Joke.Rickroll.1

Technical Information

To ensure autorun and distribution

Creates or modifies the following files

C:\programsx64\filestack\temp.bat
%APPDATA%\microsoft\windows\start menu\programs\startup\nibba.bat

Malicious functions

Executes the following

'<SYSTEM32>\net.exe' user R hacked /ADD
'<SYSTEM32>\net.exe' user 2652 13177 /ADD
'<SYSTEM32>\net.exe' user 31794 22417 /ADD
'<SYSTEM32>\net.exe' user 27330 4689 /ADD
'<SYSTEM32>\net.exe' user 32316 10343 /ADD
'<SYSTEM32>\net.exe' user 28655 30337 /ADD
'<SYSTEM32>\net.exe' user 28682 6517 /ADD
'<SYSTEM32>\net.exe' user 26845 30576 /ADD
'<SYSTEM32>\net.exe' user 23934 13352 /ADD
'<SYSTEM32>\net.exe' user 10679 19549 /ADD
'<SYSTEM32>\net.exe' user 18094 23497 /ADD
'<SYSTEM32>\net.exe' user 27309 5596 /ADD
'<SYSTEM32>\net.exe' user 24782 6928 /ADD
'<SYSTEM32>\net.exe' user 26260 31729 /ADD
'<SYSTEM32>\net.exe' user 5374 30572 /ADD
'<SYSTEM32>\net.exe' user 25222 31598 /ADD
'<SYSTEM32>\net.exe' user 870 8099 /ADD
'<SYSTEM32>\net.exe' user 794 17661 /ADD
'<SYSTEM32>\net.exe' user 3053 30946 /ADD
'<SYSTEM32>\net.exe' user 30917 31105 /ADD
'<SYSTEM32>\net.exe' user 28726 14186 /ADD
'<SYSTEM32>\net.exe' user 11756 32513 /ADD
'<SYSTEM32>\net.exe' user 13073 13115 /ADD
'<SYSTEM32>\net.exe' user 10003 12824 /ADD
'<SYSTEM32>\net.exe' user 18841 25652 /ADD
'<SYSTEM32>\net.exe' user 379 2976 /ADD
'<SYSTEM32>\net.exe' user 30707 5222 /ADD
'<SYSTEM32>\net.exe' user 6841 10169 /ADD
'<SYSTEM32>\net.exe' user 28925 2156 /ADD
'<SYSTEM32>\net.exe' user 21996 15370 /ADD
'<SYSTEM32>\net.exe' user 20896 14649 /ADD
'<SYSTEM32>\net.exe' user 11198 469 /ADD
'<SYSTEM32>\net.exe' user 28403 7653 /ADD
'<SYSTEM32>\net.exe' user 29634 21147 /ADD
'<SYSTEM32>\net.exe' user 4536 26403 /ADD
'<SYSTEM32>\net.exe' user 22157 24868 /ADD
'<SYSTEM32>\net.exe' user 11992 18294 /ADD
'<SYSTEM32>\net.exe' user 26836 23162 /ADD
'<SYSTEM32>\net.exe' user 18140 32495 /ADD
'<SYSTEM32>\net.exe' user 23322 12875 /ADD
'<SYSTEM32>\net.exe' user 3651 7273 /ADD
'<SYSTEM32>\net.exe' user 30332 20124 /ADD
'<SYSTEM32>\net.exe' user 17034 24861 /ADD
'<SYSTEM32>\net.exe' user 8722 10520 /ADD
'<SYSTEM32>\net.exe' user 15157 7463 /ADD
'<SYSTEM32>\net.exe' user L hacked /ADD
'<SYSTEM32>\net.exe' user O hacked /ADD
'<SYSTEM32>\net.exe' user K hacked /ADD
'<SYSTEM32>\net.exe' user C hacked /ADD
'<SYSTEM32>\net.exe' user I hacked /ADD
'<SYSTEM32>\net.exe' user 10662 7643 /ADD
'<SYSTEM32>\net.exe' user 14209 12328 /ADD
'<SYSTEM32>\net.exe' user 1651 4857 /ADD
'<SYSTEM32>\net.exe' user 23593 14839 /ADD
'<SYSTEM32>\net.exe' user 19697 10580 /ADD
'<SYSTEM32>\net.exe' user 30203 1785 /ADD
'<SYSTEM32>\net.exe' user 14890 21600 /ADD
'<SYSTEM32>\net.exe' user 31013 1817 /ADD
'<SYSTEM32>\net.exe' user 6594 25234 /ADD
'<SYSTEM32>\net.exe' user 13629 6054 /ADD
'<SYSTEM32>\net.exe' user 19012 18454 /ADD
'<SYSTEM32>\net.exe' user 14400 15958 /ADD
'<SYSTEM32>\net.exe' user 25445 11509 /ADD
'<SYSTEM32>\net.exe' user 20492 16513 /ADD
'<SYSTEM32>\net.exe' user 3894 28217 /ADD
'<SYSTEM32>\net.exe' user 18574 16461 /ADD
'<SYSTEM32>\net.exe' user 10730 31984 /ADD
'<SYSTEM32>\net.exe' user 17925 7411 /ADD
'<SYSTEM32>\net.exe' user 4227 5057 /ADD
'<SYSTEM32>\net.exe' user 21364 14418 /ADD
'<SYSTEM32>\net.exe' user 19415 11873 /ADD
'<SYSTEM32>\net.exe' user 13455 10577 /ADD

Launches a large number of processes

Terminates or attempts to terminate

the following system processes:

<SYSTEM32>\cmd.exe

Modifies file system

Creates the following files

%TEMP%\e771.tmp\e772.tmp\e773.bat
%TEMP%\f21b.tmp\f21c.tmp\f21d.bat
C:\programsx64\filestack\hackmsg.vbs
C:\programsx64\filestack\extra's.bat
C:\programsx64\filestack\taskverify.bat
C:\programsx64\filestack\helphack.bat
C:\programsx64\filestack\hackstore.bat
C:\programsx64\filestack\temp.bat

Deletes the following files

%TEMP%\e771.tmp\e772.tmp\e773.bat
%TEMP%\f21b.tmp\f21c.tmp\f21d.bat

Miscellaneous

Creates and executes the following

'<SYSTEM32>\cscript.exe' "C:\Programsx64\Filestack\hackmsg.vbs"

Restarts the analyzed sample

Executes the following

'<SYSTEM32>\cmd.exe' /c "%TEMP%\E771.tmp\E772.tmp\E773.bat <Full path to file>"
'<SYSTEM32>\net1.exe' user 27330 4689 /ADD
'<SYSTEM32>\net1.exe' user 32316 10343 /ADD
'<SYSTEM32>\net1.exe' user 28655 30337 /ADD
'<SYSTEM32>\net1.exe' user 28682 6517 /ADD
'<SYSTEM32>\net1.exe' user 23934 13352 /ADD
'<SYSTEM32>\net1.exe' user 25222 31598 /ADD
'<SYSTEM32>\net1.exe' user 10679 19549 /ADD
'<SYSTEM32>\net1.exe' user 18094 23497 /ADD
'<SYSTEM32>\net1.exe' user 27309 5596 /ADD
'<SYSTEM32>\net1.exe' user 24782 6928 /ADD
'<SYSTEM32>\net1.exe' user 26260 31729 /ADD
'<SYSTEM32>\net1.exe' user 5374 30572 /ADD
'<SYSTEM32>\net1.exe' user 870 8099 /ADD
'<SYSTEM32>\net1.exe' user 26845 30576 /ADD
'<SYSTEM32>\net1.exe' user 4536 26403 /ADD
'<SYSTEM32>\net1.exe' user 31794 22417 /ADD
'<SYSTEM32>\net1.exe' user 794 17661 /ADD
'<SYSTEM32>\net1.exe' user 19415 11873 /ADD
'<SYSTEM32>\net1.exe' user 30707 5222 /ADD
'<SYSTEM32>\net1.exe' user 30917 31105 /ADD
'<SYSTEM32>\net1.exe' user 28726 14186 /ADD
'<SYSTEM32>\net1.exe' user 11756 32513 /ADD
'<SYSTEM32>\net1.exe' user 13073 13115 /ADD
'<SYSTEM32>\net1.exe' user 10003 12824 /ADD
'<SYSTEM32>\net1.exe' user 18841 25652 /ADD
'<SYSTEM32>\net1.exe' user 29634 21147 /ADD
'<SYSTEM32>\net1.exe' user 3053 30946 /ADD
'<SYSTEM32>\net1.exe' user 6841 10169 /ADD
'<SYSTEM32>\net1.exe' user 28925 2156 /ADD
'<SYSTEM32>\net1.exe' user 21996 15370 /ADD
'<SYSTEM32>\net1.exe' user 20896 14649 /ADD
'<SYSTEM32>\net1.exe' user 11198 469 /ADD
'<SYSTEM32>\net1.exe' user 28403 7653 /ADD
'<SYSTEM32>\net1.exe' user 379 2976 /ADD
'<SYSTEM32>\net1.exe' user 22157 24868 /ADD
'<SYSTEM32>\net1.exe' user 2652 13177 /ADD
'<SYSTEM32>\net1.exe' user 11992 18294 /ADD
'<SYSTEM32>\net1.exe' user 1651 4857 /ADD
'<SYSTEM32>\net1.exe' user 18140 32495 /ADD
'<SYSTEM32>\net1.exe' user 23322 12875 /ADD
'<SYSTEM32>\net1.exe' user 3651 7273 /ADD
'<SYSTEM32>\net1.exe' user 30332 20124 /ADD
'<SYSTEM32>\net1.exe' user 8722 10520 /ADD
'<SYSTEM32>\net1.exe' user 10662 7643 /ADD
'<SYSTEM32>\net1.exe' user 15157 7463 /ADD
'<SYSTEM32>\net1.exe' user L hacked /ADD
'<SYSTEM32>\net1.exe' user O hacked /ADD
'<SYSTEM32>\net1.exe' user K hacked /ADD
'<SYSTEM32>\net1.exe' user C hacked /ADD
'<SYSTEM32>\net1.exe' user I hacked /ADD
'<SYSTEM32>\net1.exe' user R hacked /ADD
'<SYSTEM32>\cmd.exe' /c "%TEMP%\F21B.tmp\F21C.tmp\F21D.bat <Full path to file> am_admin"
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -Command "Start-Process -Verb RunAs -FilePath '<Full path to file>' -ArgumentList 'am_admin'"
'<SYSTEM32>\net1.exe' user 26836 23162 /ADD
'<SYSTEM32>\net1.exe' user 17034 24861 /ADD
'<SYSTEM32>\net1.exe' user 14890 21600 /ADD
'<SYSTEM32>\net1.exe' user 14209 12328 /ADD
'<SYSTEM32>\net1.exe' user 31013 1817 /ADD
'<SYSTEM32>\net1.exe' user 6594 25234 /ADD
'<SYSTEM32>\net1.exe' user 13629 6054 /ADD
'<SYSTEM32>\net1.exe' user 19012 18454 /ADD
'<SYSTEM32>\net1.exe' user 14400 15958 /ADD
'<SYSTEM32>\net1.exe' user 30203 1785 /ADD
'<SYSTEM32>\net1.exe' user 25445 11509 /ADD
'<SYSTEM32>\net1.exe' user 3894 28217 /ADD
'<SYSTEM32>\net1.exe' user 18574 16461 /ADD
'<SYSTEM32>\net1.exe' user 10730 31984 /ADD
'<SYSTEM32>\net1.exe' user 17925 7411 /ADD
'<SYSTEM32>\net1.exe' user 4227 5057 /ADD
'<SYSTEM32>\net1.exe' user 21364 14418 /ADD
'<SYSTEM32>\net1.exe' user 20492 16513 /ADD
'<SYSTEM32>\net1.exe' user 23593 14839 /ADD
'<SYSTEM32>\net1.exe' user 19697 10580 /ADD
'<SYSTEM32>\net1.exe' user 13455 10577 /ADD

TECHNOLOGIES

TERMINOLOGIE

COURS ET EDU

MYTHES

Technical Information

Recommandations pour le traitement

Free trial