Technical Information
To ensure autorun and distribution
Modifies the following registry keys
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'c366620eb6d62c73cd7d80fe4045ec9b' = '"%PROGRAMDATA%\Client.exe" ..'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'c366620eb6d62c73cd7d80fe4045ec9b' = '"%PROGRAMDATA%\Client.exe" ..'
Creates or modifies the following files
- %APPDATA%\microsoft\windows\start menu\programs\startup\c366620eb6d62c73cd7d80fe4045ec9b.exe
Malicious functions
Executes the following
- '%WINDIR%\syswow64\netsh.exe' firewall add allowedprogram "%PROGRAMDATA%\Client.exe" "Client.exe" ENABLE
Modifies file system
Creates the following files
- %TEMP%\djqkb.exe
- %TEMP%\ydtzayz.cmd
- %PROGRAMDATA%\client.exe
- nul
Network activity
Connects to
- 'ra######22896.portmap.host':32765
UDP
- DNS ASK ra######22896.portmap.host
- DNS ASK km##.#SGuides.com
Miscellaneous
Searches for the following windows
- ClassName: 'SystemTray_Main' WindowName: ''
Creates and executes the following
- '%TEMP%\djqkb.exe'
- '%PROGRAMDATA%\client.exe'
- '%WINDIR%\syswow64\netsh.exe' firewall add allowedprogram "%PROGRAMDATA%\Client.exe" "Client.exe" ENABLE' (with hidden window)
Executes the following
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\Ydtzayz.cmd" "
- '<SYSTEM32>\cscript.exe' //nologo slmgr.vbs /upk
- '<SYSTEM32>\cscript.exe' //nologo slmgr.vbs /cpky
- '<SYSTEM32>\wbem\wmic.exe' os
- '<SYSTEM32>\findstr.exe' /I "enterprise"
- '<SYSTEM32>\cscript.exe' //nologo slmgr.vbs /ipk 33PXH-7Y6KF-2VJC9-XBBR8-HVTHH
- '<SYSTEM32>\cscript.exe' //nologo slmgr.vbs /ipk YDRBP-3D83W-TY26F-D46B2-XCKRJ
- '<SYSTEM32>\cscript.exe' //nologo slmgr.vbs /ipk C29WB-22CC8-VJ326-GHFJW-H9DH4
- '<SYSTEM32>\cscript.exe' //nologo slmgr.vbs /skms kms7.MSGuides.com
- '<SYSTEM32>\cscript.exe' //nologo slmgr.vbs /ato
- '<SYSTEM32>\find.exe' /i "successfully"
- '<SYSTEM32>\cscript.exe' //nologo slmgr.vbs /skms kms8.MSGuides.com
- '<SYSTEM32>\choice.exe' /n /c YN /m "Would you like to visit my blog [Y,N]?"
