Technical Information
To ensure autorun and distribution
Modifies the following registry keys
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'Host Process for Windows Services' = 'C:\svchost.exe'
Malicious functions
Executes the following
- '%WINDIR%\syswow64\netsh.exe' advfirewall firewall add rule name=OCX program=%WINDIR%\SysWOW64\IFHUOD\ocx.exe protocol=tcp dir=out enable=yes action=allow profile=public
Modifies file system
Creates the following files
- C:\svchost.exe
- C:\ps0.ps1
- C:\7.ps1
- C:\ps.ps1
- <LS_APPDATA>\microsoft\windows\<INETFILES>\content.ie5\caasbycl\dnserrordiagoff_weboc[1]
- <LS_APPDATA>\microsoft\windows\<INETFILES>\content.ie5\re1n75kr\errorpagetemplate[1]
- <LS_APPDATA>\microsoft\windows\<INETFILES>\content.ie5\0u8lpyu9\errorpagestrings[1]
- <LS_APPDATA>\microsoft\windows\<INETFILES>\content.ie5\caasbycl\httperrorpagesscripts[1]
- <LS_APPDATA>\microsoft\windows\<INETFILES>\content.ie5\bzjx5bke\background_gradient[2]
- <LS_APPDATA>\microsoft\windows\<INETFILES>\content.ie5\bzjx5bke\info_48[1]
- <LS_APPDATA>\microsoft\windows\<INETFILES>\content.ie5\0u8lpyu9\bullet[1]
- <LS_APPDATA>\microsoft\windows\<INETFILES>\content.ie5\caasbycl\down[1]
Sets the 'hidden' attribute to the following files
- C:\svchost.exe
Miscellaneous
Searches for the following windows
- ClassName: 'MS_AutodialMonitor' WindowName: ''
- ClassName: 'MS_WebCheckMonitor' WindowName: ''
Creates and executes the following
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' powershell -ExecutionPolicy ByPass -File c:\Ps0.ps1
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' powershell -ExecutionPolicy ByPass -File c:\7.ps1
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' powershell -ExecutionPolicy ByPass -File c:\PS.ps1
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -ExecutionPolicy ByPass -File c:\PS.ps1
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -ExecutionPolicy ByPass -File c:\7.ps1
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -ExecutionPolicy ByPass -File c:\Ps0.ps1
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath C:\' (with hidden window)
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' Add-MpPreference -ExclusionExtension .exe' (with hidden window)
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' Add-MpPreference -ExclusionExtension .rar' (with hidden window)
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' Add-MpPreference -ExclusionExtension .sys' (with hidden window)
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' Add-MpPreference -ExclusionExtension .zip' (with hidden window)
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' Set-MpPreference -enablecontrolledfolderaccess disabled' (with hidden window)
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' powershell -ExecutionPolicy ByPass -File c:\Ps0.ps1' (with hidden window)
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' powershell -ExecutionPolicy ByPass -File c:\7.ps1' (with hidden window)
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' powershell -ExecutionPolicy ByPass -File c:\PS.ps1' (with hidden window)
Executes the following
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath C:\
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' Add-MpPreference -ExclusionExtension .exe
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' Add-MpPreference -ExclusionExtension .rar
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' Add-MpPreference -ExclusionExtension .sys
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' Add-MpPreference -ExclusionExtension .zip
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' Set-MpPreference -enablecontrolledfolderaccess disabled
