Technical Information
To ensure autorun and distribution
Modifies the following registry keys
- [<HKCU>\software\Microsoft\Windows\CurrentVersion\Run] 'a132593f0cd47968c02e0e1ff0beb4ad' = '"%TEMP%\server.exe" ..'
- [<HKLM>\software\Microsoft\Windows\CurrentVersion\Run] 'a132593f0cd47968c02e0e1ff0beb4ad' = '"%TEMP%\server.exe" ..'
Creates or modifies the following files
- %HOMEPATH%\start menu\programs\startup\a132593f0cd47968c02e0e1ff0beb4ad.exe
Creates the following files on removable media
- <Drive name for removable media>:\a132593f0cd47968c02e0e1ff0beb4ad.exe
- <Drive name for removable media>:\autorun.inf
Malicious functions
To bypass firewall, removes or modifies the following registry keys
- [<HKLM>\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%TEMP%\server.exe' = '%TEMP%\server.exe:*:Enabled:server.exe'
To complicate detection of its presence in the operating system,
forces the system hide from view:
- hidden files
Executes the following
- '<SYSTEM32>\netsh.exe' firewall add allowedprogram "%TEMP%\server.exe" "server.exe" ENABLE
Modifies file system
Creates the following files
- %TEMP%\server.exe
Sets the 'hidden' attribute to the following files
- <Drive name for removable media>:\a132593f0cd47968c02e0e1ff0beb4ad.exe
- <Drive name for removable media>:\autorun.inf
- %TEMP%\server.exe
- %HOMEPATH%\start menu\programs\startup\a132593f0cd47968c02e0e1ff0beb4ad.exe
Network activity
Connects to
- 'localhost':5557
UDP
- DNS ASK ba####22.ddns.net
Miscellaneous
Creates and executes the following
- '%TEMP%\server.exe'
- '<SYSTEM32>\netsh.exe' firewall add allowedprogram "%TEMP%\server.exe" "server.exe" ENABLE' (with hidden window)
