Technical Information
To ensure autorun and distribution
Modifies the following registry keys
- [<HKCU>\Control Panel\Desktop] 'SCRNSAVE.EXE' = 'ssmarque.scr'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe] 'Debugger' = 'drivers\Kazekage.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe] 'Debugger' = 'drivers\Kazekage.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe] 'Debugger' = 'drivers\Kazekage.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com] 'Debugger' = 'cmd.exe /c del'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe] 'Debugger' = 'cmd.exe /c del'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe] 'Debugger' = 'cmd.exe /c del'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe] 'Debugger' = 'cmd.exe /c del'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe] 'Debugger' = 'drivers\Kazekage.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe] 'Debugger' = 'drivers\Kazekage.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe] 'Debugger' = 'drivers\Kazekage.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe] 'Debugger' = 'cmd.exe /c del'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe] 'Debugger' = 'drivers\Kazekage.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe] 'Debugger' = 'cmd.exe /c del'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe] 'Debugger' = 'cmd.exe /c del'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe] 'Debugger' = 'cmd.exe /c del'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe] 'Debugger' = 'cmd.exe /c del'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe] 'Debugger' = 'cmd.exe /c del'
- [<HKLM>\Software\Classes\VBSFile\Shell\Open\Command] '' = 'calc.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Userinit' = 'userinit.exe,drivers\system32.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Shell' = 'Explorer.exe, drivers\csrss.exe'
- [<HKLM>\Software\Microsoft\Windows\CurrentVersion\Run] 'SystemRun' = 'drivers\csrss.exe'
- [<HKLM>\Software\Microsoft\Windows\CurrentVersion\Run] '644r4' = '23-7-2019.exe'
- [<HKLM>\Software\Microsoft\Windows\CurrentVersion\Run] 'FreeAV' = 'Fonts\user 23 - 7 - 2019\Gaara.exe'
- [<HKLM>\Software\Microsoft\Windows\CurrentVersion\Run] 'DesertSand' = 'Fonts\user 23 - 7 - 2019\smss.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe] 'Debugger' = 'cmd.exe /c del'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe] 'Debugger' = 'drivers\Kazekage.exe'
Changes the following executable system files
- <SYSTEM32>\mscomctl.ocx
Creates the following files on removable media
- <Drive name for removable media>:\autorun.inf
- <Drive name for removable media>:\user games\hokage-sampit (nothing).exe
- <Drive name for removable media>:\gaara.exe
- <Drive name for removable media>:\user games\readme.txt
- <Drive name for removable media>:\user games\gaara games - naruto.exe
- <Drive name for removable media>:\user games\naruto games.exe
- <Drive name for removable media>:\user games\anbu team sampit (nothing).exe
- <Drive name for removable media>:\user games\kazekage.exe
- <Drive name for removable media>:\user games\kazekage vs hokage.exe
- <Drive name for removable media>:\user games\gaara go to kazekage.exe
Malicious functions
To complicate detection of its presence in the operating system,
forces the system hide from view:
- hidden files
- file extensions
blocks execution of the following system utilities:
- Registry Editor (RegEdit)
blocks the following features:
- System Restore (SR)
- User Account Control (UAC)
modifies the following system settings:
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] 'NoFind' = '00000001'
Searches for windows to
detect analytical utilities:
- ClassName: 'PROCEXPL', WindowName: ''
Modifies settings of Windows Internet Explorer
- [<HKCU>\Software\Microsoft\Internet Explorer\Main] 'Window Title' = '!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!'
Modifies file system
Creates the following files
- %WINDIR%\fonts\the kazekage.jpg
- C:\user games\kazekage vs hokage.exe
- C:\user games\gaara go to kazekage.exe
- D:\user games\kazekage.exe
- C:\user games\kazekage.exe
- D:\user games\anbu team sampit (nothing).exe
- C:\user games\anbu team sampit (nothing).exe
- D:\user games\naruto games.exe
- C:\user games\naruto games.exe
- D:\user games\gaara games - naruto.exe
- C:\user games\gaara games - naruto.exe
- %WINDIR%\mscomctl.ocx
- D:\user games\readme.txt
- D:\gaara.exe
- D:\user games\hokage-sampit (nothing).exe
- D:\autorun.inf
- C:\user games\readme.txt
- C:\gaara.exe
- C:\user games\hokage-sampit (nothing).exe
- C:\autorun.inf
- <Current directory>\gaara the kazekage.exe
- %WINDIR%\system\msvbvm60.dll
- %WINDIR%\msvbvm60.dll
- %WINDIR%\fonts\user 23 - 7 - 2019\msvbvm60.dll
- <DRIVERS>\system32.exe
- <DRIVERS>\kazekage.exe
- <SYSTEM32>\23-7-2019.exe
- %WINDIR%\fonts\user 23 - 7 - 2019\csrss.exe
- %WINDIR%\fonts\user 23 - 7 - 2019\gaara.exe
- %WINDIR%\fonts\user 23 - 7 - 2019\smss.exe
- D:\user games\kazekage vs hokage.exe
- D:\user games\gaara go to kazekage.exe
Sets the 'hidden' attribute to the following files
- C:\autorun.inf
- C:\gaara.exe
- D:\autorun.inf
- D:\gaara.exe
- <Drive name for removable media>:\autorun.inf
- <Drive name for removable media>:\gaara.exe
- %WINDIR%\msvbvm60.dll
Network activity
UDP
- DNS ASK 22#.###.0.0.in-addr.arpa
Miscellaneous
Searches for the following windows
- ClassName: 'THUNDERRT6FORMDC' WindowName: ''
- ClassName: 'SYMINTEGRATORWND' WindowName: ''
- ClassName: 'CENTRALFRAME' WindowName: ''
- ClassName: 'TMCAFEEVIRUSSCANCENTRAL' WindowName: ''
- ClassName: 'NAI_VS_STAT' WindowName: ''
- ClassName: 'VIRUSSCANCONSULEWINDOWSCLASS' WindowName: ''
- ClassName: 'TMESSAGEFORM' WindowName: ''
- ClassName: 'TFROM1' WindowName: ''
- ClassName: 'TPANEL' WindowName: ''
- ClassName: 'NAVAPWNDCLASS' WindowName: ''
- ClassName: 'TAPPLICATION' WindowName: ''
- ClassName: 'TXPTITLE' WindowName: ''
- ClassName: 'TMAINFORM' WindowName: ''
- ClassName: 'CONSOLEWINDOWCLASS' WindowName: ''
- ClassName: 'ANSAV#2194' WindowName: ''
- ClassName: 'HONEYKISSME' WindowName: ''
- ClassName: 'THUNDERRT6USERCONTROL' WindowName: ''
- ClassName: 'THUNDERRT6USERCONTROLDC' WindowName: ''
- ClassName: 'THUNDERRT6FRAME' WindowName: ''
- ClassName: 'TTFXPFORM' WindowName: ''
- ClassName: 'SYM_CCWEBWINDOWS_CLASS' WindowName: ''
Creates and executes the following
- '%WINDIR%\fonts\user 23 - 7 - 2019\smss.exe'
- '%WINDIR%\fonts\user 23 - 7 - 2019\gaara.exe'
- '%WINDIR%\fonts\user 23 - 7 - 2019\csrss.exe'
- '<DRIVERS>\kazekage.exe'
- '<DRIVERS>\system32.exe'
- '%WINDIR%\fonts\user 23 - 7 - 2019\smss.exe' ' (with hidden window)
- '%WINDIR%\fonts\user 23 - 7 - 2019\gaara.exe' ' (with hidden window)
- '%WINDIR%\fonts\user 23 - 7 - 2019\csrss.exe' ' (with hidden window)
- '<DRIVERS>\kazekage.exe' ' (with hidden window)
- '<DRIVERS>\system32.exe' ' (with hidden window)
- '<SYSTEM32>\ping.exe' -a -l www.ra####yang.com.my 65500' (with hidden window)
- '<SYSTEM32>\ping.exe' -a -l www.du###sex.com 65500' (with hidden window)
Executes the following
- '<SYSTEM32>\winmine.exe'
- '<SYSTEM32>\ping.exe' -a -l www.ra####yang.com.my 65500
- '<SYSTEM32>\ping.exe' -a -l www.du###sex.com 65500
