Technical Information
Malicious functions
Searches for windows to
detect analytical utilities:
- ClassName: 'OLLYDBG', WindowName: ''
- ClassName: 'GBDYLLO', WindowName: ''
- ClassName: 'pediy06', WindowName: ''
- ClassName: 'FilemonClass', WindowName: ''
- ClassName: '', WindowName: 'File Monitor - Sysinternals: www.sysinternals.com'
- ClassName: 'PROCMON_WINDOW_CLASS', WindowName: ''
- ClassName: '', WindowName: 'Process Monitor - Sysinternals: www.sysinternals.com'
- ClassName: 'RegmonClass', WindowName: ''
- ClassName: '', WindowName: 'Registry Monitor - Sysinternals: www.sysinternals.com'
Modifies file system
Creates the following files
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\history\low\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\history\low\history.ie5\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\index.dat
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\0ip7461j\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\et0tjo5b\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\j5rqo4bj\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\t0jbvhqg\desktop.ini
- %APPDATA%\microsoft\windows\cookies\low\index.dat
- %LOCALAPPDATA%\microsoft\windows\history\low\history.ie5\index.dat
- %ALLUSERSPROFILE%\systemnetwork\xcoremanagment.exe
Sets the 'hidden' attribute to the following files
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\0ip7461j\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\et0tjo5b\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\j5rqo4bj\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\t0jbvhqg\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\history\low\history.ie5\desktop.ini
Deletes itself.
Network activity
TCP
HTTP GET requests
- http://45.##.228.44/Build3/xCoreManagment.exe
Miscellaneous
Searches for the following windows
- ClassName: '18467-41' WindowName: ''
Creates and executes the following
- '%ALLUSERSPROFILE%\systemnetwork\xcoremanagment.exe'
- '%WINDIR%\syswow64\cmd.exe' /k ping -n 5 localhost < nul & del /F /Q "<Full path to file>"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c WMIC OS get osarchitecture >%ALLUSERSPROFILE%\SystemNetwork\arch.txt' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c wmic path win32_VideoController get name >%ALLUSERSPROFILE%\SystemNetwork\video.txt' (with hidden window)
Executes the following
- '%WINDIR%\syswow64\rundll32.exe' "%WINDIR%\syswow64\WININET.dll",DispatchAPICall 1
- '%WINDIR%\syswow64\cmd.exe' /k ping -n 5 localhost < nul & del /F /Q "<Full path to file>"
- '%WINDIR%\syswow64\ping.exe' -n 5 localhost
- '%WINDIR%\syswow64\cmd.exe' /c WMIC OS get osarchitecture >%ALLUSERSPROFILE%\SystemNetwork\arch.txt
- '%WINDIR%\syswow64\wbem\wmic.exe' OS get osarchitecture
- '%WINDIR%\syswow64\cmd.exe' /c wmic path win32_VideoController get name >%ALLUSERSPROFILE%\SystemNetwork\video.txt
- '%WINDIR%\syswow64\wbem\wmic.exe' path win32_VideoController get name
