Kaspersky_Lab_crouching_yeti_appendixes_eng_final
Size: 251392
Compiled: Fri, 16 May 2014 08:42:28 UTC
SHA-256: 6aca45bb78452cd78386b8fa78dbdf2dda7fba6cc06482251e2a6820849c9e82
Size: 251392
Compiled: Fri, 16 May 2014 08:42:28 UTC
Detailed analysis
All currently known samples are identical in code and differ only in the content of the resource.
Code flow:
• Decrypt config
The config consists of an RSA ID (29 bytes) and an RSA key (1024 bit) and is stored inside resource TYU 0215 (bzip compressed and XORed with “1312312”).
29<br />
39ee448cf196304cfe9c6b1c2e436<br />
344<br />
AATFfxXmUZl/j8JBAwHkk8BcwTIKDcex+0GQp/V9EX4nt64NGsGsTXFhuorwjKCRt6Av3v+hB+gT9mAP9kqY<br />
3TnN1x+MUHaoib1dw8SG9mW5YL+JNu3Kwud/bYGu916U/EGh8PFGruVE2PHXD8EII710gKm00lyi5+Ehjn5C<br />
SLLPKwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA<br />
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA<br />
AAAAAQAB<br />
• Create lock file in %TEMP%\{rand}.tmp (empty)
• Create debug log in %TEMP%\{rand}.tmp.dat
Programm was started at %02i:%02i:%02i
%02i:%02i:%02i.%04i:
**************************************************************************
Start finging of LAN hosts...
Finding was fault. Unexpective error
Was found %i hosts in LAN:
Hosts was’t found.
Start finging of OPC Servers...
Was found %i OPC Servers.
%i) [\]
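The "Decrypt config" step above, as an added analyst-side example (not code from the report or from the sample): it removes the XOR and bzip2 layers from an extracted resource and splits the result into the RSA ID and the RSA key. The layer order and the "decimal length line, then value" layout are assumptions inferred from the config dump; the function names and the sample input are constructed for illustration.

```python
import base64
import bz2

XOR_KEY = b"1312312"  # XOR string quoted in the report


def xor(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """Repeating-key XOR; the same call encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_resource(blob: bytes) -> bytes:
    """Undo the bzip2 and XOR layers. The report does not say which layer
    is outermost, so the bzip2 magic 'BZh' is used to pick the order."""
    if xor(blob[:3]) == b"BZh":      # XOR applied after compression
        return bz2.decompress(xor(blob))
    if blob[:3] == b"BZh":           # XOR applied before compression
        return xor(bz2.decompress(blob))
    raise ValueError("no bzip2 header under either layer order")


def read_field(buf: bytes, pos: int):
    """Read one '<decimal length>' line plus its value (assumed layout)."""
    eol = buf.index(b"\n", pos)
    length = int(buf[pos:eol])
    value = buf[eol + 1:eol + 1 + length]
    if len(value) != length:
        raise ValueError("field shorter than its declared length")
    pos = eol + 1 + length
    while buf[pos:pos + 1] in (b"\r", b"\n"):   # skip the line break
        pos += 1
    return value, pos


def parse_config(plain: bytes) -> dict:
    rsa_id, pos = read_field(plain, 0)
    key_b64, _ = read_field(plain, pos)
    return {"rsa_id": rsa_id.decode("ascii"),
            "rsa_key": base64.b64decode(key_b64, validate=True)}


# Constructed sample, not values from the report: 29-char ID, dummy key.
SAMPLE_ID = b"0123456789abcdef0123456789abc"
SAMPLE_KEY = bytes(range(96))
SAMPLE_B64 = base64.b64encode(SAMPLE_KEY)
SAMPLE_PLAIN = b"%d\n%s\n%d\n%s\n" % (len(SAMPLE_ID), SAMPLE_ID,
                                     len(SAMPLE_B64), SAMPLE_B64)
SAMPLE_RESOURCE = xor(bz2.compress(SAMPLE_PLAIN))
```

Calling `parse_config(decode_resource(SAMPLE_RESOURCE))` returns the constructed ID and the 96-byte dummy key; a resource with no bzip2 header under either order raises `ValueError` rather than yielding a partial config.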
TLP: Green<br />
For any inquiries, please contact intelreports@kaspersky.com