Technical Information
To ensure autorun and distribution:
Creates the following services:
- [<HKLM>\SYSTEM\ControlSet001\Services\tgi] 'Start' = '00000001'
- [<HKLM>\SYSTEM\ControlSet001\Services\ssuf] 'Start' = '00000002'
Malicious functions:
Executes the following:
- '<SYSTEM32>\reg.exe' add "hklm\software\microsoft\windows nt\currentversion\svchost" /v ssuf /t reg_multi_sz /d "ssuf\0" /f
- '<SYSTEM32>\reg.exe' add "hklm\system\currentcontrolset\services\ssuf" /v failureactions /t reg_binary /d 00000000000000000000000003000000140000000100000060ea00000100000060ea00000100000060ea0000 /f
- '<SYSTEM32>\svchost.exe' -k ssuf
- '<SYSTEM32>\sc.exe' start ssuf
- '<SYSTEM32>\reg.exe' add "hklm\system\currentcontrolset\services\ssuf\parameters" /v servicedll /t reg_expand_sz /d "<SYSTEM32>\suf.dll" /f
- '<SYSTEM32>\netsh.exe' firewall add allowedprogram name="suf" program="<SYSTEM32>\svchost.exe" mode=enable
- '<SYSTEM32>\cmd.exe' /c "%TEMP%\\suf.bat"
- '<SYSTEM32>\sc.exe' create "ssuf" type= share start= auto binpath= "<SYSTEM32>\svchost.exe -k ssuf"
- '<SYSTEM32>\netsh.exe' firewall add portopening tcp 8085 suf enable
Modifies file system :
Creates the following files:
- %TEMP%\suf.bat
- <SYSTEM32>\suf.dll
- <DRIVERS>\suf.sys
Network activity:
Connects to:
- '85.##.236.154':80
- 'localhost':8085
TCP:
HTTP GET requests:
- 85.##.236.154/feed/?v=########################