Technical Information
To ensure autorun and distribution
Modifies the following registry keys
- [HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001] 'PackedCatalogItem' = '{25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,33,3...
- [HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002] 'PackedCatalogItem' = '{25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,33,3...
- [HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003] 'PackedCatalogItem' = '{25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,33,3...
- [HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004] 'PackedCatalogItem' = '{25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,33,3...
- [HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005] 'PackedCatalogItem' = '{25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,33,3...
- [HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006] 'PackedCatalogItem' = '{25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,33,3...
- [HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007] 'PackedCatalogItem' = '{25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,33,3...
- [HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008] 'PackedCatalogItem' = '{25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,33,3...
- [HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009] 'PackedCatalogItem' = '{25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,33,3...
- [HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010] 'PackedCatalogItem' = '{25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,33,3...
Malicious functions
Executes the following
- '<SYSTEM32>\net.exe' stop dnscache
Modifies file system
Creates the following files
- %TEMP%\3b3b.tmp\3b3c.tmp\3b4d.bat
- %TEMP%\477b.tmp\477c.tmp\478c.bat
- nul
Deletes the following files
- %TEMP%\3b3b.tmp\3b3c.tmp\3b4d.bat
Network activity
UDP
- 'localhost':54523
- 'localhost':59048
- 'localhost':64029
- 'localhost':64032
Miscellaneous
Restarts the analyzed sample
Executes the following
- '<SYSTEM32>\cmd.exe' /c "%TEMP%\3B3B.tmp\3B3C.tmp\3B4D.bat <Full path to file>"
- '<SYSTEM32>\net1.exe' stop dnscache
- '<SYSTEM32>\netsh.exe' interface ip delete arpcache
- '<SYSTEM32>\netsh.exe' interface ipv4 add dns "Ethernet" 8.#.8.8 index=2
- '<SYSTEM32>\netsh.exe' interface ipv4 set dns "Ethernet" static 1.#.1.1 primary
- '<SYSTEM32>\netsh.exe' interface ipv4 add dns "Wi-Fi" 8.#.8.8 index=2
- '<SYSTEM32>\netsh.exe' interface ipv4 set dns "Wi-Fi" static 1.#.1.1 primary
- '<SYSTEM32>\netsh.exe' int ipv6 reset
- '<SYSTEM32>\netsh.exe' int ipv4 reset
- '<SYSTEM32>\netsh.exe' interface set interface "Ethernet" admin=enable
- '<SYSTEM32>\netsh.exe' interface set interface "Ethernet" admin=disable
- '<SYSTEM32>\netsh.exe' interface set interface "Wi-Fi" admin=enable
- '<SYSTEM32>\netsh.exe' interface set interface "Wi-Fi" admin=disable
- '<SYSTEM32>\ipconfig.exe' /flushdns
- '<SYSTEM32>\ipconfig.exe' /renew
- '<SYSTEM32>\ipconfig.exe' /release
- '<SYSTEM32>\netsh.exe' int ip reset
- '<SYSTEM32>\netsh.exe' winsock reset
- '<SYSTEM32>\netsh.exe' int tcp set heuristics disabled
- '<SYSTEM32>\netsh.exe' int tcp set global rss=enabled
- '<SYSTEM32>\netsh.exe' int tcp set global netdma=enabled
- '<SYSTEM32>\netsh.exe' int tcp set global dca=enabled
- '<SYSTEM32>\netsh.exe' int tcp set global chimney=enabled
- '<SYSTEM32>\netsh.exe' int tcp set global ecncapability=enabled
- '<SYSTEM32>\netsh.exe' int tcp set global congestionprovider=ctcp
- '<SYSTEM32>\netsh.exe' int tcp set global autotuninglevel=normal
- '<SYSTEM32>\cmd.exe' /c "%TEMP%\477B.tmp\477C.tmp\478C.bat <Full path to file> am_admin"
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' start -verb runas '<Full path to file>' am_admin
- '<SYSTEM32>\net.exe' start dnscache
- '<SYSTEM32>\net1.exe' start dnscache
- '<SYSTEM32>\cmd.exe' /c "%TEMP%\477B.tmp\477C.tmp\478C.bat <Full path to file> am_admin"' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c "%TEMP%\3B3B.tmp\3B3C.tmp\3B4D.bat <Full path to file>"' (with hidden window)
