BackDoor.DarkCrystalNET.16

Technical Information

To ensure autorun and distribution

Modifies the following registry keys

[<HKLM>\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Shell' = 'explorer.exe, "C:\Documents and Settings\iexplore.exe"'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'csrss' = '"C:\Recovery\1195d5a8-f371-11e4-9c00-dd3082671db2\csrss.exe"'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'csrss' = '"C:\Recovery\1195d5a8-f371-11e4-9c00-dd3082671db2\csrss.exe"'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] '<File name>' = '"C:\Recovery\1195d5a8-f371-11e4-9c00-dd3082671db2\<File name>.exe"'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] '<File name>' = '"C:\Recovery\1195d5a8-f371-11e4-9c00-dd3082671db2\<File name>.exe"'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'lsm' = '"<SYSTEM32>\imgutil\lsm.exe"'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'lsm' = '"<SYSTEM32>\imgutil\lsm.exe"'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'wininit' = '"C:\Far2\Addons\wininit.exe"'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'lsass' = '"C:\Recovery\1195d5a8-f371-11e4-9c00-dd3082671db2\lsass.exe"'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'wininit' = '"C:\Far2\Addons\wininit.exe"'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'winlogon' = '"<SYSTEM32>\pcwum\winlogon.exe"'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Shell' = 'explorer.exe, "C:\Documents and Settings\iexplore.exe", "<SYSTEM32>\rasdiag\spoolsv.exe", "<SYSTEM32>\pcwum...
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'spoolsv' = '"<SYSTEM32>\rasdiag\spoolsv.exe"'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'spoolsv' = '"<SYSTEM32>\rasdiag\spoolsv.exe"'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Shell' = 'explorer.exe, "C:\Documents and Settings\iexplore.exe", "<SYSTEM32>\rasdiag\spoolsv.exe"'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'iexplore' = '"C:\Documents and Settings\iexplore.exe"'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'iexplore' = '"C:\Documents and Settings\iexplore.exe"'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'winlogon' = '"<SYSTEM32>\pcwum\winlogon.exe"'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'lsass' = '"C:\Recovery\1195d5a8-f371-11e4-9c00-dd3082671db2\lsass.exe"'

Creates or modifies the following files

<SYSTEM32>\tasks\iexplore
<SYSTEM32>\tasks\spoolsv
<SYSTEM32>\tasks\winlogon
<SYSTEM32>\tasks\wininit
<SYSTEM32>\tasks\lsm
<SYSTEM32>\tasks\<File name>
<SYSTEM32>\tasks\lsass
<SYSTEM32>\tasks\csrss

Malicious functions

Searches for windows to

detect analytical utilities:

ClassName: 'OLLYDBG', WindowName: 'OllyDBg'

Modifies file system

Creates the following files

C:\documents and settings\iexplore.exe
%TEMP%\t6en6vq39u
C:\recovery\1195d5a8-f371-11e4-9c00-dd3082671db2\6203df4a6bafc7
C:\recovery\1195d5a8-f371-11e4-9c00-dd3082671db2\lsass.exe
C:\recovery\1195d5a8-f371-11e4-9c00-dd3082671db2\886983d96e3d3e
C:\recovery\1195d5a8-f371-11e4-9c00-dd3082671db2\csrss.exe
C:\recovery\1195d5a8-f371-11e4-9c00-dd3082671db2\79007c89e79669
C:\recovery\1195d5a8-f371-11e4-9c00-dd3082671db2\<File name>.exe
%TEMP%\q3myuh4rwd.bat
%WINDIR%\syswow64\imgutil\101b941d020240
C:\far2\addons\56085415360792
C:\far2\addons\wininit.exe
%WINDIR%\syswow64\pcwum\cc11b995f2a76d
%WINDIR%\syswow64\pcwum\winlogon.exe
%WINDIR%\syswow64\rasdiag\f3b6ecef712a24
%WINDIR%\syswow64\rasdiag\spoolsv.exe
C:\documents and settings\9db6e019d4f04e
%WINDIR%\syswow64\imgutil\lsm.exe
nul

Deletes the following files

%TEMP%\t6en6vq39u

Network activity

Connects to

'je##aew.xyz':80

TCP

HTTP GET requests

http://je##aew.xyz/kdnwecn.ewdbcrc

UDP

DNS ASK je##aew.xyz
'localhost':123

Miscellaneous

Searches for the following windows

ClassName: 'ObsidianGUI' WindowName: ''
ClassName: 'WinDbgFrameClass' WindowName: ''
ClassName: 'ID' WindowName: ''

Creates and executes the following

'C:\far2\addons\wininit.exe'
'C:\far2\addons\wininit.exe' ' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /C "%TEMP%\q3MYUh4rWD.bat"' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /C "%TEMP%\rxS71E3RCV.bat"' (with hidden window)

Executes the following

'<SYSTEM32>\schtasks.exe' /create /tn "iexplore" /sc ONLOGON /tr "'C:\Documents and Settings\iexplore.exe'" /rl HIGHEST /f
'<SYSTEM32>\schtasks.exe' /create /tn "spoolsv" /sc ONLOGON /tr "'<SYSTEM32>\rasdiag\spoolsv.exe'" /rl HIGHEST /f
'<SYSTEM32>\schtasks.exe' /create /tn "winlogon" /sc ONLOGON /tr "'<SYSTEM32>\pcwum\winlogon.exe'" /rl HIGHEST /f
'<SYSTEM32>\schtasks.exe' /create /tn "wininit" /sc ONLOGON /tr "'C:\Far2\Addons\wininit.exe'" /rl HIGHEST /f
'<SYSTEM32>\schtasks.exe' /create /tn "lsm" /sc ONLOGON /tr "'<SYSTEM32>\imgutil\lsm.exe'" /rl HIGHEST /f
'<SYSTEM32>\schtasks.exe' /create /tn "<File name>" /sc ONLOGON /tr "'C:\Recovery\1195d5a8-f371-11e4-9c00-dd3082671db2\<File name>.exe'" /rl HIGHEST /f
'<SYSTEM32>\schtasks.exe' /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1195d5a8-f371-11e4-9c00-dd3082671db2\csrss.exe'" /rl HIGHEST /f
'<SYSTEM32>\schtasks.exe' /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\1195d5a8-f371-11e4-9c00-dd3082671db2\lsass.exe'" /rl HIGHEST /f
'%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -Command Add-MpPreference -ExclusionPath 'C:\'
'%WINDIR%\syswow64\cmd.exe' /C "%TEMP%\q3MYUh4rWD.bat"
'%WINDIR%\syswow64\w32tm.exe' /stripchart /computer:localhost /period:5 /dataonly /samples:2
'<SYSTEM32>\w32tm.exe' /stripchart /computer:localhost /period:5 /dataonly /samples:2
'%WINDIR%\syswow64\cmd.exe' /C "%TEMP%\rxS71E3RCV.bat"