Technical Information
To ensure autorun and distribution
Modifies the following registry keys
- [<HKCU>\Software\Microsoft\Windows NT\CurrentVersion\Windows] 'Load' = '%APPDATA%\Anti Virus\Windows Security.exe'
Creates or modifies the following files
- %APPDATA%\microsoft\windows\start menu\programs\startup\windows configs.vbs
Malicious functions
Injects code into
the following user processes:
- windows security.exe
Modifies file system
Creates the following files
- %APPDATA%\anti virus\windows security.exe
Sets the 'hidden' attribute to the following files
- %APPDATA%\anti virus\windows security.exe
Deletes itself.
Network activity
Connects to
- 're######res1209.ddns.net':2356
UDP
- DNS ASK re######res1209.ddns.net
Miscellaneous
Creates and executes the following
- '%APPDATA%\anti virus\windows security.exe' UP:192
- '%APPDATA%\anti virus\windows security.exe'
- '%WINDIR%\syswow64\cmd.exe' /k ping 0 & attrib +s +h "%APPDATA%\Anti Virus" & exit' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /k ping 0 & attrib +s +h "%APPDATA%\Anti Virus\Windows Security.exe" & exit' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /k ping 0 & del "<Full path to file>" & exit' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%APPDATA%\Anti Virus\Windows Security.exe" /f & exit' (with hidden window)
Executes the following
- '%WINDIR%\syswow64\cmd.exe' /k ping 0 & attrib +s +h "%APPDATA%\Anti Virus" & exit
- '%WINDIR%\syswow64\cmd.exe' /k ping 0 & attrib +s +h "%APPDATA%\Anti Virus\Windows Security.exe" & exit
- '%WINDIR%\syswow64\cmd.exe' /k ping 0 & del "<Full path to file>" & exit
- '%WINDIR%\syswow64\cmd.exe' /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%APPDATA%\Anti Virus\Windows Security.exe" /f & exit
- '%WINDIR%\syswow64\ping.exe' 0
- '%WINDIR%\syswow64\reg.exe' add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%APPDATA%\Anti Virus\Windows Security.exe" /f
- '%WINDIR%\syswow64\attrib.exe' +s +h "%APPDATA%\Anti Virus\Windows Security.exe"
- '%WINDIR%\syswow64\attrib.exe' +s +h "%APPDATA%\Anti Virus"
