Technical Information
To ensure autorun and distribution
Creates the following services
- [<HKLM>\System\CurrentControlSet\Services\entryprotectdrv] 'Start' = '00000002'
- [<HKLM>\System\CurrentControlSet\Services\entryprotectdrv] 'ImagePath' = '%ProgramFiles(x86)%\SentryBay\EntryProtect\entryprotect.sys'
- [<HKLM>\System\CurrentControlSet\Services\epinject6] 'Start' = '00000001'
- [<HKLM>\System\CurrentControlSet\Services\epinject6] 'ImagePath' = '%ProgramFiles(x86)%\SentryBay\EntryProtect\epinject.sys'
- [<HKLM>\System\CurrentControlSet\Services\epinjectsvc] 'Start' = '00000002'
- [<HKLM>\System\CurrentControlSet\Services\epinjectsvc] 'ImagePath' = '%ProgramFiles(x86)%\SentryBay\EntryProtect\inject.exe'
Malicious functions
Creates and loads libraries (exploit)
- %ProgramFiles(x86)%\sentrybay\entryprotect\epclient64.dll
Injects code into
the following system processes:
- <SYSTEM32>\wbem\wmiprvse.exe
- <SYSTEM32>\svchost.exe
- <SYSTEM32>\wudfhost.exe
- <SYSTEM32>\taskhost.exe
- <SYSTEM32>\spoolsv.exe
- %WINDIR%\explorer.exe
- <SYSTEM32>\dwm.exe
- <SYSTEM32>\lsm.exe
- <SYSTEM32>\lsass.exe
- <SYSTEM32>\services.exe
- <SYSTEM32>\winlogon.exe
- <SYSTEM32>\csrss.exe
- <SYSTEM32>\wininit.exe
the following user processes:
- iexplore.exe
- firefox.exe
Reads files which store third party applications passwords
- %HOMEPATH%\desktop\dashborder_192.bmp
Modifies file system
Creates the following files
- %TEMP%\tmpe96c.exe
- %ProgramFiles(x86)%\sentrybay\entryprotect\uninstall_.exe
- %WINDIR%\temp\uddf40c.tmp
- %WINDIR%\temp\uddf294.tmp
- <SYSTEM32>\catroot\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\epinject.cat
- %ProgramFiles(x86)%\sentrybay\entryprotect\inject.exe
- %ProgramFiles(x86)%\sentrybay\entryprotect\epinject.cat.6.4.0.11671.new
- %ProgramFiles(x86)%\sentrybay\entryprotect\epinject.sys.6.4.0.11671.new
- <SYSTEM32>\catroot\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\1.cat
- %TEMP%\nskeb72.tmp\service.dll
- %ProgramFiles(x86)%\sentrybay\entryprotect\entryprotect.cat.6.4.0.11671.new
- %ProgramFiles(x86)%\sentrybay\entryprotect\entryprotect.sys.6.4.0.11671.new
- %ProgramFiles(x86)%\sentrybay\entryprotect\epclient64.dll.6.4.0.11671.new
- %ProgramFiles(x86)%\sentrybay\entryprotect\epclient32.dll.6.4.0.11671.new
- %TEMP%\nskeb72.tmp\system.dll
- %TEMP%\nsueb61.tmp
- %ProgramFiles(x86)%\sentrybay\entryprotect\install.log
- %ProgramFiles(x86)%\sentrybay\entryprotect\uninstall.exe
Sets the 'hidden' attribute to the following files
- <SYSTEM32>\catroot\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\1.cat
- <SYSTEM32>\catroot\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\epinject.cat
Deletes the following files
- %WINDIR%\temp\uddf294.tmp
- %WINDIR%\temp\uddf40c.tmp
- %TEMP%\nskeb72.tmp\service.dll
- %TEMP%\nskeb72.tmp\system.dll
- %TEMP%\tmpe96c.exe
Moves the following files
- from %ProgramFiles(x86)%\sentrybay\entryprotect\epclient32.dll.6.4.0.11671.new to %ProgramFiles(x86)%\sentrybay\entryprotect\epclient32.dll
- from %ProgramFiles(x86)%\sentrybay\entryprotect\epclient64.dll.6.4.0.11671.new to %ProgramFiles(x86)%\sentrybay\entryprotect\epclient64.dll
- from %ProgramFiles(x86)%\sentrybay\entryprotect\entryprotect.sys.6.4.0.11671.new to %ProgramFiles(x86)%\sentrybay\entryprotect\entryprotect.sys
- from %ProgramFiles(x86)%\sentrybay\entryprotect\entryprotect.cat.6.4.0.11671.new to %ProgramFiles(x86)%\sentrybay\entryprotect\entryprotect.cat
- from %ProgramFiles(x86)%\sentrybay\entryprotect\epinject.sys.6.4.0.11671.new to %ProgramFiles(x86)%\sentrybay\entryprotect\epinject.sys
- from %ProgramFiles(x86)%\sentrybay\entryprotect\epinject.cat.6.4.0.11671.new to %ProgramFiles(x86)%\sentrybay\entryprotect\epinject.cat
Miscellaneous
Creates and executes the following
- '%TEMP%\tmpe96c.exe' "/installdir="%ProgramFiles(x86)%\SentryBay\EntryProtect""
- '%ProgramFiles(x86)%\sentrybay\entryprotect\inject.exe' install "%ProgramFiles(x86)%\SentryBay\EntryProtect\epinject.sys" "%ProgramFiles(x86)%\SentryBay\EntryProtect\epinject.cat"
- '%ProgramFiles(x86)%\sentrybay\entryprotect\inject.exe' inject "%ProgramFiles(x86)%\SentryBay\EntryProtect\epclient32.dll" "%ProgramFiles(x86)%\SentryBay\EntryProtect\epclient64.dll"
