Technical Information
To ensure autorun and distribution:
Creates or modifies the following files:
- %ALLUSERSPROFILE%\Start Menu\Programs\Startup\DualDesk.lnk
Malicious functions:
To bypass firewall, removes or modifies the following registry keys:
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%PROGRAM_FILES%\DD20.4.8201306271732\DualDesk.exe' = '%PROGRAM_FILES%\DD20.4.8201306271732\DualDesk.exe:*:Enabled:DualDesk-Server'
Creates and executes the following:
- '%TEMP%\nsd5.tmp\nsF.tmp' REG.EXE DELETE "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\DD_Service\Enum" /f
- '%TEMP%\nsd5.tmp\ns10.tmp' REG.EXE DELETE "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\DD_Service" /f
- '%TEMP%\nsd5.tmp\nsD.tmp' "netsh.exe" firewall add allowedprogram "%PROGRAM_FILES%\DD20.4.8201306271732\DualDesk.exe" "DualDesk-Server" ENABLE
- '%TEMP%\nsd5.tmp\nsE.tmp' REG.EXE DELETE "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\DD_Service\Security" /f
- '%TEMP%\nsd5.tmp\ns13.tmp' REG.EXE DELETE "SYSTEM\CurrentControlSet\Services\DD_Service" /f
- '%PROGRAM_FILES%\DD20.4.8201306271732\DualDesk.exe'
- '%TEMP%\nsd5.tmp\ns11.tmp' REG.EXE DELETE "SYSTEM\CurrentControlSet\Services\DD_Service\Description" /f
- '%TEMP%\nsd5.tmp\ns12.tmp' REG.EXE DELETE "SYSTEM\CurrentControlSet\Services\DD_Service\DependOnService" /f
- '%TEMP%\nsd5.tmp\ns7.tmp' "sc.exe" stop DD_CAD
- '%TEMP%\nsd5.tmp\ns8.tmp' "net.exe" stop DD_Service
- '%TEMP%\nsw3.tmp\DD_69.21.166.242_5122.exe' /189926712011958439020_televere Systems/0
- '%TEMP%\nsd5.tmp\ns6.tmp' "sc.exe" stop DD_Service
- '%TEMP%\nsd5.tmp\nsB.tmp' "sc.exe" delete DD_CAD
- '%TEMP%\nsd5.tmp\nsC.tmp' "netsh.exe" firewall add allowedprogram "%PROGRAM_FILES%\DD20.4.8201306271732\DualDesk.exe" "DualDesk-Server" ENABLE ALL
- '%TEMP%\nsd5.tmp\ns9.tmp' "net.exe" stop DD_CAD
- '%TEMP%\nsd5.tmp\nsA.tmp' "sc.exe" delete DD_Service
Executes the following:
- '<SYSTEM32>\reg.exe' DELETE "SYSTEM\CurrentControlSet\Services\DD_Service\Description" /f
- '<SYSTEM32>\reg.exe' DELETE "SYSTEM\CurrentControlSet\Services\DD_Service\DependOnService" /f
- '<SYSTEM32>\reg.exe' DELETE "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\DD_Service" /f
- '<SYSTEM32>\reg.exe' DELETE "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\DD_Service\Security" /f
- '<SYSTEM32>\reg.exe' DELETE "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\DD_Service\Enum" /f
- '<SYSTEM32>\ipconfig.exe' /pid=3128
- '<SYSTEM32>\ipconfig.exe' /pid=3560
- '<SYSTEM32>\net1.exe' /pid=2796
- '<SYSTEM32>\reg.exe' DELETE "SYSTEM\CurrentControlSet\Services\DD_Service" /f
- '<SYSTEM32>\ipconfig.exe' /flushdns
- '<SYSTEM32>\net1.exe' stop DD_Service
- '<SYSTEM32>\net.exe' stop DD_CAD
- '<SYSTEM32>\net.exe' stop DD_Service
- '<SYSTEM32>\sc.exe' stop DD_Service
- '<SYSTEM32>\sc.exe' stop DD_CAD
- '<SYSTEM32>\netsh.exe' firewall add allowedprogram "%PROGRAM_FILES%\DD20.4.8201306271732\DualDesk.exe" "DualDesk-Server" ENABLE ALL
- '<SYSTEM32>\netsh.exe' firewall add allowedprogram "%PROGRAM_FILES%\DD20.4.8201306271732\DualDesk.exe" "DualDesk-Server" ENABLE
- '<SYSTEM32>\sc.exe' delete DD_CAD
- '<SYSTEM32>\net1.exe' stop DD_CAD
- '<SYSTEM32>\sc.exe' delete DD_Service
Injects code into
the following system processes:
- <SYSTEM32>\ipconfig.exe
- <SYSTEM32>\netsh.exe
Modifies file system :
Creates the following files:
- %TEMP%\nsd5.tmp\cad.exe
- %TEMP%\nsd5.tmp\DualDesk.exe
- %PROGRAM_FILES%\DD20.4.8201306271732\UnDD.txt
- %TEMP%\nsw3.tmp\Configs\DD20.4.8.txt
- %PROGRAM_FILES%\DD20.4.8201306271732\DDuninst.exe
- %TEMP%\nsd5.tmp\ddUninst.exe
- %PROGRAM_FILES%\DD20.4.8201306271732\Flag.txt
- %TEMP%\nsd5.tmp\ns9.tmp
- %TEMP%\nsd5.tmp\ns8.tmp
- %TEMP%\nsd5.tmp\ns7.tmp
- %PROGRAM_FILES%\DD20.4.8201306271732\DD.txt
- %TEMP%\nsd5.tmp\nsB.tmp
- %TEMP%\nsd5.tmp\nsA.tmp
- %TEMP%\nsd5.tmp\ns12.tmp
- %TEMP%\nsd5.tmp\ns11.tmp
- %TEMP%\nsd5.tmp\ns10.tmp
- %TEMP%\11958439020.txt
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\11958439020[1].txt
- %TEMP%\nsd5.tmp\ns13.tmp
- %TEMP%\nsd5.tmp\nsF.tmp
- %TEMP%\nsd5.tmp\nsD.tmp
- %TEMP%\nsd5.tmp\nsC.tmp
- %TEMP%\nsw3.tmp\ToolBox\DD20.4.8.txt
- %TEMP%\nsd5.tmp\nsE.tmp
- %PROGRAM_FILES%\DD20.4.8201306271732\ToolBox\DualDesk.lnk
- %PROGRAM_FILES%\DD20.4.8201306271732\StopDD.reg
- %TEMP%\nsd5.tmp\ns6.tmp
- %TEMP%\nsw3.tmp\Configs\Alex.txt
- %TEMP%\nsw3.tmp\Ring.wav
- %TEMP%\nsw3.tmp\Blank.bmp
- %TEMP%\nsw3.tmp\Configs\EricS.txt
- %TEMP%\nsw3.tmp\Configs\EricR.txt
- %TEMP%\nsw3.tmp\Configs\Barb.txt
- %TEMP%\nsw3.tmp\Icon2.ico
- %TEMP%\nsw3.tmp\DD.txt
- %TEMP%\nsw3.tmp\DD_69.21.166.242_5122.exe
- %TEMP%\nsb2.tmp
- %TEMP%\nsw3.tmp\Icon1.ico
- %TEMP%\nsw3.tmp\Logo.bmp
- %TEMP%\nsw3.tmp\Splash.bmp
- %PROGRAM_FILES%\DD20.4.8201306271732\Advantig.txt
- %TEMP%\nsisdt.dll
- %TEMP%\nsw3.tmp\DD-Done.txt
- %TEMP%\nsd5.tmp\nsExec.dll
- %HOMEPATH%\My Documents\My Videos\Desktop.ini
- %HOMEPATH%\Start Menu\Programs\Administrative Tools\desktop.ini
- %TEMP%\nsw3.tmp\Splash.dll
- %TEMP%\nsw3.tmp\Configs\Rhea.txt
- %TEMP%\nsw3.tmp\Configs\Kyle.txt
- %TEMP%\nsw3.tmp\Configs\Jeff.txt
- %TEMP%\nsw3.tmp\Configs\Stacy.txt
- %TEMP%\nsw3.tmp\Configs\Shane.txt
- %TEMP%\nsw3.tmp\Configs\Sam.txt
Sets the 'hidden' attribute to the following files:
- %HOMEPATH%\My Documents\My Videos\Desktop.ini
Deletes the following files:
- %TEMP%\nsd5.tmp\nsE.tmp
- %TEMP%\nsd5.tmp\nsF.tmp
- %TEMP%\nsd5.tmp\nsD.tmp
- %TEMP%\nsw3.tmp\DD-Done.txt
- %TEMP%\nsd5.tmp\nsC.tmp
- %TEMP%\nsd5.tmp\ns10.tmp
- %TEMP%\nsd5.tmp\cad.exe
- %TEMP%\nsd5.tmp\nsExec.dll
- %TEMP%\nsd5.tmp\ns13.tmp
- %TEMP%\nsd5.tmp\ns11.tmp
- %TEMP%\nsd5.tmp\ns12.tmp
- %TEMP%\nsd5.tmp\ns7.tmp
- %TEMP%\nsd5.tmp\ns8.tmp
- %TEMP%\nsd5.tmp\ns6.tmp
- %TEMP%\nsisdt.dll
- %PROGRAM_FILES%\DD20.4.8201306271732\Advantig.txt
- %TEMP%\nsd5.tmp\ns9.tmp
- %PROGRAM_FILES%\DD20.4.8201306271732\UnDD.txt
- %PROGRAM_FILES%\DD20.4.8201306271732\Flag.txt
- %PROGRAM_FILES%\DD20.4.8201306271732\DD.txt
- %TEMP%\nsd5.tmp\nsA.tmp
- %TEMP%\nsd5.tmp\nsB.tmp
Moves the following files:
- from %TEMP%\nsw3.tmp\DD.txt to %PROGRAM_FILES%\DD20.4.8201306271732\DD.txt
- from %TEMP%\nsw3.tmp\Ring.wav to %PROGRAM_FILES%\DD20.4.8201306271732\Ring.wav
- from %TEMP%\nsd5.tmp\DualDesk.exe to %PROGRAM_FILES%\DD20.4.8201306271732\DualDesk.exe
- from %TEMP%\nsd5.tmp\ddUninst.exe to %PROGRAM_FILES%\DD20.4.8201306271732\Uninst.exe
- from %TEMP%\nsw3.tmp\Icon1.ico to %PROGRAM_FILES%\DD20.4.8201306271732\icon1.ico
- from %TEMP%\nsw3.tmp\Logo.bmp to %PROGRAM_FILES%\DD20.4.8201306271732\Logo.bmp
- from %TEMP%\nsw3.tmp\Blank.bmp to %PROGRAM_FILES%\DD20.4.8201306271732\Blank.bmp
- from %TEMP%\nsw3.tmp\Icon2.ico to %PROGRAM_FILES%\DD20.4.8201306271732\icon2.ico
Network activity:
Connects to:
- '69.##.166.242':5122
- 'www.du###esk.net':80
- 'localhost':1039
TCP:
HTTP GET requests:
- www.du###esk.net/unreg/11958439020.txt
UDP:
- DNS ASK www.du###esk.net
Miscellaneous:
Searches for the following windows:
- ClassName: 'DualDesk Tray Icon' WindowName: '(null)'
- ClassName: 'Shell_TrayWnd' WindowName: '(null)'
- ClassName: 'SysListView32' WindowName: '(null)'
- ClassName: 'DualDesk desktop sink' WindowName: '(null)'
- ClassName: '#32770' WindowName: '(null)'
