Technical Information
Malicious functions
Reads files which store third party applications passwords
- %LOCALAPPDATA%\google\chrome\user data\default\login data
- %LOCALAPPDATA%\google\chrome\user data\default\web data
- %LOCALAPPDATA%\microsoft\edge\user data\default\web data
- %LOCALAPPDATA%\microsoft\edge\user data\default\login data
- %LOCALAPPDATA%\google\chrome\user data\default\cookies
Modifies file system
Creates the following files
- %TEMP%\login data_chrome_default_1.temp
- %TEMP%\secure preferences_microsoft_edge_default_10.temp
- %TEMP%\web data_chrome_default_7.temp
- %TEMP%\web data_microsoft_edge_default_7.temp
- %TEMP%\places.sqlite_firefox-dnyauhh1.default-release_20.temp
- %TEMP%\web data_microsoft_edge_default_11.temp
- %TEMP%\web data_chrome_default_12.temp
- %TEMP%\web data_microsoft_edge_default_12.temp
- %TEMP%\places.sqlite_firefox-dnyauhh1.default-release_21.temp
- %TEMP%\secure preferences_chrome_default_10.temp
- %TEMP%\webappsstore.sqlite_firefox-dnyauhh1.default-release_24.temp
- %TEMP%\cookies.sqlite_firefox-dnyauhh1.default-release_18.temp
- %TEMP%\extensions.json_firefox-dnyauhh1.default-release_26.temp
- %TEMP%\local storage\leveldb_microsoft_edge_default_8.temp\current
- %TEMP%\session storage_chrome_default_9.temp\current
- %TEMP%\local storage\leveldb_microsoft_edge_default_8.temp\log
- %TEMP%\key4.db_firefox-dnyauhh1.default-release_16.temp
- %TEMP%\session storage_chrome_default_9.temp\log
- %TEMP%\local storage\leveldb_microsoft_edge_default_8.temp\manifest-000001
- %TEMP%\session storage_chrome_default_9.temp\manifest-000001
- %TEMP%\history_microsoft_edge_default_4.temp
- %TEMP%\places.sqlite_firefox-dnyauhh1.default-release_19.temp
- %TEMP%\web data_chrome_default_6.temp
- %TEMP%\history_microsoft_edge_default_5.temp
- %TEMP%\web data_microsoft_edge_default_6.temp
- %TEMP%\web data_chrome_default_11.temp
- %TEMP%\local state_microsoft_edge_default_0.temp
- %TEMP%\local state_chrome_default_0.temp
- %TEMP%\login data_microsoft_edge_default_1.temp
- %TEMP%\cookies_chrome_default_2.temp
- %TEMP%\history_chrome_default_4.temp
- %TEMP%\history_chrome_default_5.temp
- %TEMP%\local storage\leveldb_microsoft_edge_default_8.temp\manifest-000005
- %TEMP%\local storage\leveldb_microsoft_edge_default_8.temp\current.bak
- %TEMP%\local storage\leveldb_microsoft_edge_default_8.temp\current.5
- %TEMP%\local storage\leveldb_microsoft_edge_default_8.temp\000004.log
- %TEMP%\session storage_chrome_default_9.temp\manifest-000005
- %TEMP%\session storage_chrome_default_9.temp\current.bak
- %TEMP%\session storage_chrome_default_9.temp\current.5
- %TEMP%\session storage_chrome_default_9.temp\000004.log
Deletes following files that it created itself
- %TEMP%\key4.db_firefox-dnyauhh1.default-release_16.temp
- %TEMP%\local state_microsoft_edge_default_0.temp
- %TEMP%\web data_microsoft_edge_default_7.temp
- %TEMP%\local state_chrome_default_0.temp
- %TEMP%\web data_chrome_default_7.temp
- %TEMP%\cookies_chrome_default_2.temp
- %TEMP%\history_chrome_default_4.temp
- %TEMP%\local storage\leveldb_microsoft_edge_default_8.temp\manifest-000001
- %TEMP%\login data_chrome_default_1.temp
- %TEMP%\local storage\leveldb_microsoft_edge_default_8.temp\000004.log
- %TEMP%\web data_chrome_default_12.temp
- %TEMP%\local storage\leveldb_microsoft_edge_default_8.temp\current
- %TEMP%\local storage\leveldb_microsoft_edge_default_8.temp\current.bak
- %TEMP%\local storage\leveldb_microsoft_edge_default_8.temp\log
- %TEMP%\local storage\leveldb_microsoft_edge_default_8.temp\manifest-000005
- %TEMP%\history_microsoft_edge_default_5.temp
- %TEMP%\web data_microsoft_edge_default_6.temp
- %TEMP%\login data_microsoft_edge_default_1.temp
- %TEMP%\web data_microsoft_edge_default_11.temp
- %TEMP%\history_microsoft_edge_default_4.temp
- %TEMP%\secure preferences_microsoft_edge_default_10.temp
- %TEMP%\session storage_chrome_default_9.temp\manifest-000001
- %TEMP%\web data_microsoft_edge_default_12.temp
- %TEMP%\session storage_chrome_default_9.temp\000004.log
- %TEMP%\session storage_chrome_default_9.temp\current
- %TEMP%\session storage_chrome_default_9.temp\current.bak
- %TEMP%\session storage_chrome_default_9.temp\log
- %TEMP%\session storage_chrome_default_9.temp\manifest-000005
- %TEMP%\web data_chrome_default_11.temp
- %TEMP%\history_chrome_default_5.temp
- %TEMP%\secure preferences_chrome_default_10.temp
- %TEMP%\web data_chrome_default_6.temp
Moves the following files
- from %TEMP%\local storage\leveldb_microsoft_edge_default_8.temp\current.5 to %TEMP%\local storage\leveldb_microsoft_edge_default_8.temp\current
- from %TEMP%\session storage_chrome_default_9.temp\current.5 to %TEMP%\session storage_chrome_default_9.temp\current
Network activity
Connects to
- 'ap#.#pify.org':443
- 'ip##pi.com':80
- '51.##.99.224':443
TCP
HTTP GET requests
- http://ip##pi.com/json/185.93.40.66
Other
- 'ap#.#pify.org':443
UDP
- DNS ASK ap#.#pify.org
- DNS ASK ip##pi.com
Miscellaneous
Executes the following
- '<SYSTEM32>\systeminfo.exe'
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -Command "Invoke-CimMethod -ClassName Win32_ShadowCopy -MethodName Create -Arguments @{Volume=\"C:\\\"; Context=\"ClientAccessible\"}"
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -Command "Get-WmiObject Win32_Processor | Select-Object -ExpandProperty Name"
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -Command "Get-WmiObject Win32_Processor | Select-Object -ExpandProperty NumberOfCores"
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -Command "Get-WmiObject Win32_VideoController | Select-Object -ExpandProperty Name"
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -Command "Get-WmiObject Win32_OperatingSystem | Select-Object -ExpandProperty TotalVisibleMemorySize"
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -Command "Get-CimInstance Win32_VideoController | Where-Object { $_.CurrentHorizontalResolution -gt 0 -and $_.CurrentVerticalResolution -gt 0 } | Select-Object Name, CurrentHorizontalResolution...
- '<SYSTEM32>\curl.exe' -s http://ip-api.com/json/18#.#3.40.66
- '<SYSTEM32>\systeminfo.exe' ' (with hidden window)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -Command "Invoke-CimMethod -ClassName Win32_ShadowCopy -MethodName Create -Arguments @{Volume=\"C:\\\"; Context=\"ClientAccessible\"}"' (with hidden window)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -Command "Get-WmiObject Win32_Processor | Select-Object -ExpandProperty Name"' (with hidden window)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -Command "Get-WmiObject Win32_Processor | Select-Object -ExpandProperty NumberOfCores"' (with hidden window)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -Command "Get-WmiObject Win32_VideoController | Select-Object -ExpandProperty Name"' (with hidden window)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -Command "Get-WmiObject Win32_OperatingSystem | Select-Object -ExpandProperty TotalVisibleMemorySize"' (with hidden window)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -Command "Get-CimInstance Win32_VideoController | Where-Object { $_.CurrentHorizontalResolution -gt 0 -and $_.CurrentVerticalResolution -gt 0 } | Select-Object Name, CurrentHorizontalResolution...' (with hidden window)
- '<SYSTEM32>\curl.exe' -s http://ip-api.com/json/18#.#3.40.66' (with hidden window)
