Technical Information
To ensure autorun and distribution
Creates or modifies the following files
- <SYSTEM32>\tasks\npcapwatchdog
Sets the following service settings
- [<HKLM>\System\CurrentControlSet\Services\npcap] 'ImagePath' = 'system32\DRIVERS\npcap.sys'
- [<HKLM>\SYSTEM\CurrentControlSet\Services\npcap] 'Start' = '00000001'
- [<HKLM>\System\CurrentControlSet\Services\rumble-agent-3c100a67-d3a8-45d9-a629-424a83a47e1d] 'Start' = '00000002'
- [<HKLM>\System\CurrentControlSet\Services\rumble-agent-3c100a67-d3a8-45d9-a629-424a83a47e1d] 'ImagePath' = '"%ProgramFiles%\Rumble\rumble-agent-3c100a67-d3a8-45d9-a629-424a83a47e1d-cdb1307b826b...
Creates the following services
- 'npcap' system32\DRIVERS\npcap.sys
- 'rumble-agent-3c100a67-d3a8-45d9-a629-424a83a47e1d' "%ProgramFiles%\Rumble\rumble-agent-3c100a67-d3a8-45d9-a629-424a83a47e1d-cdb1307b826bb58c-1.11.9.exe"
- 'rumble-agent-3c100a67-d3a8-45d9-a629-424a83a47e1d' %ProgramFiles%\Rumble\rumble-agent-3c100a67-d3a8-45d9-a629-424a83a47e1d-cdb1307b826bb58c-1.11.9.exe
Malicious functions
Executes the following
- '<SYSTEM32>\taskkill.exe' /F /IM rumble-agent-3c100a67-d3a8-45d9-a629-424a83a47e1d-cdb1307b826bb58c-1.11.9.exe
- '<SYSTEM32>\taskkill.exe' /F /FI "USERNAME eq NT AUTHORITY\SYSTEM" /FI "STATUS eq running" /FI "ImageName eq Chrome.exe"
Modifies file system
Creates the following files
- %LOCALAPPDATA%\.rumble\3c100a67-d3a8-45d9-a629-424a83a47e1d.agentid
- %WINDIR%\syswow64\npcap\wlanhelper.exe
- <SYSTEM32>\wpcap.dll
- <SYSTEM32>\packet.dll
- <SYSTEM32>\npcaphelper.exe
- <SYSTEM32>\wlanhelper.exe
- <SYSTEM32>\npcap\wpcap.dll
- <SYSTEM32>\npcap\packet.dll
- <SYSTEM32>\npcap\npcaphelper.exe
- <SYSTEM32>\npcap\wlanhelper.exe
- %WINDIR%\syswow64\npcap\packet.dll
- %WINDIR%\syswow64\npcap\npcaphelper.exe
- %TEMP%\nsg8518.tmp\insecure-ev.cer
- %WINDIR%\inf\oem1.pnf
- %TEMP%\{7e5ab48f-e200-4916-8cd8-07157e443170}\seta2a4.tmp
- %TEMP%\{7e5ab48f-e200-4916-8cd8-07157e443170}\seta3af.tmp
- %TEMP%\{7e5ab48f-e200-4916-8cd8-07157e443170}\seta4d8.tmp
- <SYSTEM32>\catroot\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\oem2.cat
- %WINDIR%\inf\oem2.pnf
- <DRIVERS>\set195.tmp
- %TEMP%\nsg8518.tmp\simplesc.dll
- %WINDIR%\temp\udd9cf.tmp
- %TEMP%\nsg8518.tmp\insecure-ev-sha1.cer
- %WINDIR%\inf\oem0.pnf
- %WINDIR%\syswow64\npcap\wpcap.dll
- %WINDIR%\syswow64\wlanhelper.exe
- %WINDIR%\syswow64\npcaphelper.exe
- %ProgramFiles%\rumble\rumble-agent-3c100a67-d3a8-45d9-a629-424a83a47e1d-cdb1307b826bb58c-1.11.9.exe
- %TEMP%\npcap-oem-766704767.exe
- %TEMP%\nsg8517.tmp
- %TEMP%\nsg8518.tmp\options.ini
- %TEMP%\nsg8518.tmp\final.ini
- %TEMP%\nsg8518.tmp\system.dll
- %ProgramFiles%\npcap\install.log
- %TEMP%\nsg8518.tmp\npfinstall.exe
- %TEMP%\nsg8518.tmp\nsexec.dll
- %ProgramFiles%\npcap\npfinstall.log
- nul
- %ProgramFiles%\npcap\license
- %ProgramFiles%\npcap\diagreport.ps1
- %ProgramFiles%\npcap\fixinstall.bat
- %ProgramFiles%\npcap\uninstall.exe
- %ProgramFiles%\npcap\npfinstall.exe
- %ProgramFiles%\npcap\npcap.sys
- %ProgramFiles%\npcap\npcap.cat
- %ProgramFiles%\npcap\npcap.inf
- %ProgramFiles%\npcap\npcap_wfp.inf
- %WINDIR%\syswow64\wpcap.dll
- %WINDIR%\syswow64\packet.dll
- %ProgramFiles%\npcap\diagreport.bat
- %ProgramFiles%\npcap\checkstatus.bat
- %ProgramFiles%\rumble\rumble-agent-3c100a67-d3a8-45d9-a629-424a83a47e1d.log
Sets the 'hidden' attribute to the following files
- <SYSTEM32>\catroot\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\oem2.cat
Deletes the following files
- %TEMP%\nsg8518.tmp\insecure-ev.cer
- %TEMP%\nsg8518.tmp\insecure-ev-sha1.cer
- %TEMP%\{7e5ab48f-e200-4916-8cd8-07157e443170}\npcap.cat
- %TEMP%\{7e5ab48f-e200-4916-8cd8-07157e443170}\npcap.inf
- %TEMP%\{7e5ab48f-e200-4916-8cd8-07157e443170}\npcap.sys
- %WINDIR%\temp\udd9cf.tmp
- %TEMP%\nsg8518.tmp\final.ini
- %TEMP%\nsg8518.tmp\npfinstall.exe
- %TEMP%\nsg8518.tmp\nsexec.dll
- %TEMP%\nsg8518.tmp\options.ini
- %TEMP%\nsg8518.tmp\simplesc.dll
- %TEMP%\nsg8518.tmp\system.dll
- %TEMP%\npcap-oem-766704767.exe
- %ProgramFiles%\rumble\rumble-agent-3c100a67-d3a8-45d9-a629-424a83a47e1d-cdb1307b826bb58c-1.11.9.exe
Moves the following files
- from %TEMP%\{7e5ab48f-e200-4916-8cd8-07157e443170}\seta2a4.tmp to %TEMP%\{7e5ab48f-e200-4916-8cd8-07157e443170}\npcap.cat
- from %TEMP%\{7e5ab48f-e200-4916-8cd8-07157e443170}\seta3af.tmp to %TEMP%\{7e5ab48f-e200-4916-8cd8-07157e443170}\npcap.inf
- from %TEMP%\{7e5ab48f-e200-4916-8cd8-07157e443170}\seta4d8.tmp to %TEMP%\{7e5ab48f-e200-4916-8cd8-07157e443170}\npcap.sys
- from <DRIVERS>\set195.tmp to <DRIVERS>\npcap.sys
Network activity
TCP
- 'co####e.rumble.run':443
UDP
- DNS ASK co####e.rumble.run
Miscellaneous
Searches for the following windows
- ClassName: '' WindowName: ''
Creates and executes the following
- '%TEMP%\npcap-oem-766704767.exe' "/S /npf_startup=yes /loopback_support=yes /dlt_null=no /admin_only=yes /dot11_support=yes /vlan_support=yes /winpcap_mode=no"
- '%TEMP%\nsg8518.tmp\npfinstall.exe' -n -check_dll
- '%ProgramFiles%\npcap\npfinstall.exe' -n -c
- '%ProgramFiles%\npcap\npfinstall.exe' -n -iw
- '%ProgramFiles%\npcap\npfinstall.exe' -n -i
- '%ProgramFiles%\rumble\rumble-agent-3c100a67-d3a8-45d9-a629-424a83a47e1d-cdb1307b826bb58c-1.11.9.exe'
- '%TEMP%\npcap-oem-766704767.exe' "/S /npf_startup=yes /loopback_support=yes /dlt_null=no /admin_only=yes /dot11_support=yes /vlan_support=yes /winpcap_mode=no"' (with hidden window)
- '%TEMP%\nsg8518.tmp\npfinstall.exe' -n -check_dll' (with hidden window)
- '%WINDIR%\syswow64\certutil.exe' -addstore -f "TrustedPublisher" "%TEMP%\nsg8518.tmp\Insecure-EV.cer"' (with hidden window)
- '%WINDIR%\syswow64\certutil.exe' -addstore -f "TrustedPublisher" "%TEMP%\nsg8518.tmp\Insecure-EV-sha1.cer"' (with hidden window)
- '%ProgramFiles%\npcap\npfinstall.exe' -n -c' (with hidden window)
- '<SYSTEM32>\pnputil.exe' -e' (with hidden window)
- '%ProgramFiles%\npcap\npfinstall.exe' -n -iw' (with hidden window)
- '%ProgramFiles%\npcap\npfinstall.exe' -n -i' (with hidden window)
- '%WINDIR%\syswow64\schtasks.exe' /Create /F /RU SYSTEM /SC ONSTART /TN npcapwatchdog /TR "'%ProgramFiles%\Npcap\CheckStatus.bat'" /NP' (with hidden window)
Executes the following
- '<SYSTEM32>\cmd.exe' /c "taskkill /F /IM rumble-agent-3c100a67-d3a8-45d9-a629-424a83a47e1d-cdb1307b826bb58c-1.11.9.exe 2>NUL"
- '%WINDIR%\syswow64\certutil.exe' -addstore -f "TrustedPublisher" "%TEMP%\nsg8518.tmp\Insecure-EV.cer"
- '%WINDIR%\syswow64\certutil.exe' -addstore -f "TrustedPublisher" "%TEMP%\nsg8518.tmp\Insecure-EV-sha1.cer"
- '<SYSTEM32>\pnputil.exe' -e
- '%WINDIR%\syswow64\schtasks.exe' /Create /F /RU SYSTEM /SC ONSTART /TN npcapwatchdog /TR "'%ProgramFiles%\Npcap\CheckStatus.bat'" /NP
- '<SYSTEM32>\cmd.exe' /c taskkill /F /FI "USERNAME eq NT AUTHORITY\SYSTEM" /FI "STATUS eq running" /FI "ImageName eq Chrome.exe"
