Technical Information
To ensure autorun and distribution
Modifies the following registry keys
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'SysHelper' = '"%LOCALAPPDATA%\4ae6bcfc-19af-494a-87a9-0b5d98c8ce8c\F20B.exe" --AutoStart'
Creates or modifies the following files
- <SYSTEM32>\tasks\nvngxupdatecheckdaily_{2a68f03e-f03e-f03e-f03e-2a68f03ef03e}
- <SYSTEM32>\tasks\time trigger task
Sets the following service settings
- [<HKLM>\System\CurrentControlSet\Services\grbbotxx] 'Start' = '00000002'
- [<HKLM>\System\CurrentControlSet\Services\grbbotxx] 'ImagePath' = '%WINDIR%\SysWOW64\grbbotxx\riqoytao.exe /d"%TEMP%\FA27.exe"'
- [<HKLM>\SYSTEM\CurrentControlSet\services\grbbotxx] 'ImagePath' = '%WINDIR%\SysWOW64\grbbotxx\riqoytao.exe'
Creates the following services
- 'grbbotxx' %WINDIR%\SysWOW64\grbbotxx\riqoytao.exe /d"%TEMP%\FA27.exe"
- 'grbbotxx' %WINDIR%\SysWOW64\grbbotxx\riqoytao.exe
Malicious functions
To complicate detection of its presence in the operating system,
adds antivirus exclusion with following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths] '%WINDIR%\SysWOW64\grbbotxx' = '00000000'
Executes the following
- '%WINDIR%\syswow64\netsh.exe' advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="%WINDIR%\SysWOW64\svchost.exe" enable=yes>nul
Injects code into
the following system processes:
- %WINDIR%\explorer.exe
Terminates or attempts to terminate
the following user processes:
- firefox.exe
Reads files which store third party applications passwords
- %ProgramFiles(x86)%\steam\config\config.vdf
- %ProgramFiles(x86)%\steam\config\dialogconfig.vdf
- %LOCALAPPDATA%\google\chrome\user data\default\cookies
- %LOCALAPPDATA%\google\chrome\user data\default\login data
- %LOCALAPPDATA%\google\chrome\user data\default\web data
- %APPDATA%\opera software\opera stable\login data
Modifies file system
Creates the following files
- %TEMP%\1105.tmp
- %LOCALAPPDATA%\e92f74a1-d4df-4c66-a35b-b4aba8c27882\updatewin1.exe
- %LOCALAPPDATA%\bowsakkdestx.txt
- C:\systemid\personalid.txt
- %TEMP%\cc4f.tmp
- %LOCALAPPDATA%\e92f74a1-d4df-4c66-a35b-b4aba8c27882\updatewin2.exe
- %TEMP%\6cdc.exe
- %LOCALAPPDATA%\e92f74a1-d4df-4c66-a35b-b4aba8c27882\updatewin.exe
- %ALLUSERSPROFILE%\nss3.dll
- %LOCALAPPDATA%\e92f74a1-d4df-4c66-a35b-b4aba8c27882\5.exe
- %ALLUSERSPROFILE%\r2w2y3x0v3w2y3x0v3\gecayxuroa95.gec
- %ALLUSERSPROFILE%\softokn3.dll
- %ALLUSERSPROFILE%\vcruntime140.dll
- %ALLUSERSPROFILE%\i0vant5izezb35jl879v1w4lh\files\c
- %ALLUSERSPROFILE%\i0vant5izezb35jl879v1w4lh\files\c-shm
- %ALLUSERSPROFILE%\i0vant5izezb35jl879v1w4lh\files\cookies\cookies_mozilla firefox_gn7ryp3k.default.txt
- %WINDIR%\syswow64\config\systemprofile:.repos
- %ALLUSERSPROFILE%\i0vant5izezb35jl879v1w4lh\files\history\history_mozilla firefox_gn7ryp3k.default.txt
- %ALLUSERSPROFILE%\msvcp140.dll
- %APPDATA%\mozilla\firefox\profiles\gn7ryp~1.def\cookies.sqlite-shm
- %APPDATA%\sdvgrsh
- %TEMP%\f20b.exe
- %TEMP%\fa27.exe
- %TEMP%\riqoytao.exe
- %TEMP%\6a6.exe
- %LOCALAPPDATA%\4ae6bcfc-19af-494a-87a9-0b5d98c8ce8c\f20b.exe
- %TEMP%\1364.exe
- %TEMP%\484a.exe
- %ALLUSERSPROFILE%\freebl3.dll
- %ALLUSERSPROFILE%\mozglue.dll
- %TEMP%\lzma.exe
- %TEMP%\expatai.dll
- %TEMP%\conf.conf
- %TEMP%\config.ini
- %LOCALAPPDATA%\google\chrome\userda~1\default\login data.bak
- %TEMP%\5ac1.exe
- %ALLUSERSPROFILE%\i0vant5izezb35jl879v1w4lh\files\temp
Sets the 'hidden' attribute to the following files
- %APPDATA%\sdvgrsh
Deletes the following files
- %TEMP%\fa27.exe
- <SYSTEM32>\tasks\time trigger task
- %ALLUSERSPROFILE%\r2w2y3x0v3w2y3x0v3\gecayxuroa95.gec
- %ALLUSERSPROFILE%\i0vant5izezb35jl879v1w4lh\files\c-shm
- %ALLUSERSPROFILE%\i0vant5izezb35jl879v1w4lh\files\temp
Moves the following files
- from %TEMP%\riqoytao.exe to %WINDIR%\syswow64\grbbotxx\riqoytao.exe
Substitutes the following files
- %ALLUSERSPROFILE%\r2w2y3x0v3w2y3x0v3\gecayxuroa95.gec
- %ALLUSERSPROFILE%\i0vant5izezb35jl879v1w4lh\files\temp
Deletes itself.
Network activity
TCP
HTTP GET requests
- http://37.##.127.236/2.php
- http://vj##.top/files/penelop/5.exe
- http://vj##.top/files/penelop/4.exe
- http://vj##.top/files/penelop/3.exe
- http://vj##.top/files/penelop/updatewin.exe
- http://fr####ivacytools.ru/downloads/privacytools2.exe
- http://vj##.top/files/penelop/updatewin2.exe
- http://bd###ans.com/softokn3.dll
- http://gc###artners.in/download.php?pu##########
- http://vj##.top/nddddhsspen6/get.php?pi#############################################
- http://bd###ans.com/nss3.dll
- http://bd###ans.com/msvcp140.dll
- http://bd###ans.com/mozglue.dll
- http://bd###ans.com/freebl3.dll
- http://jo##rca.com/download/004.exe
- http://vj##.top/files/penelop/updatewin1.exe
- http://bd###ans.com/vcruntime140.dll
HTTP POST requests
- http://19#.2.67.88/cfg/
- http://ff####load.online/business/receive
- http://na###ouzina.net/
UDP
- DNS ASK na###ouzina.net
- DNS ASK ap#.2ip.ua
- DNS ASK jo##rca.com
- DNS ASK bd###ans.com
- DNS ASK mi##########m.mail.protection.outlook.com
- DNS ASK ko##.monster
- DNS ASK vj##.top
- DNS ASK ff####load.online
- DNS ASK gc###artners.in
- DNS ASK fr####ivacytools.ru
Miscellaneous
Searches for the following windows
- ClassName: 'EDIT' WindowName: ''
Creates and executes the following
- '%TEMP%\f20b.exe'
- '%TEMP%\484a.exe'
- '%LOCALAPPDATA%\e92f74a1-d4df-4c66-a35b-b4aba8c27882\updatewin.exe'
- '%LOCALAPPDATA%\e92f74a1-d4df-4c66-a35b-b4aba8c27882\updatewin2.exe'
- '%TEMP%\5ac1.exe'
- '%TEMP%\lzma.exe'
- '%TEMP%\6a6.exe'
- '%LOCALAPPDATA%\e92f74a1-d4df-4c66-a35b-b4aba8c27882\updatewin1.exe'
- '%TEMP%\6cdc.exe'
- '%WINDIR%\syswow64\grbbotxx\riqoytao.exe' /d"%TEMP%\FA27.exe"
- '%TEMP%\fa27.exe'
- '%TEMP%\1364.exe'
- '%LOCALAPPDATA%\e92f74a1-d4df-4c66-a35b-b4aba8c27882\updatewin1.exe' --Admin
- '%TEMP%\f20b.exe' --Admin IsNotAutoStart IsNotTask
- '%WINDIR%\syswow64\sc.exe' create grbbotxx binPath= "%WINDIR%\SysWOW64\grbbotxx\riqoytao.exe /d\"%TEMP%\FA27.exe\"" type= own start= auto DisplayName= "wifi support"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /C move /Y "%TEMP%\riqoytao.exe" %WINDIR%\SysWOW64\grbbotxx\' (with hidden window)
- '%WINDIR%\syswow64\icacls.exe' "%LOCALAPPDATA%\4ae6bcfc-19af-494a-87a9-0b5d98c8ce8c" /deny *S-1-1-0:(OI)(CI)(DE,DC)' (with hidden window)
- '%WINDIR%\syswow64\netsh.exe' advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="%WINDIR%\SysWOW64\svchost.exe" enable=yes>nul' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' start grbbotxx' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' description grbbotxx "wifi internet conection"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /C mkdir %WINDIR%\SysWOW64\grbbotxx\' (with hidden window)
Executes the following
- '%WINDIR%\syswow64\cmd.exe' /C mkdir %WINDIR%\SysWOW64\grbbotxx\
- '%WINDIR%\syswow64\cmd.exe' /C move /Y "%TEMP%\riqoytao.exe" %WINDIR%\SysWOW64\grbbotxx\
- '%WINDIR%\syswow64\sc.exe' create grbbotxx binPath= "%WINDIR%\SysWOW64\grbbotxx\riqoytao.exe /d\"%TEMP%\FA27.exe\"" type= own start= auto DisplayName= "wifi support"
- '%WINDIR%\syswow64\sc.exe' description grbbotxx "wifi internet conection"
- '%WINDIR%\syswow64\sc.exe' start grbbotxx
- '%WINDIR%\syswow64\icacls.exe' "%LOCALAPPDATA%\4ae6bcfc-19af-494a-87a9-0b5d98c8ce8c" /deny *S-1-1-0:(OI)(CI)(DE,DC)
- '%WINDIR%\syswow64\svchost.exe'
- '%WINDIR%\syswow64\svchost.exe' -o msr.pool.gntl.co.uk:40005 -u 5nFN8BzQ1qP3PkbVHj5ooXSENsHFHMAj51jbA7YySkuEH8nBDYWHhhFQjiwcVqb9H8Soz3YTG6SijYVz1ntV1TAa5qAMCwu+60000 -p x -k
