Technical Information
To ensure autorun and distribution:
Creates the following services:
- [<HKLM>\SYSTEM\ControlSet001\Services\hardlock] 'Start' = '00000002'
- [<HKLM>\SYSTEM\ControlSet001\Services\hardlock] 'ImagePath' = '<DRIVERS>\hardlock.sys'
- [<HKLM>\SYSTEM\ControlSet001\Services\aksfridge] 'Start' = '00000002'
- [<HKLM>\SYSTEM\ControlSet001\Services\aksfridge] 'ImagePath' = '<DRIVERS>\aksfridge.sys'
- [<HKLM>\SYSTEM\ControlSet001\Services\hasplms] 'Start' = '00000002'
- [<HKLM>\SYSTEM\ControlSet001\Services\hasplms] 'ImagePath' = '<SYSTEM32>\hasplms.exe -run'
Malicious functions:
To bypass firewall, removes or modifies the following registry keys:
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '<SYSTEM32>\hasplms.exe' = '<SYSTEM32>\hasplms.exe:*:Enabled:Sentinel L...
Executes the following:
- '<SYSTEM32>\netsh.exe' firewall add allowedprogram program=<SYSTEM32>\hasplms.exe "Sentinel License Manager" ENABLE ALL
Modifies file system:
Creates the following files:
- %TEMP%\RarSFX0\haspdinst_maticad.exe
- <SYSTEM32>\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\oem4.CAT
- %WINDIR%\inf\oem4.inf
- %WINDIR%\inf\oem4.PNF
- <SYSTEM32>\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\oem5.CAT
- %WINDIR%\inf\oem5.inf
- %WINDIR%\inf\oem5.PNF
- <DRIVERS>\hardlock.sys
- %WINDIR%\Temp\hlktmp
- <DRIVERS>\aksfridge.sys
- <SYSTEM32>\hasplmv.exe
- <SYSTEM32>\aksllmtp.exe
- <SYSTEM32>\hasplms.exe
- %CommonProgramFiles%\Aladdin Shared\HASP\lmid\SSQWwG6WDK7AH0ku6fb6YSNM04GKagpdeVdSvecA.id
- %ALLUSERSPROFILE%\Application Data\SafeNet Sentinel\Sentinel LDK\7a98f103-afa1-0d7c-f8c6-427f01802a07\.434e4631\.hfhjbdja
- %CommonProgramFiles%\Aladdin Shared\HASP\lic_names.dat
- %ALLUSERSPROFILE%\Application Data\SafeNet Sentinel\Sentinel LDK\7a98f103-afa1-0d7c-f8c6-427f01802a07\.434e4631\.e68glf7k
- %ALLUSERSPROFILE%\Application Data\SafeNet Sentinel\Sentinel LDK\7a98f103-afa1-0d7c-f8c6-427f01802a07\.434e4631\.hlhf96e9
- <SYSTEM32>\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\oem6.CAT
- %WINDIR%\inf\oem6.inf
- %WINDIR%\inf\oem6.PNF
- %TEMP%\app_maticad.v2c
- %CommonProgramFiles%\Aladdin Shared\HASP\haspvlib_95930.dll1
- %ALLUSERSPROFILE%\Application Data\SafeNet Sentinel\Sentinel LDK\3a472d98-ab75-04bf-c5af-d867eaba3c9b\.544f4b4e
- %ALLUSERSPROFILE%\Application Data\SafeNet Sentinel\Sentinel LDK\3a472d98-ab75-04bf-c5af-d867eaba3c9b\.434e4631\.hfhjbdja
- %ALLUSERSPROFILE%\Application Data\SafeNet Sentinel\Sentinel LDK\3a472d98-ab75-04bf-c5af-d867eaba3c9b\.434e4631\.e68glf7k
- %ALLUSERSPROFILE%\Application Data\SafeNet Sentinel\Sentinel LDK\3a472d98-ab75-04bf-c5af-d867eaba3c9b\.434e4631\.hlhf96e9
- %TEMP%\EMSUrl.properties
- %CommonProgramFiles%\SafeNet Sentinel\Sentinel LDK\installed\95930\1074227232892212438_provisional.v2c
- %WINDIR%\inf\oem3.PNF
- %ALLUSERSPROFILE%\Application Data\SafeNet Sentinel\Sentinel LDK\7a98f103-afa1-0d7c-f8c6-427f01802a07\.544f4b4e
- %WINDIR%\inf\oem3.inf
- <SYSTEM32>\Setup\aladdin\hasphl\akshhl.inf
- %TEMP%\haspds_windows.dll
- %WINDIR%\aksdrvsetup.log
- %TEMP%\srm.cab
- %TEMP%\hasp_windows.dll
- %TEMP%\haspdinst_x64.exe
- %TEMP%\hhl01.cab
- %TEMP%\0pdc.txt
- <SYSTEM32>\Setup\aladdin\hasphl\aksclass.sys
- <SYSTEM32>\Setup\aladdin\hasphl\aksfridge.sys
- <SYSTEM32>\Setup\aladdin\hasphl\akshasp.cat
- <SYSTEM32>\Setup\aladdin\hasphl\akshasp.inf
- <SYSTEM32>\Setup\aladdin\hasphl\akshasp.sys
- <SYSTEM32>\Setup\aladdin\hasphl\akshhl.cat
- <SYSTEM32>\Setup\aladdin\hasphl\akshhl.sys
- <SYSTEM32>\hlvdd.dll
- <SYSTEM32>\Setup\aladdin\hasphl\akshhl32.dll
- <SYSTEM32>\Setup\aladdin\hasphl\akshsp53.dll
- <SYSTEM32>\Setup\aladdin\akspccard.cat
- <SYSTEM32>\Setup\aladdin\akspccard.inf
- <SYSTEM32>\Setup\aladdin\akspccard.sys
- <SYSTEM32>\Setup\aladdin\hasphl\aksusb.cat
- <SYSTEM32>\Setup\aladdin\hasphl\aksusb.inf
- <SYSTEM32>\Setup\aladdin\hasphl\aksusb.sys
- <SYSTEM32>\Setup\aladdin\hasphl\aksusb5.dll
- <SYSTEM32>\Setup\aladdin\hasphl\hardlock.sys
- <SYSTEM32>\Setup\aladdin\hasphl\hasplms.exe
- <SYSTEM32>\Setup\aladdin\hasphl\hasplmv.exe
- <SYSTEM32>\Setup\aladdin\hlvdd.dll
- <SYSTEM32>\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\oem3.CAT
- %CommonProgramFiles%\Aladdin Shared\HASP\hasplm.ini
Sets the 'hidden' attribute to the following files:
- <SYSTEM32>\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\oem3.CAT
- <SYSTEM32>\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\oem4.CAT
- <SYSTEM32>\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\oem5.CAT
- <SYSTEM32>\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\oem6.CAT
Deletes the following files:
- %TEMP%\0pdc.txt
- %TEMP%\app_maticad.v2c
- %TEMP%\EMSUrl.properties
- %TEMP%\hhl01.cab
- %TEMP%\srm.cab
- %TEMP%\haspdinst_x64.exe
- %TEMP%\hasp_windows.dll
Moves the following files:
- from %CommonProgramFiles%\Aladdin Shared\HASP\haspvlib_95930.dll1 to %CommonProgramFiles%\Aladdin Shared\HASP\haspvlib_95930.dll
Network activity:
Connects to:
- 'localhost':1947
UDP:
- '25#.#55.255.255':1947
- '<LOCALNET>.0.255':1947
- 'localhost':1039
- 'localhost':1040
Miscellaneous:
Searches for the following windows:
- ClassName: 'EDIT' WindowName: ''
Creates and executes the following:
- '%TEMP%\RarSFX0\haspdinst_maticad.exe' -i
- '<SYSTEM32>\hasplms.exe' -run
- '<SYSTEM32>\hasplmv.exe' 37515
- '<SYSTEM32>\hasplmv.exe' 95930
