Technical Information
To ensure autorun and distribution
Modifies the following registry keys
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'nore' = '<SYSTEM32>\pcalua.exe -a %HOMEPATH%\dmgy.exe'
Malicious functions
Creates and executes the following (exploit)
- 'C:\users\public\svchost32.exe'
Injects code into
the following user processes:
- addinprocess32.exe
Searches for registry branches where third party applications store passwords
- [<HKCU>\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook]
- [<HKCU>\Software\Martin Prikryl\WinSCP 2\Sessions\]
Reads files which store third party applications passwords
- %LOCALAPPDATA%\google\chrome\user data\default\login data
- %APPDATA%\opera software\opera stable\login data
- %LOCALAPPDATA%\google\chrome\user data\default\cookies
- %LOCALAPPDATA%\google\chrome\user data\default\web data
- %HOMEPATH%\desktop\thlps_keeper_mayer_1965.docx
Modifies file system
Creates the following files
- C:\users\public\svchost32.exe
- %TEMP%\2fda\ucrtbase.dll
- %TEMP%\2fda\softokn3.dll
- %TEMP%\2fda\nssdbm3.dll
- %TEMP%\2fda\nss3.dll
- %TEMP%\2fda\msvcp140.dll
- %TEMP%\2fda\mozglue.dll
- %TEMP%\2fda\vcruntime140.dll
- %TEMP%\2fda\freebl3.dll
- %TEMP%\2fda\api-ms-win-crt-time-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-crt-string-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-crt-stdio-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-crt-runtime-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-crt-process-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-crt-private-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-crt-utility-l1-1-0.dll
- %TEMP%\12671801469713224001164.tmp-shm
- %TEMP%\1267383901799651452486.tmp
- %ALLUSERSPROFILE%\microsoft\vault\ac658cb4-9126-49bd-b877-31eedab3f204\policy.vpol
- %TEMP%\1267352888427518152514.tmp
- %TEMP%\12673208246177513491887.tmp
- %TEMP%\12673057222589725224758.tmp
- %TEMP%\1267305341584322483809.tmp
- %TEMP%\12672748428328452945676.tmp
- %TEMP%\12672584202405463788245.tmp
- %TEMP%\2fda\api-ms-win-crt-multibyte-l1-1-0.dll
- %TEMP%\12672271354653847468936.tmp
- %TEMP%\12671801469713224001164.tmp
- %TEMP%\12670867621722648672644.tmp
- %TEMP%\12670716855745826275.tmp
- %LOCALAPPDATA%\microsoft\vault\4bf4c442-9b8a-41a0-b380-dd4a704ddb28\policy.vpol
- %ALLUSERSPROFILE%\microsoft\vault\ac658cb4-9126-49bd-b877-31eedab3f204\2f1a6504-0641-44cf-8bb5-3612d865f2e5.vsch
- %ALLUSERSPROFILE%\microsoft\vault\ac658cb4-9126-49bd-b877-31eedab3f204\3ccd5499-87a8-4b10-a215-608888dd3b55.vsch
- %TEMP%\12641078789116218215382.tmp
- %TEMP%\1264200604137306571380.tmp
- %TEMP%\2fda\api-ms-win-crt-math-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-core-namedpipe-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-core-libraryloader-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-core-interlocked-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-core-heap-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-core-handle-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-core-file-l2-1-0.dll
- %TEMP%\2fda\api-ms-win-core-file-l1-2-0.dll
- %TEMP%\2fda\api-ms-win-core-localization-l1-2-0.dll
- %TEMP%\2fda\api-ms-win-core-file-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-core-debug-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-core-datetime-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-core-console-l1-1-0.dll
- %HOMEPATH%\dmgy.exe
- %TEMP%\addinprocess32.exe
- %TEMP%\a6a0b8a6-4761-4357-9a31-0eca6ad70093\f.dll
- %TEMP%\2fda\api-ms-win-core-errorhandling-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-core-synch-l1-2-0.dll
- %TEMP%\2fda\api-ms-win-crt-heap-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-core-processenvironment-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-crt-filesystem-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-crt-environment-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-crt-convert-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-crt-conio-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-core-util-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-core-timezone-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-crt-locale-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-core-sysinfo-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-core-synch-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-core-string-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-core-rtlsupport-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-core-profile-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-core-processthreads-l1-1-1.dll
- %TEMP%\2fda\api-ms-win-core-processthreads-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-core-memory-l1-1-0.dll
- %TEMP%\1267383901799651452486.tmp-shm
Deletes the following files
- %TEMP%\12641078789116218215382.tmp
- %TEMP%\2fda\api-ms-win-core-rtlsupport-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-core-string-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-core-synch-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-core-synch-l1-2-0.dll
- %TEMP%\2fda\api-ms-win-core-sysinfo-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-core-timezone-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-core-util-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-crt-conio-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-crt-convert-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-crt-environment-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-crt-filesystem-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-crt-heap-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-crt-locale-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-crt-multibyte-l1-1-0.dll
- %TEMP%\2fda\ucrtbase.dll
- %TEMP%\2fda\api-ms-win-crt-private-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-crt-process-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-crt-runtime-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-crt-stdio-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-crt-string-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-crt-time-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-crt-utility-l1-1-0.dll
- %TEMP%\2fda\freebl3.dll
- %TEMP%\2fda\mozglue.dll
- %TEMP%\2fda\msvcp140.dll
- %TEMP%\2fda\nss3.dll
- %TEMP%\2fda\nssdbm3.dll
- %TEMP%\2fda\softokn3.dll
- %TEMP%\2fda\api-ms-win-core-profile-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-crt-math-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-core-processthreads-l1-1-1.dll
- %TEMP%\1267383901799651452486.tmp
- %TEMP%\1264200604137306571380.tmp
- %TEMP%\12670716855745826275.tmp
- %TEMP%\12670867621722648672644.tmp
- %TEMP%\12671801469713224001164.tmp-shm
- %TEMP%\12671801469713224001164.tmp
- %TEMP%\12672271354653847468936.tmp
- %TEMP%\12672584202405463788245.tmp
- %TEMP%\12672748428328452945676.tmp
- %TEMP%\1267305341584322483809.tmp
- %TEMP%\12673057222589725224758.tmp
- %TEMP%\12673208246177513491887.tmp
- %TEMP%\1267352888427518152514.tmp
- %TEMP%\1267383901799651452486.tmp-shm
- %TEMP%\2fda\api-ms-win-core-console-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-core-processenvironment-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-core-datetime-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-core-debug-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-core-errorhandling-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-core-file-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-core-file-l1-2-0.dll
- %TEMP%\2fda\api-ms-win-core-file-l2-1-0.dll
- %TEMP%\2fda\api-ms-win-core-handle-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-core-heap-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-core-interlocked-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-core-libraryloader-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-core-localization-l1-2-0.dll
- %TEMP%\2fda\api-ms-win-core-memory-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-core-namedpipe-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-core-processthreads-l1-1-0.dll
- %TEMP%\2fda\vcruntime140.dll
Network activity
TCP
HTTP GET requests
- http://18#.#3.85.52/FR/BDO-1218.jpg
HTTP POST requests
- http://bo###.#yscriptcase.com/index.php
UDP
- DNS ASK bo###.#yscriptcase.com
Miscellaneous
Creates and executes the following
- '%HOMEPATH%\dmgy.exe'
- '%TEMP%\addinprocess32.exe'
Executes the following
- '%WINDIR%\syswow64\cmd.exe' /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v nore /t REG_SZ /d <SYSTEM32>\pcalua.exe" -a %HOMEPATH%\dmgy.exe"
- '%WINDIR%\syswow64\reg.exe' ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v nore /t REG_SZ /d <SYSTEM32>\pcalua.exe" -a %HOMEPATH%\dmgy.exe"
