Technical Information
Malicious functions:
Executes the following:
- '<SYSTEM32>\svchost.exe'
- '<SYSTEM32>\svchost.exe' -o pool.monero.hashvault.pro:5555 -u 45EtZzUs6WNGT2fKdStEzxKVNjEwwdoWD6RceQYyd2ce1s8rvivaBKKdN5UaxBCvQVhUSWhRZjfEp46XxbYS6eqvN3Pib25 -p x -k --donate-level=1 -B
- '<SYSTEM32>\schtasks.exe' /Create /TN "SDNKHD\SDNKHD" /XML "%APPDATA%\SDNKHD\aooooo.xml"
- '<SYSTEM32>\schtasks.exe' /Create /TN "GWOP\GWOP" /XML "%APPDATA%\GWOP\aBBBBB.xml"
Injects code into
the following system processes:
- <SYSTEM32>\svchost.exe
Modifies file system:
Creates the following files:
- %APPDATA%\GWOP\YVVL.exe
- %APPDATA%\GWOP\aBBBBB.xml
- %APPDATA%\SDNKHD\SDNKHD.exe
- %APPDATA%\SDNKHD\aooooo.xml
Deletes the following files:
- %APPDATA%\GWOP\aBBBBB.xml
- %APPDATA%\SDNKHD\aooooo.xml
Network activity:
Connects to:
- 'po##.###ero.hashvault.pro':5555
UDP:
- DNS ASK po##.###ero.hashvault.pro
