Technical Information
Malicious functions
Executes the following
- '<SYSTEM32>\taskkill.exe' /f /im HTTPDebuggerUI.exe
- '<SYSTEM32>\taskkill.exe' /FI "IMAGENAME eq procmon*" /IM * /F /T
- '<SYSTEM32>\taskkill.exe' /FI "IMAGENAME eq rawshark*" /IM * /F /T
- '<SYSTEM32>\taskkill.exe' /FI "IMAGENAME eq wireshark*" /IM * /F /T
- '<SYSTEM32>\taskkill.exe' /FI "IMAGENAME eq fiddler*" /IM * /F /T
- '<SYSTEM32>\taskkill.exe' /FI "IMAGENAME eq FolderChangesView*" /IM * /F /T
- '<SYSTEM32>\taskkill.exe' /FI "IMAGENAME eq processhacker*" /IM * /F /T
- '<SYSTEM32>\taskkill.exe' /FI "IMAGENAME eq idaq*" /IM * /F /T
- '<SYSTEM32>\taskkill.exe' /FI "IMAGENAME eq KsDumperClient*" /IM * /F /T
- '<SYSTEM32>\taskkill.exe' /FI "IMAGENAME eq HTTPDebuggerSvc*" /IM * /F /T
- '<SYSTEM32>\taskkill.exe' /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
- '<SYSTEM32>\taskkill.exe' /FI "IMAGENAME eq cheatengine*" /IM * /F /T
- '<SYSTEM32>\taskkill.exe' /f /im HTTPDebuggerSvc.exe
- '<SYSTEM32>\net.exe' stop ESEADriver2
- '<SYSTEM32>\net.exe' stop FACEIT
- '<SYSTEM32>\taskkill.exe' /FI "IMAGENAME eq HTTPDebuggerUI*" /IM * /F /T
- '<SYSTEM32>\taskkill.exe' /FI "IMAGENAME eq charles*" /IM * /F /T
Searches for windows to
detect analytical utilities:
- ClassName: 'FilemonClass', WindowName: ''
- ClassName: '', WindowName: 'File Monitor - Sysinternals: www.sysinternals.com'
- ClassName: 'PROCMON_WINDOW_CLASS', WindowName: ''
- ClassName: '', WindowName: 'Process Monitor - Sysinternals: www.sysinternals.com'
- ClassName: 'RegmonClass', WindowName: ''
- ClassName: '', WindowName: 'The Wireshark Network Analyzer'
Modifies file system
Creates the following files
- nul
Network activity
Connects to
- 'localhost':49181
TCP
Other
- 'localhost':49181
- 'localhost':49182
UDP
- DNS ASK ke##uth.win
Miscellaneous
Searches for the following windows
- ClassName: 'Registry Monitor - Sysinternals: www.sysinternals.com' WindowName: ''
- ClassName: '' WindowName: 'IDA: Quick start'
- ClassName: '' WindowName: 'KsDumper'
- ClassName: '' WindowName: 'OllyDbg'
- ClassName: '' WindowName: 'Process Hacker 2'
- ClassName: '' WindowName: 'Process Hacker'
- ClassName: '' WindowName: 'HTTP Debugger Pro'
- ClassName: '' WindowName: 'Ida Freeware'
- ClassName: '' WindowName: 'Ida Pro'
- ClassName: '' WindowName: 'Ida'
- ClassName: '' WindowName: 'Cheat Engine 7.6'
- ClassName: '' WindowName: 'Cheat Engine 7.5'
- ClassName: '' WindowName: 'Cheat Engine 7.4'
- ClassName: '' WindowName: 'Cheat Engine 7.3'
- ClassName: '' WindowName: 'Cheat Engine 6.9'
- ClassName: '' WindowName: 'Cheat Engine 7.0'
- ClassName: '' WindowName: 'Cheat Engine 7.1'
- ClassName: '' WindowName: 'Cheat Engine 7.2'
- ClassName: '' WindowName: 'HxD'
- ClassName: '' WindowName: 'BinaryNinja'
- ClassName: '' WindowName: 'FolderChangesView'
- ClassName: '' WindowName: 'dnSpy'
- ClassName: '' WindowName: 'x64dbg'
- ClassName: '' WindowName: 'HTTP Debugger'
- ClassName: '' WindowName: 'Fiddler'
- ClassName: '' WindowName: 'Progress Telerik Fiddler Web Debugger'
- ClassName: '' WindowName: 'Resource Monitor'
- ClassName: '18467-41' WindowName: ''
- ClassName: '' WindowName: 'Memory Viewer'
- ClassName: '' WindowName: 'Process List'
Executes the following
- '<SYSTEM32>\cmd.exe' /c certutil -hashfile "<Full path to file>" MD5 | find /i /v "md5" | find /i /v "certutil"
- '<SYSTEM32>\cmd.exe' /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /FI "IMAGENAME eq HTTPDebuggerSvc*" /IM * /F /T >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /FI "IMAGENAME eq HTTPDebuggerUI*" /IM * /F /T >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /FI "IMAGENAME eq KsDumperClient*" /IM * /F /T >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c sc stop HTTPDebuggerPro >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /FI "IMAGENAME eq FolderChangesView*" /IM * /F /T >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /FI "IMAGENAME eq procmon*" /IM * /F /T >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c start cmd /C "color b && title Error && echo CURL Error: Could not resolve hostname && timeout /t 5"
- '<SYSTEM32>\cmd.exe' /C "color b && title Error && echo CURL Error: Could not resolve hostname && timeout /t 5"
- '<SYSTEM32>\timeout.exe' /t 5
- '<SYSTEM32>\cmd.exe' /c sc stop npf >nul 2>&1
- '<SYSTEM32>\sc.exe' stop npf
- '<SYSTEM32>\sc.exe' stop wireshark
- '<SYSTEM32>\cmd.exe' /c sc stop wireshark >nul 2>&1
- '<SYSTEM32>\sc.exe' stop KProcessHacker1
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
- '<SYSTEM32>\find.exe' /i /v "md5"
- '<SYSTEM32>\certutil.exe' -hashfile "<Full path to file>" MD5
- '<SYSTEM32>\find.exe' /i /v "certutil"
- '<SYSTEM32>\net1.exe' stop FACEIT
- '<SYSTEM32>\cmd.exe' /c net stop ESEADriver2 >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /FI "IMAGENAME eq idaq*" /IM * /F /T >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
- '<SYSTEM32>\net1.exe' stop ESEADriver2
- '<SYSTEM32>\cmd.exe' /c sc stop KProcessHacker3 >nul 2>&1
- '<SYSTEM32>\sc.exe' stop KProcessHacker3
- '<SYSTEM32>\cmd.exe' /c sc stop KProcessHacker2 >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
- '<SYSTEM32>\sc.exe' stop KProcessHacker2
- '<SYSTEM32>\cmd.exe' /c sc stop KProcessHacker1 >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c net stop FACEIT >nul 2>&1
- '<SYSTEM32>\sc.exe' stop HTTPDebuggerPro
- '<SYSTEM32>\cmd.exe' /c taskkill /FI "IMAGENAME eq charles*" /IM * /F /T >nul 2>&1
