Technical Information
To ensure autorun and distribution
Modifies the following registry keys
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] '1' = '"%TEMP%\9EA3.tmp.exe"'
Creates or modifies the following files
- <SYSTEM32>\tasks\nvngxupdatecheckdaily_{081131b0-31b0-31b0-31b0-081131b031b0}
Creates the following files on removable media
- <Drive name for removable media>:\correct.avi
- <Drive name for removable media>:\default.bmp
- <Drive name for removable media>:\coffee.bmp
- <Drive name for removable media>:\dashborder_96.bmp
- <Drive name for removable media>:\dashborder_144.bmp
- <Drive name for removable media>:\contoso.cer
Malicious functions
To complicate detection of its presence in the operating system,
deletes volume shadow copies.
Terminates or attempts to terminate
the following system processes:
- <SYSTEM32>\dwm.exe
- <SYSTEM32>\taskhost.exe
the following user processes:
- iexplore.exe
Modifies file system
Creates the following files
- %TEMP%\ae7f.tmp
- C:\far2\documentation\rus\readme-warning.txt
- C:\far2\documentation\eng\readme-warning.txt
- C:\far2\addons\readme-warning.txt
- C:\far2\addons\xlat\readme-warning.txt
- C:\far2\addons\xlat\russian\readme-warning.txt
- C:\far2\addons\shell\readme-warning.txt
- C:\far2\addons\setup\readme-warning.txt
- C:\far2\addons\macros\readme-warning.txt
- C:\far2\addons\colors\readme-warning.txt
- C:\far2\addons\colors\default_highlighting\readme-warning.txt
- C:\far2\addons\colors\custom_highlighting\readme-warning.txt
- D:\readme-warning.txt
- %TEMP%\readme-warning.txt
- %TEMP%\webinstaller\qnzuposrqouvfisa\readme-warning.txt
- %TEMP%\temp1_fp_13.0.0.182_archive.zip\fp_13.0.0.182_archive\13_0_r0_182\readme-warning.txt
- %TEMP%\opera installer\readme-warning.txt
- %TEMP%\adobe_admlogs\readme-warning.txt
- %HOMEPATH%\desktop\readme-warning.txt
- C:\readme-warning.txt
- %TEMP%\9ea3.tmp.exe
- %APPDATA%\eaievws
- C:\far2\encyclopedia\tap\readme-warning.txt
- C:\far2\encyclopedia\readme-warning.txt
Sets the 'hidden' attribute to the following files
- %APPDATA%\eaievws
Moves the following files
- from %TEMP%\adobearm.log to %TEMP%\adobearm.log.kjhslgjkjdfg
- from %TEMP%\jusched.log to %TEMP%\jusched.log.kjhslgjkjdfg
- from %TEMP%\microsoft .net framework 4.5 setup_20150506_155317844.html to %TEMP%\microsoft .net framework 4.5 setup_20150506_155317844.html.kjhslgjkjdfg
- from %TEMP%\microsoft .net framework 4.5.2 setup_20151216_212237215-msi_netfx_full_gdr_x64.msi.txt to %TEMP%\microsoft .net framework 4.5.2 setup_20151216_212237215-msi_netfx_full_gdr_x64.msi.txt.kjhslgjkjdfg
- from %TEMP%\microsoft .net framework 4.5.2 setup_20151216_212237215.html to %TEMP%\microsoft .net framework 4.5.2 setup_20151216_212237215.html.kjhslgjkjdfg
- from %TEMP%\microsoft visual c++ 2010 x86 redistributable setup_20150506_155226438.html to %TEMP%\microsoft visual c++ 2010 x86 redistributable setup_20150506_155226438.html.kjhslgjkjdfg
- from %TEMP%\msi1cfbe.log to %TEMP%\msi1cfbe.log.kjhslgjkjdfg
- from %TEMP%\msic204f.log to %TEMP%\msic204f.log.kjhslgjkjdfg
- from %TEMP%\msie45bf.log to %TEMP%\msie45bf.log.kjhslgjkjdfg
- from %TEMP%\wallpaper.bmp to %TEMP%\wallpaper.bmp.kjhslgjkjdfg
- from %TEMP%\msieb217.log to %TEMP%\msieb217.log.kjhslgjkjdfg
- from %TEMP%\rgie195.tmp to %TEMP%\rgie195.tmp.kjhslgjkjdfg
- from %TEMP%\rgie195.tmp-tmp to %TEMP%\rgie195.tmp-tmp.kjhslgjkjdfg
- from %TEMP%\setupexe(20151124155624744).log to %TEMP%\setupexe(20151124155624744).log.kjhslgjkjdfg
- from %TEMP%\setupexe(201603101200226dc).log to %TEMP%\setupexe(201603101200226dc).log.kjhslgjkjdfg
- from %TEMP%\setupexe(20160310140634718).log to %TEMP%\setupexe(20160310140634718).log.kjhslgjkjdfg
- from %TEMP%\user.bmp to %TEMP%\user.bmp.kjhslgjkjdfg
- from %TEMP%\jawshtml.html to %TEMP%\jawshtml.html.kjhslgjkjdfg
- from %TEMP%\msid38c.log to %TEMP%\msid38c.log.kjhslgjkjdfg
- from %TEMP%\javadeployreg.log to %TEMP%\javadeployreg.log.kjhslgjkjdfg
- from %TEMP%\dd_setuputility.txt to %TEMP%\dd_setuputility.txt.kjhslgjkjdfg
- from %TEMP%\adobearm_notlocked.log to %TEMP%\adobearm_notlocked.log.kjhslgjkjdfg
- from %TEMP%\adobesfx.log to %TEMP%\adobesfx.log.kjhslgjkjdfg
- from %TEMP%\ae7f.tmp to %TEMP%\ae7f.tmp.kjhslgjkjdfg
- from %TEMP%\aspnetsetup.log to %TEMP%\aspnetsetup.log.kjhslgjkjdfg
- from %TEMP%\aspnetsetup_00000.log to %TEMP%\aspnetsetup_00000.log.kjhslgjkjdfg
- from %TEMP%\aspnetsetup_00001.log to %TEMP%\aspnetsetup_00001.log.kjhslgjkjdfg
- from %TEMP%\dd_ndp452-kb2901907-x86-x64-allos-enu_decompression_log.txt to %TEMP%\dd_ndp452-kb2901907-x86-x64-allos-enu_decompression_log.txt.kjhslgjkjdfg
- from %TEMP%\dd_vcredist_amd64_20151216210341.log to %TEMP%\dd_vcredist_amd64_20151216210341.log.kjhslgjkjdfg
- from %TEMP%\dotnetfx.log to %TEMP%\dotnetfx.log.kjhslgjkjdfg
- from %TEMP%\dd_vcredist_amd64_20151216210341_000_vcruntimeminimum_x64.log to %TEMP%\dd_vcredist_amd64_20151216210341_000_vcruntimeminimum_x64.log.kjhslgjkjdfg
- from %TEMP%\dd_vcredist_amd64_20151216210341_001_vcruntimeadditional_x64.log to %TEMP%\dd_vcredist_amd64_20151216210341_001_vcruntimeadditional_x64.log.kjhslgjkjdfg
- from %TEMP%\dd_vcredist_x86_20151216210157.log to %TEMP%\dd_vcredist_x86_20151216210157.log.kjhslgjkjdfg
- from %TEMP%\dd_vcredist_x86_20151216210157_000_vcruntimeminimum_x86.log to %TEMP%\dd_vcredist_x86_20151216210157_000_vcruntimeminimum_x86.log.kjhslgjkjdfg
- from %TEMP%\dd_vcredist_x86_20151216210157_001_vcruntimeadditional_x86.log to %TEMP%\dd_vcredist_x86_20151216210157_001_vcruntimeadditional_x86.log.kjhslgjkjdfg
- from %TEMP%\dd_wcf_ca_smci_20151217_052858_840.txt to %TEMP%\dd_wcf_ca_smci_20151217_052858_840.txt.kjhslgjkjdfg
- from %TEMP%\dd_wcf_ca_smci_20151217_052908_497.txt to %TEMP%\dd_wcf_ca_smci_20151217_052908_497.txt.kjhslgjkjdfg
- from %TEMP%\dotnetfxsdk.log to %TEMP%\dotnetfxsdk.log.kjhslgjkjdfg
- from %TEMP%\wmsetup.log to %TEMP%\wmsetup.log.kjhslgjkjdfg
Deletes itself.
Creates ransom message files (Trojan.Encoder).
Network activity
TCP
HTTP GET requests
- http://gs#####netiplist.net/lok.exe
HTTP POST requests
- http://gs######etiplist.download/sub/index.php
UDP
- DNS ASK gs######etiplist.download
- DNS ASK gs#####netiplist.net
Miscellaneous
Creates and executes the following
- '%TEMP%\9ea3.tmp.exe'
- '%TEMP%\9ea3.tmp.exe' n2920
- '<SYSTEM32>\cmd.exe' ' (with hidden window)
Executes the following
- '<SYSTEM32>\cmd.exe'
- '<SYSTEM32>\sc.exe' delete "ReportServer$OPTIMA"
- '<SYSTEM32>\sc.exe' delete "msftesql$SQLEXPRESS"
- '<SYSTEM32>\sc.exe' delete "postgresql-x64-9.4"
- '<SYSTEM32>\sc.exe' delete WRSVC
- '<SYSTEM32>\sc.exe' delete ekrn
- '<SYSTEM32>\sc.exe' delete klim6
- '<SYSTEM32>\sc.exe' delete "AVP18.0.0"
- '<SYSTEM32>\sc.exe' delete KLIF
- '<SYSTEM32>\sc.exe' delete klpd
- '<SYSTEM32>\sc.exe' delete klflt
- '<SYSTEM32>\sc.exe' delete klbackupdisk
- '<SYSTEM32>\sc.exe' delete klbackupflt
- '<SYSTEM32>\sc.exe' delete klkbdflt
- '<SYSTEM32>\sc.exe' delete klmouflt
- '<SYSTEM32>\sc.exe' delete klhk
- '<SYSTEM32>\sc.exe' delete "KSDE1.0.0"
- '<SYSTEM32>\sc.exe' delete kltap
- '<SYSTEM32>\sc.exe' delete TmFilter
- '<SYSTEM32>\sc.exe' delete TMLWCSService
- '<SYSTEM32>\sc.exe' delete tmusa
- '<SYSTEM32>\sc.exe' delete TmPreFilter
- '<SYSTEM32>\sc.exe' delete TMSmartRelayService
- '<SYSTEM32>\sc.exe' delete TMiCRCScanService
- '<SYSTEM32>\sc.exe' delete VSApiNt
- '<SYSTEM32>\sc.exe' delete TmCCSF
- '<SYSTEM32>\sc.exe' delete tmlisten
- '<SYSTEM32>\sc.exe' delete TmProxy
- '<SYSTEM32>\sc.exe' delete ntrtscan
- '<SYSTEM32>\sc.exe' delete ofcservice
- '<SYSTEM32>\sc.exe' delete "SQLAgent$OPTIMA"
- '<SYSTEM32>\vssvc.exe'
- '<SYSTEM32>\sc.exe' delete "MSSQL$OPTIMA"
- '<SYSTEM32>\sc.exe' delete "SQLAgent$WOLTERSKLUWER"
- '<SYSTEM32>\sc.exe' delete vmickvpexchange
- '<SYSTEM32>\sc.exe' delete vmicguestinterface
- '<SYSTEM32>\sc.exe' delete vmicshutdown
- '<SYSTEM32>\sc.exe' delete vmicheartbeat
- '<SYSTEM32>\sc.exe' delete vmicrdv
- '<SYSTEM32>\sc.exe' delete storflt
- '<SYSTEM32>\sc.exe' delete vmictimesync
- '<SYSTEM32>\sc.exe' delete vmicvss
- '<SYSTEM32>\sc.exe' delete MSSQLFDLauncher
- '<SYSTEM32>\sc.exe' delete MSSQLSERVER
- '<SYSTEM32>\sc.exe' delete SQLSERVERAGENT
- '<SYSTEM32>\sc.exe' delete SQLBrowser
- '<SYSTEM32>\sc.exe' delete SQLTELEMETRY
- '<SYSTEM32>\sc.exe' delete MsDtsServer130
- '<SYSTEM32>\sc.exe' delete SSISTELEMETRY130
- '<SYSTEM32>\sc.exe' delete SQLWriter
- '<SYSTEM32>\sc.exe' delete "MSSQL$VEEAMSQL2012"
- '<SYSTEM32>\sc.exe' delete "SQLAgent$VEEAMSQL2012"
- '<SYSTEM32>\sc.exe' delete MSSQL
- '<SYSTEM32>\sc.exe' delete SQLAgent
- '<SYSTEM32>\sc.exe' delete MSSQLServerADHelper100
- '<SYSTEM32>\sc.exe' delete MSSQLServerOLAPService
- '<SYSTEM32>\sc.exe' delete MsDtsServer100
- '<SYSTEM32>\sc.exe' delete ReportServer
- '<SYSTEM32>\sc.exe' delete "SQLTELEMETRY$HL"
- '<SYSTEM32>\sc.exe' delete TMBMServer
- '<SYSTEM32>\sc.exe' delete "MSSQL$PROGID"
- '<SYSTEM32>\sc.exe' delete "MSSQL$WOLTERSKLUWER"
- '<SYSTEM32>\sc.exe' delete "SQLAgent$PROGID"
- '<SYSTEM32>\sc.exe' delete "MSSQLFDLauncher$OPTIMA"
- '<SYSTEM32>\svchost.exe' -k swprv
