Technical Information
Malicious functions
Executes the following
- '<SYSTEM32>\net.exe' stop Security Centers
Terminates or attempts to terminate
the following system processes:
- <SYSTEM32>\cmd.exe
Modifies file system
Creates the following files
- %TEMP%\ktcbldpg.exe
- %TEMP%\_mei26762\yarl\_quoting_c.cp37-win32.pyd
- %TEMP%\_mei26762\win32wnet.pyd
- %TEMP%\_mei26762\win32ui.pyd
- %TEMP%\_mei26762\win32trace.pyd
- %TEMP%\_mei26762\win32cred.pyd
- %TEMP%\_mei26762\win32com\shell\shell.pyd
- %TEMP%\_mei26762\win32api.pyd
- %TEMP%\_mei26762\unicodedata.pyd
- %TEMP%\_mei26762\sqlite3.dll
- %TEMP%\_mei26762\select.pyd
- %TEMP%\_mei26762\pywintypes37.dll
- %TEMP%\_mei26762\pythoncom37.dll
- %TEMP%\_mei26762\include\pyconfig.h
- %TEMP%\_mei26762\python37.dll
- %TEMP%\_mei26762\pyexpat.pyd
- %TEMP%\_mei26762\psutil\_psutil_windows.cp37-win32.pyd
- %TEMP%\_mei26762\multidict\_multidict.cp37-win32.pyd
- %TEMP%\_mei26762\mfc140u.dll
- %TEMP%\_mei26762\lz4\block\_block.cp37-win32.pyd
- %TEMP%\_mei26762\lz4\_version.cp37-win32.pyd
- %TEMP%\_mei26762\libssl-1_1.dll
- %TEMP%\_mei26762\libcrypto-1_1.dll
- %TEMP%\_mei26762\cryptography\hazmat\bindings\_openssl.pyd
- %TEMP%\_mei26762\aiohttp\_websocket.cp37-win32.pyd
- %TEMP%\_mei26762\aiohttp\_http_writer.cp37-win32.pyd
- %TEMP%\_mei26762\aiohttp\_http_parser.cp37-win32.pyd
- %TEMP%\_mei26762\python3.dll
- %TEMP%\_mei26762\importlib_metadata-3.9.0-py3.7.egg-info\wheel
- %TEMP%\_mei26762\lz4-3.1.3-py3.7.egg-info\top_level.txt
- %TEMP%\_mei26762\cryptography-3.4.7-py3.7.egg-info\installer
- %TEMP%\_mei26762\lz4-3.1.3-py3.7.egg-info\wheel
- %TEMP%\_mei26762\lz4-3.1.3-py3.7.egg-info\record
- %TEMP%\_mei26762\lz4-3.1.3-py3.7.egg-info\metadata
- %TEMP%\_mei26762\lz4-3.1.3-py3.7.egg-info\license
- %TEMP%\_mei26762\lz4-3.1.3-py3.7.egg-info\installer
- %TEMP%\_mei26762\keyring-23.0.1-py3.7.egg-info\top_level.txt
- %TEMP%\_mei26762\keyring-23.0.1-py3.7.egg-info\entry_points.txt
- %TEMP%\_mei26762\keyring-23.0.1-py3.7.egg-info\wheel
- %TEMP%\_mei26762\keyring-23.0.1-py3.7.egg-info\record
- %TEMP%\_mei26762\keyring-23.0.1-py3.7.egg-info\metadata
- %TEMP%\_mei26762\keyring-23.0.1-py3.7.egg-info\license
- %TEMP%\_mei26762\keyring-23.0.1-py3.7.egg-info\installer
- %TEMP%\_mei26762\aiohttp\_helpers.cp37-win32.pyd
- %TEMP%\_mei26762\importlib_metadata-3.9.0-py3.7.egg-info\top_level.txt
- %TEMP%\_mei26762\importlib_metadata-3.9.0-py3.7.egg-info\record
- %TEMP%\_mei26762\importlib_metadata-3.9.0-py3.7.egg-info\metadata
- %TEMP%\_mei26762\importlib_metadata-3.9.0-py3.7.egg-info\license
- %TEMP%\_mei26762\importlib_metadata-3.9.0-py3.7.egg-info\installer
- %TEMP%\_mei26762\cryptography-3.4.7-py3.7.egg-info\top_level.txt
- %TEMP%\_mei26762\cryptography-3.4.7-py3.7.egg-info\wheel
- %TEMP%\_mei26762\cryptography-3.4.7-py3.7.egg-info\record
- %TEMP%\_mei26762\cryptography-3.4.7-py3.7.egg-info\metadata
- %TEMP%\_mei26762\cryptography-3.4.7-py3.7.egg-info\license.psf
- %TEMP%\_mei26762\cryptography-3.4.7-py3.7.egg-info\license.bsd
- %TEMP%\_mei26762\cryptography-3.4.7-py3.7.egg-info\license.apache
- %TEMP%\_mei26762\cryptography-3.4.7-py3.7.egg-info\license
- %TEMP%\_mei26762\base_library.zip
- %TEMP%\_mei26762\certifi\cacert.pem
- %TEMP%\_mei26762\aiohttp\_frozenlist.cp37-win32.pyd
- %TEMP%\_mei26762\crypto\hash\_sha256.pyd
- %TEMP%\_mei26762\crypto\hash\_ripemd160.pyd
- %TEMP%\_mei26762\crypto\hash\_md5.pyd
- %TEMP%\_mei26762\crypto\hash\_md4.pyd
- %TEMP%\_mei26762\crypto\hash\_md2.pyd
- %TEMP%\_mei26762\crypto\hash\_blake2s.pyd
- %TEMP%\_mei26762\crypto\hash\_blake2b.pyd
- %TEMP%\_mei26762\crypto\cipher\_raw_ofb.pyd
- %TEMP%\_mei26762\crypto\cipher\_raw_ocb.pyd
- %TEMP%\_mei26762\crypto\cipher\_raw_eksblowfish.pyd
- %TEMP%\_mei26762\crypto\cipher\_raw_ecb.pyd
- %TEMP%\_mei26762\crypto\cipher\_raw_des3.pyd
- %TEMP%\_mei26762\crypto\cipher\_raw_des.pyd
- %TEMP%\_mei26762\crypto\hash\_sha1.pyd
- %TEMP%\_mei26762\crypto\cipher\_raw_ctr.pyd
- %TEMP%\_mei26762\crypto\cipher\_raw_cbc.pyd
- %TEMP%\_mei26762\crypto\cipher\_raw_cast.pyd
- %TEMP%\_mei26762\crypto\cipher\_raw_blowfish.pyd
- %TEMP%\_mei26762\crypto\cipher\_raw_arc2.pyd
- %TEMP%\_mei26762\crypto\cipher\_raw_aesni.pyd
- %TEMP%\_mei26762\crypto\cipher\_raw_aes.pyd
- %TEMP%\_mei26762\crypto\cipher\_chacha20.pyd
- %TEMP%\_mei26762\crypto\cipher\_salsa20.pyd
- %TEMP%\_mei26762\crypto\cipher\_arc4.pyd
- %TEMP%\_mei26762\anti malware service executable.exe.manifest
- %TEMP%\jhydgiymdpwb.exe
- %TEMP%\6132.tmp\6143.tmp\6144.bat
- %TEMP%\_mei26762\crypto\cipher\_raw_cfb.pyd
- %TEMP%\_mei26762\_bz2.pyd
- %TEMP%\_mei26762\_ssl.pyd
- %TEMP%\_mei26762\crypto\hash\_sha384.pyd
- %TEMP%\_mei26762\_sqlite3.pyd
- %TEMP%\_mei26762\_socket.pyd
- %TEMP%\_mei26762\_queue.pyd
- %TEMP%\_mei26762\_overlapped.pyd
- %TEMP%\_mei26762\_multiprocessing.pyd
- %TEMP%\_mei26762\_lzma.pyd
- %TEMP%\_mei26762\_hashlib.pyd
- %TEMP%\_mei26762\_elementtree.pyd
- %TEMP%\_mei26762\_distutils_findvs.pyd
- %TEMP%\_mei26762\_decimal.pyd
- %TEMP%\_mei26762\_ctypes.pyd
- %TEMP%\_mei26762\_contextvars.pyd
- %TEMP%\_mei26762\_win32sysloader.pyd
- %TEMP%\_mei26762\_cffi_backend.cp37-win32.pyd
- %TEMP%\_mei26762\_asyncio.pyd
- %TEMP%\_mei26762\vcruntime140.dll
- %TEMP%\_mei26762\crypto\util\_strxor.pyd
- %TEMP%\_mei26762\crypto\util\_cpuid_c.pyd
- %TEMP%\_mei26762\crypto\publickey\_ec_ws.pyd
- %TEMP%\_mei26762\crypto\protocol\_scrypt.pyd
- %TEMP%\_mei26762\crypto\math\_modexp.pyd
- %TEMP%\_mei26762\crypto\hash\_poly1305.pyd
- %TEMP%\_mei26762\crypto\hash\_keccak.pyd
- %TEMP%\_mei26762\crypto\hash\_ghash_portable.pyd
- %TEMP%\_mei26762\crypto\hash\_ghash_clmul.pyd
- %TEMP%\_mei26762\crypto\hash\_sha512.pyd
- %TEMP%\_mei26762\crypto\hash\_sha224.pyd
- %TEMP%\3s95p117
Deletes the following files
- %TEMP%\6132.tmp\6143.tmp\6144.bat
- %TEMP%\3s95p117
Network activity
Connects to
- 'ap#.#pify.org':443
- 'ip##i.co':443
- 'ip##pi.com':80
TCP
HTTP GET requests
- http://ip##pi.com/json?fi##########
Other
- 'ap#.#pify.org':443
- 'ip##i.co':443
UDP
- DNS ASK ap#.#pify.org
- DNS ASK ip##i.co
- DNS ASK ip##pi.com
Miscellaneous
Creates and executes the following
- '%TEMP%\ktcbldpg.exe'
- '%TEMP%\jhydgiymdpwb.exe'
Executes the following
- '<SYSTEM32>\cmd.exe' /c "%TEMP%\6132.tmp\6143.tmp\6144.bat %TEMP%\Ktcbldpg.exe"
- '<SYSTEM32>\net1.exe' stop Security Centers
