Technical Information
To ensure autorun and distribution
Modifies the following registry keys
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\] 'Client Server Runtime Subsystem' = '"%ALLUSERSPROFILE%\Application Data\Windows\csrss.exe"'
Malicious functions
Creates and executes the following
- '%TEMP%\rad28c18.tmp'
Modifies file system
Creates the following files
- %HOMEPATH%\local settings\<INETFILES>\content.ie5\z9pmdpek\1c[1].jpg
- %TEMP%\rad28c18.tmp
- %ALLUSERSPROFILE%\application data\windows\csrss.exe
- %TEMP%\6893a5~1\state.tmp
- %TEMP%\6893a5~1\unverified-microdesc-consensus.tmp
- %TEMP%\6893a5~1\cached-certs.tmp
- %TEMP%\6893a5~1\cached-microdesc-consensus.tmp
- %TEMP%\6893a5~1\cached-microdescs.new
Deletes the following files
- %TEMP%\6893a5~1\unverified-microdesc-consensus
- %TEMP%\6893a5~1\state
Moves the following files
- from %TEMP%\6893a5~1\state.tmp to %TEMP%\6893a5~1\state
- from %TEMP%\opera installer\opera_installer_20150820123618.log to %TEMP%\opera installer\wej3ohwfuqvzc+cem65bitiobx8lbrpmzjb3quxek5crdyocwpvg6useniegz2hh4mjcta6cl5ihj2l5fob2-o3md8wfrzqhvigua9euxsk=.ba341a4b9ff33f628e40.crypted000007
- from %TEMP%\opera installer\opera_installer_20160310145355.log to %TEMP%\opera installer\+ayi4zytfkl5qcdbpdbvlk1hjpal7ijwknuk-yfida10famyh2tiwisurlgvqym6uc3o91eb4uvcheburftrysbvxhzmitxmcgxsdk2c8rk=.ba341a4b9ff33f628e40.crypted000007
- from %TEMP%\opera installer\opera_installer_20160310145357.log to %TEMP%\opera installer\qxmffyemzes7nnjbp3k71qv1w09c-gnmc5vbyax8fe95twq6sfkxa2ovo58pbf7ilojrjxa-jab-zickdok2pm3k75rd4fjr6t9n53efn+c=.ba341a4b9ff33f628e40.crypted000007
- from %TEMP%\pyl1.tmp\data\isolist.ini to %TEMP%\pyl1.tmp\data\pvps+bmhf8wp40smeqll7ye0fzwm2908nlw0ccefvsu=.ba341a4b9ff33f628e40.crypted000007
- from %TEMP%\pyl1.tmp\data\images\desktop.bmp to %TEMP%\pyl1.tmp\data\images\ndnp4umgey3kextazzgp4vtj6sghaw8esdgzpgrd+au=.ba341a4b9ff33f628e40.crypted000007
- from %TEMP%\pyl1.tmp\data\images\disksize.bmp to %TEMP%\pyl1.tmp\data\images\uet+iozyykov-2zgzrwal0kbazllnwt+8op0kxr4qxs=.ba341a4b9ff33f628e40.crypted000007
- from %TEMP%\pyl1.tmp\data\images\edubuntu-header.bmp to %TEMP%\pyl1.tmp\data\images\s4riqy8usmugukk4p4r04rssosciquqauxroghnyr3yh8v2qmvskrrmtbt3qyuz8.ba341a4b9ff33f628e40.crypted000007
- from %TEMP%\pyl1.tmp\data\images\edubuntu-vertical.bmp to %TEMP%\pyl1.tmp\data\images\dgq29cmxzmxubphclvtlv4rppxrbmmlzv-7jm0bcm1wsu7jhxg4genpedu7gojtd.ba341a4b9ff33f628e40.crypted000007
- from %TEMP%\pyl1.tmp\data\images\install.bmp to %TEMP%\pyl1.tmp\data\images\zw0shoz-ohh6i+jlulsvfotkyuu04hspstkhdqh96r4=.ba341a4b9ff33f628e40.crypted000007
- from %TEMP%\pyl1.tmp\data\images\kubuntu-header.bmp to %TEMP%\pyl1.tmp\data\images\fliq76nt+dlco8sjcq-qvifdkftv3zeoku6shxml12v-bailzmcfineddwtywhnl.ba341a4b9ff33f628e40.crypted000007
- from %TEMP%\pyl1.tmp\data\images\kubuntu-vertical.bmp to %TEMP%\pyl1.tmp\data\images\vwkkougdgixdk2pxn19uiuagoitzobnbzodv9ky9wjs7aup0n0j3ijgnb9obrcu1.ba341a4b9ff33f628e40.crypted000007
- from %TEMP%\pyl1.tmp\data\images\language.bmp to %TEMP%\pyl1.tmp\data\images\wgxrgtexpwwliacjbflcq9xbeyiib-776c3oaz9wziy=.ba341a4b9ff33f628e40.crypted000007
- from %TEMP%\pyl1.tmp\data\images\lock.bmp to %TEMP%\pyl1.tmp\data\images\dw9molf08gca1qorvogp6g==.ba341a4b9ff33f628e40.crypted000007
- from %TEMP%\pyl1.tmp\data\images\lubuntu-header.bmp to %TEMP%\pyl1.tmp\data\images\4kfmjlmysvgtowb4mtaekrn4fquo68qirrs05evkbkiqnyvk7v4peduvzjck8myu.ba341a4b9ff33f628e40.crypted000007
- from %TEMP%\opera installer\opera_installer_20150820123555.log to %TEMP%\opera installer\nsgsv128rkjbawmieqafggptkkbu0jhrkb5p6mnwnvtkrzm4sre7vm5+u8x3jfreyrgkodoac33nvmpmcttcmtpu-fvx1ljztdm+hjx6o2a=.ba341a4b9ff33f628e40.crypted000007
- from %TEMP%\pyl1.tmp\data\images\lubuntu-vertical.bmp to %TEMP%\pyl1.tmp\data\images\thlqdw4h3yxy1mwikvs-v9stxx93o7ro-qgcoiofe0ayvkjfylnioync4aehzfgi.ba341a4b9ff33f628e40.crypted000007
- from %TEMP%\pyl1.tmp\data\images\mythbuntu-vertical.bmp to %TEMP%\pyl1.tmp\data\images\qs5sy4oxsqh4wv7dpzvc6torg5mypoh2+0fbu38ju6voutxshdft7n3o02cwdgaz.ba341a4b9ff33f628e40.crypted000007
- from %TEMP%\pyl1.tmp\data\images\preferences-desktop-locale.png to %TEMP%\pyl1.tmp\data\images\2bi7-koaqewxuijrfphlatj9qzsezekojvaqt3v3rchcu3nyjldjyor0u1irkifxxmsgwidcr3z99zfy76jmsw==.ba341a4b9ff33f628e40.crypted000007
- from %TEMP%\pyl1.tmp\data\images\ubuntu studio-header.bmp to %TEMP%\pyl1.tmp\data\images\cqjdav1rkxfsyl2z0veebwkqp14wfxsyn+dtbwsvhhzdlcsup5sedlonxfr5n7ra.ba341a4b9ff33f628e40.crypted000007
- from %TEMP%\pyl1.tmp\data\images\ubuntu studio-vertical.bmp to %TEMP%\pyl1.tmp\data\images\75me023ihfloubzcwvnpjuewsh-c4mkczrgoync6lkibtaxruhqgusyf11egwik7nz7dnd-ft0zvqj2ha5b6vg==.ba341a4b9ff33f628e40.crypted000007
- from %TEMP%\pyl1.tmp\data\images\ubuntu-header.bmp to %TEMP%\pyl1.tmp\data\images\sqcrjo-+7piwvylesprgxz6alxirlmluvg7blebsg9lfbt34yxvl1eje7ax5uwzk.ba341a4b9ff33f628e40.crypted000007
- from %TEMP%\pyl1.tmp\data\images\ubuntu-vertical.bmp to %TEMP%\pyl1.tmp\data\images\ivqauigdtfenu6s2i63gx7lw88fedmbwbhcbcz3hm1etrqqyt+0ow5blc5rhqz2l.ba341a4b9ff33f628e40.crypted000007
- from %TEMP%\pyl1.tmp\data\images\user.bmp to %TEMP%\pyl1.tmp\data\images\evfpctt4qoferu2imfetog==.ba341a4b9ff33f628e40.crypted000007
- from %TEMP%\pyl1.tmp\winboot\wubildr.tar to %TEMP%\pyl1.tmp\winboot\papyiw1lomugru3cdu6k1mrprmx00oby6yn-b+cmwds=.ba341a4b9ff33f628e40.crypted000007
- from %TEMP%\<INETFILES>\content.ie5\index.dat to %TEMP%\<INETFILES>\content.ie5\cjklsgo0hpa0ta+elupndi6fu-b9jsywhmgicj0x+80=.ba341a4b9ff33f628e40.crypted000007
- from %TEMP%\outlook logging\firstrun.log to %TEMP%\outlook logging\m69reqpkh5yihjm+yifzex2jeefq4tju0zlawxu0ro0=.ba341a4b9ff33f628e40.crypted000007
- from %HOMEPATH%\local settings\<INETFILES>\content.ie5\z9pmdpek\1c[1].jpg to %HOMEPATH%\local settings\<INETFILES>\content.ie5\z9pmdpek\lcynnkzbj7tkowq4zcusgwniicjcaorr3to30nczrok=.ba341a4b9ff33f628e40.crypted000007
- from %TEMP%\6893a5~1\cached-microdesc-consensus.tmp to %TEMP%\6893a5~1\cached-microdesc-consensus
- from %TEMP%\6893a5~1\cached-certs.tmp to %TEMP%\6893a5~1\cached-certs
- from %TEMP%\6893a5~1\unverified-microdesc-consensus.tmp to %TEMP%\6893a5~1\unverified-microdesc-consensus
- from %TEMP%\pyl1.tmp\data\images\mythbuntu-header.bmp to %TEMP%\pyl1.tmp\data\images\dh2dixvydakk3ituw7kw2c51zmfgokb7n2rx6b14k20qviarbnbnaxiaavjszkt0.ba341a4b9ff33f628e40.crypted000007
- from %TEMP%\opera installer\opera_installer_20150820123553.log to %TEMP%\opera installer\hvh+wax0z7-28qakqytysbvsszas2xq9duh6zzpfeqgh3nfhgpgj9lxvavelyqyw3j4katg1dkc62ynfxpstebyhtioxoviksu0rfl8ioqy=.ba341a4b9ff33f628e40.crypted000007
Substitutes the following files
- %TEMP%\6893a5~1\state.tmp
- %TEMP%\6893a5~1\state
Deletes itself.
Network activity
Connects to
- 'localhost':1040
- '19#.#3.244.244':443
- '76.##.17.194':9090
- '20#.#3.223.34':80
- '13#.#88.40.189':443
- '54.##.164.176':9001
- '46.#.102.254':9001
- '19#.#89.96.147':443
- 'localhost':58270
TCP
HTTP GET requests
- http://ev###stars.nl/wp-content/themes/Divi/images/1c.jpg
- http://gl####turkey.com/wp-admin/css/colors/blue/1c.jpg
UDP
- DNS ASK ev###stars.nl
- DNS ASK gl####turkey.com
Miscellaneous
Creates and executes the following
- '<SYSTEM32>\cmd.exe' /c %TEMP%\rad28C18.tmp' (with hidden window)
- '<SYSTEM32>\cmd.exe' ' (with hidden window)
Executes the following
- '<SYSTEM32>\cmd.exe' /c %TEMP%\rad28C18.tmp
- '<SYSTEM32>\cmd.exe'
- '<SYSTEM32>\chcp.com'
