Technical Information
To ensure autorun and distribution
Modifies the following registry keys
- [<HKLM>\Software\Microsoft\Windows\CurrentVersion\Run] 'lsass' = '"%ALLUSERSPROFILE%\Oracle\Java\javapath\lsass.exe"'
- [<HKLM>\Software\Microsoft\Windows\CurrentVersion\Run] 'mdm' = '"%CommonProgramFiles(x86)%\microsoft shared\VS7Debug\msdbg2\mdm.exe"'
- [<HKLM>\Software\Microsoft\Windows\CurrentVersion\Run] 'firefox' = '"%ProgramFiles(x86)%\Mozilla Firefox\AccessibleMarshal\firefox.exe"'
- [<HKLM>\Software\Microsoft\Windows\CurrentVersion\Run] 'wininit' = '"<SYSTEM32>\gpupdate\wininit.exe"'
- [<HKLM>\Software\Microsoft\Windows\CurrentVersion\Run] 'services' = '"<SYSTEM32>\InkEd\services.exe"'
Creates or modifies the following files
- <SYSTEM32>\tasks\lsass
- <SYSTEM32>\tasks\mdm
- <SYSTEM32>\tasks\wininit
- <SYSTEM32>\tasks\services
- <SYSTEM32>\tasks\firefox
Malicious functions
Reads files which store third party applications passwords
- %LOCALAPPDATA%\google\chrome\user data\default\cookies
- %LOCALAPPDATA%\google\chrome\user data\default\login data
- %APPDATA%\opera software\opera stable\login data
- %LOCALAPPDATA%\google\chrome\user data\default\web data
Modifies file system
Creates the following files
- %ALLUSERSPROFILE%\oracle\java\javapath\lsass.exe
- %TEMP%\jkvf8ctugt
- %TEMP%\vfsqnt1x0t
- %TEMP%\zqqrxwxqbe
- %TEMP%\v6uxscj8rm
- %TEMP%\0v0swmvgqn
- %TEMP%\9ehzwigk7q
- %TEMP%\esqm5fqbiu
- %TEMP%\aefnd1pqhe
- %TEMP%\nr1xl0knrq
- %TEMP%\u3ong1ttfb
- %TEMP%\v8m7yrxo7i
- %TEMP%\lv0bwkvnlm
- %TEMP%\chkcjcuedz
- %TEMP%\8ewe38v4mw
- %TEMP%\vw4cs5dspn
- nul
- %TEMP%\i4uosv8g9h.bat
- %TEMP%\pj2qoapsrj
- <SYSTEM32>\inked\c5b4cb5e9653cc
- <SYSTEM32>\inked\services.exe
- <SYSTEM32>\gpupdate\56085415360792
- <SYSTEM32>\gpupdate\wininit.exe
- %ProgramFiles(x86)%\mozilla firefox\accessiblemarshal\0fc223bdacedc3
- %ProgramFiles(x86)%\mozilla firefox\accessiblemarshal\firefox.exe
- %CommonProgramFiles(x86)%\microsoft shared\vs7debug\msdbg2\559fba5f8e4410
- %CommonProgramFiles(x86)%\microsoft shared\vs7debug\msdbg2\mdm.exe
- %ALLUSERSPROFILE%\oracle\java\javapath\6203df4a6bafc7
- %TEMP%\yicv1kei5a
- %TEMP%\ppov2qodt9
Deletes the following files
- %TEMP%\pj2qoapsrj
- %TEMP%\jkvf8ctugt
- %TEMP%\vfsqnt1x0t
- %TEMP%\zqqrxwxqbe
- %TEMP%\v6uxscj8rm
- %TEMP%\0v0swmvgqn
- %TEMP%\9ehzwigk7q
- %TEMP%\esqm5fqbiu
- %TEMP%\aefnd1pqhe
- %TEMP%\nr1xl0knrq
- %TEMP%\u3ong1ttfb
- %TEMP%\v8m7yrxo7i
- %TEMP%\lv0bwkvnlm
- %TEMP%\chkcjcuedz
- %TEMP%\8ewe38v4mw
- %TEMP%\vw4cs5dspn
- %TEMP%\yicv1kei5a
- %TEMP%\ppov2qodt9
Network activity
Connects to
- '37.##0.113.20':80
TCP
HTTP GET requests
- http://37.##0.113.20/TemporaryCentral5temporary/LocalGeoPublicTemporary/Private/WordpressjsSecuredatalife/universallow/Temp/JavascriptDownloadsVoiddb/privatePacketauth/0JavascriptWp/Protonjavas...
UDP
- 'localhost':123
Miscellaneous
Creates and executes the following
- '%CommonProgramFiles(x86)%\microsoft shared\vs7debug\msdbg2\mdm.exe'
- '<SYSTEM32>\cmd.exe' /C "%TEMP%\i4uOsv8g9H.bat"' (with hidden window)
Executes the following
- '<SYSTEM32>\schtasks.exe' /create /tn "lsass" /sc ONLOGON /tr "'%ALLUSERSPROFILE%\Oracle\Java\javapath\lsass.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "mdm" /sc ONLOGON /tr "'%CommonProgramFiles(x86)%\microsoft shared\VS7Debug\msdbg2\mdm.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "firefox" /sc ONLOGON /tr "'%ProgramFiles(x86)%\Mozilla Firefox\AccessibleMarshal\firefox.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "wininit" /sc ONLOGON /tr "'<SYSTEM32>\gpupdate\wininit.exe'" /rl HIGHEST /f
- '<SYSTEM32>\schtasks.exe' /create /tn "services" /sc ONLOGON /tr "'<SYSTEM32>\InkEd\services.exe'" /rl HIGHEST /f
- '<SYSTEM32>\cmd.exe' /C "%TEMP%\i4uOsv8g9H.bat"
- '<SYSTEM32>\w32tm.exe' /stripchart /computer:localhost /period:5 /dataonly /samples:2
