Technical Information
To ensure autorun and distribution
Modifies the following registry keys
- [<HKLM>\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Shell' = 'explorer.exe, "%ALLUSERSPROFILE%\Start Menu\cmd.exe"'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'cmd' = '"%ALLUSERSPROFILE%\Start Menu\cmd.exe"'
- [<HKLM>\Software\Microsoft\Windows\CurrentVersion\Run] 'cmd' = '"%ALLUSERSPROFILE%\Start Menu\cmd.exe"'
- [<HKLM>\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Shell' = 'explorer.exe, "%ALLUSERSPROFILE%\Start Menu\cmd.exe", "%ProgramFiles(x86)%\Internet Explorer\jsdbgui\iexplore.exe"'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'iexplore' = '"%ProgramFiles(x86)%\Internet Explorer\jsdbgui\iexplore.exe"'
- [<HKLM>\Software\Microsoft\Windows\CurrentVersion\Run] 'iexplore' = '"%ProgramFiles(x86)%\Internet Explorer\jsdbgui\iexplore.exe"'
- [<HKLM>\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Shell' = 'explorer.exe, "%ALLUSERSPROFILE%\Start Menu\cmd.exe", "%ProgramFiles(x86)%\Internet Explorer\jsdbgui\iexplore.exe", "C:...
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'winlogon' = '"C:\Recovery\1195d5a8-f371-11e4-9c00-dd3082671db2\winlogon.exe"'
- [<HKLM>\Software\Microsoft\Windows\CurrentVersion\Run] 'winlogon' = '"C:\Recovery\1195d5a8-f371-11e4-9c00-dd3082671db2\winlogon.exe"'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'conhost' = '"C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\conhost.exe"'
- [<HKLM>\Software\Microsoft\Windows\CurrentVersion\Run] 'conhost' = '"C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\conhost.exe"'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'lsm' = '"C:\totalcmd\LANGUAGE\lsm.exe"'
- [<HKLM>\Software\Microsoft\Windows\CurrentVersion\Run] 'lsm' = '"C:\totalcmd\LANGUAGE\lsm.exe"'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'spoolsv' = '"%ProgramFiles%\fsample\spoolsv.exe"'
- [<HKLM>\Software\Microsoft\Windows\CurrentVersion\Run] 'spoolsv' = '"%ProgramFiles%\fsample\spoolsv.exe"'
Creates or modifies the following files
- <SYSTEM32>\tasks\cmd
- <SYSTEM32>\tasks\iexplore
- <SYSTEM32>\tasks\winlogon
- <SYSTEM32>\tasks\conhost
- <SYSTEM32>\tasks\lsm
- <SYSTEM32>\tasks\spoolsv
Malicious functions
To complicate detection of its presence in the operating system,
blocks execution of the following system utilities:
- Windows Task Manager (Taskmgr)
Modifies file system
Creates the following files
- C:\reviewsaves\1rofni4pvhziamy0bsh72jlb21agk.bat
- C:\reviewsaves\tbg80nyfsj
- %ProgramFiles%\fsample\f3b6ecef712a24f33798f5d2fb3790c3d9b894c4
- %ProgramFiles%\fsample\spoolsv.exe
- C:\totalcmd\language\101b941d020240259ca4912829b53995ad543df6
- C:\totalcmd\language\lsm.exe
- C:\msocache\all users\{90140000-0043-0409-1000-0000000ff1ce}-c\088424020bedd6b28ac7fd22ee35dcd7322895ce
- C:\msocache\all users\{90140000-0043-0409-1000-0000000ff1ce}-c\conhost.exe
- C:\recovery\1195d5a8-f371-11e4-9c00-dd3082671db2\cc11b995f2a76da408ea6a601e682e64743153ad
- C:\recovery\1195d5a8-f371-11e4-9c00-dd3082671db2\winlogon.exe
- %ProgramFiles(x86)%\internet explorer\jsdbgui\9db6e019d4f04ef534d0f91b3462d805c40e9d20
- %ProgramFiles(x86)%\internet explorer\jsdbgui\iexplore.exe
- %ALLUSERSPROFILE%\start menu\ebf1f9fa8afd6d1932bd65bc4cc3af89a4c8e228
- %ALLUSERSPROFILE%\start menu\cmd.exe
- C:\reviewsaves\rkcardtjm28vncgd0lg4qoeyrf1.vbe
- C:\reviewsaves\reviewsaveswininto.exe
- C:\reviewsaves\dd44lvdwfn.bat
- nul
Deletes the following files
- C:\reviewsaves\tbg80nyfsj
Network activity
Connects to
- '92.##.105.254':80
- 'ip##fo.io':443
TCP
HTTP GET requests
- http://92.##.105.254/wp-content/linemultilinux.php?4z############################################################################################################################################...
Other
- 'ip##fo.io':443
UDP
- DNS ASK ip##fo.io
Miscellaneous
Searches for the following windows
- ClassName: 'EDIT' WindowName: ''
Creates and executes the following
- '%WINDIR%\syswow64\wscript.exe' "C:\reviewsaves\RKCArDTjm28vNCgd0Lg4qoeyrF1.vbe"
- 'C:\reviewsaves\reviewsaveswininto.exe'
- '%ProgramFiles%\fsample\spoolsv.exe'
- '%WINDIR%\syswow64\cmd.exe' /c ""C:\reviewsaves\1rOfnI4pvHZiAmY0BSH72jlb21agk.bat" "' (with hidden window)
- '<SYSTEM32>\cmd.exe' /C "C:\reviewsaves\Dd44LvdWFn.bat"' (with hidden window)
Executes the following
- '%WINDIR%\syswow64\cmd.exe' /c ""C:\reviewsaves\1rOfnI4pvHZiAmY0BSH72jlb21agk.bat" "
- '<SYSTEM32>\schtasks.exe' /create /tn "cmd" /sc ONLOGON /tr "'%ALLUSERSPROFILE%\Start Menu\cmd.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "iexplore" /sc ONLOGON /tr "'%ProgramFiles(x86)%\Internet Explorer\jsdbgui\iexplore.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\1195d5a8-f371-11e4-9c00-dd3082671db2\winlogon.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "lsm" /sc ONLOGON /tr "'C:\totalcmd\LANGUAGE\lsm.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "spoolsv" /sc ONLOGON /tr "'%ProgramFiles%\fsample\spoolsv.exe'" /rl HIGHEST /f
- '<SYSTEM32>\cmd.exe' /C "C:\reviewsaves\Dd44LvdWFn.bat"
- '<SYSTEM32>\chcp.com' 65001
- '<SYSTEM32>\ping.exe' -n 5 localhost
- '%WINDIR%\syswow64\reg.exe' add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
