Technical Information
To ensure autorun and distribution
Modifies the following registry keys
- [<HKLM>\Software\Microsoft\Windows\CurrentVersion\Run] '76D6.exe' = '<SYSTEM32>\76D6.exe'
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'XO1XADpO01' = '"%TEMP%\894E.exe"'
Creates or modifies the following files
- <SYSTEM32>\tasks\firefox default browser agent 013543504661c59e
- %APPDATA%\microsoft\windows\start menu\programs\startup\76d6.exe
- %WINDIR%\tasks\jdjgli.job
Creates the following files on removable media
- <Drive name for removable media>:\winmine.exe.id-c224bec2.[pexdatax@gmail.com].roger
- <Drive name for removable media>:\delete.avi.id-c224bec2.[pexdatax@gmail.com].roger
- <Drive name for removable media>:\applicantform_en.doc.id-c224bec2.[pexdatax@gmail.com].roger
- <Drive name for removable media>:\split.avi.id-c224bec2.[pexdatax@gmail.com].roger
- <Drive name for removable media>:\tcm851ax32.exe
- <Drive name for removable media>:\wrar520.exe
- <Drive name for removable media>:\sdksampleunprivdeveloper.cer.id-c224bec2.[pexdatax@gmail.com].roger
- <Drive name for removable media>:\contosoroot.cer.id-c224bec2.[pexdatax@gmail.com].roger
- <Drive name for removable media>:\february_catalogue__2015.doc.id-c224bec2.[pexdatax@gmail.com].roger
- <Drive name for removable media>:\contoso_1.cer.id-c224bec2.[pexdatax@gmail.com].roger
- <Drive name for removable media>:\sdkfailsafeemulator.cer.id-c224bec2.[pexdatax@gmail.com].roger
- <Drive name for removable media>:\dashborder_144.bmp.id-c224bec2.[pexdatax@gmail.com].roger
- <Drive name for removable media>:\dashborder_96.bmp.id-c224bec2.[pexdatax@gmail.com].roger
- <Drive name for removable media>:\tileimage.bmp.id-c224bec2.[pexdatax@gmail.com].roger
- <Drive name for removable media>:\coffee.bmp.id-c224bec2.[pexdatax@gmail.com].roger
- <Drive name for removable media>:\dialmap.bmp.id-c224bec2.[pexdatax@gmail.com].roger
- <Drive name for removable media>:\correct.avi.id-c224bec2.[pexdatax@gmail.com].roger
- <Drive name for removable media>:\testee.cer.id-c224bec2.[pexdatax@gmail.com].roger
- <Drive name for removable media>:\hadac_newsletter_july_2010_final.docx
Modifies file system
Creates the following files
- %TEMP%\d47f.tmp
- %APPDATA%\hbtcces
- %APPDATA%\abdfedf
- %TEMP%\533e.exe
- %TEMP%\63f1.exe
- %TEMP%\76d6.exe
- <SYSTEM32>\76d6.exe
- %TEMP%\894e.exe
- %ALLUSERSPROFILE%\microsoft\windows\start menu\programs\startup\76d6.exe
- D:\$recycle.bin\s-1-5-21-1960123792-2022915161-3775307078-1001\desktop.ini.id-c224bec2.[pexdatax@gmail.com].roger
- D:\install.log.id-c224bec2.[pexdatax@gmail.com].roger
- %ALLUSERSPROFILE%\nlkigu\jdjgli.exe
- C:\$recycle.bin\s-1-5-21-1960123792-2022915161-3775307078-1001\desktop.ini.id-c224bec2.[pexdatax@gmail.com].roger
Sets the 'hidden' attribute to the following files
- %APPDATA%\hbtcces
- %APPDATA%\abdfedf
- D:\$recycle.bin\s-1-5-21-1960123792-2022915161-3775307078-1001\desktop.ini.id-c224bec2.[pexdatax@gmail.com].roger
- C:\$recycle.bin\s-1-5-21-1960123792-2022915161-3775307078-1001\desktop.ini.id-c224bec2.[pexdatax@gmail.com].roger
Deletes itself.
Network activity
TCP
HTTP GET requests
- http://ns####serv639.xyz/socks111.exe
- http://ns####serv639.xyz/tau111.exe
- http://ns####serv639.xyz/lkx111.exe
- http://ns####serv639.xyz/lb777.exe
- http://45.##1.59.163/SnOoPy.exe%09
HTTP POST requests
- http://dm####serv275.xyz/cfg/
- http://at####t20cx.best/statweb577/
UDP
- DNS ASK re###at35xm.xyz
- DNS ASK de###ot2cx.club
- DNS ASK at####t20cx.best
- DNS ASK ns####serv639.xyz
- DNS ASK dm####serv275.xyz
Miscellaneous
Creates and executes the following
- '%TEMP%\533e.exe'
- '%TEMP%\63f1.exe'
- '%TEMP%\76d6.exe'
- '%TEMP%\894e.exe'
- '%APPDATA%\hbtcces'
- '<SYSTEM32>\cmd.exe' ' (with hidden window)
- '%APPDATA%\hbtcces' ' (with hidden window)
Executes the following
- '<SYSTEM32>\taskeng.exe' {B516B724-1D4A-4273-8059-C8AFAE9ABFE3} S-1-5-21-1960123792-2022915161-3775307078-1001:pjfolqkikm\user:Interactive:[1]
- '<SYSTEM32>\cmd.exe'
- '<SYSTEM32>\mode.com' con cp select=1251
