Technical Information
To ensure autorun and distribution
Modifies the following registry keys
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Explorers' = '%WINDIR%\explorer.exe /root <SYSTEM32>\rundll32.exe ..\windows\system32\user32.dll.ShellExecute(%s), D:\System_VoIume_lnfor...
- [<HKCU>\Software\Classes\exefiles\shell\open\command] '' = '"D:\System_VoIume_lnformation\Jnt\mygymeuaq\explorers.exe" rts "%1"'
Modifies file system
Creates the following files
- C:\files .exe
- C:\show hidden files.bat
- D:\files .exe
- D:\show hidden files.bat
- D:\sefera\jnt\dolab\svcnost.exe
- D:\sefera\jnt\dolab\svcnosts.exe
- D:\sefera\jnt\dolab\gotera.bmp
- D:\system_voiume_lnformation\jnt\mygymeuaq\explorers.exe
- D:\system_voiume_lnformation\jnt\mygymeuaq\gotera.bmp
- D:\system_voiume_lnformation\jnt\mygymeuaq\bmz\explorer.exeВќ
- D:\sefera\desktop.ini
- D:\sefera\jnt\dolab\desktop.ini
Sets the 'hidden' attribute to the following files
- D:\sefera\desktop.ini
- D:\sefera\jnt\dolab\desktop.ini
Network activity
TCP
- 'cl######rch.firebaseapp.com':443
UDP
- DNS ASK cl######rch.firebaseapp.com
Miscellaneous
Creates and executes the following
- 'D:\sefera\jnt\dolab\svcnost.exe' nm
- 'D:\sefera\jnt\dolab\svcnosts.exe' fdrg
- '<SYSTEM32>\cmd.exe' /c cacls D:\System_VoIume_lnformation\Jnt\mygymeuaq\..\.. /d user /e' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c cacls D:\System_VoIume_lnformation\Jnt\mygymeuaq\..\.. /d everyone /e' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c cacls D:\System_VoIume_lnformation\Jnt\mygymeuaq\..\.. /d administrators /e' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c cacls D:\sefera\Jnt\dolab\..\.. /d user /e' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c cacls D:\sefera\Jnt\dolab\..\.. /d everyone /e' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c cacls D:\sefera\Jnt\dolab\..\.. /d administrators /e' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c attrib D:\System_VoIume_lnformation\Jnt\mygymeuaq\..\.. +r +s +h' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c attrib D:\sefera\Jnt\dolab\desktop.ini +s +h' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c attrib D:\sefera\Jnt\dolab\..\..\desktop.ini +s +h' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c attrib D:\sefera\Jnt\dolab\..\.. +r +s +h' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c cacls n:\System_VoIume_lnformation\Jnt\null\..\.. /r user /e /t' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c cacls n:\System_VoIume_lnformation\Jnt\null\..\.. /r administrators /e /t' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c cacls n:\System_VoIume_lnformation\Jnt\null\..\.. /g everyone:f /e /t' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c cacls n:\sefera\Jnt\null\..\.. /r user /e /t' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c cacls n:\sefera\Jnt\null\..\.. /r administrators /e /t' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c attrib D:\sefera\Jnt\dolab +r +s +h' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c cacls n:\sefera\Jnt\null\..\.. /g everyone:f /e /t' (with hidden window)
Executes the following
- '%WINDIR%\explorer.exe' <Full path to file>\..
- '<SYSTEM32>\cmd.exe' /c attrib D:\sefera\Jnt\dolab\desktop.ini +s +h
- '<SYSTEM32>\attrib.exe' D:\sefera\Jnt\dolab\desktop.ini +s +h
- '<SYSTEM32>\cmd.exe' /c attrib D:\System_VoIume_lnformation\Jnt\mygymeuaq\..\.. +r +s +h
- '<SYSTEM32>\attrib.exe' D:\System_VoIume_lnformation\Jnt\mygymeuaq\..\.. +r +s +h
- '<SYSTEM32>\cmd.exe' /c cacls D:\sefera\Jnt\dolab\..\.. /d administrators /e
- '<SYSTEM32>\cacls.exe' D:\sefera\Jnt\dolab\..\.. /d administrators /e
- '<SYSTEM32>\cacls.exe' D:\sefera\Jnt\dolab\..\.. /d everyone /e
- '<SYSTEM32>\cmd.exe' /c cacls D:\System_VoIume_lnformation\Jnt\mygymeuaq\..\.. /d user /e
- '<SYSTEM32>\cmd.exe' /c cacls D:\sefera\Jnt\dolab\..\.. /d user /e
- '<SYSTEM32>\cacls.exe' D:\sefera\Jnt\dolab\..\.. /d user /e
- '<SYSTEM32>\cmd.exe' /c cacls D:\System_VoIume_lnformation\Jnt\mygymeuaq\..\.. /d administrators /e
- '<SYSTEM32>\cacls.exe' D:\System_VoIume_lnformation\Jnt\mygymeuaq\..\.. /d administrators /e
- '<SYSTEM32>\cmd.exe' /c cacls D:\System_VoIume_lnformation\Jnt\mygymeuaq\..\.. /d everyone /e
- '<SYSTEM32>\cacls.exe' D:\System_VoIume_lnformation\Jnt\mygymeuaq\..\.. /d everyone /e
- '<SYSTEM32>\attrib.exe' D:\sefera\Jnt\dolab +r +s +h
- '<SYSTEM32>\cmd.exe' /c cacls D:\sefera\Jnt\dolab\..\.. /d everyone /e
- '<SYSTEM32>\cmd.exe' /c attrib D:\sefera\Jnt\dolab +r +s +h
- '<SYSTEM32>\cmd.exe' /c cacls n:\System_VoIume_lnformation\Jnt\null\..\.. /g everyone:f /e /t
- '<SYSTEM32>\cmd.exe' /c cacls n:\sefera\Jnt\null\..\.. /g everyone:f /e /t
- '<SYSTEM32>\cacls.exe' n:\sefera\Jnt\null\..\.. /g everyone:f /e /t
- '<SYSTEM32>\cmd.exe' /c cacls n:\sefera\Jnt\null\..\.. /r administrators /e /t
- '<SYSTEM32>\cacls.exe' n:\sefera\Jnt\null\..\.. /r administrators /e /t
- '<SYSTEM32>\cmd.exe' /c cacls n:\sefera\Jnt\null\..\.. /r user /e /t
- '<SYSTEM32>\cacls.exe' n:\sefera\Jnt\null\..\.. /r user /e /t
- '<SYSTEM32>\cacls.exe' n:\System_VoIume_lnformation\Jnt\null\..\.. /g everyone:f /e /t
- '<SYSTEM32>\cmd.exe' /c attrib D:\sefera\Jnt\dolab\..\..\desktop.ini +s +h
- '<SYSTEM32>\cmd.exe' /c cacls n:\System_VoIume_lnformation\Jnt\null\..\.. /r administrators /e /t
- '<SYSTEM32>\cacls.exe' n:\System_VoIume_lnformation\Jnt\null\..\.. /r administrators /e /t
- '<SYSTEM32>\cmd.exe' /c cacls n:\System_VoIume_lnformation\Jnt\null\..\.. /r user /e /t
- '<SYSTEM32>\cacls.exe' n:\System_VoIume_lnformation\Jnt\null\..\.. /r user /e /t
- '<SYSTEM32>\cmd.exe' /c attrib D:\sefera\Jnt\dolab\..\.. +r +s +h
- '<SYSTEM32>\attrib.exe' D:\sefera\Jnt\dolab\..\.. +r +s +h
- '<SYSTEM32>\attrib.exe' D:\sefera\Jnt\dolab\..\..\desktop.ini +s +h
- '<SYSTEM32>\cacls.exe' D:\System_VoIume_lnformation\Jnt\mygymeuaq\..\.. /d user /e
