Technical Information
To ensure autorun and distribution
Creates or modifies the following files
- <SYSTEM32>\tasks\minecraft update
Malicious functions
To complicate detection of its presence in the operating system,
blocks execution of the following system utilities:
- Windows Task Manager (Taskmgr)
- Registry Editor (RegEdit)
Modifies file system
Creates the following files
- %TEMP%\_mei11802\crypto\cipher\_arc4.cp37-win_amd64.pyd
- %TEMP%\_mei11802\crypto\util\_cpuid_c.cp37-win_amd64.pyd
- %TEMP%\_mei11802\crypto\util\_strxor.cp37-win_amd64.pyd
- %TEMP%\_mei11802\rat.exe.manifest
- %TEMP%\_mei11802\vcruntime140.dll
- %TEMP%\_mei11802\_bz2.pyd
- %TEMP%\_mei11802\_ctypes.pyd
- %TEMP%\_mei11802\_decimal.pyd
- %TEMP%\_mei11802\_hashlib.pyd
- %TEMP%\_mei11802\_lzma.pyd
- %TEMP%\_mei11802\_portaudio.cp37-win_amd64.pyd
- %TEMP%\_mei11802\_pytransform.dll
- %TEMP%\_mei11802\_queue.pyd
- %TEMP%\_mei11802\_socket.pyd
- %TEMP%\_mei11802\_sqlite3.pyd
- %TEMP%\_mei11802\_win32sysloader.pyd
- nul
- %TEMP%\_mei11802\libcrypto-1_1.dll
- %TEMP%\_mei11802\libssl-1_1.dll
- %TEMP%\_mei11802\pyexpat.pyd
- %TEMP%\_mei11802\python37.dll
- %TEMP%\_mei11802\pythoncom37.dll
- %TEMP%\_mei11802\pywintypes37.dll
- %TEMP%\_mei11802\select.pyd
- %TEMP%\_mei11802\sqlite3.dll
- %TEMP%\_mei11802\unicodedata.pyd
- %TEMP%\_mei11802\win32api.pyd
- %TEMP%\_mei11802\win32gui.pyd
- %TEMP%\_mei11802\include\pyconfig.h
- %TEMP%\_mei11802\base_library.zip
- %TEMP%\_mei11802\certifi\cacert.pem
- %TEMP%\_mei11802\crypto\publickey\_ec_ws.cp37-win_amd64.pyd
- %TEMP%\_mei11802\_ssl.pyd
- %TEMP%\_mei11802\crypto\protocol\_scrypt.cp37-win_amd64.pyd
- %TEMP%\_mei11802\crypto\cipher\_raw_ocb.cp37-win_amd64.pyd
- %TEMP%\_mei11802\crypto\cipher\_salsa20.cp37-win_amd64.pyd
- %TEMP%\_mei11802\crypto\cipher\_chacha20.cp37-win_amd64.pyd
- %TEMP%\_mei11802\crypto\cipher\_raw_aes.cp37-win_amd64.pyd
- %TEMP%\_mei11802\crypto\cipher\_raw_aesni.cp37-win_amd64.pyd
- %TEMP%\_mei11802\crypto\cipher\_raw_arc2.cp37-win_amd64.pyd
- %TEMP%\_mei11802\crypto\cipher\_raw_blowfish.cp37-win_amd64.pyd
- %TEMP%\_mei11802\crypto\cipher\_raw_cast.cp37-win_amd64.pyd
- %TEMP%\_mei11802\crypto\cipher\_raw_cbc.cp37-win_amd64.pyd
- %TEMP%\_mei11802\crypto\cipher\_raw_cfb.cp37-win_amd64.pyd
- %TEMP%\_mei11802\crypto\cipher\_raw_ctr.cp37-win_amd64.pyd
- %TEMP%\_mei11802\crypto\cipher\_raw_des.cp37-win_amd64.pyd
- %TEMP%\_mei11802\crypto\cipher\_raw_des3.cp37-win_amd64.pyd
- %TEMP%\_mei11802\crypto\cipher\_raw_ecb.cp37-win_amd64.pyd
- %TEMP%\_mei11802\crypto\cipher\_raw_eksblowfish.cp37-win_amd64.pyd
- %TEMP%\_mei11802\crypto\cipher\_raw_ofb.cp37-win_amd64.pyd
- %TEMP%\_mei11802\crypto\hash\_poly1305.cp37-win_amd64.pyd
- %TEMP%\_mei11802\crypto\hash\_blake2b.cp37-win_amd64.pyd
- %TEMP%\_mei11802\crypto\hash\_blake2s.cp37-win_amd64.pyd
- %TEMP%\_mei11802\crypto\hash\_md2.cp37-win_amd64.pyd
- %TEMP%\_mei11802\crypto\hash\_md4.cp37-win_amd64.pyd
- %TEMP%\_mei11802\crypto\hash\_md5.cp37-win_amd64.pyd
- %TEMP%\_mei11802\crypto\hash\_ripemd160.cp37-win_amd64.pyd
- %TEMP%\_mei11802\crypto\hash\_sha1.cp37-win_amd64.pyd
- %TEMP%\_mei11802\crypto\hash\_sha224.cp37-win_amd64.pyd
- %TEMP%\_mei11802\crypto\hash\_sha256.cp37-win_amd64.pyd
- %TEMP%\_mei11802\crypto\hash\_sha384.cp37-win_amd64.pyd
- %TEMP%\_mei11802\crypto\hash\_sha512.cp37-win_amd64.pyd
- %TEMP%\_mei11802\crypto\hash\_ghash_clmul.cp37-win_amd64.pyd
- %TEMP%\_mei11802\crypto\hash\_ghash_portable.cp37-win_amd64.pyd
- %TEMP%\_mei11802\crypto\hash\_keccak.cp37-win_amd64.pyd
- %TEMP%\_mei11802\crypto\math\_modexp.cp37-win_amd64.pyd
- %ALLUSERSPROFILE%\jucheck.exe
Sets the 'hidden' attribute to the following files
- %ALLUSERSPROFILE%\jucheck.exe
Network activity
Connects to
- 'ip##pi.com':80
- 'ap#.##legram.org':443
TCP
HTTP GET requests
- http://ip##pi.com/json/
Other
- 'ap#.##legram.org':443
UDP
- DNS ASK ip##pi.com
- DNS ASK ap#.##legram.org
Miscellaneous
Creates and executes the following
- '<SYSTEM32>\cmd.exe' /c "chcp 65001 && ipconfig | findstr /i "Default Gateway""' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c "@chcp 65001 1>nul"' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f"' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f"' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c "@chcp 65001 && @schtasks.exe /query /tn "Minecraft Update""' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c "schtasks /create /f /sc onlogon /rl highest /tn "Minecraft Update" /tr "%ALLUSERSPROFILE%\jucheck.exe""' (with hidden window)
Executes the following
- '<SYSTEM32>\cmd.exe' /c "chcp 65001 && ipconfig | findstr /i "Default Gateway""
- '<SYSTEM32>\chcp.com' 65001
- '<SYSTEM32>\ipconfig.exe'
- '<SYSTEM32>\findstr.exe' /i "Default Gateway"
- '<SYSTEM32>\cmd.exe' /c "@chcp 65001 1>nul"
- '<SYSTEM32>\cmd.exe' /c "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f"
- '<SYSTEM32>\reg.exe' add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
- '<SYSTEM32>\cmd.exe' /c "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f"
- '<SYSTEM32>\reg.exe' add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f
- '<SYSTEM32>\cmd.exe' /c "@chcp 65001 && @schtasks.exe /query /tn "Minecraft Update""
- '<SYSTEM32>\schtasks.exe' /query /tn "Minecraft Update"
- '<SYSTEM32>\cmd.exe' /c "schtasks /create /f /sc onlogon /rl highest /tn "Minecraft Update" /tr "%ALLUSERSPROFILE%\jucheck.exe""
- '<SYSTEM32>\schtasks.exe' /create /f /sc onlogon /rl highest /tn "Minecraft Update" /tr "%ALLUSERSPROFILE%\jucheck.exe"
