Technical Information
Malicious functions
Creates and executes the following
- '' (downloaded from the Internet)
Creates and executes the following (exploit)
- 'C:\users\public\vbc.exe'
Injects code into
the following system processes:
- %WINDIR%\syswow64\cmd.exe
Searches for registry branches where third party applications store passwords
- [<HKCU>\Software\LinasFTP\Site Manager]
- [<HKCU>\Software\FlashPeak\BlazeFtp\Settings]
- [<HKCU>\Software\Ghisler\Total Commander]
- [<HKCU>\Software\Far\Plugins\FTP\Hosts]
- [<HKCU>\Software\Far2\Plugins\FTP\Hosts]
- [<HKCU>\Software\VanDyke\SecureFX]
- [<HKLM>\Software\Wow6432Node\NCH Software\Fling\Accounts]
- [<HKCU>\Software\NCH Software\Fling\Accounts]
- [<HKLM>\Software\Wow6432Node\NCH Software\ClassicFTP\FTPAccounts]
- [<HKCU>\Software\NCH Software\ClassicFTP\FTPAccounts]
- [<HKCU>\Software\SimonTatham\PuTTY\Sessions]
- [<HKLM>\Software\Wow6432Node\SimonTatham\PuTTY\Sessions]
- [<HKCU>\Software\Martin Prikryl]
- [<HKLM>\Software\Wow6432Node\Martin Prikryl]
- [<HKCU>\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook]
Reads files which store third party applications passwords
- %APPDATA%\mozilla\firefox\profiles.ini
- %LOCALAPPDATA%\google\chrome\user data\default\login data
- %APPDATA%\opera software\opera stable\login data
- %APPDATA%\thunderbird\profiles.ini
Modifies file system
Creates the following files
- C:\users\public\vbc.exe
- %TEMP%\index1\44.opends60.dll
- %TEMP%\index1\raml+yaml.xml
- %TEMP%\index1\msenvmnu.dll
- %APPDATA%\ico\aspnetregiis.exe
- %APPDATA%\ico\org.gnome.disks.gschema.xml
- %TEMP%\signature\frontpage\inquiry\normalization.dll
- %TEMP%\promotions\pa\project\microsoftvisualstudiodebugger.dll
- %TEMP%\promotions\pa\project\82.opends60.dll
- %TEMP%\aspdnsfcommon\t1\asmx\locale.xml
- %TEMP%\formicarium.dll
- %ALLUSERSPROFILE%\microsoft\vault\ac658cb4-9126-49bd-b877-31eedab3f204\policy.vpol
- %ALLUSERSPROFILE%\microsoft\vault\ac658cb4-9126-49bd-b877-31eedab3f204\3ccd5499-87a8-4b10-a215-608888dd3b55.vsch
- %ALLUSERSPROFILE%\microsoft\vault\ac658cb4-9126-49bd-b877-31eedab3f204\2f1a6504-0641-44cf-8bb5-3612d865f2e5.vsch
- %LOCALAPPDATA%\microsoft\vault\4bf4c442-9b8a-41a0-b380-dd4a704ddb28\policy.vpol
- %APPDATA%\e6f983\35a09b.hdb
- %APPDATA%\cgiwrap\google-maps-zh-tw.xml
- %TEMP%\oenomel
- %TEMP%\promotions\pa\project\org.gnome.desktop.privacy.gschema.xml
- %TEMP%\promotions\pa\project\radio.xml
- %TEMP%\promotions\pa\project\x-minipsf.xml
- %APPDATA%\books\covers\link.exe
- %APPDATA%\books\covers\1.opends60.dll
- %APPDATA%\books\covers\iehost.dll
- %APPDATA%\books\covers\pdmui.dll
- %APPDATA%\books\covers\transformkeyboard.xml
- %APPDATA%\books\covers\x-qml.xml
- %APPDATA%\books\covers\kingalbert.xml
- %TEMP%\nsx2166.tmp
- %APPDATA%\books\covers\crtowordsen.dll
- %APPDATA%\books\covers\devicedma.dll
- %APPDATA%\books\covers\x-tex.xml
- %APPDATA%\books\covers\62.opends60.dll
- %APPDATA%\books\covers\x-sega-pico-rom.xml
- %TEMP%\promotions\pa\project\idl.xml
- %TEMP%\promotions\pa\project\clstencilui.dll
- %TEMP%\promotions\pa\project\gacutil.exe
- %APPDATA%\books\covers\accountleads.xml
- %APPDATA%\e6f983\35a09b.lck
- %APPDATA%\e6f983\35a09b.exe
Sets the 'hidden' attribute to the following files
- %APPDATA%\e6f983\35a09b.exe
Deletes the following files
- %APPDATA%\e6f983\35a09b.lck
Substitutes the following files
- %APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-1960123792-2022915161-3775307078-1001\f58155b4b1d5a524ca0261c3ee99fb50_36d1130a-ac2e-44f7-9dc1-e424fbcbe0ee
Network activity
Connects to
- 'be##di.ga':80
TCP
HTTP GET requests
- http://ch###########sisabadassniggainthesnoop.ydns.eu/secure/svchost.exe
HTTP POST requests
- http://be##di.ga/chud/gate.php
UDP
- DNS ASK ch###########sisabadassniggainthesnoop.ydns.eu
- DNS ASK be##di.ga
Miscellaneous
Executes the following
- '%CommonProgramFiles%\microsoft shared\equation\eqnedt32.exe' -Embedding
- '%WINDIR%\syswow64\rundll32.exe' Formicarium,Chechako
- '%WINDIR%\syswow64\cmd.exe'
