Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'StartupKey' = '"%APPDATA%\StartupKey.exe"'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'Tjvbb' = '%APPDATA%\wL6VK\Tjvbb.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'KamSS' = '%APPDATA%\bWIgV\KamSS.exe'
Malicious functions:
To bypass firewall, removes or modifies the following registry keys:
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'EnableFirewall' = '00000000'
To complicate detection of its presence in the operating system,
blocks execution of the following system utilities:
- Windows Task Manager (Taskmgr)
- Registry Editor (RegEdit)
blocks the following features:
- Windows Security Center
Creates and executes the following:
- '%TEMP%\BUTTPLUGS.EXE'
- '%TEMP%\HAX.EXE'
- '%TEMP%\WINDOWS COMMAND SHELL.EXE'
Executes the following:
- '%TEMP%\WINDOWS COMMAND SHELL.EXE'
- '%TEMP%\BUTTPLUGS.EXE'
- '%WINDIR%\Microsoft.NET\Framework\v2.0.50727\vbc.exe'
- '<SYSTEM32>\notepad.exe'
Injects code into
the following system processes:
- <SYSTEM32>\notepad.exe
- %WINDIR%\Microsoft.NET\Framework\v2.0.50727\vbc.exe
the following user processes:
- BUTTPLUGS.EXE
Modifies file system:
Creates the following files:
- %APPDATA%\StartupKey.exe
- %TEMP%\WINDOWS COMMAND SHELL.EXE
- %TEMP%\BUTTPLUGS.EXE
- %TEMP%\HAX.EXE
- %APPDATA%\Microsoft\CLR Security Config\v2.0.50727.42\security.config.cch.new
- %WINDIR%\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.new
- %APPDATA%\bWIgV\KamSS.exe
- %APPDATA%\wL6VK\Tjvbb.exe
- %WINDIR%\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.new
Deletes the following files:
- %APPDATA%\Microsoft\CLR Security Config\v2.0.50727.42\security.config.cch.3008.167515
- %WINDIR%\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.3008.167109
- %WINDIR%\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.3008.167093
Moves the following files:
- from %WINDIR%\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch to %WINDIR%\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.3252.180109
- from %WINDIR%\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch to %WINDIR%\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.3264.180656
- from %WINDIR%\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch to %WINDIR%\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.3252.180109
- from %APPDATA%\Microsoft\CLR Security Config\v2.0.50727.42\security.config.cch to %APPDATA%\Microsoft\CLR Security Config\v2.0.50727.42\security.config.cch.3252.180250
- from %APPDATA%\Microsoft\CLR Security Config\v2.0.50727.42\security.config.cch to %APPDATA%\Microsoft\CLR Security Config\v2.0.50727.42\security.config.cch.3264.180953
- from %APPDATA%\Microsoft\CLR Security Config\v2.0.50727.42\security.config.cch to %APPDATA%\Microsoft\CLR Security Config\v2.0.50727.42\security.config.cch.3276.181375
- from %WINDIR%\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch to %WINDIR%\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.3276.181078
- from %WINDIR%\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch to %WINDIR%\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.3264.180671
- from %WINDIR%\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch to %WINDIR%\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.3276.181046
- from %APPDATA%\Microsoft\CLR Security Config\v2.0.50727.42\security.config.cch.new to %APPDATA%\Microsoft\CLR Security Config\v2.0.50727.42\security.config.cch
- from %WINDIR%\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch to %WINDIR%\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.3008.167093
- from %WINDIR%\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.new to %WINDIR%\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch
- from %WINDIR%\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.new to %WINDIR%\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch
- from %APPDATA%\Microsoft\CLR Security Config\v2.0.50727.42\security.config.cch to %APPDATA%\Microsoft\CLR Security Config\v2.0.50727.42\security.config.cch.3008.167515
- from %APPDATA%\Microsoft\CLR Security Config\v2.0.50727.42\security.config.cch to %APPDATA%\Microsoft\CLR Security Config\v2.0.50727.42\security.config.cch.2992.164546
- from %WINDIR%\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch to %WINDIR%\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.2992.164390
- from %WINDIR%\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch to %WINDIR%\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.3008.167109
- from %WINDIR%\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch to %WINDIR%\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.2992.164390
Substitutes the following files:
- %APPDATA%\Microsoft\CLR Security Config\v2.0.50727.42\security.config.cch
- %WINDIR%\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.new
- %WINDIR%\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch
- %WINDIR%\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.new
- %WINDIR%\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch
- %APPDATA%\Microsoft\CLR Security Config\v2.0.50727.42\security.config.cch.new
Network activity:
Connects to:
- 'le#####ol.duckdns.org':911
- 'gr#####s.duckdns.org':1999
UDP:
- DNS ASK le#####ol.duckdns.org
- DNS ASK gr#####s.duckdns.org
