Technical Information
To ensure autorun and distribution
Creates or modifies the following files
- %WINDIR%\tasks\cert.pfx
Modifies file system
Creates the following files
- %APPDATA%\microsoft\crypto\rsa\s-1-5-21-1960123792-2022915161-3775307078-1001\a70f233b2975a6fd01b1823d17b37efd_36d1130a-ac2e-44f7-9dc1-e424fbcbe0ee
- %APPDATA%\microsoft\systemcertificates\request\certificates\1e864e2cc79f07ec876d7824cc5a659165d59237
- %APPDATA%\microsoft\systemcertificates\my\certificates\cdb16971cee0d9595ad3c612ed9c9aefebae0157
- %APPDATA%\microsoft\systemcertificates\my\keys\5cc132adfed9d44045f05355d89f6afebf4b535d
- %APPDATA%\microsoft\crypto\rsa\s-1-5-21-1960123792-2022915161-3775307078-1001\a9ce25ea54c57d715cf5cf03fafa2df7_36d1130a-ac2e-44f7-9dc1-e424fbcbe0ee
Deletes the following files
- %APPDATA%\microsoft\systemcertificates\request\certificates\1e864e2cc79f07ec876d7824cc5a659165d59237
Network activity
TCP
HTTP GET requests
- http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt
UDP
- DNS ASK microsoft.com
Miscellaneous
Executes the following
- '<SYSTEM32>\certutil.exe' -store -user MY __JSRat_Trusted_Root
- '<SYSTEM32>\certutil.exe' -exportPFX -p password -user My 24d9fbafd048f78443e20a25e2b7a8bb %WINDIR%\Tasks\cert.pfx
- '<SYSTEM32>\certutil.exe' -f -p password -user -importpfx %WINDIR%\Tasks\cert.pfx
- '<SYSTEM32>\certutil.exe' -store -user MY __eetbus_Trusted_Root
