Technical Information
To ensure autorun and distribution
Modifies the following registry keys
- [<HKLM>\SYSTEM\CurrentControlSet\Control\Print\Monitors\RunDllExe] 'Driver' = '%WINDIR%\Logs\RunDllExe.dll'
Creates the following services
- [<HKLM>\System\CurrentControlSet\Services\Spooler] 'Start' = '00000002'
- [<HKLM>\System\CurrentControlSet\Services\KuGouMusic] 'Start' = '00000002'
- [<HKLM>\System\CurrentControlSet\Services\KuGouMusic] 'ImagePath' = '%WINDIR%\Help\Winlogon.exe'
- [<HKLM>\System\CurrentControlSet\Services\PolicyAgent] 'Start' = '00000002'
Malicious functions
Injects code into
the following system processes:
- %WINDIR%\syswow64\svchost.exe
Modifies file system
Creates the following files
- <Current directory>\mssqls.exe
- <Current directory>\ms19_.exe
- %WINDIR%\cursors\wudfhosts.exe
- %WINDIR%\help\active_desktop_render.dll
- %WINDIR%\help\winlogon.exe
- <Current directory>\x64.exe
- <Current directory>\ms19.exe
- <Current directory>\ms18.exe
- <Current directory>\windows\system32\tapi3.dll
- %WINDIR%\help\active_desktop_render_new.dll
- <Current directory>\output.tlb
- <Current directory>\run.sct
- <Current directory>\ms17.exe
- %WINDIR%\logs\rundllexe_new
- %WINDIR%\logs\rundllexe_new.dll
- %WINDIR%\mpmgsvc.dll
- %WINDIR%\logs\rundllexe.dll
- %WINDIR%\logs\rundllexe
- %WINDIR%\logs\rundllexe.exe
- <Current directory>\aaaaaaaaaaaaaaaaaaaaaaaa
- %WINDIR%\syswow64\x64.exe
Deletes the following files
- %WINDIR%\logs\rundllexe_new.dll
- %WINDIR%\logs\rundllexe_new
- <Current directory>\windows\system32\tapi3.dll
- <Current directory>\run.sct
- <Current directory>\output.tlb
- <Current directory>\ms17.exe
- <Current directory>\ms18.exe
- <Current directory>\ms19.exe
- %WINDIR%\help\active_desktop_render.dll
Moves the following files
- from <Current directory>\x64.exe to %TEMP%\9876
Substitutes the following files
- %WINDIR%\logs\rundllexe_new.dll
- %WINDIR%\logs\rundllexe_new
- <Current directory>\x64.exe
- %WINDIR%\help\active_desktop_render.dll
Network activity
TCP
HTTP GET requests
- http://ms###.4i7i.com/MSSQL.exe
- http://wm#.#i7i.com/11.exe
- http://ms###.4i7i.com/MS19.exe
- http://22##h.com/Update.txt
UDP
- DNS ASK ms###.4i7i.com
- DNS ASK ss#.#i7i.com
- DNS ASK wm#.#i7i.com
- DNS ASK 22##h.com
- DNS ASK po##.#sa-138.com
Miscellaneous
Searches for the following windows
- ClassName: '' WindowName: 'DDEServerPoc'
- ClassName: '' WindowName: 'DDEClientPoc'
- ClassName: 'NDDEAgnt' WindowName: 'NetDDE Agent'
Creates and executes the following
- '<Current directory>\mssqls.exe'
- '<Current directory>\x64.exe'
- '%WINDIR%\cursors\wudfhosts.exe' -o stratum+tcp://pool.usa-138.com:80 -u 4B7yFmYw2qvEtWZDDnZVeY16HHpwTtuYBg6EMn5xdDbM3ggSEnQFDWDHH6cqdEYaPx4iQvAwLNu8NLc21QxDU84GGxZEY7S -p x
- '<Current directory>\ms19_.exe' DDEClient
- '<Current directory>\ms19_.exe'
- '%WINDIR%\logs\rundllexe.exe'
- '%WINDIR%\help\winlogon.exe'
- '<Current directory>\ms19_.exe' DDEServer
- '<Current directory>\ms18.exe' MSSQLS.exe
- '<Current directory>\ms17.exe' 1
- '<Current directory>\ms17.exe'
- '<Current directory>\ms19.exe' -l 6666 -p MSSQLS.exe -t *
- '%WINDIR%\syswow64\netsh.exe' ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP' (with hidden window)
- '%WINDIR%\syswow64\cacls.exe' %WINDIR%\Fonts\*.exe /e /d system' (with hidden window)
- '%WINDIR%\syswow64\netsh.exe' ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=UDP' (with hidden window)
- '%WINDIR%\syswow64\netsh.exe' ipsec static add rule name=Rule1 policy=Block filterlist=Filter1 filteraction=FilteraAtion1' (with hidden window)
- '%WINDIR%\syswow64\netsh.exe' ipsec static add filteraction name=FilteraAtion1 action=block' (with hidden window)
- '%WINDIR%\syswow64\netsh.exe' ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=UDP' (with hidden window)
- '%WINDIR%\syswow64\netsh.exe' ipsec static set policy name=Block assign=y' (with hidden window)
- '<Current directory>\x64.exe' ' (with hidden window)
- '%WINDIR%\syswow64\netsh.exe' ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP' (with hidden window)
- '%WINDIR%\cursors\wudfhosts.exe' -o stratum+tcp://pool.usa-138.com:80 -u 4B7yFmYw2qvEtWZDDnZVeY16HHpwTtuYBg6EMn5xdDbM3ggSEnQFDWDHH6cqdEYaPx4iQvAwLNu8NLc21QxDU84GGxZEY7S -p x' (with hidden window)
- '%WINDIR%\syswow64\netsh.exe' ipsec static add filterlist name=Filter1' (with hidden window)
- '%WINDIR%\syswow64\netsh.exe' ipsec static add policy name=Block' (with hidden window)
- '%WINDIR%\syswow64\netsh.exe' ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP' (with hidden window)
- '%WINDIR%\syswow64\netsh.exe' ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=UDP' (with hidden window)
- '<Current directory>\mssqls.exe' ' (with hidden window)
- '%WINDIR%\syswow64\werfault.exe' -u -p 2192 -s 212' (with hidden window)
Executes the following
- '%WINDIR%\syswow64\svchost.exe'
- '%WINDIR%\syswow64\cacls.exe' %WINDIR%\Fonts\*.exe /e /d system
- '<SYSTEM32>\rundll32.exe' <SYSTEM32>\FirewallControlPanel.dll,ShowNotificationDialog /configure /ETOnly 0 /OnProfiles 6 /OtherAllowed 0 /OtherBlocked 0 /OtherEdgeAllowed 0 /NewBlocked 4 "<Current directory>\ms19.exe"
- '%WINDIR%\syswow64\netsh.exe' ipsec static add policy name=Block
- '%WINDIR%\syswow64\netsh.exe' ipsec static add filterlist name=Filter1
- '%WINDIR%\syswow64\netsh.exe' ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP
- '%WINDIR%\syswow64\netsh.exe' ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=UDP
- '%WINDIR%\syswow64\netsh.exe' ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP
- '%WINDIR%\syswow64\netsh.exe' ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=UDP
- '%WINDIR%\syswow64\netsh.exe' ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP
- '%WINDIR%\syswow64\netsh.exe' ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=UDP
- '%WINDIR%\syswow64\netsh.exe' ipsec static add filteraction name=FilteraAtion1 action=block
- '%WINDIR%\syswow64\netsh.exe' ipsec static add rule name=Rule1 policy=Block filterlist=Filter1 filteraction=FilteraAtion1
- '%WINDIR%\syswow64\netsh.exe' ipsec static set policy name=Block assign=y
