Technical Information
To ensure autorun and distribution
Modifies the following registry keys
- [HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\] 'CSRSS' = '"%ALLUSERSPROFILE%\Drivers\csrss.exe"'
Creates or modifies the following files
- <SYSTEM32>\tasks\firefox default browser agent 086f64bf7134fff9
Modifies master boot record (MBR).
Malicious functions
Injects code into
the following user processes:
- 6927.exe
Searches for windows to
detect analytical utilities:
- ClassName: 'OLLYDBG', WindowName: ''
- ClassName: 'GBDYLLO', WindowName: ''
- ClassName: 'pediy06', WindowName: ''
- ClassName: 'RegmonClass', WindowName: ''
- ClassName: 'FilemonClass', WindowName: ''
- ClassName: '', WindowName: 'File Monitor - Sysinternals: www.sysinternals.com'
- ClassName: 'PROCMON_WINDOW_CLASS', WindowName: ''
- ClassName: '', WindowName: 'Process Monitor - Sysinternals: www.sysinternals.com'
Modifies file system
Creates the following files
- %APPDATA%\gctiusa
- %LOCALAPPDATA%\weather widget\bin\x86\is-3v2j9.tmp
- %LOCALAPPDATA%\weather widget\bin\x86\is-70bqj.tmp
- %LOCALAPPDATA%\weather widget\bin\x86\is-0t1gf.tmp
- %LOCALAPPDATA%\weather widget\bin\x86\is-4krk0.tmp
- %LOCALAPPDATA%\weather widget\bin\x86\is-akaku.tmp
- %LOCALAPPDATA%\weather widget\bin\x86\is-ois5t.tmp
- %LOCALAPPDATA%\weather widget\bin\x86\is-55rnu.tmp
- %LOCALAPPDATA%\weather widget\bin\x86\is-vd94d.tmp
- %LOCALAPPDATA%\weather widget\bin\x86\is-gn1tu.tmp
- %LOCALAPPDATA%\weather widget\bin\x86\is-j2j5r.tmp
- %LOCALAPPDATA%\weather widget\bin\x86\is-rhrmk.tmp
- %LOCALAPPDATA%\weather widget\bin\x86\is-4r9oq.tmp
- %LOCALAPPDATA%\weather widget\bin\x86\is-3i9b0.tmp
- %LOCALAPPDATA%\weather widget\bin\x86\is-2rda5.tmp
- %LOCALAPPDATA%\weather widget\bin\x86\is-kllr0.tmp
- %LOCALAPPDATA%\weather widget\unins000.dat
- %LOCALAPPDATA%\weather widget\bin\x86\is-vpics.tmp
- %LOCALAPPDATA%\weather widget\bin\x86\is-57q6k.tmp
- %LOCALAPPDATA%\weather widget\bin\x86\is-2t68j.tmp
- %LOCALAPPDATA%\weather widget\bin\x86\plugins\internal\is-to3om.tmp
- %LOCALAPPDATA%\weather widget\bin\x86\plugins\internal\is-ft58c.tmp
- %LOCALAPPDATA%\weather widget\bin\x86\is-7lqj0.tmp
- %LOCALAPPDATA%\weather widget\bin\x86\is-tiild.tmp
- %LOCALAPPDATA%\weather widget\bin\x86\is-kum3l.tmp
- %LOCALAPPDATA%\weather widget\bin\x86\is-cj6m5.tmp
- %LOCALAPPDATA%\weather widget\stuff\is-f4ub0.tmp
- %LOCALAPPDATA%\weather widget\stuff\is-qlkcc.tmp
- %LOCALAPPDATA%\weather widget\stuff\is-r29hk.tmp
- %LOCALAPPDATA%\weather widget\stuff\is-85u31.tmp
- %LOCALAPPDATA%\weather widget\is-nd2ec.tmp
- %LOCALAPPDATA%\weather widget\bin\x86\is-0lp1s.tmp
- %LOCALAPPDATA%\weather widget\bin\x86\lessmsi\is-a47r8.tmp
- %LOCALAPPDATA%\weather widget\bin\x86\is-ulg5e.tmp
- %TEMP%\is-nct10.tmp\_isetup\_shfoldr.dll
- %TEMP%\631e.exe
- %TEMP%\6927.exe
- %ALLUSERSPROFILE%\drivers\csrss.exe
- %TEMP%\86f5.exe
- %TEMP%\4kpv6a~1\state.tmp
- %TEMP%\acae.dll
- %TEMP%\4kpv6a~1\unverified-microdesc-consensus.tmp
- %TEMP%\bf45.exe
- %TEMP%\4kpv6a~1\cached-certs.tmp
- %TEMP%\4kpv6a~1\cached-microdesc-consensus.tmp
- %TEMP%\cf1e.exe
- %TEMP%\is-de9mc.tmp\cf1e.tmp
- %TEMP%\is-nct10.tmp\_isetup\_regdll.tmp
- %TEMP%\is-nct10.tmp\_isetup\_setup64.tmp
- %TEMP%\is-nct10.tmp\_isetup\_isdecmp.dll
- %LOCALAPPDATA%\weather widget\bin\x86\is-05jg6.tmp
- %TEMP%\is-nct10.tmp\_isetup\_iscrypt.dll
- %TEMP%\f757.exe
- %LOCALAPPDATA%\weather widget\is-qnuiu.tmp
- %LOCALAPPDATA%\weather widget\bin\x86\is-ur0cq.tmp
- %LOCALAPPDATA%\weather widget\bin\x86\is-idjfi.tmp
- %LOCALAPPDATA%\weather widget\bin\x86\is-f4d3i.tmp
- %LOCALAPPDATA%\weather widget\bin\x86\is-95o6p.tmp
- %LOCALAPPDATA%\weather widget\bin\x86\is-u0ej2.tmp
- %LOCALAPPDATA%\weather widget\bin\x86\is-2e0to.tmp
- %LOCALAPPDATA%\weather widget\bin\x86\is-9fgld.tmp
- %LOCALAPPDATA%\weather widget\bin\x86\is-rlbmu.tmp
- %LOCALAPPDATA%\weather widget\bin\x86\is-ctomu.tmp
- %LOCALAPPDATA%\weather widget\bin\x86\is-kvug4.tmp
- %LOCALAPPDATA%\weather widget\bin\x86\is-84rc8.tmp
- %LOCALAPPDATA%\weather widget\bin\x86\is-4hqo6.tmp
- %TEMP%\c6e.exe
Sets the 'hidden' attribute to the following files
- %APPDATA%\gctiusa
- %ALLUSERSPROFILE%\drivers\csrss.exe
Deletes the following files
- %TEMP%\4kpv6a~1\unverified-microdesc-consensus
- %TEMP%\4kpv6a~1\cached-certs
- %LOCALAPPDATA%\weather widget\stuff\date.txt
- %LOCALAPPDATA%\weather widget\stuff\tagsreplace.txt
Moves the following files
- from %TEMP%\4kpv6a~1\state.tmp to %TEMP%\4kpv6a~1\state
- from %LOCALAPPDATA%\weather widget\bin\x86\is-vd94d.tmp to %LOCALAPPDATA%\weather widget\bin\x86\dsd2.dll
- from %LOCALAPPDATA%\weather widget\bin\x86\is-gn1tu.tmp to %LOCALAPPDATA%\weather widget\bin\x86\lame_enc.dll
- from %LOCALAPPDATA%\weather widget\bin\x86\is-j2j5r.tmp to %LOCALAPPDATA%\weather widget\bin\x86\da.dll
- from %LOCALAPPDATA%\weather widget\bin\x86\is-rhrmk.tmp to %LOCALAPPDATA%\weather widget\bin\x86\daiso.dll
- from %LOCALAPPDATA%\weather widget\bin\x86\is-4r9oq.tmp to %LOCALAPPDATA%\weather widget\bin\x86\dstt.dll
- from %LOCALAPPDATA%\weather widget\bin\x86\is-3i9b0.tmp to %LOCALAPPDATA%\weather widget\bin\x86\dsd2pcmt.dll
- from %LOCALAPPDATA%\weather widget\bin\x86\is-2rda5.tmp to %LOCALAPPDATA%\weather widget\bin\x86\pcm2dsd.exe
- from %LOCALAPPDATA%\weather widget\bin\x86\lessmsi\is-a47r8.tmp to %LOCALAPPDATA%\weather widget\bin\x86\lessmsi\lessmsi-v1.6.91.zip
- from %LOCALAPPDATA%\weather widget\bin\x86\is-ois5t.tmp to %LOCALAPPDATA%\weather widget\bin\x86\utils.dll
- from %LOCALAPPDATA%\weather widget\bin\x86\is-55rnu.tmp to %LOCALAPPDATA%\weather widget\bin\x86\libdtsdec.dll
- from %LOCALAPPDATA%\weather widget\bin\x86\is-kllr0.tmp to %LOCALAPPDATA%\weather widget\bin\x86\d_writer.dll
- from %LOCALAPPDATA%\weather widget\bin\x86\is-2t68j.tmp to %LOCALAPPDATA%\weather widget\bin\x86\sd.dll
- from %LOCALAPPDATA%\weather widget\bin\x86\plugins\internal\is-to3om.tmp to %LOCALAPPDATA%\weather widget\bin\x86\plugins\internal\peak_scanner_plugin_c.dll
- from %LOCALAPPDATA%\weather widget\bin\x86\plugins\internal\is-ft58c.tmp to %LOCALAPPDATA%\weather widget\bin\x86\plugins\internal\raw_decode_plugin_c.dll
- from %LOCALAPPDATA%\weather widget\bin\x86\is-7lqj0.tmp to %LOCALAPPDATA%\weather widget\bin\x86\copying
- from %LOCALAPPDATA%\weather widget\bin\x86\is-tiild.tmp to %LOCALAPPDATA%\weather widget\bin\x86\7z.exe
- from %LOCALAPPDATA%\weather widget\bin\x86\is-kum3l.tmp to %LOCALAPPDATA%\weather widget\bin\x86\takdec.exe
- from %LOCALAPPDATA%\weather widget\bin\x86\is-cj6m5.tmp to %LOCALAPPDATA%\weather widget\bin\x86\tak_deco_lib.dll
- from %LOCALAPPDATA%\weather widget\stuff\is-f4ub0.tmp to %LOCALAPPDATA%\weather widget\stuff\date.txt
- from %LOCALAPPDATA%\weather widget\bin\x86\is-vpics.tmp to %LOCALAPPDATA%\weather widget\bin\x86\libwebp.dll
- from %LOCALAPPDATA%\weather widget\bin\x86\is-57q6k.tmp to %LOCALAPPDATA%\weather widget\bin\x86\libwinpthread-1.dll
- from %LOCALAPPDATA%\weather widget\bin\x86\is-akaku.tmp to %LOCALAPPDATA%\weather widget\bin\x86\uchardet.dll
- from %LOCALAPPDATA%\weather widget\bin\x86\is-4krk0.tmp to %LOCALAPPDATA%\weather widget\bin\x86\libsoxr.dll
- from %LOCALAPPDATA%\weather widget\bin\x86\is-0t1gf.tmp to %LOCALAPPDATA%\weather widget\bin\x86\wavpackdll.dll
- from %TEMP%\4kpv6a~1\cached-certs.tmp to %TEMP%\4kpv6a~1\cached-certs
- from %TEMP%\4kpv6a~1\cached-microdesc-consensus.tmp to %TEMP%\4kpv6a~1\cached-microdesc-consensus
- from %LOCALAPPDATA%\weather widget\is-qnuiu.tmp to %LOCALAPPDATA%\weather widget\unins000.exe
- from %LOCALAPPDATA%\weather widget\bin\x86\is-ur0cq.tmp to %LOCALAPPDATA%\weather widget\bin\x86\basscd.dll
- from %LOCALAPPDATA%\weather widget\bin\x86\is-idjfi.tmp to %LOCALAPPDATA%\weather widget\bin\x86\bassflac.dll
- from %LOCALAPPDATA%\weather widget\bin\x86\is-f4d3i.tmp to %LOCALAPPDATA%\weather widget\bin\x86\bassmix.dll
- from %LOCALAPPDATA%\weather widget\bin\x86\is-95o6p.tmp to %LOCALAPPDATA%\weather widget\bin\x86\bassopus.dll
- from %LOCALAPPDATA%\weather widget\bin\x86\is-u0ej2.tmp to %LOCALAPPDATA%\weather widget\bin\x86\basswma.dll
- from %LOCALAPPDATA%\weather widget\bin\x86\is-2e0to.tmp to %LOCALAPPDATA%\weather widget\bin\x86\basswv.dll
- from %TEMP%\4kpv6a~1\unverified-microdesc-consensus.tmp to %TEMP%\4kpv6a~1\unverified-microdesc-consensus
- from %LOCALAPPDATA%\weather widget\bin\x86\is-9fgld.tmp to %LOCALAPPDATA%\weather widget\bin\x86\bass_fx.dll
- from %LOCALAPPDATA%\weather widget\bin\x86\is-ctomu.tmp to %LOCALAPPDATA%\weather widget\bin\x86\bass_tta.dll
- from %LOCALAPPDATA%\weather widget\bin\x86\is-kvug4.tmp to %LOCALAPPDATA%\weather widget\bin\x86\copying.lgplv2.1
- from %LOCALAPPDATA%\weather widget\bin\x86\is-84rc8.tmp to %LOCALAPPDATA%\weather widget\bin\x86\ff_helper.dll
- from %LOCALAPPDATA%\weather widget\bin\x86\is-05jg6.tmp to %LOCALAPPDATA%\weather widget\bin\x86\gain_analysis.dll
- from %LOCALAPPDATA%\weather widget\bin\x86\is-4hqo6.tmp to %LOCALAPPDATA%\weather widget\bin\x86\libflac_dynamic.dll
- from %LOCALAPPDATA%\weather widget\bin\x86\is-ulg5e.tmp to %LOCALAPPDATA%\weather widget\bin\x86\bass_ofr.dll
- from %LOCALAPPDATA%\weather widget\bin\x86\is-0lp1s.tmp to %LOCALAPPDATA%\weather widget\bin\x86\optimfrog.dll
- from %LOCALAPPDATA%\weather widget\bin\x86\is-3v2j9.tmp to %LOCALAPPDATA%\weather widget\bin\x86\mp3gain.exe
- from %LOCALAPPDATA%\weather widget\bin\x86\is-70bqj.tmp to %LOCALAPPDATA%\weather widget\bin\x86\rg_ebur128.dll
- from %LOCALAPPDATA%\weather widget\bin\x86\is-rlbmu.tmp to %LOCALAPPDATA%\weather widget\bin\x86\bassmidi.dll
- from %LOCALAPPDATA%\weather widget\stuff\is-qlkcc.tmp to %LOCALAPPDATA%\weather widget\stuff\tagsreplace.txt
- from %LOCALAPPDATA%\weather widget\is-nd2ec.tmp to %LOCALAPPDATA%\weather widget\weatherwidget.exe
Substitutes the following files
- %TEMP%\4kpv6a~1\cached-certs.tmp
- %TEMP%\4kpv6a~1\cached-certs
- %LOCALAPPDATA%\weather widget\stuff\date.txt
- %LOCALAPPDATA%\weather widget\stuff\tagsreplace.txt
Deletes itself.
Network activity
Connects to
- 'se####ation17io.io':80
- 'va##k.gr':443
- 'ec####ducts.com.my':443
- 'pk#.goog':80
- 'localhost':49191
- '13#.#49.185.176':9001
- '10#.#7.25.148':443
- '19#.#3.244.244':443
- 'hu##.##pteamlife.com':443
- '5.##.66.0':80
- 'ft###yager.cc':80
TCP
HTTP GET requests
- http://pk#.goog/gsr1/gsr1.crt
- http://5.##.66.0/288c47bbc187122b439df19ff4df68f076.exe
- http://ft###yager.cc/ftp/index.php
HTTP POST requests
- http://se####ation17io.io/index.php
Other
- 'va##k.gr':443
- 'ec####ducts.com.my':443
- '19#.#3.244.244':443
- '10#.#7.25.148':443
- 'hu##.##pteamlife.com':443
UDP
- DNS ASK se####ation17io.io
- DNS ASK va##k.gr
- DNS ASK ec####ducts.com.my
- DNS ASK pk#.goog
- DNS ASK hu##.##pteamlife.com
- DNS ASK ft###yager.cc
Miscellaneous
Searches for the following windows
- ClassName: 'Registry Monitor - Sysinternals: www.sysinternals.com' WindowName: ''
- ClassName: '18467-41' WindowName: ''
- ClassName: '' WindowName: 'j30fd_WW1133FlashFixClass_j30fd'
Creates and executes the following
- '%TEMP%\631e.exe'
- '%TEMP%\6927.exe'
- '%TEMP%\86f5.exe'
- '%TEMP%\bf45.exe'
- '%TEMP%\cf1e.exe'
- '%TEMP%\is-de9mc.tmp\cf1e.tmp' /SL5="$160182,4599978,54272,%TEMP%\CF1E.exe"
- '%TEMP%\f757.exe'
- '%TEMP%\c6e.exe'
- '%LOCALAPPDATA%\weather widget\weatherwidget.exe' -i
- '%LOCALAPPDATA%\weather widget\weatherwidget.exe' -s
Executes the following
- '<SYSTEM32>\regsvr32.exe' /s %TEMP%\ACAE.dll
- '%WINDIR%\syswow64\net.exe' helpmsg 1132
- '%WINDIR%\syswow64\net1.exe' helpmsg 1132
