Technical Information
Malicious functions
Searches for windows to
detect analytical utilities:
- ClassName: 'OLLYDBG', WindowName: 'OllYDbg'
Modifies file system
Creates the following files
- %LOCALAPPDATA%\u8n1uje3lpdrcg0ioa4pbf75k.exe
- %WINDIR%\temp\tar288d.tmp
- %WINDIR%\temp\cab288c.tmp
- %WINDIR%\temp\tar26c7.tmp
- %WINDIR%\temp\cab26c6.tmp
- %WINDIR%\temp\tar2658.tmp
- %WINDIR%\temp\cab2657.tmp
- %WINDIR%\temp\tar2491.tmp
- %WINDIR%\temp\cab2490.tmp
- %WINDIR%\temp\tar2403.tmp
- %WINDIR%\temp\cab23f2.tmp
- %WINDIR%\temp\tar222d.tmp
- %WINDIR%\temp\cab222c.tmp
- %WINDIR%\temp\tar21be.tmp
- %WINDIR%\temp\cab21bd.tmp
- %WINDIR%\temp\tar2026.tmp
- %WINDIR%\temp\cab2025.tmp
- %WINDIR%\temp\tar1fd6.tmp
- %WINDIR%\temp\cab1fc6.tmp
- %WINDIR%\temp\tar1f48.tmp
- %WINDIR%\temp\cab1f47.tmp
- %WINDIR%\temp\tar1e3d.tmp
- %WINDIR%\temp\cab1e3c.tmp
- %WINDIR%\temp\tar1b7d.tmp
- %WINDIR%\temp\cab1b7c.tmp
- %WINDIR%\xclient.exe
- %WINDIR%\temp\cab3116.tmp
- %WINDIR%\temp\tar3117.tmp
Deletes the following files
- %WINDIR%\temp\cab1b7c.tmp
- %WINDIR%\temp\tar288d.tmp
- %WINDIR%\temp\cab288c.tmp
- %WINDIR%\temp\tar26c7.tmp
- %WINDIR%\temp\cab26c6.tmp
- %WINDIR%\temp\tar2658.tmp
- %WINDIR%\temp\cab2657.tmp
- %WINDIR%\temp\tar2491.tmp
- %WINDIR%\temp\cab2490.tmp
- %WINDIR%\temp\tar2403.tmp
- %WINDIR%\temp\cab23f2.tmp
- %WINDIR%\temp\tar222d.tmp
- %WINDIR%\temp\cab222c.tmp
- %WINDIR%\temp\tar21be.tmp
- %WINDIR%\temp\cab21bd.tmp
- %WINDIR%\temp\tar2026.tmp
- %WINDIR%\temp\cab2025.tmp
- %WINDIR%\temp\tar1fd6.tmp
- %WINDIR%\temp\cab1fc6.tmp
- %WINDIR%\temp\tar1f48.tmp
- %WINDIR%\temp\cab1f47.tmp
- %WINDIR%\temp\tar1e3d.tmp
- %WINDIR%\temp\cab1e3c.tmp
- %WINDIR%\temp\tar1b7d.tmp
- %WINDIR%\temp\cab3116.tmp
- %WINDIR%\temp\tar3117.tmp
Moves the following files
- from %LOCALAPPDATA%\u8n1uje3lpdrcg0ioa4pbf75k.exe to <Current directory>\4y4th8p8p62qaytakyohr2rt6.exe
Network activity
Connects to
- 'localhost':49186
- 'localhost':49188
- 'ke##uth.win':443
- 'x1.#.lencr.org':80
- 'x2.#.lencr.org':80
- 'ip##pi.com':80
TCP
HTTP GET requests
- http://x1.#.lencr.org/
- http://x2.#.lencr.org/
- http://ip##pi.com/line/?fi############
Other
- 'localhost':49186
- 'localhost':49188
- 'localhost':49189
- 'ke##uth.win':443
UDP
- DNS ASK ke##uth.win
- DNS ASK x1.#.lencr.org
- DNS ASK x2.#.lencr.org
- DNS ASK ip##pi.com
Miscellaneous
Creates and executes the following
- '%LOCALAPPDATA%\u8n1uje3lpdrcg0ioa4pbf75k.exe'
- '%WINDIR%\xclient.exe'
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -EncodedCommand "PAAjAGMAeQB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGQAaQBiACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwA...' (with hidden window)
- '%LOCALAPPDATA%\u8n1uje3lpdrcg0ioa4pbf75k.exe' ' (with hidden window)
- '%WINDIR%\xclient.exe' ' (with hidden window)
Executes the following
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -EncodedCommand "PAAjAGMAeQB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGQAaQBiACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwA...
- '<SYSTEM32>\cmd.exe' /c certutil -hashfile "%LOCALAPPDATA%\U8N1UJE3LPDRCG0IOA4PBF75K.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
- '<SYSTEM32>\certutil.exe' -hashfile "%LOCALAPPDATA%\U8N1UJE3LPDRCG0IOA4PBF75K.exe" MD5
- '<SYSTEM32>\find.exe' /i /v "md5"
- '<SYSTEM32>\find.exe' /i /v "certutil"
- '<SYSTEM32>\cmd.exe' /c start cmd /C "color b && title Error && echo SSL connect error && timeout /t 5"
- '<SYSTEM32>\cmd.exe' /C "color b && title Error && echo SSL connect error && timeout /t 5"
- '<SYSTEM32>\timeout.exe' /t 5
