Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'Kaseya Agent Service Helper' = '%PROGRAM_FILES%\Kaseya\Agent\KaUsrTsk.exe'
Creates the following services:
- [<HKLM>\SYSTEM\ControlSet001\Services\KaseyaAgent] 'Start' = '00000002'
- [<HKLM>\SYSTEM\ControlSet001\Services\KaseyaAgent] 'ImagePath' = '%PROGRAM_FILES%\Kaseya\Agent\AgentMon.exe'
Malicious functions:
Creates and executes the following:
- %PROGRAM_FILES%\Kaseya\Agent\AgentMon.exe
- %PROGRAM_FILES%\Kaseya\Agent\KaUsrTsk.exe
- %CommonProgramFiles%\InstallShield\Engine\6\Intel 32\IKernel.exe /REGSERVER -Embedding -RegServer
Modifies file system :
Creates the following files:
- %PROGRAM_FILES%\InstallShield Installation Information\{48C76121-4F90-11D5-9884-0050BA85A903}\Setup.ini
- %PROGRAM_FILES%\InstallShield Installation Information\{48C76121-4F90-11D5-9884-0050BA85A903}\setu5eef.rra
- %PROGRAM_FILES%\InstallShield Installation Information\{48C76121-4F90-11D5-9884-0050BA85A903}\Setu5e81.rra
- %ALLUSERSPROFILE%\Start Menu\Programs\Kaseya\Kaseya Agent.lnk
- %PROGRAM_FILES%\Kaseya\Agent\Agen6b52.rra
- %PROGRAM_FILES%\Kaseya\Agent\KaUs6a2a.rra
- %PROGRAM_FILES%\Kaseya\Agent\KPrt696e.rra
- %TEMP%\pft3.tmp\setup.log
- %TEMP%\{48c76121-4f90-11d5-9884-0050ba85a903}\_IsR384c.rra
- %TEMP%\{48c76121-4f90-11d5-9884-0050ba85a903}\defa3406.rra
- %PROGRAM_FILES%\InstallShield Installation Information\{48C76121-4F90-11D5-9884-0050BA85A903}\layo5d49.rra
- %PROGRAM_FILES%\InstallShield Installation Information\{48C76121-4F90-11D5-9884-0050BA85A903}\Setu5e33.rra
- %PROGRAM_FILES%\InstallShield Installation Information\{48C76121-4F90-11D5-9884-0050BA85A903}\data5d97.rra
- %PROGRAM_FILES%\InstallShield Installation Information\{48C76121-4F90-11D5-9884-0050BA85A903}\data5d78.rra
- <DRIVERS>\KaPF7303.rra
- %PROGRAM_FILES%\Kaseya\Agent\Kase71ea.rra
- %PROGRAM_FILES%\Kaseya\Agent\Kase718c.rra
- <DRIVERS>\Kase7332.rra
- %PROGRAM_FILES%\Kaseya\Agent\KaseyaD.ini
- <DRIVERS>\kase7390.rra
- <DRIVERS>\kapf7361.rra
- %PROGRAM_FILES%\Kaseya\Agent\Psap6df2.rra
- %PROGRAM_FILES%\Kaseya\Agent\spor6d85.rra
- %PROGRAM_FILES%\Kaseya\Agent\kGet6c9b.rra
- %PROGRAM_FILES%\Kaseya\Agent\KEve6e50.rra
- <SYSTEM32>\kase6fc7.rra
- %PROGRAM_FILES%\Kaseya\Agent\KAge6efc.rra
- %PROGRAM_FILES%\Kaseya\Agent\LogP6eae.rra
- %TEMP%\pft3.tmp\Setup.exe
- %TEMP%\pft3.tmp\Setup.bmp
- %TEMP%\pft3.tmp\data1.hdr
- %TEMP%\pft3.tmp\setup.iss
- %TEMP%\pft3.tmp\Setup.ini
- %TEMP%\pft3.tmp\layout.bin
- %TEMP%\pft3.tmp\data2.cab
- %TEMP%\KaseyaD.ini
- %TEMP%\KAgentSilent.exe
- %TEMP%\KASetup.log
- %TEMP%\ext2.tmp
- %TEMP%\pft3.tmp\data1.cab
- %TEMP%\pft3.tmp\pftw1.pkg
- %TEMP%\plf1.tmp
- %TEMP%\{48c76121-4f90-11d5-9884-0050ba85a903}\setu1a16.rra
- %CommonProgramFiles%\InstallShield\IScript\iscrf9cc.rra
- %CommonProgramFiles%\InstallShield\Engine\6\Intel 32\iusef6ee.rra
- %TEMP%\{48c76121-4f90-11d5-9884-0050ba85a903}\KSet2159.rra
- %TEMP%\{48c76121-4f90-11d5-9884-0050ba85a903}\isrt31c4.rra
- %TEMP%\{48c76121-4f90-11d5-9884-0050ba85a903}\valu2d40.rra
- %TEMP%\{48c76121-4f90-11d5-9884-0050ba85a903}\Psap259f.rra
- %TEMP%\IEC4.tmp
- %TEMP%\pft3.tmp\ikernel.ex_
- %TEMP%\pft3.tmp\setup.inx
- %CommonProgramFiles%\InstallShield\Engine\6\Intel 32\temp.000
- %CommonProgramFiles%\InstallShield\Engine\6\Intel 32\objef671.rra
- %CommonProgramFiles%\InstallShield\Engine\6\Intel 32\ctorf3f0.rra
- %CommonProgramFiles%\InstallShield\Engine\6\Intel 32\coref392.rra
Deletes the following files:
- %TEMP%\pft3.tmp\ikernel.ex_
- %TEMP%\pft3.tmp\layout.bin
- %TEMP%\pft3.tmp\Setup.bmp
- %TEMP%\pft3.tmp\data1.cab
- %TEMP%\pft3.tmp\data1.hdr
- %TEMP%\pft3.tmp\data2.cab
- %TEMP%\pft3.tmp\Setup.exe
- %TEMP%\pft3.tmp\setup.log
- %TEMP%\KaseyaD.ini
- %TEMP%\KAgentSilent.exe
- %TEMP%\pft3.tmp\Setup.ini
- %TEMP%\pft3.tmp\setup.inx
- %TEMP%\pft3.tmp\setup.iss
- %TEMP%\plf1.tmp
- %PROGRAM_FILES%\Kaseya\Agent\Psapi.Dll
- <DRIVERS>\kaseyaha64.sys
- <DRIVERS>\kapfa64.sys
- %TEMP%\ext2.tmp
- %TEMP%\pft3.tmp\pftw1.pkg
- %TEMP%\IEC4.tmp
- %TEMP%\{48c76121-4f90-11d5-9884-0050ba85a903}\_IsRes.dll
- %TEMP%\{48c76121-4f90-11d5-9884-0050ba85a903}\Psapi.Dll
- %TEMP%\{48c76121-4f90-11d5-9884-0050ba85a903}\KSetup.dll
- %TEMP%\{48c76121-4f90-11d5-9884-0050ba85a903}\setup.inx
- %TEMP%\{48c76121-4f90-11d5-9884-0050ba85a903}\default.pal
- %TEMP%\{48c76121-4f90-11d5-9884-0050ba85a903}\isrt.dll
- %TEMP%\{48c76121-4f90-11d5-9884-0050ba85a903}\value.shl
