Technical Information
To ensure autorun and distribution
Modifies the following registry keys
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Userinit' = '<SYSTEM32>\userinit.exe,"%TEMP%\rknrl.vbs"'
- [<HKCU>\software\microsoft\windows\currentversion\run] 'winstart' = 'wscript.exe //B "%TEMP%\rknrl.vbs"'
- [<HKLM>\software\microsoft\windows\currentversion\run] 'winstart' = 'wscript.exe //B "%TEMP%\rknrl.vbs"'
- [\REGISTRY\USER\S-1-5-18\software\microsoft\windows\currentversion\run] 'winstart' = 'wscript.exe //B "%TEMP%\rknrl.vbs"'
Creates or modifies the following files
- %APPDATA%\microsoft\windows\start menu\programs\startup\rknrl.vbs
Sets the following service settings
- [<HKLM>\System\CurrentControlSet\Services\RemoteAccess] 'Start' = '00000002'
- [<HKLM>\System\CurrentControlSet\Services\RemoteAccess] 'ImagePath' = '<SYSTEM32>\wscript.exe //B C:\autoexec.vbs'
- [<HKLM>\System\CurrentControlSet\Services\MsRkNrLwsf] 'Start' = '00000002'
- [<HKLM>\System\CurrentControlSet\Services\MsRkNrLwsf] 'ImagePath' = '<SYSTEM32>\wscript.exe //B "C:\autoexec.wsf"'
Creates the following services
- 'MsRkNrLwsf' <SYSTEM32>\wscript.exe //B "C:\autoexec.wsf"
Creates the following files on removable media
- <Drive name for removable media>:\recycl\rkrl.vbs
- <Drive name for removable media>:\recycl\tmp.tmp
- <Drive name for removable media>:\recycl\rkrl.wsf
Malicious functions
Creates and executes the following
- '%TEMP%\explorer.exe' //B "%TEMP%\winstart.vbs"
- '%WINDIR%\temp\svchost.exe' //B "%WINDIR%\TEMP\winstart.vbs"
Terminates or attempts to terminate
the following system processes:
- <SYSTEM32>\wscript.exe
Modifies file system
Creates the following files
- %TEMP%\winstart.vbs
- <SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\59o0eoqa\winstart[1].wsf
- %WINDIR%\temp\win.wsf
- <SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\jh3iwefd\winstart[1].wsf
- <SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\t5levnel\tmp[1].tmp
- <SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\0o42hqll\playback[1].php
- C:\tmp.tmp
- C:\autoexec.wsf
- %TEMP%\rad3cad3.tmp
- %TEMP%\~cmdscript.tmp
- %TEMP%\rade40c6.tmp
- %TEMP%\rad5fb81.tmp
- %TEMP%\radaa6b4.tmp
- <SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\t5levnel\tmp[2].tmp
- %TEMP%\rad303e6.tmp
- <SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\t5levnel\playback[1].php
- %WINDIR%\temp\svchost.exe
- %WINDIR%\temp\winstart.vbs
- %TEMP%\winstart.wsf
- %TEMP%\win.wsf
- %TEMP%\tmp.tmp
- %TEMP%\rknrl.vbs
- %WINDIR%\temp\rknrl.tmp
- C:\autoexec.vbs
- %ProgramFiles%\microsoft office\office14\officeset.log
- %TEMP%\explorer.exe
- %TEMP%\rknrl.reg
- %TEMP%\rad09a49.tmp
- <SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\t5levnel\winstart[1].wsf
Sets the 'hidden' attribute to the following files
- C:\autoexec.vbs
- C:\autoexec.wsf
- C:\tmp.tmp
Deletes the following files
- %TEMP%\rknrl.reg
- <SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\t5levnel\playback[1].php
- %TEMP%\dm7332.tmp
- %TEMP%\~cmdscript.tmp
- <SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\0o42hqll\playback[1].php
- <SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\jh3iwefd\winstart[1].wsf
- <SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\t5levnel\tmp[1].tmp
- <SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\59o0eoqa\winstart[1].wsf
- <SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\t5levnel\winstart[1].wsf
Moves the following files
- from %TEMP%\rad09a49.tmp to %TEMP%\dm7332.tmp
Substitutes the following files
- %TEMP%\dm7332.tmp
- <SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\t5levnel\playback[1].php
- <SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\content.ie5\jh3iwefd\winstart[1].wsf
Network activity
Connects to
- 'ai#####heworld.gicp.net':80
- 'ai########orld.airobotheworld.com':80
- 'a1.####botheworld.com':80
- 'ap#.##herscan.io':80
TCP
HTTP GET requests
- http://ai########orld.airobotheworld.com/ctrl/Normal.xls
- http://a1.####botheworld.com/ctrl/file/TMP.TMP
- http://a1.####botheworld.com/ctrl/file/winstart.wsf
- http://ap#.##herscan.io/api?mo#############################################################################
- http://10#.#73.153.173/ctrl/playback.php
- http://10#.#73.153.173/ctrl/pool.txt
- http://10#.#73.153.173/ctrl/Normal.doc
- http://10#.#73.153.173/ctrl/Book.xls
- http://a1.####botheworld.com/ctrl/url.html
- http://ai########orld.airobotheworld.com/ctrl/Normal.doc
HTTP POST requests
- http://ai#####heworld.gicp.net/ctrl/playback.php
- http://ai########orld.airobotheworld.com/ctrl/playback.php
UDP
- DNS ASK ai#####heworld.gicp.net
- DNS ASK ai########orld.airobotheworld.com
- DNS ASK a1.####botheworld.com
- DNS ASK ap#.##herscan.io
- DNS ASK ai########ill.aigoingtokill.club
- DNS ASK m.#####ngtokill.club
Miscellaneous
Searches for the following windows
- ClassName: 'RegEdit_RegEdit' WindowName: ''
Creates and executes the following
- '<SYSTEM32>\wscript.exe' //B C:\autoexec.vbs
- '<SYSTEM32>\wscript.exe' //B "%TEMP%\win.wsf"
- '<SYSTEM32>\wscript.exe' //B "%TEMP%\winstart.wsf"
- '<SYSTEM32>\wscript.exe' //B "%WINDIR%\TEMP\win.wsf"
- '<SYSTEM32>\cmd.exe' /c regedit /s /q %TEMP%\rknrl.reg' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c sc stop RemoteAccess' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c sc config RemoteAccess binpath= "<SYSTEM32>\wscript.exe //B C:\autoexec.vbs" start= auto' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c sc start RemoteAccess' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c nslookup a1.airobotheworld.com>>%TEMP%\~cmdscript.tmp' (with hidden window)
Executes the following
- '<SYSTEM32>\cmd.exe' /c regedit /s /q %TEMP%\rknrl.reg
- '%WINDIR%\regedit.exe' /s /q %TEMP%\rknrl.reg
- '<SYSTEM32>\cmd.exe' /c sc stop RemoteAccess
- '<SYSTEM32>\cmd.exe' /c sc config RemoteAccess binpath= "<SYSTEM32>\wscript.exe //B C:\autoexec.vbs" start= auto
- '<SYSTEM32>\cmd.exe' /c sc start RemoteAccess
- '<SYSTEM32>\sc.exe' stop RemoteAccess
- '<SYSTEM32>\sc.exe' config RemoteAccess binpath= "<SYSTEM32>\wscript.exe //B C:\autoexec.vbs" start= auto
- '<SYSTEM32>\sc.exe' start RemoteAccess
- '<SYSTEM32>\cmd.exe' /c nslookup a1.airobotheworld.com>>%TEMP%\~cmdscript.tmp
- '<SYSTEM32>\nslookup.exe' a1.airobotheworld.com
