Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] '08f4dc96bbb7af09d1a37fe35c75a42f' = '"%TEMP%\explorer.exe" ..'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] '08f4dc96bbb7af09d1a37fe35c75a42f' = '"%TEMP%\explorer.exe" ..'
Creates or modifies the following files:
- %HOMEPATH%\Start Menu\Programs\Startup\08f4dc96bbb7af09d1a37fe35c75a42f.exe
- %HOMEPATH%\Start Menu\Programs\Startup\svchost.exe
Creates the following files on removable media:
- <Drive name for removable media>:\Bloc-notes.exe.lnk
- <Drive name for removable media>:\RCX5.tmp
- <Drive name for removable media>:\08f4dc96bbb7af09d1a37fe35c75a42f_backup.exe
- <Drive name for removable media>:\08f4dc96bbb7af09d1a37fe35c75a42f.exe
- <Drive name for removable media>:\Bloc-notes.exe
Malicious functions:
To bypass firewall, removes or modifies the following registry keys:
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%TEMP%\explorer.exe' = '%TEMP%\explorer.exe:*:Enabled:explorer.exe'
Creates and executes the following:
- '%TEMP%\explorer.exe'
- '%TEMP%\svchost.exe'
- '%TEMP%\08f4dc96bbb7af09d1a37fe35c75a42f.exe'
Executes the following:
- '%WINDIR%\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\obskkcht.cmdline"
- '%WINDIR%\Microsoft.NET\Framework\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES4.tmp" "%TEMP%\vbc3.tmp"
- '<SYSTEM32>\netsh.exe' firewall add allowedprogram "%TEMP%\explorer.exe" "explorer.exe" ENABLE
- '%WINDIR%\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /noconfig @"%TEMP%\jfxsv-z3.cmdline"
- '%WINDIR%\Microsoft.NET\Framework\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES2.tmp" "%TEMP%\vbc1.tmp"
Modifies file system :
Creates the following files:
- %TEMP%\eFvTCC.resources
- %TEMP%\whatdafock.txt
- %TEMP%\swAxb.resources
- %WINDIR%\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.new
- %TEMP%\jfxsv-z3.exe
- %TEMP%\obskkcht.0.vb
- %TEMP%\RES4.tmp
- %TEMP%\windowsupdate.ico
- %TEMP%\vbc3.tmp
- %TEMP%\obskkcht.cmdline
- %TEMP%\obskkcht.out
- %TEMP%\RES2.tmp
- %TEMP%\Mz686818.resources
- %TEMP%\MSNPSharp.dll
- %TEMP%\svchost.exe
- %TEMP%\Jx.resources
- %TEMP%\08f4dc96bbb7af09d1a37fe35c75a42f.exe
- %TEMP%\jfxsv-z3.0.vb
- %TEMP%\vbc1.tmp
- %WINDIR%\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.new
- %TEMP%\explorer.exe
- %TEMP%\jfxsv-z3.cmdline
- %TEMP%\jfxsv-z3.out
Sets the 'hidden' attribute to the following files:
- <Drive name for removable media>:\Bloc-notes.exe
- <Drive name for removable media>:\08f4dc96bbb7af09d1a37fe35c75a42f.exe
Deletes the following files:
- %TEMP%\obskkcht.0.vb
- %TEMP%\swAxb.resources
- %TEMP%\obskkcht.cmdline
- %TEMP%\obskkcht.out
- %TEMP%\windowsupdate.ico
- <Drive name for removable media>:\08f4dc96bbb7af09d1a37fe35c75a42f.exe
- %TEMP%\eFvTCC.resources
- <Drive name for removable media>:\08f4dc96bbb7af09d1a37fe35c75a42f_backup.exe
- %TEMP%\jfxsv-z3.out
- %TEMP%\jfxsv-z3.cmdline
- %TEMP%\RES2.tmp
- %TEMP%\vbc1.tmp
- %TEMP%\RES4.tmp
- %TEMP%\vbc3.tmp
- %TEMP%\jfxsv-z3.exe
- %TEMP%\jfxsv-z3.0.vb
Moves the following files:
- from %WINDIR%\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.new to %WINDIR%\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch
- from %WINDIR%\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.new to %WINDIR%\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch
Network activity:
Connects to:
- 'su####.no-ip.org':7711
- '17#.#3.169.14':80
UDP:
- DNS ASK su####.no-ip.org
Miscellaneous:
Searches for the following windows:
- ClassName: 'Indicator' WindowName: '(null)'