Technical Information
To ensure autorun and distribution
Modifies the following registry keys
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'jUJdAfR' = '%APPDATA%\jUJdAfR\jUJdAfR.exe'
Malicious functions
To complicate detection of its presence in the operating system,
blocks execution of the following system utilities:
- Windows Defender
blocks the following features:
- User Account Control (UAC)
adds antivirus exclusion with following registry keys:
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths] 'C:\Users\Public\69577.exe' = '00000000'
Creates and executes the following
- '' (downloaded from the Internet)
Creates and executes the following (exploit)
- 'C:\users\public\69577.exe'
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath "C:\Users\Public\69577.exe" -Force
Injects code into
the following user processes:
- 69577.exe
Searches for registry branches where third party applications store passwords
- [<HKLM>\Software\Wow6432Node\ORL\WinVNC3]
- [<HKCU>\Software\ORL\WinVNC3]
- [<HKCU>\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions]
- [<HKCU>\Software\RimArts\B2\Settings]
- [<HKCU>\Software\FTPWare\COREFTP\Sites]
Reads files which store third party applications passwords
- %APPDATA%\opera software\opera stable\login data
- %LOCALAPPDATA%\google\chrome\user data\default\login data
- %APPDATA%\thunderbird\profiles.ini
- %APPDATA%\mozilla\firefox\profiles.ini
Modifies file system
Creates the following files
- C:\users\public\69577.exe
- %LOCALAPPDATA%\蝼螀蝲螙蝹螙螝蝨螓蝼螔蝿螑蝪螜_inc\69577.exe_url_sn2510xzumrt3pxrjh1ebmtm531qwn1e\3.54.628.738\mjwbye2m.newcfg
- %TEMP%\b0ceb50e-1a5c-4b93-95e0-135c8f765e10\advancedrun.exe
- %TEMP%\b0ceb50e-1a5c-4b93-95e0-135c8f765e10\test.bat
- %APPDATA%\jujdafr\jujdafr.exe
- %ALLUSERSPROFILE%\microsoft\vault\ac658cb4-9126-49bd-b877-31eedab3f204\policy.vpol
- %ALLUSERSPROFILE%\microsoft\vault\ac658cb4-9126-49bd-b877-31eedab3f204\3ccd5499-87a8-4b10-a215-608888dd3b55.vsch
- %ALLUSERSPROFILE%\microsoft\vault\ac658cb4-9126-49bd-b877-31eedab3f204\2f1a6504-0641-44cf-8bb5-3612d865f2e5.vsch
- %LOCALAPPDATA%\microsoft\vault\4bf4c442-9b8a-41a0-b380-dd4a704ddb28\policy.vpol
Deletes the following files
- %TEMP%\b0ceb50e-1a5c-4b93-95e0-135c8f765e10\advancedrun.exe
- %TEMP%\b0ceb50e-1a5c-4b93-95e0-135c8f765e10\test.bat
Moves the following files
- from %LOCALAPPDATA%\蝼螀蝲螙蝹螙螝蝨螓蝼螔蝿螑蝪螜_inc\69577.exe_url_sn2510xzumrt3pxrjh1ebmtm531qwn1e\3.54.628.738\mjwbye2m.newcfg to %LOCALAPPDATA%\蝼螀蝲螙蝹螙螝蝨螓蝼螔蝿螑蝪螜_inc\69577.exe_url_sn2510xzumrt3pxrjh1ebmtm531qwn1e\3.54.628.738\user.config
Network activity
Connects to
- 'bi#.ly':80
- 'la####g.yetiapp.ec':80
- 'li########abestteamoftheworld.com':80
- 'li########abestteamoftheworld.com':443
TCP
HTTP GET requests
- http://li########abestteamoftheworld.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-DD4D37EC2398DF4D4F5ED60C617DC794.html
UDP
- DNS ASK bi#.ly
- DNS ASK la####g.yetiapp.ec
- DNS ASK li########abestteamoftheworld.com
Miscellaneous
Creates and executes the following
- '%TEMP%\b0ceb50e-1a5c-4b93-95e0-135c8f765e10\advancedrun.exe' /EXEFilename "%TEMP%\b0ceb50e-1a5c-4b93-95e0-135c8f765e10\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
- '%TEMP%\b0ceb50e-1a5c-4b93-95e0-135c8f765e10\advancedrun.exe' /SpecialRun 4101d8 1976
- '%TEMP%\b0ceb50e-1a5c-4b93-95e0-135c8f765e10\advancedrun.exe' /EXEFilename "%TEMP%\b0ceb50e-1a5c-4b93-95e0-135c8f765e10\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run' (with hidden window)
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath "C:\Users\Public\69577.exe" -Force' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c timeout 1' (with hidden window)
Executes the following
- '%CommonProgramFiles%\microsoft shared\equation\eqnedt32.exe' -Embedding
- '%WINDIR%\syswow64\cmd.exe' /c timeout 1
- '%WINDIR%\syswow64\timeout.exe' 1
