Technical Information
Malicious functions
Executes the following
- '<SYSTEM32>\taskkill.exe' /F /IM cmd.exe
Terminates or attempts to terminate
the following system processes:
- <SYSTEM32>\cmd.exe
Modifies file system
Creates the following files
- %TEMP%\77f1.tmp\7801.bat
- %TEMP%\5198.tmp\findhash64.exe
- %TEMP%\5198.tmp\51a8.bat
- <Current directory>\update64.exe
- <Current directory>\update32.exe
- %TEMP%\updateup.bat
- %TEMP%\update64.exe
- %TEMP%\update32.exe
- %TEMP%\77f1.tmp\updating current tool......#
- %TEMP%\77f1.tmp\current update tool version is not latest.#
- %TEMP%\77f1.tmp\checking current update tool version......#
- %TEMP%\77f1.tmp\the latest versions is as below.#
- %TEMP%\5198.tmp\findhash32.exe
- %TEMP%\ver.txt
- %TEMP%\77f1.tmp\download config file from server......#
- nul
- %TEMP%\sertestlog3.txt
- %TEMP%\sertestlog2.txt
- %TEMP%\i641.exe
- %TEMP%\sertestlog1.txt
- %TEMP%\77f1.tmp\testing the speed of server......#
- %TEMP%\currentdir.txt
- %TEMP%\77f1.tmp\findhash32.exe
- %TEMP%\77f1.tmp\wget.exe
- %TEMP%\77f1.tmp\findhash64.exe
- %TEMP%\desc_hdi_pn.txt
- %TEMP%\5198.tmp\wget.exe
Deletes the following files
- %TEMP%\77f1.tmp\testing the speed of server......#
- %TEMP%\5198.tmp\findhash32.exe
- %TEMP%\5198.tmp\findhash64.exe
- %TEMP%\update64.exe
- %TEMP%\update32.exe
- %TEMP%\77f1.tmp\7801.bat
- %TEMP%\77f1.tmp\findhash32.exe
- %TEMP%\77f1.tmp\wget.exe
- %TEMP%\77f1.tmp\findhash64.exe
- %TEMP%\77f1.tmp\updating current tool......#
- %TEMP%\77f1.tmp\current update tool version is not latest.#
- %TEMP%\77f1.tmp\checking current update tool version......#
- %TEMP%\77f1.tmp\the latest versions is as below.#
- %TEMP%\77f1.tmp\download config file from server......#
- %TEMP%\sertestlog2.txt
- %TEMP%\sertestlog1.txt
- %TEMP%\5198.tmp\wget.exe
- %TEMP%\5198.tmp\51a8.bat
Moves the following files
- from %TEMP%\i641.exe to %TEMP%\i64.exe
Deletes itself.
Network activity
TCP
- 'tw.##.getac.com':443
UDP
- DNS ASK tw.##.getac.com
- DNS ASK ps###.getac.com.cn
Miscellaneous
Searches for the following windows
- ClassName: '' WindowName: ''
Creates and executes the following
- '%TEMP%\77f1.tmp\wget.exe' --http-use=gtkservice --http-passwd=Gtk20171122 --no-check-certificate --tries=1 --output-file=%TEMP%\SerTestlog1.txt -O %TEMP%\I641.exe "https://tw.hd.getac.com/remote.php/webdav/Share/WinPE_H...
- '%TEMP%\77f1.tmp\wget.exe' --ftp-user=customer --ftp-password=123 --tries=1 --output-file=%TEMP%\SerTestlog2.txt -O %TEMP%\I642.exe "ftp://ps###.getac.com.cn/WinPE_HDD/I64.exe"
- '%TEMP%\77f1.tmp\wget.exe' --ftp-user=customer --ftp-password=123 --tries=1 --output-file=%TEMP%\SerTestlog3.txt -O %TEMP%\I643.exe "ftp://10.#3.33.29/WinPE_HDD/I64.exe"
- '%TEMP%\77f1.tmp\wget.exe' --http-use=gtkservice --http-passwd=Gtk20171122 --no-check-certificate --ftp-user=customer --ftp-password=123 --tries=1 -q -O %TEMP%\Desc_HDI_PN.txt "https://tw.hd.getac.com/remote.php/webdav/S...
- '%TEMP%\77f1.tmp\wget.exe' --http-use=gtkservice --http-passwd=Gtk20171122 --no-check-certificate --ftp-user=customer --ftp-password=123 --tries=1 -q -O %TEMP%\Ver.txt "https://tw.hd.getac.com/remote.php/webdav/Share/Win...
- '%TEMP%\77f1.tmp\wget.exe' --http-use=gtkservice --http-passwd=Gtk20171122 --no-check-certificate --ftp-user=customer --ftp-password=123 --tries=1 -q -O %TEMP%\Update32.exe "https://tw.hd.getac.com/remote.php/webdav/Shar...
- '%TEMP%\77f1.tmp\wget.exe' --http-use=gtkservice --http-passwd=Gtk20171122 --no-check-certificate --ftp-user=customer --ftp-password=123 --tries=1 -q -O %TEMP%\Update64.exe "https://tw.hd.getac.com/remote.php/webdav/Shar...
- '<Current directory>\update64.exe'
Executes the following
- '<SYSTEM32>\cmd.exe' /c "%TEMP%\77F1.tmp\7801.bat <Full path to file>"
- '<SYSTEM32>\findstr.exe' /a:0d .* "Updating Current Tool......#"*
- '<SYSTEM32>\findstr.exe' /a:0d .* "Current Update Tool Version is not latest.#"*
- '<SYSTEM32>\findstr.exe' /a:0f .* "Checking Current Update Tool Version......#"*
- '<SYSTEM32>\wbem\wmic.exe' DataFile Where Name="C:\\Users\\user\\AppData\\Local\\Temp\\I64.exe" Get Version/value
- '<SYSTEM32>\cmd.exe' /c Wmic DataFile Where Name="C:\\Users\\user\\AppData\\Local\\Temp\\I64.exe" Get Version/value
- '<SYSTEM32>\findstr.exe' /a:0f .* "The Latest Versions is as below.#"*
- '<SYSTEM32>\findstr.exe' /a:0f .* "Download config file from server......#"*
- '<SYSTEM32>\findstr.exe' "(*)" %TEMP%\SerTestlog3.txt
- '<SYSTEM32>\findstr.exe' "(*)" %TEMP%\SerTestlog2.txt
- '<SYSTEM32>\findstr.exe' "\."
- '<SYSTEM32>\cmd.exe' /S /D /c" echo 595 "
- '<SYSTEM32>\cmd.exe' /c echo 595 KB/s
- '<SYSTEM32>\cmd.exe' /c echo 1.1M
- '<SYSTEM32>\cmd.exe' /c findstr "(*)" %TEMP%\SerTestlog1.txt
- '<SYSTEM32>\findstr.exe' "(*)" %TEMP%\SerTestlog1.txt
- '<SYSTEM32>\findstr.exe' /a:0f .* "Testing the speed of server......#"*
- '<SYSTEM32>\wbem\wmic.exe' DataFile Where Name="C:\\jwdhmy\\<File name>.exe" Get Version/value
- '<SYSTEM32>\cmd.exe' /c Wmic DataFile Where Name="C:\\jwdhmy\\<File name>.exe" Get Version/value
- '<SYSTEM32>\wbem\wmic.exe' os Get OSArchitecture/value
- '<SYSTEM32>\cmd.exe' /c Wmic os Get OSArchitecture/value
- '<SYSTEM32>\mode.com' con cols=100 lines=32
- '<SYSTEM32>\cmd.exe' /K %TEMP%\UpdateUP.bat
- '<SYSTEM32>\cmd.exe' /c "%TEMP%\5198.tmp\51A8.bat <Current directory>\Update64.exe"
