To bypass firewall, removes or modifies the following registry keys:
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%TEMP%\server.exe' = '%TEMP%\server.exe:*:Enabled:server.exe'
To complicate detection of its presence in the operating system,
blocks execution of the following system utilities:
- Command Prompt (CMD)
- Windows Task Manager (Taskmgr)
- Registry Editor (RegEdit)
Creates and executes the following:
Executes the following:
- '<SYSTEM32>\reg.exe' add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f
- '<SYSTEM32>\reg.exe' add HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System /v DisableCMD /t REG_DWORD /d 1 /f
- '<SYSTEM32>\netsh.exe' firewall add allowedprogram "%TEMP%\server.exe" "server.exe" ENABLE
- '%TEMP%\server.exe'
- '<SYSTEM32>\cmd.exe' /K "%ALLUSERSPROFILE%\Application Data\WipeShadow.exe"
- '<SYSTEM32>\reg.exe' reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "4ed3073e-4f27-4f5a-a9c7-bbb04a742d00" /t REG_SZ /d "%ALLUSERSPROFILE%\Application Data\WipeShadow.exe" & exit
- '<SYSTEM32>\reg.exe' add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
- '%ALLUSERSPROFILE%\Application Data\WipeShadow.exe'
Injects code into
the following user processes: