Technical Information
Malicious functions
Executes the following
- '%WINDIR%\syswow64\netsh.exe' advfirewall firewall add rule name="STARCAT TCP" dir=in action=allow protocol=TCP localport=25001-25006
- '%WINDIR%\syswow64\netsh.exe' advfirewall firewall add rule name="STARCAT UDP" dir=in action=allow protocol=UDP localport=25000,25001,26000
Modifies file system
Creates the following files
- <Current directory>\moscii\config\log.cfg
- %TEMP%\tmp_44091.6612427199
- %TEMP%\tmp_44091.6612221181
- %TEMP%\tmp_44091.6611911343
- %WINDIR%\moscii\inventory\89c7cf37-aed0-4811-9a49-f8969ab0ba0a_info.xml
- %WINDIR%\moscii\inventory\89c7cf37-aed0-4811-9a49-f8969ab0ba0a_hwinv.xml
- %WINDIR%\moscii\inventory\89c7cf37-aed0-4811-9a49-f8969ab0ba0a_swinv.xml
- %TEMP%\tmp_44091.661262662
- %WINDIR%\moscii\logs\vistamnt.exe.log
- %TEMP%\tmp_44091.661076331
- %WINDIR%\moscii\logs\<File name>.exe.log
- %WINDIR%\moscii\config\log.cfg
- %WINDIR%\<File name>.exe
- %TEMP%\tmp_44091.6610173611
- <Current directory>\moscii\logs\<File name>.exe.log
- %WINDIR%\vistamnt.exe
- %TEMP%\tmp_44091.6612814699
Deletes the following files
- %TEMP%\tmp_44091.6610173611
- %TEMP%\tmp_44091.661076331
- %TEMP%\tmp_44091.6611911343
- %TEMP%\tmp_44091.6612221181
- %TEMP%\tmp_44091.6612427199
- %TEMP%\tmp_44091.661262662
- %TEMP%\tmp_44091.6612814699
Network activity
Connects to
- 'localhost':33333
UDP
- '<LOCALNET>.53.41':25000
Miscellaneous
Creates and executes the following
- '%WINDIR%\<File name>.exe'
- '%WINDIR%\vistamnt.exe'
- '%WINDIR%\syswow64\cmd.exe' ^/C del %TEMP%\tmp_*.* >%TEMP%\\tmp_44091.6610173611' (with hidden window)
- '%WINDIR%\<File name>.exe' ' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' ^/C del %TEMP%\tmp_*.* >%TEMP%\\tmp_44091.661076331' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' ^/C netsh advfirewall firewall delete rule name="STARCAT TCP" >%TEMP%\\tmp_44091.6611911343' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' ^/C netsh advfirewall firewall delete rule name="STARCAT UDP" >%TEMP%\\tmp_44091.6612221181' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' ^/C netsh advfirewall firewall delete rule name="StarCat Agent" >%TEMP%\\tmp_44091.6612427199' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' ^/C netsh advfirewall firewall add rule name="STARCAT TCP" dir=in action=allow protocol=TCP localport=25001-25006 >%TEMP%\\tmp_44091.661262662' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' ^/C netsh advfirewall firewall add rule name="STARCAT UDP" dir=in action=allow protocol=UDP localport=25000,25001,26000 >%TEMP%\\tmp_44091.6612814699' (with hidden window)
Executes the following
- '%WINDIR%\syswow64\cmd.exe' ^/C del %TEMP%\tmp_*.* >%TEMP%\\tmp_44091.6610173611
- '%WINDIR%\syswow64\cmd.exe' ^/C del %TEMP%\tmp_*.* >%TEMP%\\tmp_44091.661076331
- '<SYSTEM32>\rundll32.exe' <SYSTEM32>\FirewallControlPanel.dll,ShowNotificationDialog /configure /ETOnly 0 /OnProfiles 6 /OtherAllowed 0 /OtherBlocked 0 /OtherEdgeAllowed 0 /NewBlocked 4 "%WINDIR%\<File name>.exe"
- '%WINDIR%\syswow64\cmd.exe' ^/C netsh advfirewall firewall delete rule name="STARCAT TCP" >%TEMP%\\tmp_44091.6611911343
- '%WINDIR%\syswow64\netsh.exe' advfirewall firewall delete rule name="STARCAT TCP"
- '%WINDIR%\syswow64\cmd.exe' ^/C netsh advfirewall firewall delete rule name="STARCAT UDP" >%TEMP%\\tmp_44091.6612221181
- '%WINDIR%\syswow64\netsh.exe' advfirewall firewall delete rule name="STARCAT UDP"
- '%WINDIR%\syswow64\cmd.exe' ^/C netsh advfirewall firewall delete rule name="StarCat Agent" >%TEMP%\\tmp_44091.6612427199
- '%WINDIR%\syswow64\netsh.exe' advfirewall firewall delete rule name="StarCat Agent"
- '%WINDIR%\syswow64\cmd.exe' ^/C netsh advfirewall firewall add rule name="STARCAT TCP" dir=in action=allow protocol=TCP localport=25001-25006 >%TEMP%\\tmp_44091.661262662
- '%WINDIR%\syswow64\cmd.exe' ^/C netsh advfirewall firewall add rule name="STARCAT UDP" dir=in action=allow protocol=UDP localport=25000,25001,26000 >%TEMP%\\tmp_44091.6612814699
- '<SYSTEM32>\rundll32.exe' <SYSTEM32>\FirewallControlPanel.dll,ShowNotificationDialog /configure /ETOnly 0 /OnProfiles 6 /OtherAllowed 0 /OtherBlocked 0 /OtherEdgeAllowed 0 /NewBlocked 4 "%WINDIR%\vistamnt.exe"
