Trojan.MulDrop24.3697

Technical Information

To ensure autorun and distribution

Modifies the following registry keys

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001] 'PackedCatalogItem' = '{25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,33,3...
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002] 'PackedCatalogItem' = '{25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,33,3...
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003] 'PackedCatalogItem' = '{25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,33,3...
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004] 'PackedCatalogItem' = '{25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,33,3...
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005] 'PackedCatalogItem' = '{25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,33,3...
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006] 'PackedCatalogItem' = '{25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,33,3...
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007] 'PackedCatalogItem' = '{25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,33,3...
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008] 'PackedCatalogItem' = '{25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,33,3...
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009] 'PackedCatalogItem' = '{25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,33,3...
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010] 'PackedCatalogItem' = '{25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,33,3...

Malicious functions

Terminates or attempts to terminate

the following system processes:

<SYSTEM32>\cmd.exe

Modifies file system

Creates the following files

%TEMP%\4e9c.tmp\4e9d.tmp\4eae.bat

Deletes the following files

%TEMP%\4e9c.tmp\4e9d.tmp\4eae.bat

Miscellaneous

Executes the following

'<SYSTEM32>\cmd.exe' /c "%TEMP%\4E9C.tmp\4E9D.tmp\4EAE.bat <Full path to file>"
'<SYSTEM32>\netsh.exe' int ipv4 set interface Ethernet retransmittime=1
'<SYSTEM32>\netsh.exe' int ipv6 set interface Ethernet retransmittime=1
'<SYSTEM32>\netsh.exe' int ipv4 set interface Ethernet advertisedrouterlifetime=255
'<SYSTEM32>\netsh.exe' int ipv6 set interface Ethernet advertisedrouterlifetime=255
'<SYSTEM32>\netsh.exe' int ipv4 set interface Ethernet advertisedefaultroute=enabled
'<SYSTEM32>\netsh.exe' int ipv6 set interface Ethernet advertisedefaultroute=enabled
'<SYSTEM32>\netsh.exe' int ipv4 set interface Ethernet rabaseddnsconfig=enabled
'<SYSTEM32>\netsh.exe' int ipv6 set interface Ethernet rabaseddnsconfig=enabled
'<SYSTEM32>\netsh.exe' int ipv4 set interface Ethernet dhcpstaticipcoexistence=enabled
'<SYSTEM32>\netsh.exe' int ipv6 set interface Ethernet dhcpstaticipcoexistence=enabled
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' Disable-NetAdapterChecksumOffload -Name "*"
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' Disable-NetAdapterLso -Name "*"
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' Disable-NetAdapterIPsecOffload -Name "*"
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' Disable-NetAdapterPowerManagement -Name "*"
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' Disable-NetAdapterQos -Name "*"
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' Set-NetOffloadGlobalSetting -Chimney Disabled
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' Set-NetOffloadGlobalSetting -PacketCoalescingFilter disabled
'<SYSTEM32>\netsh.exe' int ip set global sourceroutingbehavior=drop
'<SYSTEM32>\netsh.exe' int ip set global taskoffload=disabled
'<SYSTEM32>\netsh.exe' int tcp set security profiles=disabled
'<SYSTEM32>\netsh.exe' int tcp set global fastopenfallback=enabled
'<SYSTEM32>\netsh.exe' int tcp set security mpp=disabled
'<SYSTEM32>\netsh.exe' int tcp set global congestionprovider=ctcp
'<SYSTEM32>\netsh.exe' winsock reset catalog
'<SYSTEM32>\netsh.exe' int ip reset c:resetlog.txt
'<SYSTEM32>\netsh.exe' int ip reset C:\tcplog.txt
'<SYSTEM32>\netsh.exe' int tcp reset
'<SYSTEM32>\netsh.exe' int tcp set global autotuninglevel=restricted
'<SYSTEM32>\netsh.exe' int tcp set global ecncapability=disabled
'<SYSTEM32>\netsh.exe' int tcp set global rsc=enabled
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' Set-NetTCPSetting -SettingName Internet -MinRto 300
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' Set-NetTCPSetting -SettingName Internet -InitialRto 3000
'<SYSTEM32>\netsh.exe' winsock set autotuning on
'<SYSTEM32>\netsh.exe' int tcp set global nonsackrttresiliency=disabled
'<SYSTEM32>\netsh.exe' int tcp set supplemental Internet congestionprovider=ctcp
'<SYSTEM32>\netsh.exe' int tcp set global maxsynretransmissions=2
'<SYSTEM32>\netsh.exe' int tcp set global fastopen=enabled
'<SYSTEM32>\netsh.exe' int tcp set global chimney=disabled
'<SYSTEM32>\netsh.exe' interface tcp set global rss=enabled
'<SYSTEM32>\netsh.exe' int tcp set heuristics disabled
'<SYSTEM32>\netsh.exe' int tcp set global dca=enabled
'<SYSTEM32>\netsh.exe' int tcp set global netdma=disabled
'<SYSTEM32>\netsh.exe' int tcp set global rss=enabled
'<SYSTEM32>\netsh.exe' int tcp set global pacingprofile=off

Technologies

Terminology

Training and education

Myths

Technical Information

Curing recommendations

Free trial