Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Userinit' = '<SYSTEM32>\userinit.exe,<SYSTEM32>\ResMs\PcManager.exe'
Creates the following services:
- [<HKLM>\SYSTEM\ControlSet001\Services\NetManagerSer] 'Start' = '00000002'
Malicious functions:
To bypass firewall, removes or modifies the following registry keys:
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '<SYSTEM32>\ResMs\MONMANAGER.EXE' = '<SYSTEM32>\ResMs\MONMANAGER.EXE:*:Enabled:UDP'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '<SYSTEM32>\ResMs\PCMANAGER.EXE' = '<SYSTEM32>\ResMs\PCMANAGER.EXE:*:Enabled:TCP'
Creates and executes the following:
- '<SYSTEM32>\ResMs\SERMANAGER.EXE'
- '<SYSTEM32>\ResMs\PCMANAGER.EXE'
- '<SYSTEM32>\ResMs\MONMANAGER.EXE'
- '%TEMP%\RarSFX0\InstallManager.exe'
- '<SYSTEM32>\ResMs\SERMANAGER.EXE' -i
- '<SYSTEM32>\ResMs\SERMANAGER.EXE' -s
Executes the following:
- '<SYSTEM32>\netsh.exe' firewall add portopening UDP 9099 UDP2 ENABLE ALL
- '<SYSTEM32>\netsh.exe' firewall add portopening TCP 5051 TCP2 ENABLE ALL
- '<SYSTEM32>\netsh.exe' firewall add portopening TCP 9055 TCP0 ENABLE ALL
- '<SYSTEM32>\wbem\wmiadap.exe' /R /T
- '<SYSTEM32>\arp.exe' -d
- '<SYSTEM32>\netsh.exe' firewall add portopening UDP 8099 UDP1 ENABLE ALL
- '<SYSTEM32>\netsh.exe' firewall add allowedprogram <SYSTEM32>\ResMs\PcManager.exe TCP ENABLE
- '<SYSTEM32>\netsh.exe' firewall add allowedprogram <SYSTEM32>\ResMs\MonManager.exe UDP ENABLE
- '<SYSTEM32>\netsh.exe' firewall set icmpsetting 8 ENABLE
- '<SYSTEM32>\netsh.exe' firewall add portopening TCP 5050 TCP1 ENABLE ALL
- '<SYSTEM32>\netsh.exe' firewall add portopening TCP 8055 TCP3 ENABLE ALL
- '<SYSTEM32>\netsh.exe' firewall add allowedprogram <SYSTEM32>\ResMs\rsvwin.exe PING ENABLE
Modifies file system :
Creates the following files:
- <SYSTEM32>\ResMs\PCMANAGER.EXE
- <SYSTEM32>\ResMs\MONOUTERCON.DLL
- <SYSTEM32>\ResMs\MONMANAGER.EXE
- <SYSTEM32>\ResMs\SERMANAGER.EXE
- %ALLUSERSPROFILE%\Application Data\Microsoft\Crypto\RSA\S-1-5-18\6d14e4b1d8ca773bab785d1be032546e_23ef5514-3059-436f-a4a7-4cefaab20eb1
- <SYSTEM32>\Microsoft\Protect\S-1-5-18\User\44c4c9ec-994f-4e54-a66a-4e72e8da6184
- <SYSTEM32>\ResBack\PcManager.exe
- <SYSTEM32>\ResMs\PcManager.config
- %TEMP%\RarSFX0\InstallManager.exe
- %TEMP%\RarSFX0\PcManager.config
- <SYSTEM32>\ResMs\CABXMLDLL.DLL
- <SYSTEM32>\ResMs\MONLANHOST.DLL
- <SYSTEM32>\ResMs\DOWNLOADTASK.DLL
- <SYSTEM32>\ResMs\DEVICEMANAGER.DLL
Deletes the following files:
- <SYSTEM32>\wbem\Performance\WmiApRpl.ini
- <SYSTEM32>\PerfStringBackup.TMP
- <SYSTEM32>\ResBack\PcManager.exe
- %TEMP%\RarSFX0\InstallManager.exe
- %TEMP%\RarSFX0\PcManager.config
Network activity:
Connects to:
- '23#.0.0.10':8099
- '11.##.161.207':80
TCP:
HTTP POST requests:
- 11.##.161.207/Webser5/service.asmx/ClientTransData
UDP:
- DNS ASK 17.#.#.10.in-addr.arpa
- DNS ASK 18.#.#.10.in-addr.arpa
- DNS ASK 19.#.#.10.in-addr.arpa
- DNS ASK 14.#.#.10.in-addr.arpa
- DNS ASK 15.#.#.10.in-addr.arpa
- DNS ASK 16.#.#.10.in-addr.arpa
- DNS ASK 23.#.#.10.in-addr.arpa
- DNS ASK 24.#.#.10.in-addr.arpa
- DNS ASK 25.#.#.10.in-addr.arpa
- DNS ASK 20.#.#.10.in-addr.arpa
- DNS ASK 21.#.#.10.in-addr.arpa
- DNS ASK 22.#.#.10.in-addr.arpa
- DNS ASK 26.#.#.10.in-addr.arpa
- DNS ASK 3.#.#.#0.in-addr.arpa
- DNS ASK 4.#.#.#0.in-addr.arpa
- DNS ASK 6.#.#.#0.in-addr.arpa
- DNS ASK 13.#.#.10.in-addr.arpa
- DNS ASK 5.#.#.#0.in-addr.arpa
- DNS ASK 1.#.#.#0.in-addr.arpa
- DNS ASK 10.#.#.10.in-addr.arpa
- DNS ASK 11.#.#.10.in-addr.arpa
- DNS ASK 12.#.#.10.in-addr.arpa
- DNS ASK 7.#.#.#0.in-addr.arpa
- DNS ASK 8.#.#.#0.in-addr.arpa
- DNS ASK 9.#.#.#0.in-addr.arpa
- '23#.0.0.10':8099
Miscellaneous:
Searches for the following windows:
- ClassName: 'Shell_TrayWnd' WindowName: ''
- ClassName: 'EDIT' WindowName: ''
