Technical Information
To ensure autorun and distribution
Creates the following services
- [<HKLM>\System\CurrentControlSet\Services\SysMain] 'Start' = '00000002'
Malicious functions
To complicate detection of its presence in the operating system,
deletes volume shadow copies.
Modifies file system
Creates the following files
- %TEMP%\ixp000.tmp\cate.ps1
- %TEMP%\f3fmqks5.0.cs
- %TEMP%\zrmjcebsay\contig.zip
- %TEMP%\60cw5a3t.dll
- %TEMP%\res2fdd.tmp
- %TEMP%\csc2fdc.tmp
- %TEMP%\60cw5a3t.out
- %TEMP%\60cw5a3t.cmdline
- %TEMP%\60cw5a3t.0.cs
- %TEMP%\jwgiyxpgml\devnodeclean.zip
- %TEMP%\f3fmqks5.cmdline
- %TEMP%\ixp000.tmp\psversion.txt
- %TEMP%\ixp000.tmp\tweakntfs.ps1
- %TEMP%\ixp000.tmp\tweakmemtcp.ps1
- %TEMP%\ixp000.tmp\tosc.ps1
- %TEMP%\ixp000.tmp\rundevnodeclean.ps1
- %TEMP%\ixp000.tmp\owtas.ps1
- %TEMP%\ixp000.tmp\ovss.ps1
- %TEMP%\ixp000.tmp\optimize.cmd
- %TEMP%\ixp000.tmp\mma-appx-etc.ps1
- %TEMP%\ixp000.tmp\getredists.ps1
- %TEMP%\ixp000.tmp\wt_removeghosts.ps1
- %TEMP%\f3fmqks5.out
Deletes the following files
- %TEMP%\ixp000.tmp\psversion.txt
- %TEMP%\ixp000.tmp\tosc.ps1
- %TEMP%\ixp000.tmp\cate.ps1
- %TEMP%\f3fmqks5.out
- %TEMP%\f3fmqks5.0.cs
- %TEMP%\f3fmqks5.cmdline
- %TEMP%\ixp000.tmp\ovss.ps1
- %TEMP%\ixp000.tmp\owtas.ps1
- %TEMP%\ixp000.tmp\tweakntfs.ps1
- %TEMP%\ixp000.tmp\wt_removeghosts.ps1
- %TEMP%\ixp000.tmp\optimize.cmd
- %TEMP%\60cw5a3t.out
- %TEMP%\60cw5a3t.cmdline
- %TEMP%\60cw5a3t.0.cs
- %TEMP%\60cw5a3t.dll
- %TEMP%\csc2fdc.tmp
- %TEMP%\res2fdd.tmp
- %TEMP%\ixp000.tmp\rundevnodeclean.ps1
- %TEMP%\jwgiyxpgml\devnodeclean.zip
- %TEMP%\ixp000.tmp\tweakmemtcp.ps1
- %TEMP%\ixp000.tmp\mma-appx-etc.ps1
- %TEMP%\60cw5a3t.pdb
- %TEMP%\ixp000.tmp\getredists.ps1
Network activity
TCP
- 'download.microsoft.com':443
- 'do######.sysinternals.com':443
UDP
- DNS ASK download.microsoft.com
- DNS ASK do######.sysinternals.com
Miscellaneous
Creates and executes the following
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\60cw5a3t.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES2FDD.tmp" "%TEMP%\CSC2FDC.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\f3fmqks5.cmdline"' (with hidden window)
Executes the following
- '<SYSTEM32>\cmd.exe' /c %TEMP%\IXP000.TMP\Optimize.CMD -KEEPSHARECACHING
- '<SYSTEM32>\vssadmin.exe' list volumes
- '<SYSTEM32>\svchost.exe' -k swprv
- '<SYSTEM32>\vssvc.exe'
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NoProfile -InputFormat None -ExecutionPolicy Bypass -Command "iex .\OVSS.ps1"
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NoProfile -InputFormat None -ExecutionPolicy Bypass -Command "iex .\OWTAS.ps1"
- '<SYSTEM32>\fsutil.exe' behavior set DisableDeleteNotify 0
- '<SYSTEM32>\fsutil.exe' behavior set DisableLastAccess 1
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NoProfile -InputFormat None -ExecutionPolicy Bypass -Command "iex .\CATE.ps1"
- '<SYSTEM32>\fsutil.exe' 8dot3name set 1
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES2FDD.tmp" "%TEMP%\CSC2FDC.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\60cw5a3t.cmdline"
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NoProfile -InputFormat None -ExecutionPolicy Bypass -Command "iex .\wt_removeGhosts.ps1"
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NoProfile -InputFormat None -ExecutionPolicy Bypass -Command "iex .\RunDevNodeClean.ps1"
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NoProfile -InputFormat None -ExecutionPolicy Bypass -Command "iex .\TweakMemTCP.ps1"
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NoProfile -InputFormat None -ExecutionPolicy Bypass -Command "iex .\mma-appx-etc.ps1"
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -Command "[string]$PSVersionTable.PSVersion.Major + '.' + [string]$PSVersionTable.PSVersion.Minor"
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NoProfile -InputFormat None -ExecutionPolicy Bypass -Command "iex .\TweakNTFS.ps1"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\f3fmqks5.cmdline"
