Technical Information
To ensure autorun and distribution
Creates or modifies the following files
- <SYSTEM32>\tasks\firefox default browser agent 434f74e847fa28a7
- <SYSTEM32>\tasks\timer
Malicious functions
Executes the following
- '<SYSTEM32>\netsh.exe' advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="%WINDIR%\System\svchost.exe" enable=yes
- '<SYSTEM32>\netsh.exe' advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="%WINDIR%\System\svchost.exe" enable=yes
Terminates or attempts to terminate
the following system processes:
- %WINDIR%\system\svchost.exe
Modifies file system
Creates the following files
- %APPDATA%\bdujvvf
- %TEMP%\144b.exe
- %TEMP%\2d48.exe
- %WINDIR%\system\svchost.exe
- %APPDATA%\tor\state.tmp
- %APPDATA%\tor\unverified-microdesc-consensus.tmp
- %APPDATA%\tor\cached-certs.tmp
- %APPDATA%\tor\cached-microdesc-consensus.tmp
- %APPDATA%\tor\cached-microdescs.new
Sets the 'hidden' attribute to the following files
- %APPDATA%\bdujvvf
Deletes the following files
- %APPDATA%\tor\unverified-microdesc-consensus
- %APPDATA%\tor\state
Moves the following files
- from %APPDATA%\tor\state.tmp to %APPDATA%\tor\state
- from %APPDATA%\tor\unverified-microdesc-consensus.tmp to %APPDATA%\tor\unverified-microdesc-consensus
- from %APPDATA%\tor\cached-certs.tmp to %APPDATA%\tor\cached-certs
- from %APPDATA%\tor\cached-microdesc-consensus.tmp to %APPDATA%\tor\cached-microdesc-consensus
Substitutes the following files
- %APPDATA%\tor\state
Deletes itself.
Network activity
Connects to
- 'fi#####in-host-12.com':80
- '10#.#44.76.184':443
- '21#.#1.136.243':9001
- '45.##0.180.71':1430
- '18#.#1.76.113':443
- '14#.#51.90.48':9001
- '51.##.73.194':9001
- '87.##0.36.212':443
- '66.##5.241.228':9001
- '18#.#2.222.237':9443
- '21#.#82.198.80':443
- '51.##1.35.113':9001
- '5.#.99.181':9001
- '18#.#20.101.239':9443
- '88.##8.224.82':443
- '17#.#54.26.11':8332
- '20#.#1.197.91':9001
- '13#.#1.174.201':9001
- '18#.#8.46.245':9001
- '2.##.35.45':9001
- 'localhost':49191
- 'localhost':9150
- '19#.#33.48.90':80
- '45.##.139.224':80
- '19#.#09.193.142':1194
- '95.#17.62.4':9001
TCP
HTTP GET requests
- http://45.##.139.224/futra.exe
- http://19#.#33.48.90/sloa.exe
HTTP POST requests
- http://fi#####in-host-12.com/
Other
- 'localhost':9150
- '10#.#44.76.184':443
- '21#.#1.136.243':9001
- '66.##5.241.228':9001
- '51.##1.35.113':9001
- '87.##0.36.212':443
- '18#.#2.222.237':9443
- '18#.#1.76.113':443
- '14#.#51.90.48':9001
- '45.##0.180.71':1430
- '51.##.73.194':9001
- '18#.#20.101.239':9443
- '88.##8.224.82':443
- '21#.#82.198.80':443
- '5.#.99.181':9001
- '20#.#1.197.91':9001
- '17#.#54.26.11':8332
- '13#.#1.174.201':9001
- '18#.#8.46.245':9001
- 'localhost':49190
- '19#.#09.193.142':1194
- '95.#17.62.4':9001
UDP
- DNS ASK ho#####ta-coin-11.com
- DNS ASK fi#####in-host-12.com
Miscellaneous
Creates and executes the following
- '%TEMP%\144b.exe'
- '%TEMP%\2d48.exe'
- '%WINDIR%\system\svchost.exe' formal
- '%APPDATA%\bdujvvf'
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath %WINDIR%\' (with hidden window)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath \\?\%WINDIR% \' (with hidden window)
- '<SYSTEM32>\netsh.exe' advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="%WINDIR%\System\svchost.exe" enable=yes' (with hidden window)
- '<SYSTEM32>\netsh.exe' advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="%WINDIR%\System\svchost.exe" enable=yes' (with hidden window)
- '<SYSTEM32>\schtasks.exe' /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr %WINDIR%\system\svchost.exe /ru SYSTEM' (with hidden window)
- '%WINDIR%\system\svchost.exe' formal' (with hidden window)
- '%APPDATA%\bdujvvf' ' (with hidden window)
Executes the following
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath %WINDIR%\
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath \\?\%WINDIR% \
- '<SYSTEM32>\schtasks.exe' /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr %WINDIR%\system\svchost.exe /ru SYSTEM
- '<SYSTEM32>\taskeng.exe' {08D442C4-516E-4E4B-818F-23406345E9B2} S-1-5-21-1960123792-2022915161-3775307078-1001:djyxiew\user:Interactive:[1]
