Technical Information
To ensure autorun and distribution
Creates the following services
- [<HKLM>\System\CurrentControlSet\Services\lmhosts] 'Start' = '00000002'
- [<HKLM>\System\CurrentControlSet\Services\RpcLocator] 'Start' = '00000002'
- [<HKLM>\System\CurrentControlSet\Services\LanmanServer] 'Start' = '00000002'
Malicious functions
Executes the following
- '%WINDIR%\syswow64\net.exe' stop SharedAccess
Searches for windows to
detect analytical utilities:
- ClassName: 'OLLYDBG', WindowName: ''
Modifies file system
Creates the following files
- <LS_APPDATA>\microsoft\windows\<INETFILES>\content.ie5\caasbycl\navcancl[1]
- <LS_APPDATA>\microsoft\windows\<INETFILES>\content.ie5\re1n75kr\errorpagetemplate[1]
- <LS_APPDATA>\microsoft\windows\<INETFILES>\content.ie5\0u8lpyu9\errorpagestrings[1]
- <LS_APPDATA>\microsoft\windows\<INETFILES>\content.ie5\caasbycl\httperrorpagesscripts[1]
- <LS_APPDATA>\microsoft\windows\<INETFILES>\content.ie5\bzjx5bke\background_gradient[2]
- <LS_APPDATA>\microsoft\windows\<INETFILES>\content.ie5\bzjx5bke\info_48[1]
- <LS_APPDATA>\microsoft\windows\<INETFILES>\content.ie5\0u8lpyu9\bullet[1]
- <LS_APPDATA>\microsoft\windows\<INETFILES>\content.ie5\caasbycl\navcancl[2]
- <LS_APPDATA>\microsoft\windows\<INETFILES>\content.ie5\caasbycl\errorpagetemplate[1]
- <LS_APPDATA>\microsoft\windows\<INETFILES>\content.ie5\re1n75kr\errorpagestrings[1]
- <LS_APPDATA>\microsoft\windows\<INETFILES>\content.ie5\0u8lpyu9\httperrorpagesscripts[1]
- <LS_APPDATA>\microsoft\windows\<INETFILES>\content.ie5\caasbycl\background_gradient[1]
- <LS_APPDATA>\microsoft\windows\<INETFILES>\content.ie5\bzjx5bke\info_48[2]
- <LS_APPDATA>\microsoft\windows\<INETFILES>\content.ie5\bzjx5bke\bullet[1]
Deletes the following files
- <LS_APPDATA>\microsoft\windows\<INETFILES>\content.ie5\caasbycl\navcancl[1]
- <LS_APPDATA>\microsoft\windows\<INETFILES>\content.ie5\re1n75kr\errorpagetemplate[1]
- <LS_APPDATA>\microsoft\windows\<INETFILES>\content.ie5\0u8lpyu9\errorpagestrings[1]
- <LS_APPDATA>\microsoft\windows\<INETFILES>\content.ie5\caasbycl\httperrorpagesscripts[1]
- <LS_APPDATA>\microsoft\windows\<INETFILES>\content.ie5\bzjx5bke\background_gradient[2]
- <LS_APPDATA>\microsoft\windows\<INETFILES>\content.ie5\bzjx5bke\info_48[1]
- <LS_APPDATA>\microsoft\windows\<INETFILES>\content.ie5\0u8lpyu9\bullet[1]
Network activity
UDP
- DNS ASK ly##av.cn
- DNS ASK lo####n.ccav2.cn
Miscellaneous
Searches for the following windows
- ClassName: '' WindowName: 'Microsoft Internet Explorer'
- ClassName: 'MS_AutodialMonitor' WindowName: ''
- ClassName: 'MS_WebCheckMonitor' WindowName: ''
Creates and executes the following
- '%WINDIR%\syswow64\net.exe' start LmHosts' (with hidden window)
- '%WINDIR%\syswow64\net.exe' start RpcLocator' (with hidden window)
- '%WINDIR%\syswow64\net.exe' start NtlmSsp' (with hidden window)
- '%WINDIR%\syswow64\net.exe' start lanmanserver' (with hidden window)
- '%WINDIR%\syswow64\net.exe' stop SharedAccess' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' config LmHosts start= auto' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' config RpcLocator start= auto' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' config NtlmSsp start= auto' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' config lanmanserver start= auto' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' config SharedAccess start= disabled' (with hidden window)
Executes the following
- '%WINDIR%\syswow64\net.exe' start LmHosts
- '%WINDIR%\syswow64\net1.exe' start LmHosts
- '%WINDIR%\syswow64\net.exe' start RpcLocator
- '%WINDIR%\syswow64\net1.exe' start RpcLocator
- '<SYSTEM32>\locator.exe'
- '%WINDIR%\syswow64\net.exe' start NtlmSsp
- '%WINDIR%\syswow64\net1.exe' start NtlmSsp
- '%WINDIR%\syswow64\net.exe' start lanmanserver
- '%WINDIR%\syswow64\net1.exe' start lanmanserver
- '%WINDIR%\syswow64\net1.exe' stop SharedAccess
- '%WINDIR%\syswow64\sc.exe' config LmHosts start= auto
- '%WINDIR%\syswow64\sc.exe' config RpcLocator start= auto
- '%WINDIR%\syswow64\sc.exe' config NtlmSsp start= auto
- '%WINDIR%\syswow64\sc.exe' config lanmanserver start= auto
- '%WINDIR%\syswow64\sc.exe' config SharedAccess start= disabled
