Technical Information
Malicious functions
Executes the following
- '%WINDIR%\syswow64\taskkill.exe' /F /im iexplore.exe
- '%WINDIR%\syswow64\taskkill.exe' /F /im firefox.exe
- '%WINDIR%\syswow64\taskkill.exe' /F /im chrome.exe
Terminates or attempts to terminate
the following user processes:
- firefox.exe
- iexplore.exe
Modifies file system
Creates the following files
- %TEMP%\rarsfx0\1xne94pp879901.js
- %TEMP%\z8ewptju.dll
- %TEMP%\res2edd.tmp
- %TEMP%\csc2ecd.tmp
- %TEMP%\z8ewptju.out
- %TEMP%\z8ewptju.cmdline
- %TEMP%\z8ewptju.0.cs
- %TEMP%\wtp92amo.ps1
- %TEMP%\27dqwcuu.ps1
- %TEMP%\rescf70.tmp
- %TEMP%\csccf6f.tmp
- %TEMP%\a4l25m1u.out
- %TEMP%\a4l25m1u.cmdline
- %TEMP%\a4l25m1u.0.cs
- %TEMP%\h2vvwf12.ps1
- %TEMP%\a4l25m1u.dll
- %TEMP%\bcguhyeefw.log
Deletes the following files
- %TEMP%\rescf70.tmp
- %TEMP%\csccf6f.tmp
- %TEMP%\a4l25m1u.dll
- %TEMP%\a4l25m1u.pdb
- %TEMP%\a4l25m1u.cmdline
- %TEMP%\a4l25m1u.0.cs
- %TEMP%\a4l25m1u.out
- %TEMP%\res2edd.tmp
- %TEMP%\csc2ecd.tmp
- %TEMP%\z8ewptju.pdb
- %TEMP%\z8ewptju.dll
- %TEMP%\z8ewptju.cmdline
- %TEMP%\z8ewptju.0.cs
- %TEMP%\z8ewptju.out
- %TEMP%\h2vvwf12.ps1
- %TEMP%\27dqwcuu.ps1
Modifies the following files
- %APPDATA%\mozilla\firefox\profiles\gn7ryp3k.default\cert8.db
- %APPDATA%\mozilla\firefox\profiles\gn7ryp3k.default\key3.db
- %APPDATA%\mozilla\firefox\profiles\gn7ryp3k.default\prefs.js
Network activity
Connects to
- 'ap#.#pify.org':80
- '<LOCALNET>.55.1':445
- '<LOCALNET>.55.31':445
TCP
HTTP GET requests
- http://ap#.#pify.org/
UDP
- DNS ASK ap#.#pify.org
Miscellaneous
Adds a root certificate
Modifies value of AutoConfigURL parameter to 'https://thlbsd334huntrrr.onion.link/RM5w3Lf8.js?ip=95.211.190.199'
Modifies value of AutoConfigURL parameter to 'https://thlbsd334huntrrr.onion.link/oTOmECfW.js?ip=95.211.190.199'
Modifies value of AutoConfigURL parameter to 'https://thlbsd334huntrrr.onion.link/JB3HX5kw.js?ip=95.211.190.199'
Modifies value of AutoConfigURL parameter to 'https://thlbsd334huntrrr.onion.link/JnKmFcEQ.js?ip=95.211.190.199'
Modifies value of AutoConfigURL parameter to 'https://thlbsd334huntrrr.onion.link/dENJ9Zoc.js?ip=95.211.190.199'
Searches for the following windows
- ClassName: 'EDIT' WindowName: ''
- ClassName: '' WindowName: ''
Creates and executes the following
- '%WINDIR%\syswow64\wscript.exe' "%TEMP%\RarSFX0\1XnE94pp879901.js"
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -ep Unrestricted -f "%TEMP%\H2vVwf12.ps1"
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -ExecutionPolicy Unrestricted -File "%TEMP%\27dqwCuU.ps1"
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -ep Unrestricted -f "%TEMP%\wtP92AmO.ps1"
- '%WINDIR%\syswow64\taskkill.exe' /F /im iexplore.exe' (with hidden window)
- '%WINDIR%\syswow64\taskkill.exe' /F /im firefox.exe' (with hidden window)
- '%WINDIR%\syswow64\taskkill.exe' /F /im chrome.exe' (with hidden window)
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -ep Unrestricted -f "%TEMP%\H2vVwf12.ps1"' (with hidden window)
- '%WINDIR%\microsoft.net\framework\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\a4l25m1u.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESCF70.tmp" "%TEMP%\CSCCF6F.tmp"' (with hidden window)
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -ExecutionPolicy Unrestricted -File "%TEMP%\27dqwCuU.ps1"' (with hidden window)
- '%WINDIR%\microsoft.net\framework\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\z8ewptju.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES2EDD.tmp" "%TEMP%\CSC2ECD.tmp"' (with hidden window)
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -ep Unrestricted -f "%TEMP%\wtP92AmO.ps1"' (with hidden window)
Executes the following
- '%WINDIR%\microsoft.net\framework\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\a4l25m1u.cmdline"
- '%WINDIR%\microsoft.net\framework\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESCF70.tmp" "%TEMP%\CSCCF6F.tmp"
- '%WINDIR%\microsoft.net\framework\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\z8ewptju.cmdline"
- '%WINDIR%\microsoft.net\framework\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES2EDD.tmp" "%TEMP%\CSC2ECD.tmp"
