Technical Information
To ensure autorun and distribution
Modifies the following registry keys
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Explorers' = '%WINDIR%\explorer.exe /root <SYSTEM32>\rundll32.exe ..\windows\system32\user32.dll.ShellExecute(%s), D:\System_VoIume_lnfor...
- [<HKCU>\Software\Classes\exefiles\shell\open\command] '' = '"D:\System_VoIume_lnformation\Jnt\keliduxuf\explorers.exe" rts "%1"'
- [<HKCU>\Software\Classes\exefiles\shell\open\command] '' = '"D:\System_VoIume_lnformation\Jnt\wunaz\explorers.exe" rts "%1"'
Malicious functions
Executes the following
- '<SYSTEM32>\taskkill.exe' /im svcnost.exe /im svcnosts.exe /f
Modifies file system
Creates the following files
- C:\files .exe
- D:\system_voiume_lnformation\jnt\wunaz\gotera.bmp
- D:\system_voiume_lnformation\jnt\wunaz\explorers.exe
- D:\sefera\jnt\xohejit\gotera.bmp
- D:\sefera\jnt\xohejit\svcnosts.exe
- D:\sefera\jnt\xohejit\svcnost.exe
- D:\sefera\jnt\yetybaoio\desktop.ini
- D:\sefera\desktop.ini
- D:\system_voiume_lnformation\jnt\wunaz\bmz\explorer.exeВќ
- D:\system_voiume_lnformation\jnt\keliduxuf\bmz\explorer.exeВќ
- D:\system_voiume_lnformation\jnt\keliduxuf\explorers.exe
- D:\sefera\jnt\yetybaoio\gotera.bmp
- D:\sefera\jnt\yetybaoio\svcnosts.exe
- D:\sefera\jnt\yetybaoio\svcnost.exe
- D:\show hidden files.bat
- D:\files .exe
- C:\show hidden files.bat
- D:\system_voiume_lnformation\jnt\keliduxuf\gotera.bmp
- D:\sefera\jnt\xohejit\desktop.ini
Sets the 'hidden' attribute to the following files
- D:\sefera\desktop.ini
- D:\sefera\jnt\yetybaoio\desktop.ini
- D:\sefera\jnt\xohejit\desktop.ini
Deletes the following files
- D:\sefera\jnt\yetybaoio\gotera.bmp
- D:\sefera\jnt\yetybaoio\svcnost.exe
- D:\sefera\jnt\yetybaoio\svcnosts.exe
- D:\sefera\jnt\yetybaoio\desktop.ini
- D:\system_voiume_lnformation\jnt\keliduxuf\explorers.exe
- D:\system_voiume_lnformation\jnt\keliduxuf\gotera.bmp
- D:\system_voiume_lnformation\jnt\keliduxuf\bmz\explorer.exeВќ
Network activity
TCP
- 'cl######rch.firebaseapp.com':443
UDP
- DNS ASK cl######rch.firebaseapp.com
Miscellaneous
Searches for the following windows
- ClassName: '' WindowName: ''
Creates and executes the following
- 'D:\sefera\jnt\xohejit\svcnost.exe' nm
- 'D:\sefera\jnt\yetybaoio\svcnost.exe' nm
- 'D:\sefera\jnt\yetybaoio\svcnosts.exe' fdrg
- 'D:\sefera\jnt\xohejit\svcnosts.exe' fdrg
- '<SYSTEM32>\cmd.exe' /c cacls "D:\sefera\Jnt\yetybaoio" /g everyone:f /t /c /e' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c attrib "D:\sefera\Jnt\yetybaoio*" -h -s -r /d' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c del "D:\sefera\Jnt\yetybaoio" /f /s /q' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c cacls D:\System_VoIume_lnformation\Jnt\wunaz\..\.. /d user /e' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c cacls D:\System_VoIume_lnformation\Jnt\wunaz\..\.. /d everyone /e' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c rd "D:\sefera\Jnt\yetybaoio" /s /q' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c cacls "D:\System_VoIume_lnformation\Jnt\keliduxuf" /g everyone:f /t /c /e' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c attrib "D:\System_VoIume_lnformation\Jnt\keliduxuf*" -h -s -r /d' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c del "D:\System_VoIume_lnformation\Jnt\keliduxuf" /f /s /q' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c cacls D:\System_VoIume_lnformation\Jnt\keliduxuf\..\.. /r user /e /t' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c cacls D:\sefera\Jnt\xohejit\..\.. /d user /e' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c attrib D:\sefera\Jnt\xohejit\..\..\desktop.ini +s +h' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c attrib D:\sefera\Jnt\xohejit +r +s +h' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c attrib D:\sefera\Jnt\xohejit\desktop.ini +s +h' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c attrib D:\System_VoIume_lnformation\Jnt\wunaz\..\.. +r +s +h' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c cacls D:\sefera\Jnt\xohejit\..\.. /d administrators /e' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c cacls D:\sefera\Jnt\xohejit\..\.. /d everyone /e' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c cacls D:\System_VoIume_lnformation\Jnt\wunaz\..\.. /d administrators /e' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c rd "D:\System_VoIume_lnformation\Jnt\keliduxuf" /s /q' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c cacls D:\System_VoIume_lnformation\Jnt\keliduxuf\..\.. /r administrators /e /t' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c cacls D:\sefera\Jnt\yetybaoio\..\.. /r user /e /t' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c cacls D:\System_VoIume_lnformation\Jnt\keliduxuf\..\.. /g everyone:f /e /t' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c cacls n:\sefera\Jnt\null\..\.. /r user /e /t' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c cacls n:\System_VoIume_lnformation\Jnt\null\..\.. /g everyone:f /e /t' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c cacls n:\System_VoIume_lnformation\Jnt\null\..\.. /r administrators /e /t' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c cacls n:\System_VoIume_lnformation\Jnt\null\..\.. /r user /e /t' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c attrib D:\sefera\Jnt\yetybaoio\..\.. +r +s +h' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c attrib D:\sefera\Jnt\yetybaoio\..\..\desktop.ini +s +h' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c attrib D:\sefera\Jnt\yetybaoio +r +s +h' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c attrib D:\sefera\Jnt\yetybaoio\desktop.ini +s +h' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c attrib D:\System_VoIume_lnformation\Jnt\keliduxuf\..\.. +r +s +h' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c cacls D:\sefera\Jnt\yetybaoio\..\.. /d everyone /e' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c cacls n:\sefera\Jnt\null\..\.. /r administrators /e /t' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c cacls D:\sefera\Jnt\yetybaoio\..\.. /d user /e' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c cacls D:\System_VoIume_lnformation\Jnt\keliduxuf\..\.. /d administrators /e' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c cacls D:\System_VoIume_lnformation\Jnt\keliduxuf\..\.. /d everyone /e' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c cacls D:\System_VoIume_lnformation\Jnt\keliduxuf\..\.. /d user /e' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c taskkill /im svcnost.exe /im svcnosts.exe /f' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c cacls D:\sefera\Jnt\yetybaoio\..\.. /g everyone:f /e /t' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c cacls D:\sefera\Jnt\yetybaoio\..\.. /r administrators /e /t' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c cacls D:\sefera\Jnt\yetybaoio\..\.. /d administrators /e' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c attrib D:\sefera\Jnt\xohejit\..\.. +r +s +h' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c cacls n:\sefera\Jnt\null\..\.. /g everyone:f /e /t' (with hidden window)
Executes the following
- '%WINDIR%\explorer.exe' <Full path to file>\..
- '<SYSTEM32>\cmd.exe' /c del "D:\System_VoIume_lnformation\Jnt\keliduxuf" /f /s /q
- '<SYSTEM32>\attrib.exe' "D:\System_VoIume_lnformation\Jnt\keliduxuf*" -h -s -r /d
- '<SYSTEM32>\cmd.exe' /c attrib "D:\System_VoIume_lnformation\Jnt\keliduxuf*" -h -s -r /d
- '<SYSTEM32>\cacls.exe' "D:\System_VoIume_lnformation\Jnt\keliduxuf" /g everyone:f /t /c /e
- '<SYSTEM32>\cmd.exe' /c cacls "D:\System_VoIume_lnformation\Jnt\keliduxuf" /g everyone:f /t /c /e
- '<SYSTEM32>\cmd.exe' /c rd "D:\sefera\Jnt\yetybaoio" /s /q
- '<SYSTEM32>\cmd.exe' /c del "D:\sefera\Jnt\yetybaoio" /f /s /q
- '<SYSTEM32>\cmd.exe' /c attrib D:\sefera\Jnt\xohejit\..\.. +r +s +h
- '<SYSTEM32>\cmd.exe' /c rd "D:\System_VoIume_lnformation\Jnt\keliduxuf" /s /q
- '<SYSTEM32>\cacls.exe' "D:\sefera\Jnt\yetybaoio" /g everyone:f /t /c /e
- '<SYSTEM32>\cmd.exe' /c cacls "D:\sefera\Jnt\yetybaoio" /g everyone:f /t /c /e
- '<SYSTEM32>\cacls.exe' D:\System_VoIume_lnformation\Jnt\keliduxuf\..\.. /r user /e /t
- '<SYSTEM32>\cmd.exe' /c cacls D:\System_VoIume_lnformation\Jnt\keliduxuf\..\.. /r user /e /t
- '<SYSTEM32>\cacls.exe' D:\System_VoIume_lnformation\Jnt\keliduxuf\..\.. /r administrators /e /t
- '<SYSTEM32>\cmd.exe' /c cacls D:\System_VoIume_lnformation\Jnt\keliduxuf\..\.. /r administrators /e /t
- '<SYSTEM32>\cacls.exe' D:\System_VoIume_lnformation\Jnt\keliduxuf\..\.. /g everyone:f /e /t
- '<SYSTEM32>\attrib.exe' "D:\sefera\Jnt\yetybaoio*" -h -s -r /d
- '<SYSTEM32>\attrib.exe' D:\sefera\Jnt\yetybaoio\desktop.ini +s +h
- '<SYSTEM32>\attrib.exe' D:\sefera\Jnt\xohejit\..\.. +r +s +h
- '<SYSTEM32>\cacls.exe' D:\System_VoIume_lnformation\Jnt\wunaz\..\.. /d everyone /e
- '<SYSTEM32>\cmd.exe' /c cacls D:\System_VoIume_lnformation\Jnt\wunaz\..\.. /d everyone /e
- '<SYSTEM32>\cacls.exe' D:\System_VoIume_lnformation\Jnt\wunaz\..\.. /d administrators /e
- '<SYSTEM32>\cmd.exe' /c cacls D:\System_VoIume_lnformation\Jnt\wunaz\..\.. /d administrators /e
- '<SYSTEM32>\cacls.exe' D:\sefera\Jnt\xohejit\..\.. /d user /e
- '<SYSTEM32>\cmd.exe' /c cacls D:\sefera\Jnt\xohejit\..\.. /d user /e
- '<SYSTEM32>\cacls.exe' D:\sefera\Jnt\xohejit\..\.. /d everyone /e
- '<SYSTEM32>\cmd.exe' /c cacls D:\sefera\Jnt\xohejit\..\.. /d everyone /e
- '<SYSTEM32>\cacls.exe' D:\sefera\Jnt\xohejit\..\.. /d administrators /e
- '<SYSTEM32>\cmd.exe' /c cacls D:\sefera\Jnt\xohejit\..\.. /d administrators /e
- '<SYSTEM32>\attrib.exe' D:\System_VoIume_lnformation\Jnt\wunaz\..\.. +r +s +h
- '<SYSTEM32>\cmd.exe' /c attrib D:\System_VoIume_lnformation\Jnt\wunaz\..\.. +r +s +h
- '<SYSTEM32>\attrib.exe' D:\sefera\Jnt\xohejit\desktop.ini +s +h
- '<SYSTEM32>\cmd.exe' /c attrib D:\sefera\Jnt\xohejit\desktop.ini +s +h
- '<SYSTEM32>\attrib.exe' D:\sefera\Jnt\xohejit +r +s +h
- '<SYSTEM32>\cmd.exe' /c attrib D:\sefera\Jnt\xohejit +r +s +h
- '<SYSTEM32>\attrib.exe' D:\sefera\Jnt\xohejit\..\..\desktop.ini +s +h
- '<SYSTEM32>\cmd.exe' /c cacls D:\System_VoIume_lnformation\Jnt\keliduxuf\..\.. /g everyone:f /e /t
- '<SYSTEM32>\cmd.exe' /c attrib "D:\sefera\Jnt\yetybaoio*" -h -s -r /d
- '<SYSTEM32>\cacls.exe' D:\sefera\Jnt\yetybaoio\..\.. /r user /e /t
- '<SYSTEM32>\cmd.exe' /c cacls D:\sefera\Jnt\yetybaoio\..\.. /r user /e /t
- '<SYSTEM32>\cacls.exe' D:\sefera\Jnt\yetybaoio\..\.. /r administrators /e /t
- '<SYSTEM32>\cmd.exe' /c cacls n:\System_VoIume_lnformation\Jnt\null\..\.. /r administrators /e /t
- '<SYSTEM32>\attrib.exe' D:\sefera\Jnt\yetybaoio\..\..\desktop.ini +s +h
- '<SYSTEM32>\cmd.exe' /c attrib D:\sefera\Jnt\yetybaoio\..\..\desktop.ini +s +h
- '<SYSTEM32>\attrib.exe' D:\sefera\Jnt\yetybaoio\..\.. +r +s +h
- '<SYSTEM32>\cmd.exe' /c attrib D:\sefera\Jnt\yetybaoio\..\.. +r +s +h
- '<SYSTEM32>\cacls.exe' n:\System_VoIume_lnformation\Jnt\null\..\.. /r user /e /t
- '<SYSTEM32>\cmd.exe' /c cacls n:\System_VoIume_lnformation\Jnt\null\..\.. /r user /e /t
- '<SYSTEM32>\cacls.exe' n:\System_VoIume_lnformation\Jnt\null\..\.. /r administrators /e /t
- '<SYSTEM32>\cacls.exe' n:\System_VoIume_lnformation\Jnt\null\..\.. /g everyone:f /e /t
- '<SYSTEM32>\attrib.exe' D:\sefera\Jnt\yetybaoio +r +s +h
- '<SYSTEM32>\cmd.exe' /c cacls n:\System_VoIume_lnformation\Jnt\null\..\.. /g everyone:f /e /t
- '<SYSTEM32>\cacls.exe' n:\sefera\Jnt\null\..\.. /r user /e /t
- '<SYSTEM32>\cmd.exe' /c cacls n:\sefera\Jnt\null\..\.. /r user /e /t
- '<SYSTEM32>\cacls.exe' n:\sefera\Jnt\null\..\.. /r administrators /e /t
- '<SYSTEM32>\cmd.exe' /c cacls n:\sefera\Jnt\null\..\.. /r administrators /e /t
- '<SYSTEM32>\cacls.exe' n:\sefera\Jnt\null\..\.. /g everyone:f /e /t
- '<SYSTEM32>\cmd.exe' /c cacls n:\sefera\Jnt\null\..\.. /g everyone:f /e /t
- '<SYSTEM32>\cmd.exe' /c cacls D:\System_VoIume_lnformation\Jnt\wunaz\..\.. /d user /e
- '<SYSTEM32>\cmd.exe' /c attrib D:\sefera\Jnt\xohejit\..\..\desktop.ini +s +h
- '<SYSTEM32>\cmd.exe' /c attrib D:\sefera\Jnt\yetybaoio\desktop.ini +s +h
- '<SYSTEM32>\attrib.exe' D:\System_VoIume_lnformation\Jnt\keliduxuf\..\.. +r +s +h
- '<SYSTEM32>\cmd.exe' /c attrib D:\sefera\Jnt\yetybaoio +r +s +h
- '<SYSTEM32>\cmd.exe' /c cacls D:\sefera\Jnt\yetybaoio\..\.. /r administrators /e /t
- '<SYSTEM32>\cacls.exe' D:\sefera\Jnt\yetybaoio\..\.. /g everyone:f /e /t
- '<SYSTEM32>\cmd.exe' /c cacls D:\sefera\Jnt\yetybaoio\..\.. /g everyone:f /e /t
- '<SYSTEM32>\cmd.exe' /c taskkill /im svcnost.exe /im svcnosts.exe /f
- '<SYSTEM32>\cacls.exe' D:\System_VoIume_lnformation\Jnt\keliduxuf\..\.. /d user /e
- '<SYSTEM32>\cmd.exe' /c cacls D:\System_VoIume_lnformation\Jnt\keliduxuf\..\.. /d user /e
- '<SYSTEM32>\cacls.exe' D:\System_VoIume_lnformation\Jnt\keliduxuf\..\.. /d everyone /e
- '<SYSTEM32>\cmd.exe' /c cacls D:\System_VoIume_lnformation\Jnt\keliduxuf\..\.. /d everyone /e
- '<SYSTEM32>\cacls.exe' D:\System_VoIume_lnformation\Jnt\keliduxuf\..\.. /d administrators /e
- '<SYSTEM32>\cmd.exe' /c cacls D:\System_VoIume_lnformation\Jnt\keliduxuf\..\.. /d administrators /e
- '<SYSTEM32>\cacls.exe' D:\sefera\Jnt\yetybaoio\..\.. /d user /e
- '<SYSTEM32>\cmd.exe' /c cacls D:\sefera\Jnt\yetybaoio\..\.. /d user /e
- '<SYSTEM32>\cacls.exe' D:\sefera\Jnt\yetybaoio\..\.. /d everyone /e
- '<SYSTEM32>\cmd.exe' /c cacls D:\sefera\Jnt\yetybaoio\..\.. /d everyone /e
- '<SYSTEM32>\cacls.exe' D:\sefera\Jnt\yetybaoio\..\.. /d administrators /e
- '<SYSTEM32>\cmd.exe' /c cacls D:\sefera\Jnt\yetybaoio\..\.. /d administrators /e
- '<SYSTEM32>\cmd.exe' /c attrib D:\System_VoIume_lnformation\Jnt\keliduxuf\..\.. +r +s +h
- '<SYSTEM32>\cacls.exe' D:\System_VoIume_lnformation\Jnt\wunaz\..\.. /d user /e
