Technical Information
Malicious functions
Injects code into
the following user processes:
- chrome.exe
Modifies file system
Creates the following files
- <Current directory>\lnktodesktop.vbs
- %TEMP%\lorca876153631\default\gpucache\data_0
- %TEMP%\lorca876153631\default\gpucache\data_1
- %TEMP%\lorca876153631\default\gpucache\data_2
- %TEMP%\lorca876153631\default\gpucache\data_3
- %TEMP%\lorca876153631\default\cache\index
- %TEMP%\lorca876153631\default\cache\data_0
- %TEMP%\lorca876153631\default\cache\data_1
- %TEMP%\lorca876153631\default\cache\data_2
- %TEMP%\lorca876153631\default\cache\data_3
- %TEMP%\lorca876153631\default\extension state\manifest-000001
- %TEMP%\lorca876153631\default\extension state\000001.dbtmp
- %TEMP%\lorca876153631\default\extension state\log
- %TEMP%\lorca876153631\default\232c.tmp
- %TEMP%\lorca876153631\default\readme
- %TEMP%\lorca876153631\default\235c.tmp
- %TEMP%\lorca876153631\default\extension state\000003.log
- %TEMP%\lorca876153631\default\cache\f_000001
- %TEMP%\lorca876153631\55f2.tmp
- %TEMP%\lorca876153631\default\5799.tmp
- %TEMP%\lorca876153631\default\cache\f_000002
- %TEMP%\lorca876153631\default\6da9.tmp
- %TEMP%\lorca876153631\8633.tmp
- %WINDIR%\serviceprofiles\networkservice\appdata\locallow\microsoft\cryptneturlcache\metadata\f0accf77cdcbff39f6191887f6d2d357
- %WINDIR%\serviceprofiles\networkservice\appdata\locallow\microsoft\cryptneturlcache\content\f0accf77cdcbff39f6191887f6d2d357
- %TEMP%\lorca876153631\default\web applications\aidesoft.gabia.io\http_80\b8db.tmp
- %TEMP%\lorca876153631\default\web applications\aidesoft.gabia.io\http_80\미디어에이드.ico.md5
- %TEMP%\lorca876153631\default\cookies
- %TEMP%\lorca876153631\231b.tmp
- %TEMP%\lorca876153631\default\gpucache\index
- %TEMP%\lorca876153631\default\top sites
- %HOMEPATH%\desktop\mediaaide.lnk
- %TEMP%\lorca876153631\default\extension rules\manifest-000001
- %TEMP%\lorca876153631\default\extension rules\000001.dbtmp
- %TEMP%\lorca876153631\default\extension rules\log
- %TEMP%\lorca876153631\default\history-journal
- %TEMP%\etilqs_t3dp1xqoefmob9x
- %TEMP%\lorca876153631\default\web data-journal
- %TEMP%\etilqs_nboffcbay1cthbx
- %TEMP%\lorca876153631\default\web data
- %TEMP%\lorca876153631\default\top sites-journal
- %TEMP%\etilqs_zcq6qvffkcvuzwk
- %TEMP%\lorca876153631\default\history
- %TEMP%\lorca876153631\default\favicons-journal
- %TEMP%\lorca876153631\default\cookies-journal
- %TEMP%\etilqs_y40fbdkwpflokmn
- %TEMP%\lorca876153631\default\favicons
- %TEMP%\lorca876153631\default\edf1.tmp
- %TEMP%\lorca876153631\devtoolsactiveport
- %TEMP%\lorca876153631\default\shortcuts-journal
- %TEMP%\lorca876153631\default\shortcuts
- %TEMP%\lorca876153631\default\network action predictor-journal
- %TEMP%\lorca876153631\default\network action predictor
- %TEMP%\lorca876153631\default\login data-journal
- %TEMP%\etilqs_zdiudvixcvsxvlf
- %TEMP%\lorca876153631\default\login data
- %TEMP%\lorca876153631\default\visited links
- %TEMP%\etilqs_fyhttwd30n8kkym
- %TEMP%\lorca876153631\default\197d.tmp
Deletes the following files
- <Current directory>\lnktodesktop.vbs
- %TEMP%\lorca876153631\default\edf1.tmp
- %TEMP%\lorca876153631\local state~rf105601.tmp
- %TEMP%\lorca876153631\default\secure preferences~rf105798.tmp
- %TEMP%\lorca876153631\local state~rf10861a.tmp
- %TEMP%\lorca876153631\default\transportsecurity~rf111932.tmp
Moves the following files
- from %TEMP%\lorca876153631\default\extension rules\000001.dbtmp to %TEMP%\lorca876153631\default\extension rules\current
- from %TEMP%\lorca876153631\default\extension state\000001.dbtmp to %TEMP%\lorca876153631\default\extension state\current
- from %TEMP%\lorca876153631\231b.tmp to %TEMP%\lorca876153631\local state
- from %TEMP%\lorca876153631\default\232c.tmp to %TEMP%\lorca876153631\default\secure preferences
- from %TEMP%\lorca876153631\default\235c.tmp to %TEMP%\lorca876153631\default\preferences
- from %TEMP%\lorca876153631\55f2.tmp to %TEMP%\lorca876153631\local state
- from %TEMP%\lorca876153631\local state to %TEMP%\lorca876153631\local state~rf105601.tmp
- from %TEMP%\lorca876153631\default\5799.tmp to %TEMP%\lorca876153631\default\secure preferences
- from %TEMP%\lorca876153631\default\secure preferences to %TEMP%\lorca876153631\default\secure preferences~rf105798.tmp
- from %TEMP%\lorca876153631\default\6da9.tmp to %TEMP%\lorca876153631\default\transportsecurity
- from %TEMP%\lorca876153631\8633.tmp to %TEMP%\lorca876153631\local state
- from %TEMP%\lorca876153631\local state to %TEMP%\lorca876153631\local state~rf10861a.tmp
- from %TEMP%\lorca876153631\default\web applications\aidesoft.gabia.io\http_80\b8db.tmp to %TEMP%\lorca876153631\default\web applications\aidesoft.gabia.io\http_80\미디어에이드.ico
- from %TEMP%\lorca876153631\default\197d.tmp to %TEMP%\lorca876153631\default\transportsecurity
- from %TEMP%\lorca876153631\default\transportsecurity to %TEMP%\lorca876153631\default\transportsecurity~rf111932.tmp
Substitutes the following files
- %TEMP%\lorca876153631\local state
- %TEMP%\lorca876153631\default\secure preferences
- %TEMP%\lorca876153631\default\transportsecurity
Network activity
TCP
HTTP GET requests
- http://ai####ft.gabia.io/benner3.html
- http://ai####ft.gabia.io/ott/Netflix.jpg
- http://ai####ft.gabia.io/ott/Wavve.jpg
- http://ai####ft.gabia.io/ott/TVing.jpg
- http://ai####ft.gabia.io/ott/Watcha.jpg
- http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt
- http://ai####ft.gabia.io/favicon.ico
- http://er####.gabia.net/404.html
UDP
- DNS ASK google.com
- DNS ASK ai####ft.gabia.io
- DNS ASK st######h.bootstrapcdn.com
- DNS ASK co##.jquery.com
- DNS ASK ta##.#lickmon.co.kr
- DNS ASK cd###.#loudflare.com
- DNS ASK st###.#lickmon.co.kr
- DNS ASK ad####.clickmon.co.kr
- DNS ASK microsoft.com
- DNS ASK js##ip.com
- DNS ASK er####.gabia.net
Miscellaneous
Searches for the following windows
- ClassName: 'Chrome_MessageWindow' WindowName: '%TEMP%\lorca876153631'
Executes the following
- '<SYSTEM32>\wscript.exe' lnkToDesktop.vbs
- '%ProgramFiles(x86)%\google\chrome\application\chrome.exe' --disable-background-networking --disable-background-timer-throttling --disable-backgrounding-occluded-windows --disable-breakpad --disable-client-side-phishing-detection --disable-default-apps...
- '%ProgramFiles(x86)%\google\chrome\application\chrome.exe' --type=gpu-process --channel="2160.0.243953806\1931994448" --disable-breakpad --user-data-dir="%TEMP%\lorca876153631" --supports-dual-gpus=false --gpu-driver-bug-workarounds=1,19,42 --gpu-vendo...
- '%ProgramFiles(x86)%\google\chrome\application\chrome.exe' --type=renderer --disable-breakpad --enable-deferred-image-decoding --lang=en-US --user-data-dir="%TEMP%\lorca876153631" --disable-client-side-phishing-detection --enable-offline-auto-reload --...
- '%ProgramFiles(x86)%\google\chrome\application\chrome.exe' --type=renderer --disable-breakpad --enable-deferred-image-decoding --lang=en-US --user-data-dir="%TEMP%\lorca876153631" --extension-process --enable-webrtc-hw-h264-encoding --disable-client-si...
