Trojan.TinyNuke.80

Technical Information

To ensure autorun and distribution

Modifies the following registry keys

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe] 'Debugger' = 'systray.exe'

Creates or modifies the following files

<SYSTEM32>\tasks\<File name>

Creates the following files on removable media

<Drive name for removable media>:\system\update.exe

Malicious functions

To complicate detection of its presence in the operating system,

blocks execution of the following system utilities:

Windows Defender

adds antivirus exclusion:

'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "Set-MpPreference -DisableRealtimeMonitoring $true -DisableIOAVProtection $true -DisableBehaviorMonitoring $true -DisableBlockAtF...

Patches code

in AMSI dll

ydzo.exe process, Amsi.dll module

in NTDLL dll

ydzo.exe process, ntdll.dll module

Modifies file system

Creates the following files

%APPDATA%\microsoft\windows\templates\servicehub\<File name>.exe
%TEMP%\7326ed6c446d44d39b19ce3bc9fbec10.xml
%TEMP%\fa42663363c0465aafc79e3d444ecabf.xml
%TEMP%\6cb3a135-8236-4617-91cd-2516a788eaa2\appxprovider.dll
%TEMP%\6cb3a135-8236-4617-91cd-2516a788eaa2\assocprovider.dll
%TEMP%\6cb3a135-8236-4617-91cd-2516a788eaa2\cbsprovider.dll
%TEMP%\6cb3a135-8236-4617-91cd-2516a788eaa2\dismcore.dll
%TEMP%\6cb3a135-8236-4617-91cd-2516a788eaa2\dismcoreps.dll
%TEMP%\6cb3a135-8236-4617-91cd-2516a788eaa2\dismhost.exe
%TEMP%\6cb3a135-8236-4617-91cd-2516a788eaa2\dismprov.dll
%TEMP%\6cb3a135-8236-4617-91cd-2516a788eaa2\dmiprovider.dll
%TEMP%\6cb3a135-8236-4617-91cd-2516a788eaa2\en-us\appxprovider.dll.mui
%TEMP%\6cb3a135-8236-4617-91cd-2516a788eaa2\en-us\assocprovider.dll.mui
%TEMP%\6cb3a135-8236-4617-91cd-2516a788eaa2\en-us\cbsprovider.dll.mui
%TEMP%\6cb3a135-8236-4617-91cd-2516a788eaa2\en-us\dismcore.dll.mui
%TEMP%\6cb3a135-8236-4617-91cd-2516a788eaa2\en-us\dismprov.dll.mui
%TEMP%\6cb3a135-8236-4617-91cd-2516a788eaa2\en-us\dmiprovider.dll.mui
%TEMP%\6cb3a135-8236-4617-91cd-2516a788eaa2\en-us\ffuprovider.dll.mui
%TEMP%\6cb3a135-8236-4617-91cd-2516a788eaa2\en-us\folderprovider.dll.mui
%TEMP%\6cb3a135-8236-4617-91cd-2516a788eaa2\en-us\genericprovider.dll.mui
%TEMP%\6cb3a135-8236-4617-91cd-2516a788eaa2\en-us\ibsprovider.dll.mui
%TEMP%\6cb3a135-8236-4617-91cd-2516a788eaa2\en-us\imagingprovider.dll.mui
%TEMP%\6cb3a135-8236-4617-91cd-2516a788eaa2\en-us\intlprovider.dll.mui
%TEMP%\6cb3a135-8236-4617-91cd-2516a788eaa2\en-us\logprovider.dll.mui
%TEMP%\6cb3a135-8236-4617-91cd-2516a788eaa2\en-us\msiprovider.dll.mui
%TEMP%\6cb3a135-8236-4617-91cd-2516a788eaa2\en-us\offlinesetupprovider.dll.mui
%TEMP%\6cb3a135-8236-4617-91cd-2516a788eaa2\en-us\osprovider.dll.mui
%TEMP%\6cb3a135-8236-4617-91cd-2516a788eaa2\en-us\provprovider.dll.mui
%TEMP%\6cb3a135-8236-4617-91cd-2516a788eaa2\en-us\setupplatformprovider.dll.mui
%TEMP%\6cb3a135-8236-4617-91cd-2516a788eaa2\en-us\smiprovider.dll.mui
%TEMP%\6cb3a135-8236-4617-91cd-2516a788eaa2\en-us\sysprepprovider.dll.mui
%TEMP%\6cb3a135-8236-4617-91cd-2516a788eaa2\en-us\transmogprovider.dll.mui
%TEMP%\6cb3a135-8236-4617-91cd-2516a788eaa2\en-us\unattendprovider.dll.mui
%TEMP%\6cb3a135-8236-4617-91cd-2516a788eaa2\en-us\vhdprovider.dll.mui
%TEMP%\6cb3a135-8236-4617-91cd-2516a788eaa2\en-us\wimprovider.dll.mui
%TEMP%\6cb3a135-8236-4617-91cd-2516a788eaa2\ffuprovider.dll
%TEMP%\6cb3a135-8236-4617-91cd-2516a788eaa2\folderprovider.dll
%TEMP%\6cb3a135-8236-4617-91cd-2516a788eaa2\genericprovider.dll
%TEMP%\6cb3a135-8236-4617-91cd-2516a788eaa2\ibsprovider.dll
%TEMP%\6cb3a135-8236-4617-91cd-2516a788eaa2\imagingprovider.dll
%TEMP%\6cb3a135-8236-4617-91cd-2516a788eaa2\intlprovider.dll
%TEMP%\6cb3a135-8236-4617-91cd-2516a788eaa2\logprovider.dll
%TEMP%\6cb3a135-8236-4617-91cd-2516a788eaa2\msiprovider.dll
%TEMP%\6cb3a135-8236-4617-91cd-2516a788eaa2\offlinesetupprovider.dll
%TEMP%\6cb3a135-8236-4617-91cd-2516a788eaa2\osprovider.dll
%TEMP%\6cb3a135-8236-4617-91cd-2516a788eaa2\provprovider.dll
%TEMP%\6cb3a135-8236-4617-91cd-2516a788eaa2\setupplatformprovider.dll
%TEMP%\6cb3a135-8236-4617-91cd-2516a788eaa2\smiprovider.dll
%TEMP%\6cb3a135-8236-4617-91cd-2516a788eaa2\sysprepprovider.dll
%TEMP%\6cb3a135-8236-4617-91cd-2516a788eaa2\transmogprovider.dll
%TEMP%\6cb3a135-8236-4617-91cd-2516a788eaa2\unattendprovider.dll
%TEMP%\6cb3a135-8236-4617-91cd-2516a788eaa2\vhdprovider.dll
%TEMP%\6cb3a135-8236-4617-91cd-2516a788eaa2\wimprovider.dll
%TEMP%\68412665c8a347b0b1a801a52d460b93.xml
%TEMP%\24304dd6a4174f2c90e468137df54f51.xml
%TEMP%\7ca5fcea35d2454b85a7bb0cc0429ffe.xml
%TEMP%\48f6874a34404610a5a43ddfebaee9c4.xml
%TEMP%\d8dc349f3e3143048f910ece748bd1fe.xml
%TEMP%\2f0ab761f55e403f9a73ec807eb3e6f6.xml
%TEMP%\bd6daea8723249c8bcddb2994b7b9cce.xml
%TEMP%\0a3ab0853bdf48359110b89ab68a551e.xml

Sets the 'hidden' attribute to the following files

<Full path to file>
%APPDATA%\microsoft\windows\templates\servicehub\<File name>.exe
<Drive name for removable media>:\system\update.exe

Deletes following files that it created itself

%TEMP%\fa42663363c0465aafc79e3d444ecabf.xml
%TEMP%\7326ed6c446d44d39b19ce3bc9fbec10.xml
%TEMP%\6cb3a135-8236-4617-91cd-2516a788eaa2\dismhost.exe
%TEMP%\68412665c8a347b0b1a801a52d460b93.xml
%TEMP%\24304dd6a4174f2c90e468137df54f51.xml
%TEMP%\7ca5fcea35d2454b85a7bb0cc0429ffe.xml
%TEMP%\48f6874a34404610a5a43ddfebaee9c4.xml
%TEMP%\d8dc349f3e3143048f910ece748bd1fe.xml
%TEMP%\2f0ab761f55e403f9a73ec807eb3e6f6.xml
%TEMP%\bd6daea8723249c8bcddb2994b7b9cce.xml
%TEMP%\0a3ab0853bdf48359110b89ab68a551e.xml

Miscellaneous

Creates and executes the following

'%TEMP%\6cb3a135-8236-4617-91cd-2516a788eaa2\dismhost.exe' {DB075936-E117-4298-BB4D-704EDAA48E34}

Executes the following

'<SYSTEM32>\dism.exe' /online /disable-feature /featurename:Windows-Defender /Remove /NoRestart
'<SYSTEM32>\sc.exe' delete WinDefend
'<SYSTEM32>\sc.exe' delete WdNisSvc
'<SYSTEM32>\sc.exe' delete Sense
'<SYSTEM32>\sc.exe' delete WdBoot
'<SYSTEM32>\sc.exe' delete WdFilter
'<SYSTEM32>\schtasks.exe' /Create /TN "<File name>" /XML "%TEMP%\7326ed6c446d44d39b19ce3bc9fbec10.xml" /F
'<SYSTEM32>\schtasks.exe' /Create /TN "<File name>" /XML "%TEMP%\fa42663363c0465aafc79e3d444ecabf.xml" /F
'<SYSTEM32>\schtasks.exe' /Create /TN "<File name>" /XML "%TEMP%\68412665c8a347b0b1a801a52d460b93.xml" /F
'<SYSTEM32>\schtasks.exe' /Create /TN "<File name>" /XML "%TEMP%\24304dd6a4174f2c90e468137df54f51.xml" /F
'<SYSTEM32>\schtasks.exe' /Create /TN "<File name>" /XML "%TEMP%\7ca5fcea35d2454b85a7bb0cc0429ffe.xml" /F
'<SYSTEM32>\schtasks.exe' /Create /TN "<File name>" /XML "%TEMP%\48f6874a34404610a5a43ddfebaee9c4.xml" /F
'<SYSTEM32>\schtasks.exe' /Create /TN "<File name>" /XML "%TEMP%\d8dc349f3e3143048f910ece748bd1fe.xml" /F
'<SYSTEM32>\schtasks.exe' /Create /TN "<File name>" /XML "%TEMP%\2f0ab761f55e403f9a73ec807eb3e6f6.xml" /F
'<SYSTEM32>\schtasks.exe' /Create /TN "<File name>" /XML "%TEMP%\bd6daea8723249c8bcddb2994b7b9cce.xml" /F
'<SYSTEM32>\schtasks.exe' /Create /TN "<File name>" /XML "%TEMP%\0a3ab0853bdf48359110b89ab68a551e.xml" /F
'<SYSTEM32>\schtasks.exe' /Create /TN "<File name>" /XML "%TEMP%\83903403028048ac91dca73c36dc1cdd.xml" /F
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "Set-MpPreference -DisableRealtimeMonitoring $true -DisableIOAVProtection $true -DisableBehaviorMonitoring $true -DisableBlockAtF...' (with hidden window)
'<SYSTEM32>\dism.exe' /online /disable-feature /featurename:Windows-Defender /Remove /NoRestart' (with hidden window)
'<SYSTEM32>\sc.exe' delete WinDefend' (with hidden window)
'<SYSTEM32>\sc.exe' delete WdNisSvc' (with hidden window)
'<SYSTEM32>\sc.exe' delete Sense' (with hidden window)
'<SYSTEM32>\sc.exe' delete WdBoot' (with hidden window)
'<SYSTEM32>\sc.exe' delete WdFilter' (with hidden window)
'<SYSTEM32>\schtasks.exe' /Create /TN "<File name>" /XML "%TEMP%\7326ed6c446d44d39b19ce3bc9fbec10.xml" /F' (with hidden window)
'<SYSTEM32>\schtasks.exe' /Create /TN "<File name>" /XML "%TEMP%\fa42663363c0465aafc79e3d444ecabf.xml" /F' (with hidden window)
'<SYSTEM32>\schtasks.exe' /Create /TN "<File name>" /XML "%TEMP%\68412665c8a347b0b1a801a52d460b93.xml" /F' (with hidden window)
'<SYSTEM32>\schtasks.exe' /Create /TN "<File name>" /XML "%TEMP%\24304dd6a4174f2c90e468137df54f51.xml" /F' (with hidden window)
'<SYSTEM32>\schtasks.exe' /Create /TN "<File name>" /XML "%TEMP%\7ca5fcea35d2454b85a7bb0cc0429ffe.xml" /F' (with hidden window)
'<SYSTEM32>\schtasks.exe' /Create /TN "<File name>" /XML "%TEMP%\48f6874a34404610a5a43ddfebaee9c4.xml" /F' (with hidden window)
'<SYSTEM32>\schtasks.exe' /Create /TN "<File name>" /XML "%TEMP%\d8dc349f3e3143048f910ece748bd1fe.xml" /F' (with hidden window)
'<SYSTEM32>\schtasks.exe' /Create /TN "<File name>" /XML "%TEMP%\2f0ab761f55e403f9a73ec807eb3e6f6.xml" /F' (with hidden window)
'<SYSTEM32>\schtasks.exe' /Create /TN "<File name>" /XML "%TEMP%\bd6daea8723249c8bcddb2994b7b9cce.xml" /F' (with hidden window)
'<SYSTEM32>\schtasks.exe' /Create /TN "<File name>" /XML "%TEMP%\0a3ab0853bdf48359110b89ab68a551e.xml" /F' (with hidden window)
'<SYSTEM32>\schtasks.exe' /Create /TN "<File name>" /XML "%TEMP%\83903403028048ac91dca73c36dc1cdd.xml" /F' (with hidden window)

TECHNOLOGIES

TERMINOLOGIE

COURS ET EDU

MYTHES

Technical Information

Recommandations pour le traitement

Free trial