Technical Information
Malicious functions
Executes the following
- '%WINDIR%\syswow64\netsh.exe' advfirewall firewall add rule name="STARCAT TCP" dir=in action=allow protocol=TCP localport=25001-25010
- '%WINDIR%\syswow64\netsh.exe' advfirewall firewall add rule name="STARCAT UDP" dir=in action=allow protocol=UDP localport=25000,25001,26000
Modifies file system
Creates the following files
- <Current directory>\moscii\config\log.cfg
- <Current directory>\moscii\logs\<File name>.exe.log
- %TEMP%\tmp_44091.6621055556
- %WINDIR%\<File name>.exe
- %WINDIR%\moscii\config\log.cfg
- %WINDIR%\moscii\logs\<File name>.exe.log
- %TEMP%\tmp_44091.6621591782
- %WINDIR%\vistamnt.exe
- %WINDIR%\moscii\logs\vistamnt.exe.log
- %TEMP%\tmp_44091.6622296875
- %WINDIR%\moscii\inventory\46b3ca58-2286-4284-9f05-3bf58e2e2eff_swinv.xml
- %WINDIR%\moscii\inventory\46b3ca58-2286-4284-9f05-3bf58e2e2eff_hwinv.xml
- %WINDIR%\moscii\inventory\46b3ca58-2286-4284-9f05-3bf58e2e2eff_info.xml
Deletes the following files
- %TEMP%\tmp_44091.6621055556
- %TEMP%\tmp_44091.6621591782
- %TEMP%\tmp_44091.6622296875
Network activity
Connects to
- 'localhost':33333
UDP
- '<LOCALNET>.62.40':25000
Miscellaneous
Creates and executes the following
- '%WINDIR%\<File name>.exe'
- '%WINDIR%\vistamnt.exe'
- '%WINDIR%\syswow64\cmd.exe' ^/C del %TEMP%\tmp_*.* >%TEMP%\\tmp_44091.6621055556' (with hidden window)
- '%WINDIR%\<File name>.exe' ' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' ^/C del %TEMP%\tmp_*.* >%TEMP%\\tmp_44091.6621591782' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' ^/C hostname >%TEMP%\\tmp_44091.6622296875' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /C hostname' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /C netsh advfirewall firewall show rule name="RMC9"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /C netsh advfirewall firewall show rule name="StarCat Agent"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /C netsh advfirewall firewall show rule name="STARCAT TCP"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /C netsh advfirewall firewall delete rule name="STARCAT TCP"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /C netsh advfirewall firewall add rule name="STARCAT TCP" dir=in action=allow protocol=TCP localport=25001-25010' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /C netsh advfirewall firewall show rule name="STARCAT UDP"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /C netsh advfirewall firewall delete rule name="STARCAT UDP"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /C netsh advfirewall firewall add rule name="STARCAT UDP" dir=in action=allow protocol=UDP localport=25000,25001,26000' (with hidden window)
Executes the following
- '%WINDIR%\syswow64\cmd.exe' ^/C del %TEMP%\tmp_*.* >%TEMP%\\tmp_44091.6621055556
- '%WINDIR%\syswow64\cmd.exe' /C netsh advfirewall firewall delete rule name="STARCAT UDP"
- '%WINDIR%\syswow64\netsh.exe' advfirewall firewall show rule name="STARCAT UDP"
- '%WINDIR%\syswow64\cmd.exe' /C netsh advfirewall firewall show rule name="STARCAT UDP"
- '%WINDIR%\syswow64\cmd.exe' /C netsh advfirewall firewall add rule name="STARCAT TCP" dir=in action=allow protocol=TCP localport=25001-25010
- '%WINDIR%\syswow64\netsh.exe' advfirewall firewall delete rule name="STARCAT TCP"
- '%WINDIR%\syswow64\cmd.exe' /C netsh advfirewall firewall delete rule name="STARCAT TCP"
- '%WINDIR%\syswow64\netsh.exe' advfirewall firewall show rule name="STARCAT TCP"
- '%WINDIR%\syswow64\cmd.exe' /C netsh advfirewall firewall show rule name="STARCAT TCP"
- '%WINDIR%\syswow64\netsh.exe' advfirewall firewall show rule name="StarCat Agent"
- '%WINDIR%\syswow64\cmd.exe' /C netsh advfirewall firewall show rule name="StarCat Agent"
- '%WINDIR%\syswow64\netsh.exe' advfirewall firewall show rule name="RMC9"
- '%WINDIR%\syswow64\cmd.exe' /C netsh advfirewall firewall show rule name="RMC9"
- '%WINDIR%\syswow64\cmd.exe' /C hostname
- '%WINDIR%\syswow64\hostname.exe'
- '%WINDIR%\syswow64\cmd.exe' ^/C hostname >%TEMP%\\tmp_44091.6622296875
- '<SYSTEM32>\rundll32.exe' <SYSTEM32>\FirewallControlPanel.dll,ShowNotificationDialog /configure /ETOnly 0 /OnProfiles 6 /OtherAllowed 0 /OtherBlocked 0 /OtherEdgeAllowed 0 /NewBlocked 4 "%WINDIR%\<File name>.exe"
- '%WINDIR%\syswow64\cmd.exe' ^/C del %TEMP%\tmp_*.* >%TEMP%\\tmp_44091.6621591782
- '%WINDIR%\syswow64\netsh.exe' advfirewall firewall delete rule name="STARCAT UDP"
- '%WINDIR%\syswow64\cmd.exe' /C netsh advfirewall firewall add rule name="STARCAT UDP" dir=in action=allow protocol=UDP localport=25000,25001,26000
