Technical Information
To ensure autorun and distribution
Modifies the following registry keys
- [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\winlogon] 'Userinit' = '<SYSTEM32>\userinit.exe,%WINDIR%\INF\.NETFramework\CORPerfMonSymbols.exe'
Creates or modifies the following files
- <SYSTEM32>\tasks\launch adobe ccxprocess
- <SYSTEM32>\tasks\xccprocess
- <SYSTEM32>\tasks\microsoft\windows\windows update listner
- <SYSTEM32>\tasks\microsoft\microsoft launcher
Sets the following service settings
- [HKLM\SYSTEM\CurrentControlSet\Services\System Diagnostics Host] 'Start' = '00000002'
- [HKLM\SYSTEM\CurrentControlSet\Services\System Diagnostics Host] 'ImagePath' = '%WINDIR%\SysWOW64\SystemDiagnosticsHost.exe'
- [HKLM\SYSTEM\CurrentControlSet\Services\aswArPot.sys] 'ImagePath' = '%WINDIR%\temp\aswArPot.bin'
Creates the following services
- 'System Diagnostics Host' %WINDIR%\SysWOW64\SystemDiagnosticsHost.exe
- 'aswArPot.sys' %WINDIR%\temp\aswArPot.bin
Malicious functions
Executes the following
- '<SYSTEM32>\netsh.exe' advfirewall firewall add rule name="XCCProcess" dir=in action=allow program="%WINDIR%\Media\mppr.exe" enable=yes
Launches a large number of processes
Injects code into
the following system processes:
- %WINDIR%\explorer.exe
Terminates or attempts to terminate
the following system processes:
- <SYSTEM32>\securityhealthsystray.exe
- <SYSTEM32>\securityhealthservice.exe
Modifies file system
Creates the following files
- %TEMP%\tmp3535.tmp.exe
- %LOCALAPPDATA%\microsoft\clr_v4.0\usagelogs\<File name>.exe.log
- %WINDIR%\media\mppr.exe
- %WINDIR%\inputmethod\shared\rc_connectedaccount.exe
- %TEMP%\gr1ndx1x\gr1ndx1x.0.cs
- %TEMP%\gr1ndx1x\gr1ndx1x.cmdline
- %TEMP%\gr1ndx1x\gr1ndx1x.out
- %TEMP%\cscb17864166968467987bf276a039e765.tmp
- %TEMP%\res7470.tmp
- %TEMP%\tmp686a.tmp
- %WINDIR%\inf\.netframework\corperfmonsymbols.exe
- %TEMP%\tnc4fzfm\tnc4fzfm.0.cs
- %TEMP%\tnc4fzfm\tnc4fzfm.cmdline
- %TEMP%\tnc4fzfm\tnc4fzfm.out
- %TEMP%\csc98c53fcb60b34673bd6bcf92912525ff.tmp
- %TEMP%\res7991.tmp
- %TEMP%\tmp7627.tmp
- %WINDIR%\inf\usbhub\usbperfsym.exe
- %WINDIR%\syswow64\systemdiagnosticshost.exe
- %WINDIR%\media\msldriver.dll
- %WINDIR%\temp\aswarpot.bin
- C:\recovery\oem\resetconfig.xml
- C:\recovery\oem\ee312b48-ea0c-432f-ba74-ee5697f3953f.bat
- C:\recovery\oem\702d984d-3e15-41d1-831f-9c1ca8012fb9.exe
- %TEMP%\ommte4tz.2jz.bat
- nul
- %LOCALAPPDATA%\microsoft\clr_v4.0\usagelogs\tmp3535.tmp.exe.log
- %WINDIR%\temp\tmp5328.tmp
- %WINDIR%\temp\tmp53a6.tmp
- %TEMP%\tmp83ae.tmp
- %TEMP%\tmp83dd.tmp
Sets the 'hidden' attribute to the following files
- %WINDIR%\media\mppr.exe
- %WINDIR%\inputmethod\shared\rc_connectedaccount.exe
- %WINDIR%\inf\.netframework\corperfmonsymbols.exe
- %WINDIR%\inf\usbhub\usbperfsym.exe
- %WINDIR%\syswow64\systemdiagnosticshost.exe
- %WINDIR%\media\msldriver.dll
Deletes following files that it created itself
- %TEMP%\res7470.tmp
- %TEMP%\cscb17864166968467987bf276a039e765.tmp
- %TEMP%\gr1ndx1x\gr1ndx1x.cmdline
- %TEMP%\gr1ndx1x\gr1ndx1x.out
- %TEMP%\gr1ndx1x\gr1ndx1x.0.cs
- %TEMP%\tmp686a.tmp
- %TEMP%\res7991.tmp
- %TEMP%\csc98c53fcb60b34673bd6bcf92912525ff.tmp
- %TEMP%\tnc4fzfm\tnc4fzfm.out
- %TEMP%\tnc4fzfm\tnc4fzfm.cmdline
- %TEMP%\tnc4fzfm\tnc4fzfm.0.cs
- %TEMP%\tmp7627.tmp
- %WINDIR%\temp\tmp5328.tmp
- %WINDIR%\temp\tmp53a6.tmp
- %TEMP%\tmp83ae.tmp
- %TEMP%\tmp83dd.tmp
Network activity
UDP
- DNS ASK 8j####glwi6ns92.cc
- DNS ASK z8######pxt19zq.gotdns.ch
- DNS ASK 29########2h4tv.freedynamicdns.org
- DNS ASK 2n########l2o91.freedynamicdns.org
- DNS ASK kq####j2qtph2l9.cc
Miscellaneous
Searches for the following windows
- ClassName: 'MouseZ' WindowName: 'Magellan MSWHEEL'
Creates and executes the following
- '%TEMP%\tmp3535.tmp.exe'
- '%WINDIR%\syswow64\systemdiagnosticshost.exe'
- '%WINDIR%\media\mppr.exe'
Executes the following
- '%WINDIR%\microsoft.net\framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @"%TEMP%\gr1ndx1x\gr1ndx1x.cmdline"
- '%WINDIR%\microsoft.net\framework64\v4.0.30319\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES7470.tmp" "%TEMP%\CSCB17864166968467987BF276A039E765.TMP"
- '%WINDIR%\microsoft.net\framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @"%TEMP%\tnc4fzfm\tnc4fzfm.cmdline"
- '%WINDIR%\microsoft.net\framework64\v4.0.30319\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES7991.tmp" "%TEMP%\CSC98C53FCB60B34673BD6BCF92912525FF.TMP"
- '<SYSTEM32>\cmd.exe' /c schtasks /create /f /rl highest /tn "Launch Adobe CCXProcess" /tr "%WINDIR%\Media\mppr.exe" /sc onlogon & exit
- '<SYSTEM32>\schtasks.exe' /create /f /rl highest /tn "Launch Adobe CCXProcess" /tr "%WINDIR%\Media\mppr.exe" /sc onlogon
- '<SYSTEM32>\cmd.exe' /c schtasks /create /f /rl highest /tn "XCCProcess" /tr "%WINDIR%\INF\usbhub\usbperfsym.exe" /sc onlogon & exit
- '<SYSTEM32>\schtasks.exe' /create /f /rl highest /tn "XCCProcess" /tr "%WINDIR%\INF\usbhub\usbperfsym.exe" /sc onlogon
- '<SYSTEM32>\cmd.exe' /c schtasks /create /f /sc minute /rl highest /mo 2 /tn "Microsoft\Windows\Windows Update Listner" /tr "%WINDIR%\Media\mppr.exe" & exit
- '<SYSTEM32>\schtasks.exe' /create /f /sc minute /rl highest /mo 2 /tn "Microsoft\Windows\Windows Update Listner" /tr "%WINDIR%\Media\mppr.exe"
- '<SYSTEM32>\cmd.exe' /c schtasks /create /f /sc minute /rl highest /mo 5 /tn "Microsoft\Microsoft Launcher" /tr "%WINDIR%\InputMethod\SHARED\RC_ConnectedAccount.exe" & exit
- '<SYSTEM32>\schtasks.exe' /create /f /sc minute /rl highest /mo 5 /tn "Microsoft\Microsoft Launcher" /tr "%WINDIR%\InputMethod\SHARED\RC_ConnectedAccount.exe"
- '<SYSTEM32>\cmd.exe' /c sc query "System Diagnostics Host" & exit
- '<SYSTEM32>\sc.exe' query "System Diagnostics Host"
- '<SYSTEM32>\cmd.exe' /c sc create "System Diagnostics Host" binPath= "%WINDIR%\SysWOW64\SystemDiagnosticsHost.exe" obj= "LocalSystem" start= auto & exit
- '<SYSTEM32>\sc.exe' create "System Diagnostics Host" binPath= "%WINDIR%\SysWOW64\SystemDiagnosticsHost.exe" obj= "LocalSystem" start= auto
- '<SYSTEM32>\cmd.exe' /c sc description "System Diagnostics Host" "Monitors and manages system diagnostic tasks." & exit
- '<SYSTEM32>\sc.exe' description "System Diagnostics Host" "Monitors and manages system diagnostic tasks."
- '<SYSTEM32>\cmd.exe' /c sc start "System Diagnostics Host" & exit
- '<SYSTEM32>\sc.exe' start "System Diagnostics Host"
- '<SYSTEM32>\cmd.exe' /c netsh advfirewall firewall show rule name="XCCProcess" & exit
- '<SYSTEM32>\netsh.exe' advfirewall firewall show rule name="XCCProcess"
- '<SYSTEM32>\cmd.exe' /c netsh advfirewall firewall add rule name="XCCProcess" dir=in action=allow program="%WINDIR%\Media\mppr.exe" enable=yes & exit
- '<SYSTEM32>\cmd.exe' /c sc.exe create aswArPot.sys binPath= %WINDIR%\temp\aswArPot.bin type= kernel & exit
- '<SYSTEM32>\sc.exe' create aswArPot.sys binPath= %WINDIR%\temp\aswArPot.bin type= kernel
- '<SYSTEM32>\cmd.exe' /c sc.exe start aswArPot.sys & exit
- '<SYSTEM32>\sc.exe' start aswArPot.sys
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\ommte4tz.2jz.bat""
- '<SYSTEM32>\timeout.exe' 8
- '<SYSTEM32>\securityhealthservice.exe'
- '%WINDIR%\microsoft.net\framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @"%TEMP%\gr1ndx1x\gr1ndx1x.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v4.0.30319\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES7470.tmp" "%TEMP%\CSCB17864166968467987BF276A039E765.TMP"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @"%TEMP%\tnc4fzfm\tnc4fzfm.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v4.0.30319\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES7991.tmp" "%TEMP%\CSC98C53FCB60B34673BD6BCF92912525FF.TMP"' (with hidden window)
