Technical Information
Malicious functions
Modifies settings of Windows Internet Explorer
- [<HKCU>\Software\Microsoft\windows\CurrentVersion\Internet Settings] 'ProxyEnable' = '00000001'
- [<HKCU>\Software\Microsoft\windows\CurrentVersion\Internet Settings] 'ProxyServer' = 'http=127.0.0.1:7788;https=127.0.0.1:7788;'
- [<HKCU>\Software\Microsoft\windows\CurrentVersion\Internet Settings] 'ProxyOverride' = '<-loopback>'
Modifies file system
Creates the following files
- %APPDATA%\fiddler\fd.vshost.exe
- %APPDATA%\microsoft\crypto\rsa\s-1-5-21-1960123792-2022915161-3775307078-1001\be24f11f2b5595cb535e8491c94d4bcf_36d1130a-ac2e-44f7-9dc1-e424fbcbe0ee
- %APPDATA%\microsoft\systemcertificates\my\keys\a193d6ec943dbddb849c2aec821d04f4a5cd8cdb
- %APPDATA%\microsoft\systemcertificates\my\certificates\8d265e5e0519d31fe59b7c01b20472560c09f803
- %APPDATA%\microsoft\crypto\rsa\s-1-5-21-1960123792-2022915161-3775307078-1001\7b90a71bfc56f2582e916a51aed6df9a_36d1130a-ac2e-44f7-9dc1-e424fbcbe0ee
- %LOCALAPPDATA%\microsoft\windows\history\low\history.ie5\index.dat
- %APPDATA%\microsoft\windows\cookies\low\index.dat
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\2h207o2d\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\8qvgoo56\desktop.ini
- %APPDATA%\microsoft\systemcertificates\my\certificates\512bcd822884882699619698b00fdc92e82280f0
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\td5p50s3\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\index.dat
- %LOCALAPPDATA%\microsoft\windows\history\low\history.ie5\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\history\low\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\desktop.ini
- %APPDATA%\fiddler\makecert.exe
- %APPDATA%\fiddler\fiddlercore.dll
- %APPDATA%\fiddler\fd.exe
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\cbhbqdnf\desktop.ini
- %APPDATA%\microsoft\systemcertificates\my\keys\12ed96f8c5407b5c8af923e57ace7e64c4ff7e6e
Sets the 'hidden' attribute to the following files
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\cbhbqdnf\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\td5p50s3\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\8qvgoo56\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\2h207o2d\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\history\low\history.ie5\desktop.ini
Network activity
UDP
- 'localhost':2006
Miscellaneous
Searches for the following windows
- ClassName: 'UUMainFrame' WindowName: 'UU'
Creates and executes the following
- '%APPDATA%\fiddler\fd.exe'
- '%APPDATA%\fiddler\makecert.exe' -r -ss my -n "CN=DO_NOT_TRUST_FiddlerRoot, O=DO_NOT_TRUST, OU=Created by http://www.fi###er2.com" -sky signature -eku 1.3.6.1.5.5.7.3.1 -h 1 -cy authority -a sha256 -m 132 -b 06/07/2021
- '%APPDATA%\fiddler\makecert.exe' -pe -ss my -n "CN=localhost, O=DO_NOT_TRUST, OU=Created by http://www.fi###er2.com" -sky exchange -in DO_NOT_TRUST_FiddlerRoot -is my -eku 1.3.6.1.5.5.7.3.1 -cy end -a sha256 -m 132 -b 06/07/20...
Executes the following
- '<SYSTEM32>\rundll32.exe' <SYSTEM32>\FirewallControlPanel.dll,ShowNotificationDialog /configure /ETOnly 0 /OnProfiles 6 /OtherAllowed 0 /OtherBlocked 0 /OtherEdgeAllowed 0 /NewBlocked 4 "<Full path to file>"
- '<SYSTEM32>\rundll32.exe' <SYSTEM32>\FirewallControlPanel.dll,ShowNotificationDialog /configure /ETOnly 0 /OnProfiles 6 /OtherAllowed 0 /OtherBlocked 0 /OtherEdgeAllowed 0 /NewBlocked 4 "%APPDATA%\fiddler\fd.exe"
- '%WINDIR%\syswow64\rundll32.exe' "%WINDIR%\syswow64\wininet.dll",DispatchAPICall 1
