loaded in Safe Mode:
• HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\krnlcab.sys
(default) = Driver
It adds rundll32.exe to the Windows Firewall authorized applications list so that its connection bypasses the firewall:
• HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\
C:\WINDOWS\system32\rundll32.exe = C:\WINDOWS\system32\rundll32.exe:*:Enabled:rundll32
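As an added example (not part of this description), the following Python script parses a `.reg` export and flags the four registry artifacts listed above: a Winlogon Notify package whose DLL is not in a baseline, a kernel driver service loaded from outside `system32\drivers`, a `SafeBoot\Minimal` entry that keeps that driver alive in Safe Mode, and a firewall exception granted wholesale to a generic host process such as rundll32.exe. The embedded export is constructed from the values on this page plus one benign Notify package; the allowlist of stock Notify DLLs and the host-process list are assumptions that should be replaced with a baseline captured from a known-clean image.

```python
"""Hunt a .reg export for the Goldun.RR persistence artifacts (added example)."""
import re
from collections import defaultdict

# Constructed .reg-style export: the artifacts from this description plus a
# benign Winlogon Notify package (crypt32chain) so the allowlist has a pass case.
SAMPLE_REG = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"="crypt32.dll"
"Asynchronous"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cabpck]
"DllName"="cabpck.dll"
"Startup"="cabpck"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
"MaxWait"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\krnlcab]
"Type"=dword:00000001
"Start"=dword:00000001
"ErrorControl"=dword:00000000
"ImagePath"="system32\\krnlcab.sys"
"DisplayName"="Cabinet Kernel Packer"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\krnlcab.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\rundll32.exe"="C:\\WINDOWS\\system32\\rundll32.exe:*:Enabled:rundll32"
"""

HKLM = "HKEY_LOCAL_MACHINE"
NOTIFY_PREFIX = HKLM + "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\"
SERVICES_PREFIX = HKLM + "\\SYSTEM\\CurrentControlSet\\Services\\"
SAFEBOOT_PREFIX = HKLM + "\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Minimal\\"
FIREWALL_SUFFIX = "\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile\\AuthorizedApplications\\List"

# Assumed baseline of Notify DLLs shipped with Windows XP; replace with an
# allowlist captured from a clean build of your own image.
KNOWN_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "scecli.dll", "sclgntfy.dll", "wlnotify.dll"}
# Generic host processes that should never be authorized wholesale in the firewall (assumption).
HOST_PROCESSES = {"rundll32.exe", "svchost.exe", "regsvr32.exe"}

VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: value}}; dwords become ints."""
    keys = defaultdict(dict)
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current]  # register the key even if it carries no values
            continue
        m = VALUE_RE.match(line)
        if not m or current is None:
            continue
        name = "(default)" if m.group(1) == "@" else m.group(1)[1:-1].replace("\\\\", "\\")
        raw = m.group(2)
        if raw.startswith('"') and raw.endswith('"'):
            value = raw[1:-1].replace("\\\\", "\\").replace('\\"', '"')
        elif raw.startswith("dword:"):
            value = int(raw[6:], 16)
        else:
            value = raw  # hex(...) blobs etc. are kept verbatim
        keys[current][name] = value
    return keys


def hunt(keys):
    """Return (rule, subject, detail) findings for the persistence artifacts."""
    findings = []
    flagged_drivers = set()
    for path, values in keys.items():
        low = path.lower()
        if low.startswith(NOTIFY_PREFIX.lower()):
            # Winlogon Notify package whose DLL is not in the baseline.
            dll = str(values.get("DllName", "")).lower()
            if dll not in KNOWN_NOTIFY_DLLS:
                findings.append(("winlogon_notify", path.rsplit("\\", 1)[1], dll))
        elif low.startswith(SERVICES_PREFIX.lower()) and low.count("\\") == SERVICES_PREFIX.count("\\"):
            # Kernel driver (Type 1) whose image is not under system32\drivers.
            image = str(values.get("ImagePath", "")).lower()
            if values.get("Type") == 1 and "\\drivers\\" not in image:
                name = path.rsplit("\\", 1)[1]
                flagged_drivers.add(name.lower())
                findings.append(("driver_outside_drivers_dir", name, image))
        elif low.endswith(FIREWALL_SUFFIX.lower()):
            # Firewall exception for a generic host process (any DLL it hosts inherits it).
            for app, rule in values.items():
                if app.lower().rsplit("\\", 1)[-1] in HOST_PROCESSES:
                    findings.append(("firewall_host_process", app, rule))
    for path, values in keys.items():
        # SafeBoot\Minimal entry that keeps a flagged driver loaded in Safe Mode.
        if path.lower().startswith(SAFEBOOT_PREFIX.lower()):
            entry = path.rsplit("\\", 1)[1]
            if entry.lower().rsplit(".", 1)[0] in flagged_drivers:
                findings.append(("safeboot_persistence", entry, values.get("(default)", "")))
    return findings


if __name__ == "__main__":
    for rule, subject, detail in hunt(parse_reg(SAMPLE_REG)):
        print(f"{rule:28} {subject} -> {detail}")
```

On a live host, feed the script the output of `reg export HKLM hklm.reg` instead of the constructed sample; the driver rule is a heuristic and will also surface legitimate drivers installed outside `system32\drivers`, so treat it as a triage lead rather than a verdict.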