Technical Information
To ensure autorun and distribution
Modifies the following registry keys
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'services.exe' = '"%APPDATA%\Microsoft\Windows\services.exe" -start'
Creates the following files on removable media
- <Drive name for removable media>:\delete.avi
- <Drive name for removable media>:\gruenspecht_02172016.pptx
- <Drive name for removable media>:\middaugh_keynote.pptx
- <Drive name for removable media>:\stoc13_ml_quoc_le.pptx
- <Drive name for removable media>:\indogerman2010.pptx
- <Drive name for removable media>:\iso27k_isms_implementation_and_certification_process_overview_v2.pptx
- <Drive name for removable media>:\utorrent.exe
- <Drive name for removable media>:\jre-7u75-windows-i586-iftw.exe
- <Drive name for removable media>:\notepad.exe
- <Drive name for removable media>:\tcm851ax32.exe
- <Drive name for removable media>:\skypesetup.exe
- <Drive name for removable media>:\winmine.exe
- <Drive name for removable media>:\uep_form_786_bulletin_1726i602.doc
- <Drive name for removable media>:\roozenedowebinar.pptx
- <Drive name for removable media>:\508softwareandos.doc
- <Drive name for removable media>:\applicantform_en.doc
- <Drive name for removable media>:\february_catalogue__2015.doc
- <Drive name for removable media>:\fi51.doc
- <Drive name for removable media>:\pmd.cer
- <Drive name for removable media>:\contosoroot_1.cer
- <Drive name for removable media>:\contosoroot.cer
- <Drive name for removable media>:\coffee.bmp
- <Drive name for removable media>:\dashborder_192.bmp
- <Drive name for removable media>:\dial.bmp
- <Drive name for removable media>:\split.avi
- <Drive name for removable media>:\correct.avi
- <Drive name for removable media>:\join.avi
- <Drive name for removable media>:\hanni_umami_chapter.doc
- <Drive name for removable media>:\asaprojectcompetition.pptx
Malicious functions
Injects code into
the following system processes:
- %WINDIR%\syswow64\notepad.exe
Searches for registry branches where third party applications store passwords
- [<HKCU>\Software\Martin Prikryl\WinSCP 2\Sessions]
Reads files which store third party applications passwords
- %ProgramFiles(x86)%\steam\config\config.vdf
- %ProgramFiles(x86)%\steam\config\dialogconfig.vdf
- %LOCALAPPDATA%\google\chrome\user data\default\cookies
- %LOCALAPPDATA%\google\chrome\user data\default\login data
- %LOCALAPPDATA%\google\chrome\user data\default\web data
- %APPDATA%\opera software\opera stable\login data
Modifies file system
Creates the following files
- %ALLUSERSPROFILE%\microsoft\vault\ac658cb4-9126-49bd-b877-31eedab3f204\policy.vpol
- %ALLUSERSPROFILE%\microsoft\vault\ac658cb4-9126-49bd-b877-31eedab3f204\3ccd5499-87a8-4b10-a215-608888dd3b55.vsch
- %ALLUSERSPROFILE%\microsoft\vault\ac658cb4-9126-49bd-b877-31eedab3f204\2f1a6504-0641-44cf-8bb5-3612d865f2e5.vsch
- %LOCALAPPDATA%\microsoft\vault\4bf4c442-9b8a-41a0-b380-dd4a704ddb28\policy.vpol
- %TEMP%\fkdfdgdf.exe
- %TEMP%\172789c7.zeppelin
- %APPDATA%\microsoft\windows\services.exe
- %TEMP%\edb7477f.zeppelin
Deletes the following files
- %TEMP%\172789c7.zeppelin
- %TEMP%\fkdfdgdf.exe
- %TEMP%\edb7477f.zeppelin
Changes user data files extensions (Trojan.Encoder).
Network activity
TCP
HTTP GET requests
- http://a3####6.mcdir.ru/zeppelin.exe
- http://ge###tool.com/
- http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt
- http://ip###ger.org/1D2XM6.tgz
- http://oc##.#ectigo.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRDC9IOTxN6GmyRjyTl2n4yTUczyAQUjYxexFStiuF36Zv5mwXhuAGNYeECEGmjTouN%2FW5s3CDseaiw7qE%3D
HTTP POST requests
- http://45.##.200.120/cfg/
- http://45.##.200.120/log/
- http://45.##.200.120/loader/complete/
UDP
- DNS ASK a3####6.mcdir.ru
- DNS ASK ge###tool.com
- DNS ASK ge###tatool.com
- DNS ASK microsoft.com
- DNS ASK ip###ger.org
- DNS ASK oc##.#ectigo.com
Miscellaneous
Creates and executes the following
- '%TEMP%\fkdfdgdf.exe'
- '%APPDATA%\microsoft\windows\services.exe' -start
- '%APPDATA%\microsoft\windows\services.exe' -agent 0
- '%APPDATA%\microsoft\windows\services.exe' -agent 1
- '%APPDATA%\microsoft\windows\services.exe' -agent 2
- '%TEMP%\fkdfdgdf.exe' ' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /C wmic shadowcopy delete' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /C bcdedit /set {default} recoveryenabled no' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /C bcdedit /set {default} bootstatuspolicy ignoreallfailures' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /C wbadmin delete catalog -quiet' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /C vssadmin delete shadows /all /quiet' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /C %TEMP%\~temp001.bat' (with hidden window)
Executes the following
- '%WINDIR%\syswow64\notepad.exe'
- '%WINDIR%\syswow64\cmd.exe' /C wmic shadowcopy delete
- '%WINDIR%\syswow64\cmd.exe' /C bcdedit /set {default} recoveryenabled no
- '%WINDIR%\syswow64\cmd.exe' /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
- '%WINDIR%\syswow64\cmd.exe' /C wbadmin delete catalog -quiet
- '%WINDIR%\syswow64\cmd.exe' /C vssadmin delete shadows /all /quiet
- '%WINDIR%\syswow64\cmd.exe' /C %TEMP%\~temp001.bat
