Technical Information
To ensure autorun and distribution
Sets the following service settings
- [HKLM\System\CurrentControlSet\Services\s3cr3ts3rvic3] 'Start' = '00000002'
- [HKLM\System\CurrentControlSet\Services\s3cr3ts3rvic3] 'ImagePath' = '<PATH_SAMPLE>_2.exe'
Creates the following services
- 's3cr3ts3rvic3' <PATH_SAMPLE>_2.exe
- 's3cr3ts3rvic3' <SYSTEM32>\svchost.exe -k s3cr3ts3rvic3
Malicious functions
Injects code into
the following system processes:
- %WINDIR%\explorer.exe
Installs hooks to intercept notifications
on keystrokes:
- Handler for the 'explorer.exe' process: <PATH_SAMPLE>_0.dll
Modifies file system
Creates the following files
- <Current directory>\writefile.tmp
- C:\users\testcaseuser1\appdata\roaming\microsoft\windows\sendto\desktop (create shortcut).desklink
- C:\users\testcaseuser1\appdata\roaming\microsoft\internet explorer\quick launch\desktop.ini
- C:\users\testcaseuser1\appdata\roaming\microsoft\windows\sendto\mail recipient.mapimail
- C:\users\testcaseuser1\appdata\roaming\microsoft\windows\sendto\desktop.ini
- C:\users\testcaseuser1\appdata\roaming\microsoft\windows\sendto\compressed (zipped) folder.zfsendtotarget
- C:\users\testcaseuser1\appdata\roaming\microsoft\windows\sendto\fax recipient.lnk
- C:\users\testcaseuser1\ntuser.ini
- C:\users\testcaseuser1\appdata\local\microsoft\windows\usrclass.dat.log1
- C:\users\testcaseuser1\ntuser.dat.log1
- <PATH_SAMPLE>_2.exe
- C:\users\testcaseuser1\appdata\roaming\microsoft\protect\credhist
- C:\users\testcaseuser1\appdata\roaming\microsoft\protect\synchist
- <SYSTEM32>\microsoft\protect\recovery\recovery.dat
- <SYSTEM32>\microsoft\protect\recovery\recovery.dat.log1
- <Current directory>\writefile2.tmp
- <Current directory>\tmp1.txt
- <PATH_SAMPLE>_0.dll
- <PATH_SAMPLE>_1.dll
- C:\users\testcaseuser1\appdata\roaming\microsoft\internet explorer\quick launch\shows desktop.lnk
- C:\users\testcaseuser1\appdata\local\microsoft\windows\usrclass.dat
- C:\users\testcaseuser1\appdata\roaming\microsoft\windows\start menu\programs\accessories\accessibility\desktop.ini
- C:\users\testcaseuser1\appdata\roaming\microsoft\windows\start menu\programs\accessories\command prompt.lnk
- <Current directory>\writefileex.tmp
- <Current directory>\createfiletransacted.tmp
- <Current directory>\tmp.txt
- C:\users\testcaseuser1\ntuser.dat
- C:\users\testcaseuser1\appdata\roaming\microsoft\windows\start menu\programs\maintenance\help.lnk
- C:\users\testcaseuser1\appdata\roaming\microsoft\windows\start menu\programs\maintenance\desktop.ini
- C:\users\testcaseuser1\appdata\roaming\microsoft\windows\start menu\programs\accessories\system tools\private character editor.lnk
- C:\users\testcaseuser1\appdata\roaming\microsoft\windows\start menu\programs\accessories\system tools\computer.lnk
- C:\users\testcaseuser1\appdata\roaming\microsoft\windows\start menu\programs\accessories\accessibility\on-screen keyboard.lnk
- C:\users\testcaseuser1\appdata\roaming\microsoft\windows\start menu\programs\accessories\accessibility\magnify.lnk
- C:\users\testcaseuser1\appdata\roaming\microsoft\windows\start menu\programs\accessories\run.lnk
- C:\users\testcaseuser1\appdata\roaming\microsoft\windows\start menu\programs\accessories\system tools\control panel.lnk
- C:\users\testcaseuser1\appdata\roaming\microsoft\windows\start menu\programs\accessories\accessibility\narrator.lnk
- C:\users\testcaseuser1\appdata\roaming\microsoft\windows\start menu\programs\accessories\desktop.ini
- C:\users\testcaseuser1\appdata\roaming\microsoft\windows\start menu\programs\accessories\windows explorer.lnk
- C:\users\testcaseuser1\appdata\roaming\microsoft\windows\start menu\programs\accessories\system tools\desktop.ini
- C:\users\testcaseuser1\appdata\roaming\microsoft\windows\start menu\programs\accessories\notepad.lnk
- C:\users\testcaseuser1\appdata\roaming\microsoft\windows\start menu\programs\accessories\accessibility\ease of access.lnk
- C:\users\testcaseuser1\appdata\roaming\microsoft\internet explorer\quick launch\window switcher.lnk
- <SYSTEM32>\s3cr3ts3rvic3.dll
Sets the 'hidden' attribute to the following files
- C:\users\testcaseuser1\ntuser.dat
- C:\users\testcaseuser1\appdata\local\microsoft\windows\usrclass.dat
Deletes the following files
- <Current directory>\tmp.txt
- <Current directory>\writefile.tmp
- <Current directory>\writefile2.tmp
- <Current directory>\tmp1.txt
- %WINDIR%\win.ini
Substitutes the following files
- <Current directory>\tmp.txt
- <Current directory>\tmp1.txt
Network activity
Connects to
- 'localhost':445
- 'ft#.##.#uhr-uni-bochum.de':21
- 'vm###.firma.cc':21
- 'vm#####otexist.firma.cc':21
- 'ft#.##.#uhr-uni-bochum.de':46267
- 'ft#.##.#uhr-uni-bochum.de':41327
- 'ft#.##.#uhr-uni-bochum.de':33021
- 'ft#.##.#uhr-uni-bochum.de':40225
- 'localhost':20006
- 'microsoft.com':80
- 'microsoft.com':443
- 'ft#.##.#uhr-uni-bochum.de':43539
- 'ft#.##.#uhr-uni-bochum.de':40501
- 'ft#.##.#uhr-uni-bochum.de':44147
- 'ft#.##.#uhr-uni-bochum.de':40435
- 'vm##y.com':443
- 'vm##y.com':80
- 'localhost':20013
- 'localhost':20012
- 'localhost':20011
- 'localhost':20010
- 'localhost':20009
- 'localhost':20008
- 'localhost':20007
- 'ft#.##.#uhr-uni-bochum.de':41429
- 'localhost':20005
- 'localhost':20004
- 'localhost':20003
- 'localhost':20002
- 'localhost':20001
- 'localhost':20000
- 'localhost':135
- 'ft#.gsn.de':21
- 'ft#.##.#uhr-uni-bochum.de':80
TCP
HTTP GET requests
- http://www.vm##y.com/team/
- http://www.vm##y.com/not-exists
- http://www.vm##y.com/not_exist
- http://www.vm##y.com/contact/
- http://www.my#####n_at_powweb.com/team/
- http://www.microsoft.com/
- http://www.my#####n_at_powweb.com/inteam/
Other
- 'localhost':445
- 'vm#####otexist.firma.cc':21
- 'vm###.firma.cc':21
- 'ft#.##.#uhr-uni-bochum.de':21
- 'vm##y.com':443
- 'localhost':20013
- 'localhost':49196
- 'localhost':20012
- 'localhost':20011
- 'localhost':20010
- 'localhost':20009
- 'microsoft.com':443
- 'localhost':20008
- 'localhost':20006
- 'localhost':20005
- 'localhost':20004
- 'localhost':20003
- 'localhost':20002
- 'localhost':20001
- 'localhost':20000
- 'localhost':49183
- 'localhost':135
- 'localhost':49182
- 'localhost':20007
- 'ft#.gsn.de':21
UDP
- DNS ASK 49.##.##.49.in-addr.arpa
- DNS ASK vm###.not-exists
- DNS ASK vm###.firma.cc
- DNS ASK ft#.##.#uhr-uni-bochum.de
- DNS ASK ft#.gsn.de
- DNS ASK vm#####otexist.firma.cc
- DNS ASK vm##y.com
- DNS ASK microsoft.com
- DNS ASK google.com
- DNS ASK vm####notexist.com
- 'localhost':21000
- 'localhost':21005
- 'localhost':21004
- 'localhost':21003
- 'localhost':21002
- 'localhost':21001
- 'localhost':21006
Miscellaneous
Creates and executes the following
- '<PATH_SAMPLE>_2.exe'
- '<SYSTEM32>\cmd.exe' ' (with hidden window)
Restarts the analyzed sample
Executes the following
- '<SYSTEM32>\cmd.exe'
- '<SYSTEM32>\svchost.exe' -k defragsvc
- '<SYSTEM32>\rundll32.exe' <SYSTEM32>\FirewallControlPanel.dll,ShowNotificationDialog /configure /ETOnly 0 /OnProfiles 6 /OtherAllowed 0 /OtherBlocked 0 /OtherEdgeAllowed 0 /NewBlocked 4 "<Full path to file>"
