Technical Information
To ensure autorun and distribution:
Creates the following services:
- [<HKLM>\SYSTEM\ControlSet001\Services\trg] 'Start' = '00000001'
- [<HKLM>\SYSTEM\ControlSet001\Services\ttrg] 'Start' = '00000002'
Malicious functions:
Executes the following:
- '<SYSTEM32>\reg.exe' add "hklm\software\microsoft\windows nt\currentversion\svchost" /v ttrg /t reg_multi_sz /d "ttrg\0" /f
- '<SYSTEM32>\reg.exe' add "hklm\system\currentcontrolset\services\ttrg" /v failureactions /t reg_binary /d 00000000000000000000000003000000140000000100000060ea00000100000060ea00000100000060ea0000 /f
- '<SYSTEM32>\svchost.exe' -k ttrg
- '<SYSTEM32>\sc.exe' start ttrg
- '<SYSTEM32>\reg.exe' add "hklm\system\currentcontrolset\services\ttrg\parameters" /v servicedll /t reg_expand_sz /d "<SYSTEM32>\trg.dll" /f
- '<SYSTEM32>\netsh.exe' firewall add allowedprogram name="trg" program="<SYSTEM32>\svchost.exe" mode=enable
- '<SYSTEM32>\cmd.exe' /c "%TEMP%\\trg.bat"
- '<SYSTEM32>\sc.exe' create "ttrg" type= interact type= share start= auto binpath= "<SYSTEM32>\svchost.exe -k ttrg"
- '<SYSTEM32>\netsh.exe' firewall add portopening tcp 8085 trg enable
Modifies file system :
Creates the following files:
- %TEMP%\trg.bat
- <DRIVERS>\trg.sys
- <SYSTEM32>\trg.dll
Network activity:
Connects to:
- '85.##.236.156':80
- 'localhost':8085
TCP:
HTTP GET requests:
- 85.##.236.156/feed/?v=########################