Technical Information
To ensure autorun and distribution
Sets the following service settings
- [<HKLM>\System\CurrentControlSet\Services\IKEEXT] 'Start' = '00000002'
Creates the following files on removable media
- <Drive name for removable media>:\tileimage.bmp.[rucetsus@gmail.com][mj-au3146295087].cracker
- <Drive name for removable media>:\adadsi.html.[rucetsus@gmail.com][mj-au3146295087].cracker
- <Drive name for removable media>:\tree_view.html.[rucetsus@gmail.com][mj-au3146295087].cracker
- <Drive name for removable media>:\about.html.[rucetsus@gmail.com][mj-au3146295087].cracker
- <Drive name for removable media>:\ituneshelpunavailable.html.[rucetsus@gmail.com][mj-au3146295087].cracker
- <Drive name for removable media>:\1189.jpeg.[rucetsus@gmail.com][mj-au3146295087].cracker
- <Drive name for removable media>:\210252809.jpeg.[rucetsus@gmail.com][mj-au3146295087].cracker
- <Drive name for removable media>:\3.jpg.[rucetsus@gmail.com][mj-au3146295087].cracker
- <Drive name for removable media>:\1189.jpg.[rucetsus@gmail.com][mj-au3146295087].cracker
- <Drive name for removable media>:\parnas_01.jpg.[rucetsus@gmail.com][mj-au3146295087].cracker
- <Drive name for removable media>:\split.avi.[rucetsus@gmail.com][mj-au3146295087].cracker
- <Drive name for removable media>:\delete.avi.[rucetsus@gmail.com][mj-au3146295087].cracker
- <Drive name for removable media>:\read-this.txt
- <Drive name for removable media>:\000814251_video_01.avi.[rucetsus@gmail.com][mj-au3146295087].cracker
- <Drive name for removable media>:\correct.avi.[rucetsus@gmail.com][mj-au3146295087].cracker
- <Drive name for removable media>:\alert.html.[rucetsus@gmail.com][mj-au3146295087].cracker
- <Drive name for removable media>:\168.jpeg.[rucetsus@gmail.com][mj-au3146295087].cracker
- <Drive name for removable media>:\tree_view.htm.[rucetsus@gmail.com][mj-au3146295087].cracker
- <Drive name for removable media>:\testee.cer.[rucetsus@gmail.com][mj-au3146295087].cracker
- <Drive name for removable media>:\coffee.bmp.[rucetsus@gmail.com][mj-au3146295087].cracker
- <Drive name for removable media>:\dashborder_144.bmp.[rucetsus@gmail.com][mj-au3146295087].cracker
- <Drive name for removable media>:\contosoroot_1.cer.[rucetsus@gmail.com][mj-au3146295087].cracker
- <Drive name for removable media>:\sdksampleprivdeveloper.cer.[rucetsus@gmail.com][mj-au3146295087].cracker
- <Drive name for removable media>:\contoso_1.cer.[rucetsus@gmail.com][mj-au3146295087].cracker
- <Drive name for removable media>:\sdksampleunprivdeveloper.cer.[rucetsus@gmail.com][mj-au3146295087].cracker
- <Drive name for removable media>:\contoso.cer.[rucetsus@gmail.com][mj-au3146295087].cracker
- <Drive name for removable media>:\trivial-merge.htm.[rucetsus@gmail.com][mj-au3146295087].cracker
- <Drive name for removable media>:\testcertificate.cer.[rucetsus@gmail.com][mj-au3146295087].cracker
- <Drive name for removable media>:\file_p_00000000_1371597592.docx.[rucetsus@gmail.com][mj-au3146295087].cracker
- <Drive name for removable media>:\notepad.exe.[rucetsus@gmail.com][mj-au3146295087].cracker
- <Drive name for removable media>:\calc.exe.[rucetsus@gmail.com][mj-au3146295087].cracker
- <Drive name for removable media>:\browse.htm.[rucetsus@gmail.com][mj-au3146295087].cracker
- <Drive name for removable media>:\garden.htm.[rucetsus@gmail.com][mj-au3146295087].cracker
- <Drive name for removable media>:\alert.htm.[rucetsus@gmail.com][mj-au3146295087].cracker
- <Drive name for removable media>:\archer.avi.[rucetsus@gmail.com][mj-au3146295087].cracker
Malicious functions
Executes the following
- '%WINDIR%\syswow64\net.exe' stop MSDTC
- '%WINDIR%\syswow64\net.exe' stop SQLSERVERAGENT
- '%WINDIR%\syswow64\net.exe' stop MSSQLSERVER
- '%WINDIR%\syswow64\net.exe' stop vds
- '%WINDIR%\syswow64\netsh.exe' firewall set opmode mode=disable
- '%WINDIR%\syswow64\net.exe' stop SQLWriter
- '%WINDIR%\syswow64\net.exe' stop SQLBrowser
- '%WINDIR%\syswow64\net.exe' stop MSSQL$CONTOSO1
Modifies file system
Creates the following files
- %ALLUSERSPROFILE%\microsoft\windows\start menu\programs\startup\<File name>.exe
- C:\far2\file_id.diz.[rucetsus@gmail.com][mj-au3146295087].cracker
- C:\far2\farspa.lng.[rucetsus@gmail.com][mj-au3146295087].cracker
- C:\far2\farrus.lng.[rucetsus@gmail.com][mj-au3146295087].cracker
- C:\far2\farpol.lng.[rucetsus@gmail.com][mj-au3146295087].cracker
- C:\far2\farhun.lng.[rucetsus@gmail.com][mj-au3146295087].cracker
- C:\far2\farger.lng.[rucetsus@gmail.com][mj-au3146295087].cracker
- C:\far2\farrus.hlf.[rucetsus@gmail.com][mj-au3146295087].cracker
- C:\far2\fareng.lng.[rucetsus@gmail.com][mj-au3146295087].cracker
- C:\far2\farhun.hlf.[rucetsus@gmail.com][mj-au3146295087].cracker
- D:\read-this.txt
- C:\far2\fareng.hlf.[rucetsus@gmail.com][mj-au3146295087].cracker
- C:\far2\farcze.lng.[rucetsus@gmail.com][mj-au3146295087].cracker
- C:\far2\restoresettings.cmd.[rucetsus@gmail.com][mj-au3146295087].cracker
- C:\far2\far.map.[rucetsus@gmail.com][mj-au3146295087].cracker
- C:\far2\changelog.[rucetsus@gmail.com][mj-au3146295087].cracker
- C:\far2\clearpluginscache.cmd.[rucetsus@gmail.com][mj-au3146295087].cracker
- D:\$recycle.bin\s-1-5-21-1960123792-2022915161-3775307078-1001\desktop.ini.[rucetsus@gmail.com][mj-au3146295087].cracker
- D:\install.log.[rucetsus@gmail.com][mj-au3146295087].cracker
- C:\$recycle.bin\s-1-5-21-1960123792-2022915161-3775307078-1001\desktop.ini.[rucetsus@gmail.com][mj-au3146295087].cracker
- C:\read-this.txt
- %ALLUSERSPROFILE%\prvkey.txt.key
- %ALLUSERSPROFILE%\prvkey.txt
- %WINDIR%\temp\tar8c96.tmp
- %WINDIR%\temp\cab8c95.tmp
- %ALLUSERSPROFILE%\pkey.txt
- %ALLUSERSPROFILE%\idk.txt
- C:\far2\changelog_eng.[rucetsus@gmail.com][mj-au3146295087].cracker
- C:\far2\savesettings.cmd.[rucetsus@gmail.com][mj-au3146295087].cracker
Deletes the following files
- %WINDIR%\temp\cab8c95.tmp
- %WINDIR%\temp\tar8c96.tmp
Modifies the following files
- D:\install.log
- C:\far2\farhun.lng
- C:\far2\farrus.hlf
- C:\far2\farger.lng
- <Drive name for removable media>:\tree_view.htm
- <Drive name for removable media>:\alert.htm
- <Drive name for removable media>:\trivial-merge.htm
- <Drive name for removable media>:\garden.htm
- <Drive name for removable media>:\browse.htm
- <Drive name for removable media>:\file_p_00000000_1371597592.docx
- <Drive name for removable media>:\testcertificate.cer
- <Drive name for removable media>:\contoso.cer
- <Drive name for removable media>:\testee.cer
- <Drive name for removable media>:\sdksampleunprivdeveloper.cer
- <Drive name for removable media>:\contoso_1.cer
- <Drive name for removable media>:\sdksampleprivdeveloper.cer
- <Drive name for removable media>:\contosoroot_1.cer
- <Drive name for removable media>:\dashborder_144.bmp
- <Drive name for removable media>:\coffee.bmp
- <Drive name for removable media>:\tileimage.bmp
- C:\far2\fareng.lng
- C:\far2\farhun.hlf
- C:\far2\fareng.hlf
- C:\far2\far.map
- C:\far2\farcze.lng
- C:\far2\changelog
- C:\far2\changelog_eng
- C:\far2\clearpluginscache.cmd
- C:\far2\farpol.lng
- C:\far2\farrus.lng
Modifies multiple files.
Modifies user data files (Trojan.Encoder).
Network activity
Connects to
- 'localhost':49177
- 'localhost':49179
- 'ap#.#y-ip.io':443
- 'x1.#.lencr.org':80
- 'r3.#.lencr.org':80
- 'microsoft.com':80
TCP
HTTP GET requests
- http://x1.#.lencr.org/
- http://r3.#.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRI2smg%2ByvTLU%2Fw3mjS9We3NfmzxAQUFC6zF7dYVsuuUAlA5h%2BvnYsUwsYCEgQ%2BC%2FZCAPf9%2FYYEZIAfOoPZOw%3D%3D
- http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt
Other
- 'localhost':49177
- 'localhost':49179
- 'localhost':49180
- 'ap#.#y-ip.io':443
UDP
- DNS ASK ap#.#y-ip.io
- DNS ASK x1.#.lencr.org
- DNS ASK r3.#.lencr.org
- DNS ASK microsoft.com
Miscellaneous
Executes the following
- '%WINDIR%\syswow64\cmd.exe' /c net stop MSDTC
- '%WINDIR%\syswow64\net1.exe' stop SQLBrowser
- '%WINDIR%\syswow64\cmd.exe' /c net stop SQLBrowser
- '%WINDIR%\syswow64\net1.exe' stop SQLWriter
- '%WINDIR%\syswow64\cmd.exe' /c net stop SQLWriter
- '%WINDIR%\syswow64\cmd.exe' /c netsh firewall set opmode mode=disable
- '%WINDIR%\syswow64\netsh.exe' advfirewall set currentprofile state off
- '%WINDIR%\syswow64\cmd.exe' /c netsh advfirewall set currentprofile state off
- '%WINDIR%\syswow64\net1.exe' stop vds
- '%WINDIR%\syswow64\cmd.exe' /c net stop vds
- '%WINDIR%\syswow64\net1.exe' stop MSSQLSERVER
- '%WINDIR%\syswow64\cmd.exe' /c net stop MSSQLSERVER
- '%WINDIR%\syswow64\net1.exe' stop SQLSERVERAGENT
- '%WINDIR%\syswow64\cmd.exe' /c net stop SQLSERVERAGENT
- '%WINDIR%\syswow64\cmd.exe' /c wbadmin delete catalog -quiet
- '%WINDIR%\syswow64\cmd.exe' /c bcdedit /set {default} recoveryenabled no
- '%WINDIR%\syswow64\cmd.exe' /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
- '%WINDIR%\syswow64\net1.exe' stop MSDTC
- '%WINDIR%\syswow64\cmd.exe' /c net stop MSSQL$CONTOSO1
- '%WINDIR%\syswow64\net1.exe' stop MSSQL$CONTOSO1