Technical Information
To ensure autorun and distribution:
Creates the following services:
- [<HKLM>\SYSTEM\ControlSet001\Services\PlugAndPlay] 'ImagePath' = '%APPDATA%\svchost.exe -service -debug'
- [<HKLM>\SYSTEM\ControlSet001\Services\PlugAndPlay] 'Start' = '00000002'
- [<HKLM>\SYSTEM\ControlSet001\Services\TestService] 'Start' = '00000002'
Malicious functions:
Creates and executes the following:
- %APPDATA%\lsass.exe
Executes the following:
- <SYSTEM32>\netsh.exe firewall add portopening protocol = TCP port = 5900 name = TCP5900
- <SYSTEM32>\netsh.exe firewall add portopening protocol = TCP port = 5931 name = TCP5931
- <SYSTEM32>\netsh.exe firewall add portopening protocol = TCP port = 5932 name = TCP5932
- <SYSTEM32>\netsh.exe firewall add portopening protocol = TCP port = 8080 name = TCP8080
- <SYSTEM32>\netsh.exe firewall add portopening protocol = TCP port = 443 name = TCP443
- <SYSTEM32>\netsh.exe firewall add portopening protocol = TCP port = 5800 name = TCP5800
- <SYSTEM32>\sc.exe start "PlugAndPlay"
- <SYSTEM32>\mnmsrvc.exe
- <SYSTEM32>\reg.exe ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
- <SYSTEM32>\reg.exe ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fSingleSessionPerUser /t REG_DWORD /d 0 /f
- <SYSTEM32>\sc.exe start mnmsrvc
- <SYSTEM32>\sc.exe Start TlntSvr
- <SYSTEM32>\sc.exe Start TermService
- <SYSTEM32>\reg.exe ADD "HKLM\SYSTEM\CurrentControlSet\services\PlugAndPlay" /v ImagePath /t REG_SZ /d "%APPDATA%\svchost.exe -service -debug" /f
- <SYSTEM32>\reg.exe ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 3389 /f
- <SYSTEM32>\reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN" /v iexplore.exe /t REG_DWORD /d 0 /f
- <SYSTEM32>\sc.exe create "TestService" displayname= "HTTPS Service" binpath= "%APPDATA%\lsass.exe" type= own start= auto error= ignore
- <SYSTEM32>\sc.exe start TestService
- <SYSTEM32>\sc.exe create "PlugAndPlay" displayname= "PlugAndPlay" binpath= "%APPDATA%\svchost.exe -service -debug" type= own start= auto error= ignore
- <SYSTEM32>\netsh.exe firewall add allowedprogram "%APPDATA%\svchost.exe" "Служба сетевого доступа к файлам и принтерам"
- <SYSTEM32>\netsh.exe firewall add portopening protocol = TCP port = 3389 name = TCP3389
- <SYSTEM32>\netsh.exe firewall add portopening protocol = TCP port = 31337 name = TCP31337
- <SYSTEM32>\netsh.exe firewall add portopening protocol = TCP port = 80 name = TCP80
- <SYSTEM32>\netsh.exe firewall add allowedprogram "%APPDATA%\hvnc2.exe" "Служба сетевых подключений"
- <SYSTEM32>\netsh.exe firewall add allowedprogram "<SYSTEM32>\mstsc.exe" "Подключение к удаленному рабочему столу"
- <SYSTEM32>\netsh.exe firewall add allowedprogram "<SYSTEM32>\sessmgr.exe" "Удаленный рабочий стол"
Injects code into
the following system processes:
- %WINDIR%\Explorer.EXE
Installs hooks to intercept notifications
on keystrokes:
- Handler for all processes: %APPDATA%\core.dll
Modifies file system :
Creates the following files:
- %APPDATA%\core.dll
- %APPDATA%\lsass.exe
Sets the 'hidden' attribute to the following files:
- %APPDATA%\core.dll
- %APPDATA%\lsass.exe
Network activity:
Connects to:
- 'www.at##che.lt':80
- 'localhost':4455
TCP:
HTTP GET requests:
- www.at##che.lt/_hello.php?pa#########################################################################################################################################################
- www.at##che.lt/
UDP:
- DNS ASK www.at##che.lt
