Technical Information
To ensure autorun and distribution
Creates or modifies the following files
- %APPDATA%\microsoft\windows\start menu\programs\startup\realteksb.lnk
- <SYSTEM32>\tasks\realtek sound blaster
Malicious functions
Searches for windows to
detect analytical utilities:
- ClassName: 'OLLYDBG', WindowName: ''
- ClassName: 'GBDYLLO', WindowName: ''
- ClassName: 'pediy06', WindowName: ''
- ClassName: 'FilemonClass', WindowName: ''
- ClassName: '', WindowName: 'File Monitor - Sysinternals: www.sysinternals.com'
- ClassName: 'PROCMON_WINDOW_CLASS', WindowName: ''
- ClassName: '', WindowName: 'Process Monitor - Sysinternals: www.sysinternals.com'
- ClassName: 'RegmonClass', WindowName: ''
- ClassName: '', WindowName: 'Registry Monitor - Sysinternals: www.sysinternals.com'
Modifies file system
Creates the following files
- %TEMP%\nsed84d.tmp
- %PROGRAMDATA%\systemnetwork\xcoremanagment.exe
- %LOCALAPPDATA%\microsoft\windows\history\low\history.ie5\index.dat
- %APPDATA%\microsoft\windows\cookies\low\index.dat
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\dkohepwd\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\10kk9nue\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\u9rnvwks\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\lqd8y6g9\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\index.dat
- %LOCALAPPDATA%\microsoft\windows\history\low\history.ie5\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\history\low\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\desktop.ini
- %TEMP%\is-jg5sr.tmp\wizardform.bitmapimage1.bmp
- %TEMP%\is-jg5sr.tmp\metroblue.vsf
- %TEMP%\is-jg5sr.tmp\vclstylesinno.dll
- %TEMP%\is-jg5sr.tmp\istask.dll
- %TEMP%\is-jg5sr.tmp\_isetup\_shfoldr.dll
- %TEMP%\is-jg5sr.tmp\_isetup\_setup64.tmp
- %TEMP%\is-jg5sr.tmp\_isetup\_regdll.tmp
- %TEMP%\is-bfva6.tmp\1.tmp
- %APPDATA%\realtek sound blaster\realteksb.exe
- %APPDATA%\software\1.exe
- %APPDATA%\software\sponsor_68.exe
- %APPDATA%\bamboo\boat_10.exe
- %TEMP%\nsjd86d.tmp\system.dll
- %PROGRAMDATA%\systemnetwork\video.txt
- %PROGRAMDATA%\systemnetwork\arch.txt
Sets the 'hidden' attribute to the following files
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\lqd8y6g9\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\u9rnvwks\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\10kk9nue\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\dkohepwd\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\history\low\history.ie5\desktop.ini
Deletes the following files
- %TEMP%\nsjd86d.tmp\system.dll
- %APPDATA%\software\sponsor_68.exe
Network activity
TCP
HTTP GET requests
- http://vm###560.had.wf/Build2/xCoreManagment.exe
UDP
- DNS ASK vm###560.had.wf
Miscellaneous
Searches for the following windows
- ClassName: '18467-41' WindowName: ''
- ClassName: 'Edit' WindowName: ''
Creates and executes the following
- '%APPDATA%\bamboo\boat_10.exe'
- '%APPDATA%\software\sponsor_68.exe'
- '%APPDATA%\software\1.exe'
- '%TEMP%\is-bfva6.tmp\1.tmp' /SL5="$6023E,16663327,66048,%APPDATA%\Software\1.exe"
- '%APPDATA%\realtek sound blaster\realteksb.exe'
- '%PROGRAMDATA%\systemnetwork\xcoremanagment.exe'
- '%WINDIR%\syswow64\cmd.exe' /k ping -n 5 localhost < nul & del /F /Q "%APPDATA%\Software\Sponsor_68.exe"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c WMIC OS get osarchitecture >%PROGRAMDATA%\SystemNetwork\arch.txt' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c wmic path win32_VideoController get name >%PROGRAMDATA%\SystemNetwork\video.txt' (with hidden window)
Executes the following
- '%WINDIR%\syswow64\rundll32.exe' "%WINDIR%\syswow64\WININET.dll",DispatchAPICall 1
- '%WINDIR%\syswow64\cmd.exe' /k ping -n 5 localhost < nul & del /F /Q "%APPDATA%\Software\Sponsor_68.exe"
- '%WINDIR%\syswow64\ping.exe' -n 5 localhost
- '%WINDIR%\syswow64\cmd.exe' /c WMIC OS get osarchitecture >%PROGRAMDATA%\SystemNetwork\arch.txt
- '%WINDIR%\syswow64\wbem\wmic.exe' OS get osarchitecture
- '%WINDIR%\syswow64\cmd.exe' /c wmic path win32_VideoController get name >%PROGRAMDATA%\SystemNetwork\video.txt
- '%WINDIR%\syswow64\wbem\wmic.exe' path win32_VideoController get name
