Technical Information
To ensure autorun and distribution
Modifies the following registry keys
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'AutoUpdate' = '%APPDATA%\log\AutoUpdate.exe'
Malicious functions
To complicate detection of its presence in the operating system,
blocks execution of the following system utilities:
- Windows Task Manager (Taskmgr)
- Registry Editor (RegEdit)
blocks the following features:
- System Restore (SR)
- User Account Control (UAC)
modifies the following system settings:
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] 'NoRun' = '00000001'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] 'NoFolderOptions' = '00000001'
- Hides taskbar notifications
Executes the following
- '%WINDIR%\syswow64\netsh.exe' firewall add allowedprogram program = STcONaURjstoJeQ(uMqeEfSfaGeNmho("yJmAEIBBXdvRXSFRGegUiJnA")) name = STcONaURjstoJeQ(uMqeEfSfaGeNmho("XQ0V1bwVGZ0FQZ==")) mode = ENABLE
- '%WINDIR%\syswow64\taskkill.exe' /F /IM chrome.exe
Terminates or attempts to terminate
the following user processes:
- iexplore.exe
- firefox.exe
Modifies file system
Creates the following files
- %TEMP%\aut77ce.tmp
- %LOCALAPPDATA%\microsoft\windows\history\history.ie5\mshist012020112120201122\index.dat
- %APPDATA%\microsoft\windows\cookies\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.ie5\kq0eohhq\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.ie5\f0xdgs80\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.ie5\vuhfwz3t\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.ie5\p53402u4\desktop.ini
- %APPDATA%\log\info.txt
- %APPDATA%\log\passwords.txt
- %LOCALAPPDATA%\microsoft\windows\history\low\history.ie5\index.dat
- %APPDATA%\microsoft\windows\cookies\low\index.dat
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\9mg8610l\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\sdurej20\desktop.ini
- %APPDATA%\microsoft\windows\iecompatcache\index.dat
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\2wqtwtvx\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\index.dat
- %LOCALAPPDATA%\microsoft\windows\history\low\history.ie5\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\history\low\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\desktop.ini
- %APPDATA%\log\scre.exe
- %TEMP%\aut78ab.tmp
- %APPDATA%\log\emai.exe
- %TEMP%\aut788b.tmp
- %APPDATA%\log\autoupdate.exe
- %TEMP%\aut785b.tmp
- %TEMP%\fbjiwiq
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\dsgabtv0\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\antiphishing\2cedbfbc-dba8-43aa-b1fd-cc8e6316e3e2.dat
Sets the 'hidden' attribute to the following files
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\dsgabtv0\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\2wqtwtvx\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\sdurej20\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\9mg8610l\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\history\low\history.ie5\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\history\low\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.ie5\p53402u4\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.ie5\vuhfwz3t\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.ie5\f0xdgs80\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.ie5\kq0eohhq\desktop.ini
- %APPDATA%\microsoft\windows\cookies\desktop.ini
Deletes the following files
- %TEMP%\aut77ce.tmp
- %TEMP%\fbjiwiq
- %TEMP%\aut785b.tmp
- %TEMP%\aut788b.tmp
- %TEMP%\aut78ab.tmp
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.ie5\bzjx5bke\icanhazip_com[1].txt
- %APPDATA%\microsoft\windows\cookies\low\index.dat
- %LOCALAPPDATA%\microsoft\windows\history\history.ie5\mshist012020112120201122\index.dat
Substitutes the following files
- %LOCALAPPDATA%\Microsoft\Windows\<INETFILES>\Content.IE5\desktop.ini
- %LOCALAPPDATA%\Microsoft\Windows\History\History.IE5\desktop.ini
- %APPDATA%\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol
Network activity
TCP
HTTP GET requests
- http://ic###azip.com/
UDP
- DNS ASK ed#####onaltools.info
- DNS ASK ic###azip.com
Miscellaneous
Searches for the following windows
- ClassName: 'BUTTON' WindowName: ''
- ClassName: '' WindowName: ''
Creates and executes the following
- '%WINDIR%\syswow64\cmd.exe' /c netsh firewall add allowedprogram program = STcONaURjstoJeQ(uMqeEfSfaGeNmho("yJmAEIBBXdvRXSFRGegUiJnA")) name = STcONaURjstoJeQ(uMqeEfSfaGeNmho("XQ0V1bwVGZ0FQZ==")) mode = ENABLE' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c %APPDATA%\log\pass.exe all' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /k systeminfo' (with hidden window)
Executes the following
- '%WINDIR%\syswow64\cmd.exe' /c netsh firewall add allowedprogram program = STcONaURjstoJeQ(uMqeEfSfaGeNmho("yJmAEIBBXdvRXSFRGegUiJnA")) name = STcONaURjstoJeQ(uMqeEfSfaGeNmho("XQ0V1bwVGZ0FQZ==")) mode = ENABLE
- '%WINDIR%\syswow64\rundll32.exe' "%WINDIR%\syswow64\WININET.dll",DispatchAPICall 1
- '%WINDIR%\syswow64\cmd.exe' /c %APPDATA%\log\pass.exe all
- '%WINDIR%\syswow64\cmd.exe' /k systeminfo
- '%WINDIR%\syswow64\systeminfo.exe'
- '%WINDIR%\syswow64\rundll32.exe' InetCpl.cpl,ClearMyTracksByProcess 255
- '%ProgramFiles(x86)%\internet explorer\iexplore.exe' -ResetDestinationList
- '%WINDIR%\syswow64\cmd.exe' /c taskkill /F /IM chrome.exe
