Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Adobe Flash Player Update' = '<SYSTEM32>\Restore\svchost.exe'
Substitutes the following executable system files:
- <SYSTEM32>\dllcache\ctfmon.exe with <SYSTEM32>\dllcache\ctfmon.exe.new
- <SYSTEM32>\ctfmon.exe with <SYSTEM32>\ctfmon.exe.new
Malicious functions:
Creates and executes the following:
- %ALLUSERSPROFILE%\install.res.exe A:\
- %ALLUSERSPROFILE%\install.res.exe E:\
- <SYSTEM32>\Restore\svchost.exe
- %TEMP%\zEigsCzucMUVAd\_apc\ResHacker.exe -add to.exe, result.exe, _icons\icons.res, icongroup,,
- <SYSTEM32>\CatRoot2\smss.exe
- %TEMP%\zEigsCzucMUVAd\_apc\ResHacker.exe -extract from.exe, _icons\icons.rc, icongroup,,
- %TEMP%\zEigsCzucMUVAd\_apc\porc.exe _icons\icons.rc
Modifies file system:
Creates the following files:
- %TEMP%\r96p29
- <SYSTEM32>\Restore\svchost.exe
- %TEMP%\dhh3tm
- %TEMP%\ArzPjqUGpgJazJ\_apc\diff.json
- %TEMP%\UzUgiPPemwQAIP\_apc\diff.json
- %TEMP%\zEigsCzucMUVAd\_icons\icons.res
- %TEMP%\zEigsCzucMUVAd\_icons\Icon_1.ico
- %TEMP%\zEigsCzucMUVAd\result.exe
- <SYSTEM32>\ctfmon.exe
- %ALLUSERSPROFILE%\install.res.exe
- %TEMP%\ArzPjqUGpgJazJ\_apc\porc.dll
- %TEMP%\UzUgiPPemwQAIP\_apc\ResHacker.exe
- %TEMP%\ArzPjqUGpgJazJ\_apc\porc.exe
- %TEMP%\ArzPjqUGpgJazJ\_apc\ResHacker.exe
- %TEMP%\ArzPjqUGpgJazJ\_apc\redirector_win.exe
- %TEMP%\ArzPjqUGpgJazJ\_apc\hello.exe
- %TEMP%\UzUgiPPemwQAIP\_apc\hello.exe
- %TEMP%\UzUgiPPemwQAIP\_apc\porc.dll
- %TEMP%\UzUgiPPemwQAIP\_apc\redirector_win.exe
- %TEMP%\UzUgiPPemwQAIP\_apc\porc.exe
- %TEMP%\zEigsCzucMUVAd\_icons\icons.rc
- %TEMP%\zEigsCzucMUVAd\_apc\ResHacker.exe
- %TEMP%\zEigsCzucMUVAd\_apc\redirector_win.exe
- %ALLUSERSPROFILE%:mate
- %ALLUSERSPROFILE%\Start Menu\wrt0089.exe
- %ALLUSERSPROFILE%\Favorites\wrt0083.exe
- %TEMP%\zEigsCzucMUVAd\_apc\diff.json
- %TEMP%\2gie_n
- %TEMP%\zEigsCzucMUVAd\_apc\hello.exe
- %TEMP%\zEigsCzucMUVAd\_apc\porc.exe
- %TEMP%\zEigsCzucMUVAd\_apc\porc.dll
- %TEMP%\zEigsCzucMUVAd\to.exe
- <SYSTEM32>\CatRoot2\smss.exe
- %TEMP%\zEigsCzucMUVAd\from.exe
- %TEMP%\zEigsCzucMUVAd\_apc\ResHacker.ini
- %TEMP%\zEigsCzucMUVAd\_apc\ResHacker.log
- %ALLUSERSPROFILE%\Documents\Backup_rev_1.exe
- %ALLUSERSPROFILE%\DRM\redist.exe
- %ALLUSERSPROFILE%\Application Data\install.res.286.exe
- %ALLUSERSPROFILE%:check
- %ALLUSERSPROFILE%\Templates\install.res.339.exe
Deletes the following files:
- %TEMP%\zEigsCzucMUVAd\_apc\redirector_win.exe
- %TEMP%\zEigsCzucMUVAd\_apc\ResHacker.exe
- %TEMP%\zEigsCzucMUVAd\_apc\porc.dll
- %TEMP%\zEigsCzucMUVAd\_apc\porc.exe
- %TEMP%\r96p29
- %TEMP%\dhh3tm
- %TEMP%\zEigsCzucMUVAd\_apc\ResHacker.ini
- %TEMP%\zEigsCzucMUVAd\_apc\ResHacker.log
- %TEMP%\zEigsCzucMUVAd\_apc\hello.exe
- %TEMP%\zEigsCzucMUVAd\_icons\icons.res
- %TEMP%\zEigsCzucMUVAd\_icons\Icon_1.ico
- %TEMP%\2gie_n
- %TEMP%\zEigsCzucMUVAd\_icons\icons.rc
- %TEMP%\zEigsCzucMUVAd\result.exe
- %TEMP%\zEigsCzucMUVAd\_apc\diff.json
- %TEMP%\zEigsCzucMUVAd\from.exe
- %TEMP%\zEigsCzucMUVAd\to.exe
Moves the following system files:
- from <SYSTEM32>\ctfmon.exe to <SYSTEM32>\system32\ctfmon.exe
Moves the following files:
- from <SYSTEM32>\ctfmon.exe.new to <SYSTEM32>\ctfmon.exe
- from %TEMP%\zEigsCzucMUVAd\result.exe to <SYSTEM32>\ctfmon.exe
Miscellaneous:
Searches for the following windows:
- ClassName: 'Indicator' WindowName: ''
- ClassName: 'MS_WINHELP' WindowName: ''