Technical Information
To ensure autorun and distribution
Modifies the following registry keys
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'w' = '"%TEMP%\MUNYNAYDANRZMN1XIXDA1KPFNKN8DDME..EXE"'
Creates or modifies the following files
- %WINDIR%\tasks\us.job
Creates the following services
- [<HKLM>\System\CurrentControlSet\Services\WindowsInput] 'Start' = '00000002'
- [<HKLM>\System\CurrentControlSet\Services\WindowsInput] 'ImagePath' = '"<SYSTEM32>\WindowsInput.exe"'
Modifies file system
Creates the following files
- %TEMP%\4swnr7bawirhmhachask78mxow751q5x..exe
- %TEMP%\yna3yig1.dll
- %TEMP%\res4.tmp
- %TEMP%\csc3.tmp
- %TEMP%\yna3yig1.out
- %TEMP%\yna3yig1.cmdline
- %TEMP%\yna3yig1.0.cs
- %ProgramFiles%\s\s.exe.config
- %ProgramFiles%\s\s.exe
- <SYSTEM32>\windowsinput.installstate
- %TEMP%\og.exe
- <SYSTEM32>\windowsinput.exe.config
- %TEMP%\b2ds25jg.dll
- %TEMP%\res2.tmp
- %TEMP%\csc1.tmp
- %TEMP%\b2ds25jg.out
- %TEMP%\b2ds25jg.cmdline
- %TEMP%\b2ds25jg.0.cs
- %TEMP%\zxopg9caxi6a3rh8fjrg3ztcvonqoyui..exe
- %TEMP%\xgcxxdowaeveabqhn9cscp8oreinfvif..exe
- %TEMP%\munynaydanrzmn1xixda1kpfnkn8ddme..exe
- <SYSTEM32>\windowsinput.exe
- %APPDATA%\subdir\s.exe
Sets the 'hidden' attribute to the following files
- %ProgramFiles%\s\s.exe
- %APPDATA%\subdir\s.exe
Deletes the following files
- %TEMP%\res2.tmp
- %TEMP%\csc1.tmp
- %TEMP%\b2ds25jg.cmdline
- %TEMP%\b2ds25jg.0.cs
- %TEMP%\b2ds25jg.out
- %TEMP%\b2ds25jg.dll
- %TEMP%\res4.tmp
- %TEMP%\csc3.tmp
- %TEMP%\yna3yig1.dll
- %TEMP%\yna3yig1.0.cs
- %TEMP%\yna3yig1.cmdline
- %TEMP%\yna3yig1.out
- %TEMP%\og.exe
Substitutes the following files
- %TEMP%\og.exe
Network activity
UDP
- DNS ASK ip##pi.com
- DNS ASK pt###p.mypi.co
- DNS ASK fr###eoip.net
- DNS ASK my######tblock.001www.com
- DNS ASK ap#.#pify.org
Miscellaneous
Creates and executes the following
- '%TEMP%\4swnr7bawirhmhachask78mxow751q5x..exe'
- '%TEMP%\munynaydanrzmn1xixda1kpfnkn8ddme..exe'
- '%TEMP%\xgcxxdowaeveabqhn9cscp8oreinfvif..exe'
- '%TEMP%\zxopg9caxi6a3rh8fjrg3ztcvonqoyui..exe'
- '<SYSTEM32>\windowsinput.exe' --install
- '<SYSTEM32>\windowsinput.exe'
- '%ProgramFiles%\s\s.exe'
- '%APPDATA%\subdir\s.exe'
- '%WINDIR%\microsoft.net\framework\v4.0.30319\csc.exe' /noconfig /fullpaths @"%TEMP%\b2ds25jg.cmdline" (with hidden window)
- '%WINDIR%\microsoft.net\framework\v4.0.30319\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES2.tmp" "%TEMP%\CSC1.tmp" (with hidden window)
- '%WINDIR%\microsoft.net\framework\v4.0.30319\csc.exe' /noconfig /fullpaths @"%TEMP%\yna3yig1.cmdline" (with hidden window)
- '%WINDIR%\microsoft.net\framework\v4.0.30319\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES4.tmp" "%TEMP%\CSC3.tmp" (with hidden window)
Executes the following
- '%WINDIR%\microsoft.net\framework\v4.0.30319\csc.exe' /noconfig /fullpaths @"%TEMP%\b2ds25jg.cmdline"
- '%WINDIR%\microsoft.net\framework\v4.0.30319\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES2.tmp" "%TEMP%\CSC1.tmp"
- '%WINDIR%\microsoft.net\framework\v4.0.30319\csc.exe' /noconfig /fullpaths @"%TEMP%\yna3yig1.cmdline"
- '%WINDIR%\microsoft.net\framework\v4.0.30319\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES4.tmp" "%TEMP%\CSC3.tmp"
- '<SYSTEM32>\schtasks.exe' /create /tn "w" /sc ONLOGON /tr "%TEMP%\MUNYNAYDANRZMN1XIXDA1KPFNKN8DDME..EXE" /rl HIGHEST /f