Technical Information
Malicious functions
Searches for windows to
detect analytical utilities:
- ClassName: 'OLLYDBG', WindowName: ''
- ClassName: 'GBDYLLO', WindowName: ''
- ClassName: 'pediy06', WindowName: ''
Modifies file system
Creates the following files
- %TEMP%\yyhqcnxpmrwdlk.exe
- %TEMP%\_mei6442\api-ms-win-crt-runtime-l1-1-0.dll
- %TEMP%\_mei6442\api-ms-win-crt-process-l1-1-0.dll
- %TEMP%\_mei6442\api-ms-win-crt-math-l1-1-0.dll
- %TEMP%\_mei6442\api-ms-win-crt-locale-l1-1-0.dll
- %TEMP%\_mei6442\api-ms-win-crt-heap-l1-1-0.dll
- %TEMP%\_mei6442\api-ms-win-crt-filesystem-l1-1-0.dll
- %TEMP%\_mei6442\api-ms-win-crt-environment-l1-1-0.dll
- %TEMP%\_mei6442\api-ms-win-crt-convert-l1-1-0.dll
- %TEMP%\_mei6442\api-ms-win-crt-conio-l1-1-0.dll
- %TEMP%\_mei6442\api-ms-win-core-util-l1-1-0.dll
- %TEMP%\_mei6442\api-ms-win-core-timezone-l1-1-0.dll
- %TEMP%\_mei6442\api-ms-win-core-sysinfo-l1-1-0.dll
- %TEMP%\_mei6442\api-ms-win-core-synch-l1-2-0.dll
- %TEMP%\_mei6442\api-ms-win-core-synch-l1-1-0.dll
- %TEMP%\_mei6442\api-ms-win-core-string-l1-1-0.dll
- %TEMP%\_mei6442\api-ms-win-core-rtlsupport-l1-1-0.dll
- %TEMP%\_mei6442\api-ms-win-core-profile-l1-1-0.dll
- %TEMP%\_mei6442\api-ms-win-core-processthreads-l1-1-0.dll
- %TEMP%\_mei6442\api-ms-win-core-processthreads-l1-1-1.dll
- %TEMP%\_mei6442\api-ms-win-crt-stdio-l1-1-0.dll
- %TEMP%\_mei6442\api-ms-win-crt-string-l1-1-0.dll
- %TEMP%\_mei6442\cryptography-2.2.2-py3.7.egg-info\record
- %TEMP%\_mei6442\cryptography-2.2.2-py3.7.egg-info\metadata
- %TEMP%\_mei6442\cryptography-2.2.2-py3.7.egg-info\installer
- %TEMP%\_mei6442\base_library.zip
- %TEMP%\_mei6442\ca\client.key
- %TEMP%\_mei6442\ca\ca.key
- %TEMP%\_mei6442\ca\ca.crt
- %TEMP%\_mei6442\unicodedata.pyd
- %TEMP%\_mei6442\select.pyd
- %TEMP%\_mei6442\api-ms-win-core-debug-l1-1-0.dll
- %TEMP%\_mei6442\python37.dll
- %TEMP%\_mei6442\pyexpat.pyd
- %TEMP%\_mei6442\libssl-1_1.dll
- %TEMP%\_mei6442\libcrypto-1_1.dll
- %TEMP%\_mei6442\cryptography\hazmat\bindings\_openssl.cp37-win_amd64.pyd
- %TEMP%\_mei6442\cryptography\hazmat\bindings\_constant_time.cp37-win_amd64.pyd
- %TEMP%\_mei6442\api-ms-win-crt-utility-l1-1-0.dll
- %TEMP%\_mei6442\api-ms-win-crt-time-l1-1-0.dll
- %TEMP%\_mei6442\api-ms-win-core-processenvironment-l1-1-0.dll
- %TEMP%\_mei6442\api-ms-win-core-namedpipe-l1-1-0.dll
- %TEMP%\_mei6442\api-ms-win-core-memory-l1-1-0.dll
- C:\gecici_proje_klasoru\temp.vbs
- %TEMP%\aut7303.tmp
- C:\gecici_proje_klasoru\s.exe
- %TEMP%\aut72e3.tmp
- C:\gecici_proje_klasoru\licensemalwarebytes.exe
- %TEMP%\aut6f1b.tmp
- C:\gecici_proje_klasoru\h.exe
- %TEMP%\aut6eeb.tmp
- C:\gecici_proje_klasoru\e.exe
- %TEMP%\aut6eac.tmp
- C:\gecici_proje_klasoru\k.png
- %TEMP%\aut6eab.tmp
- C:\gecici_proje_klasoru\grey.gif
- %TEMP%\aut6e9a.tmp
- %ALLUSERSPROFILE%\mntemp
- %TEMP%\stiwatfjfdjmyb.exe
- %TEMP%\_mei6442\licensemalwarebytes.exe.manifest
- %TEMP%\_mei6442\vcruntime140.dll
- %TEMP%\76b5.tmp\s.bat
- %TEMP%\_mei6442\_bz2.pyd
- %TEMP%\_mei6442\api-ms-win-core-localization-l1-2-0.dll
- %TEMP%\_mei6442\_cffi_backend.cp37-win_amd64.pyd
- %TEMP%\_mei6442\api-ms-win-core-libraryloader-l1-1-0.dll
- %TEMP%\_mei6442\api-ms-win-core-interlocked-l1-1-0.dll
- %TEMP%\_mei6442\api-ms-win-core-heap-l1-1-0.dll
- %TEMP%\_mei6442\api-ms-win-core-handle-l1-1-0.dll
- %TEMP%\_mei6442\api-ms-win-core-file-l2-1-0.dll
- %TEMP%\_mei6442\api-ms-win-core-file-l1-2-0.dll
- %TEMP%\_mei6442\api-ms-win-core-file-l1-1-0.dll
- %TEMP%\_mei6442\ucrtbase.dll
- %TEMP%\_mei6442\cryptography-2.2.2-py3.7.egg-info\wheel
- %TEMP%\_mei6442\api-ms-win-core-datetime-l1-1-0.dll
- %TEMP%\_mei6442\api-ms-win-core-console-l1-1-0.dll
- %TEMP%\_mei6442\_ssl.pyd
- %TEMP%\_mei6442\_socket.pyd
- %TEMP%\_mei6442\_lzma.pyd
- %TEMP%\_mei6442\_hashlib.pyd
- %TEMP%\_mei6442\_decimal.pyd
- %TEMP%\_mei6442\_ctypes.pyd
- %TEMP%\_mei6442\api-ms-win-core-errorhandling-l1-1-0.dll
- %TEMP%\_mei6442\cryptography-2.2.2-py3.7.egg-info\top_level.txt
Sets the 'hidden' attribute to the following files
- C:\gecici_proje_klasoru\s.exe
- C:\gecici_proje_klasoru\temp.vbs
- C:\gecici_proje_klasoru\licensemalwarebytes.exe
- C:\gecici_proje_klasoru\h.exe
- C:\gecici_proje_klasoru\e.exe
- C:\gecici_proje_klasoru\k.png
Deletes the following files
- %TEMP%\aut6e9a.tmp
- %TEMP%\aut6eab.tmp
- %TEMP%\aut6eac.tmp
- %TEMP%\aut6eeb.tmp
- %TEMP%\aut6f1b.tmp
- %TEMP%\aut72e3.tmp
- %TEMP%\aut7303.tmp
- %TEMP%\76b5.tmp\s.bat
Substitutes the following files
- %ALLUSERSPROFILE%\ntuser.pol
- %HOMEPATH%\ntuser.pol
Modifies the HOSTS file.
Network activity
TCP
HTTP GET requests
- http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt
UDP
- DNS ASK ap#.#pify.org
- DNS ASK microsoft.com
Miscellaneous
Searches for the following windows
- ClassName: 'EDIT' WindowName: ''
Creates and executes the following
- '%TEMP%\yyhqcnxpmrwdlk.exe'
- '%TEMP%\stiwatfjfdjmyb.exe'
- 'C:\gecici_proje_klasoru\s.exe'
- 'C:\gecici_proje_klasoru\h.exe'
- 'C:\gecici_proje_klasoru\licensemalwarebytes.exe'
- '<SYSTEM32>\cmd.exe' /c "%TEMP%\76B5.tmp\S.bat C:\gecici_proje_klasoru\S.exe"' (with hidden window)
Executes the following
- '<SYSTEM32>\cmd.exe' /c "%TEMP%\76B5.tmp\S.bat C:\gecici_proje_klasoru\S.exe"
- '<SYSTEM32>\attrib.exe' +h +s "\gecici_proje_klasoru"
- '<SYSTEM32>\attrib.exe' +h +s "\gecici_proje_klasoru\S.exe"
- '<SYSTEM32>\attrib.exe' +h +s "\gecici_proje_klasoru\Temp.vbs"
- '<SYSTEM32>\attrib.exe' +h +s "\gecici_proje_klasoru\LicenseMalwareBytes.exe"
- '<SYSTEM32>\attrib.exe' +h +s "\gecici_proje_klasoru\H.exe"
- '<SYSTEM32>\attrib.exe' +h +s "\gecici_proje_klasoru\E.exe"
- '<SYSTEM32>\attrib.exe' +h +s "\gecici_proje_klasoru\K.png"
- '<SYSTEM32>\cmd.exe' /c gpupdate /force
- '<SYSTEM32>\gpupdate.exe' /force
- '<SYSTEM32>\gpscript.exe' /RefreshSystemParam
- '<SYSTEM32>\rundll32.exe' <SYSTEM32>\FirewallControlPanel.dll,ShowNotificationDialog /configure /ETOnly 0 /OnProfiles 6 /OtherAllowed 0 /OtherBlocked 0 /OtherEdgeAllowed 0 /NewBlocked 4 "C:\gecici_proje_klasoru\licensem...
- '<SYSTEM32>\raserver.exe' /offerraupdate
