.: Yakoza 3.6 :.

Released 14 years, 3 months ago. Jun 2008

By Ali Moazemi

Additional Details

  • From: Iran
  • Coded by: Ali Moazemi
  • Version: Yakoza 3.6
  • Released date: Jun 2008, 14 years, 3 months ago.
  • Family: Yakoza
  • Category: Information Stealer

MegaSecurity Notes

Server
Dropped Files:
c:\WINDOWS\winlogon.exe                          Size: 110,592 bytes 
c:\WINDOWS\PCHealth\UploadLB\Config\csrss.exe    Size: 71,881 bytes 
c:\WINDOWS\system\sys.exe                        Size: 32,768 bytes 
c:\WINDOWS\system\trdy.txt                       Size: 4 bytes 
c:\WINDOWS\system32\svchot.exe                   Size: 71,881 bytes 
c:\WINDOWS\system32\config\svchost.exe           Size: 32,768 bytes 
c:\WINDOWS\system32\drivers\etc\rundll32.exe     Size: 110,592 bytes 
c:\WINDOWS\system32\drivers\etc\setup.txt        Size: 159 bytes 
c:\WINDOWS\system32\Restore\up.exe               Size: 71,881 bytes 

Added to Registry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "SystemFile"
Data: winlogon.exe 
	
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\stud "ImagePath"
Data: %SystemRoot%\System32\config\svchost.exe /service 

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\stud "ImagePath"
Data: %SystemRoot%\System32\config\svchost.exe /service 



Tested on Windows XP
August 04, 2008

URL's and mails were automatically redacted (filtered) for reader's safety. However the filter is not perfect and can't find all harmful elements. If you find something dangerous including file link, website, mail address, profanity... contact me immediately at sub7crew@protonmail.com, thank you in advance.