Technical Information
Malicious functions
Executes the following
- '<SYSTEM32>\netsh.exe' advfirewall firewall add rule name="Opera GX ECP" dir=out action=block protocol=TCP localport=,
- '<SYSTEM32>\netsh.exe' advfirewall firewall add rule name="Opera GX ECP" dir=out action=block protocol=UDP localport=,
- '<SYSTEM32>\netsh.exe' advfirewall firewall add rule name="Opera GX ECP" dir=out action=block remoteip=37.48.87.53
- '<SYSTEM32>\netsh.exe' advfirewall firewall add rule name="Opera GX ECP" dir=out action=block program="C:\AMD\AeroAdmin.exe"
- '<SYSTEM32>\netsh.exe' advfirewall firewall add rule name="Opera GX ECP" dir=in action=block protocol=TCP localport=,
- '<SYSTEM32>\netsh.exe' advfirewall firewall add rule name="Opera GX ECP" dir=in action=block protocol=UDP localport=,
- '<SYSTEM32>\netsh.exe' advfirewall firewall add rule name="Opera GX ECP" dir=in action=block remoteip=37.48.87.53
- '<SYSTEM32>\netsh.exe' advfirewall firewall add rule name="Opera GX ECP" dir=in action=block program="C:\AMD\AeroAdmin.exe"
Modifies file system
Creates the following files
- %TEMP%\90ba.tmp\90cb.tmp\90cc.bat
- %TEMP%\90ba.tmp\hosts.exe
- %TEMP%\90ba.tmp\xidel.exe
- nul
- <DRIVERS>\etc\hosts.backup
- <DRIVERS>\etc\hosts.rollback
Modifies the HOSTS file.
Miscellaneous
Creates and executes the following
- '%TEMP%\90ba.tmp\hosts.exe' rem auth20.aeroadmin.com
- '%TEMP%\90ba.tmp\hosts.exe' add auth19.aeroadmin.com
- '%TEMP%\90ba.tmp\hosts.exe' add auth18.aeroadmin.com
- '%TEMP%\90ba.tmp\hosts.exe' add auth17.aeroadmin.com
- '%TEMP%\90ba.tmp\hosts.exe' add auth16.aeroadmin.com
- '%TEMP%\90ba.tmp\hosts.exe' add auth15.aeroadmin.com
- '%TEMP%\90ba.tmp\hosts.exe' add auth14.aeroadmin.com
- '%TEMP%\90ba.tmp\hosts.exe' add auth13.aeroadmin.com
- '%TEMP%\90ba.tmp\hosts.exe' add auth12.aeroadmin.com
- '%TEMP%\90ba.tmp\hosts.exe' add auth11.aeroadmin.com
- '%TEMP%\90ba.tmp\hosts.exe' add auth10.aeroadmin.com
- '%TEMP%\90ba.tmp\hosts.exe' rem aeroadmin.com
- '%TEMP%\90ba.tmp\hosts.exe' add auth20.aeroadmin.com
- '%TEMP%\90ba.tmp\hosts.exe' add aeroadmin.com
- '%TEMP%\90ba.tmp\hosts.exe' rem auth18.aeroadmin.com
- '%TEMP%\90ba.tmp\hosts.exe' rem auth17.aeroadmin.com
- '%TEMP%\90ba.tmp\hosts.exe' rem auth16.aeroadmin.com
- '%TEMP%\90ba.tmp\hosts.exe' rem auth15.aeroadmin.com
- '%TEMP%\90ba.tmp\hosts.exe' rem auth14.aeroadmin.com
- '%TEMP%\90ba.tmp\hosts.exe' rem auth13.aeroadmin.com
- '%TEMP%\90ba.tmp\hosts.exe' rem auth12.aeroadmin.com
- '%TEMP%\90ba.tmp\hosts.exe' rem auth11.aeroadmin.com
- '%TEMP%\90ba.tmp\hosts.exe' rem auth10.aeroadmin.com
- '%TEMP%\90ba.tmp\xidel.exe' -s %ALLUSERSPROFILE%\Aeroadmin\config -e "op:=$json/out_port" --output-format=cmd
- '%TEMP%\90ba.tmp\xidel.exe' -s %ALLUSERSPROFILE%\Aeroadmin\config -e "bp:=$json/base_port" --output-format=cmd
- '%TEMP%\90ba.tmp\hosts.exe' rem auth19.aeroadmin.com
- '<SYSTEM32>\cmd.exe' /c "%TEMP%\90BA.tmp\90CB.tmp\90CC.bat <Full path to file>"' (with hidden window)
Executes the following
- '<SYSTEM32>\cmd.exe' /c "%TEMP%\90BA.tmp\90CB.tmp\90CC.bat <Full path to file>"
- '<SYSTEM32>\cmd.exe' /c xidel -s %ALLUSERSPROFILE%\Aeroadmin\config -e "bp:=$json/base_port" --output-format=cmd
- '<SYSTEM32>\cmd.exe' /c xidel -s %ALLUSERSPROFILE%\Aeroadmin\config -e "op:=$json/out_port" --output-format=cmd
- '<SYSTEM32>\netsh.exe' advfirewall firewall delete rule name="Diagnostique de réseau de base - Activation du relais neurologique"
- '<SYSTEM32>\netsh.exe' advfirewall firewall delete rule name="Activation du relais neurologique"
- '<SYSTEM32>\netsh.exe' advfirewall firewall delete rule name="Opera GX ECP"
- '<SYSTEM32>\ipconfig.exe' /flushdns
