Technical Information
To ensure autorun and distribution
Modifies the following registry keys
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'babe8364d0b44de2ea6e4bcccd70281e' = '"%TEMP%\server.exe" ..'
- [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'babe8364d0b44de2ea6e4bcccd70281e' = '"%TEMP%\server.exe" ..'
Creates or modifies the following files
- %APPDATA%\microsoft\windows\start menu\programs\startup\babe8364d0b44de2ea6e4bcccd70281e.exe
Creates the following files on removable media
- <Drive name for removable media>:\babe8364d0b44de2ea6e4bcccd70281e.exe
- <Drive name for removable media>:\contoso.cer.lnk
- <Drive name for removable media>:\pmd.cer.lnk
- <Drive name for removable media>:\sdkfailsafeemulator.cer.lnk
- <Drive name for removable media>:\sdksampleunprivdeveloper.cer.lnk
- <Drive name for removable media>:\testcertificate.cer.lnk
- <Drive name for removable media>:\sdksampleprivdeveloper.cer.lnk
- <Drive name for removable media>:\contosoroot_1.cer.lnk
- <Drive name for removable media>:\dashborder_192.bmp.lnk
- <Drive name for removable media>:\tileimage.bmp.lnk
- <Drive name for removable media>:\dial.bmp.lnk
- <Drive name for removable media>:\dashborder_144.bmp.lnk
- <Drive name for removable media>:\delete.avi.lnk
- <Drive name for removable media>:\000814251_video_01.avi.lnk
- <Drive name for removable media>:\split.avi.lnk
- <Drive name for removable media>:\correct.avi.lnk
- <Drive name for removable media>:\lisp_success.doc.lnk
- <Drive name for removable media>:\weeklysheet1215.doc.lnk
Malicious functions
Executes the following
- '%WINDIR%\syswow64\netsh.exe' firewall add allowedprogram "%TEMP%\server.exe" "server.exe" ENABLE
Modifies file system
Creates the following files
- %TEMP%\server.exe
Sets the 'hidden' attribute to the following files
- <Drive name for removable media>:\babe8364d0b44de2ea6e4bcccd70281e.exe
Network activity
Connects to
- 'localhost':5553
Miscellaneous
Creates and executes the following
- '%TEMP%\server.exe'
- '%WINDIR%\syswow64\netsh.exe' firewall add allowedprogram "%TEMP%\server.exe" "server.exe" ENABLE' (with hidden window)