Technical Information
To ensure autorun and distribution
Modifies the following registry keys
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'f4e60386eb69c31709e28bbe3c45380d' = '"%TEMP%\windows registery.exe" ..'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'f4e60386eb69c31709e28bbe3c45380d' = '"%TEMP%\windows registery.exe" ..'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'VDATRP' = '"%APPDATA%\Windata\windows programs.exe"'
Creates or modifies the following files
- %APPDATA%\microsoft\windows\start menu\programs\startup\f4e60386eb69c31709e28bbe3c45380d.exe
- %APPDATA%\microsoft\windows\start menu\programs\startup\vdatrp.lnk
Malicious functions
Executes the following
- '%WINDIR%\syswow64\netsh.exe' firewall add allowedprogram "%TEMP%\windows registery.exe" "windows registery.exe" ENABLE
Modifies file system
Creates the following files
- %TEMP%\windows programs.exe
- %TEMP%\script.vbs
- %TEMP%\windows registery.exe
- %APPDATA%\windata\windows programs.exe
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\history\low\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\history\low\history.ie5\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\index.dat
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\a043thkv\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\lifpuvde\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\42b9maq6\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\dwcc600k\desktop.ini
- %APPDATA%\microsoft\windows\cookies\low\index.dat
- %LOCALAPPDATA%\microsoft\windows\history\low\history.ie5\index.dat
- %TEMP%\vdatrp.vbs
Sets the 'hidden' attribute to the following files
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\a043thkv\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\lifpuvde\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\42b9maq6\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\dwcc600k\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\history\low\history.ie5\desktop.ini
Network activity
Connects to
- 'ma#######aq53-36866.portmap.io':36866
TCP
HTTP GET requests
- http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt
UDP
- DNS ASK ip##i.co
- DNS ASK ma#######aq53-36866.portmap.io
- DNS ASK microsoft.com
Miscellaneous
Creates and executes the following
- '%TEMP%\windows programs.exe'
- '%WINDIR%\syswow64\wscript.exe' "%TEMP%\script.vbs" /elevate
- '%WINDIR%\syswow64\wscript.exe' %TEMP%\VDATRP.vbs
- '%WINDIR%\syswow64\wscript.exe' "%TEMP%\script.vbs"
- '%TEMP%\windows registery.exe'
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' Set-MpPreference -DisableRealtimeMonitoring $true' (with hidden window)
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' Set-MpPreference -DisableBehaviorMonitoring $true' (with hidden window)
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' Set-MpPreference -DisableBlockAtFirstSeen $true' (with hidden window)
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' Set-MpPreference -LowThreatDefaultAction 6' (with hidden window)
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' Set-MpPreference -DisableIOAVProtection $true' (with hidden window)
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' Set-MpPreference -MAPSReporting 0' (with hidden window)
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' Set-MpPreference -SevereThreatDefaultAction 6' (with hidden window)
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' Set-MpPreference -HighThreatDefaultAction 6 -Force' (with hidden window)
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' Set-MpPreference -ModerateThreatDefaultAction 6' (with hidden window)
- '%WINDIR%\syswow64\netsh.exe' firewall add allowedprogram "%TEMP%\windows registery.exe" "windows registery.exe" ENABLE' (with hidden window)
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' Set-MpPreference -SubmitSamplesConsent 2' (with hidden window)
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' Set-MpPreference -DisableScriptScanning $true' (with hidden window)
Executes the following
- '%WINDIR%\syswow64\rundll32.exe' "%WINDIR%\syswow64\WININET.dll",DispatchAPICall 1
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' Set-MpPreference -DisableRealtimeMonitoring $true
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' Set-MpPreference -DisableBehaviorMonitoring $true
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' Set-MpPreference -DisableBlockAtFirstSeen $true
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' Set-MpPreference -DisableIOAVProtection $true
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' Set-MpPreference -DisableScriptScanning $true
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' Set-MpPreference -SubmitSamplesConsent 2
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' Set-MpPreference -MAPSReporting 0
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' Set-MpPreference -HighThreatDefaultAction 6 -Force
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' Set-MpPreference -ModerateThreatDefaultAction 6
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' Set-MpPreference -LowThreatDefaultAction 6
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' Set-MpPreference -SevereThreatDefaultAction 6
