Technical Information
To ensure autorun and distribution:
Creates or modifies the following files:
- %ALLUSERSPROFILE%\Start Menu\Programs\Startup\Aventail VPN Connection.lnk
Creates the following services:
- [<HKLM>\SYSTEM\ControlSet001\Services\NgVpnMgr] 'Start' = '00000002'
Malicious functions:
Creates and executes the following:
- '<SYSTEM32>\ngvpnmgr.exe'
Executes the following:
- '<SYSTEM32>\msiexec.exe' -Embedding A7FC74B2D463DC865FE11881ADA4CFC0
- '<SYSTEM32>\runonce.exe' -r
- '<SYSTEM32>\msiexec.exe' /V
- '<SYSTEM32>\msiexec.exe' /Y "%WINDIR%\ngwinx.dll"
Modifies file system :
Creates the following files:
- <SYSTEM32>\nglocenu.dll
- %WINDIR%\ngwinx.dll
- %WINDIR%\ngmsgs.dll
- %WINDIR%\Temp\Top.bmp
- <SYSTEM32>\ngvpnmgr.exe
- <SYSTEM32>\ngmonitor.exe
- %WINDIR%\inf\ngvpn.inf
- <SYSTEM32>\ngclient.dll
- C:\Config.Msi\1f134.rbs
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\RestorePointSize
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\Repository\FS\OBJECTS.MAP
- <DRIVERS>\ngvpn.sys
- <SYSTEM32>\ngras.dll
- <DRIVERS>\nglog.sys
- <SYSTEM32>\ngdial.exe
- <SYSTEM32>\ngupdate.exe
- <DRIVERS>\SET5.tmp
- %WINDIR%\inf\oem3.PNF
- %WINDIR%\inf\oem3.inf
- %ALLUSERSPROFILE%\Application Data\Aventail\nglog.lgf
- %ALLUSERSPROFILE%\Start Menu\Programs\Aventail\Aventail VPN Connection.lnk
- %ALLUSERSPROFILE%\Desktop\Aventail VPN Connection.lnk
- %ALLUSERSPROFILE%\Application Data\Microsoft\Network\Connections\Pbk\aventail.pbk
- %WINDIR%\ngmsi.dll
- <SYSTEM32>\nglogon.dll
- <DRIVERS>\ngfilter.sys
- %WINDIR%\ngutil.exe
- <SYSTEM32>\ngcommon.dll
- %PROGRAM_FILES%\Aventail Connect\ngvpn.cat
- %WINDIR%\ngevent.dll
- <SYSTEM32>\nghelp.chm
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\Repository\FS\OBJECTS.DATA
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_USER_NTUSER_S-1-5-19
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_USER_NTUSER_S-1-5-18
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\rp.log
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-19
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2052111302-484763869-725345543-1003
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-20
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_USER_NTUSER_S-1-5-20
- %APPDATA%\Microsoft\CryptnetUrlCache\Content\486CC6AFD08942336C61FCD401C4A1D1
- %ALLUSERSPROFILE%\Application Data\Aventail\ngsetup.ini
- %ALLUSERSPROFILE%\Application Data\Aventail\ngvpn.msi
- %ALLUSERSPROFILE%\Application Data\Aventail\ngsetup.log
- %WINDIR%\Installer\1f131.msi
- %APPDATA%\Microsoft\CryptnetUrlCache\MetaData\486CC6AFD08942336C61FCD401C4A1D1
- %APPDATA%\Microsoft\CryptnetUrlCache\Content\74BFD122C0875EC75DBE5C6DB4C59019
- %APPDATA%\Microsoft\CryptnetUrlCache\MetaData\74BFD122C0875EC75DBE5C6DB4C59019
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-21-2052111302-484763869-725345543-1003
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\Repository\FS\INDEX.MAP
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\Repository\FS\INDEX.BTR
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\Repository\FS\MAPPING.VER
- %WINDIR%\Installer\MSI1.tmp
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\Repository\FS\MAPPING2.MAP
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\Repository\FS\MAPPING1.MAP
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\Repository\$WinMgmt.CFG
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_MACHINE_SOFTWARE
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_MACHINE_SECURITY
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_USER_.DEFAULT
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_MACHINE_SYSTEM
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\domain.txt
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\ComDb.Dat
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_MACHINE_SAM
Deletes the following files:
- %WINDIR%\Installer\1f131.msi
- %WINDIR%\Installer\1f133.ipi
- %ALLUSERSPROFILE%\Application Data\Aventail\ngvpn.msi
- C:\Config.Msi\1f134.rbs
- %ALLUSERSPROFILE%\Application Data\Aventail\ngvpn.inf
- %ALLUSERSPROFILE%\Application Data\Aventail\ngvpn.sys
- %WINDIR%\Installer\MSI1.tmp
Moves the following files:
- from <DRIVERS>\SET5.tmp to <DRIVERS>\NgVpn.sys
- from <DRIVERS>\ngvpn.sys to %ALLUSERSPROFILE%\Application Data\Aventail\ngvpn.sys
- from %WINDIR%\inf\ngvpn.inf to %ALLUSERSPROFILE%\Application Data\Aventail\ngvpn.inf
Network activity:
Connects to:
- 'cr#.#hawte.com':80
- 'wp#d':80
TCP:
HTTP GET requests:
- cr#.#hawte.com/ThawteCodeSigningCA.crl
- cr#.#hawte.com/ThawtePremiumServerCA.crl
- wp#d/wpad.dat
UDP:
- DNS ASK cr#.#hawte.com
- DNS ASK wp#d
Miscellaneous:
Searches for the following windows:
- ClassName: 'MsiDialogCloseClass' WindowName: 'Aventail Connect Setup Wizard'
- ClassName: 'Shell_TrayWnd' WindowName: ''
