Technical Information
To ensure autorun and distribution
Modifies the following registry keys
- [HKLM\Software\Classes\PROTOCOLS\Handler\touchenex] 'CLSID' = '{4016c30a-fd7b-11ef-941e-000c2936bd4f}'
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] 'CrossEXService' = '%ProgramFiles(x86)%\iniLINE\CrossEX\crossex\CrossEXService.exe'
Sets the following service settings
- [HKLM\SYSTEM\CurrentControlSet\Services\TENXW_Guard] 'Start' = '00000002'
- [HKLM\SYSTEM\CurrentControlSet\Services\TENXW_Guard] 'ImagePath' = '%ProgramFiles%\RaonSecure\NxWeb\TENXW_SVR.exe'
- [HKLM\SYSTEM\CurrentControlSet\Services\TNXNET_SVR] 'Start' = '00000001'
- [HKLM\SYSTEM\CurrentControlSet\Services\TNXNET_SVR] 'ImagePath' = '%WINDIR%\TNXNet64.sys'
- [HKLM\SYSTEM\CurrentControlSet\Services\CrossEX Live Checker] 'Start' = '00000002'
- [HKLM\SYSTEM\CurrentControlSet\Services\CrossEX Live Checker] 'ImagePath' = '"%ProgramFiles(x86)%\iniLINE\CrossEX\crossex\ObCrossEXService.exe"'
Creates the following services
- 'TENXW_Guard' %ProgramFiles%\RaonSecure\NxWeb\TENXW_SVR.exe
- 'TNXNET_SVR' %WINDIR%\TNXNet64.sys
- 'CrossEX Live Checker' %ProgramFiles(x86)%\iniLINE\CrossEX\crossex\ObCrossEXService.exe
Malicious functions
Injects code into
the following system processes:
- <SYSTEM32>\winlogon.exe
Installs hooks to intercept notifications
on keystrokes:
- Handler for all processes: %ProgramFiles%\RaonSecure\NxWeb\TENXWGuard64_269.dll
on window messages:
- Handler for all processes: %ProgramFiles%\RaonSecure\NxWeb\TENXWGuard64_269.dll
- Handler for all processes: %ProgramFiles%\RaonSecure\NxWeb\TENXWGuard32_269.dll
Modifies file system
Creates the following files
- %TEMP%\tenxwguard\dllcheck64.exe
- %ProgramFiles%\raonsecure\nxweb\setup.cab
- %ProgramFiles%\raonsecure\nxweb\tenxw_svr32.exe
- %ProgramFiles%\raonsecure\nxweb\tenxw_svr64.exe
- %ProgramFiles%\raonsecure\nxweb\tenxwguard32.dll
- %ProgramFiles%\raonsecure\nxweb\tenxwguard64.dll
- %ProgramFiles%\raonsecure\nxweb\teweb.exe
- %ProgramFiles%\raonsecure\nxweb\teweb64.exe
- %ProgramFiles%\raonsecure\nxweb\tewebp.exe
- %ProgramFiles%\raonsecure\nxweb\twmain.dll
- %ProgramFiles%\raonsecure\nxweb\twmain64.dll
- %ProgramFiles%\raonsecure\nxweb\crossex_localservice_install.exe
- %ProgramFiles%\raonsecure\nxweb\raon_touchenex_install.exe
- %ProgramFiles%\raonsecure\nxweb\ffcert.exe
- %WINDIR%\tnxnet64.sys
- %ProgramFiles(x86)%\raonsecure\bridge\crossex\touchenex\1.0.1.1604\digicert_root_g4.cer
- %ProgramFiles(x86)%\raonsecure\bridge\crossex\touchenex\1.0.1.1604\crossexprotocol.dll
- %ProgramFiles(x86)%\raonsecure\bridge\crossex\touchenex\1.0.1.1604\crossexchrome.exe
- %ProgramFiles(x86)%\raonsecure\bridge\crossex\touchenex\1.0.1.1604\crossex.sig
- %ProgramFiles(x86)%\raonsecure\bridge\crossex\touchenex\1.0.1.1604\kr.co.raon.touchenex.json
- %ProgramFiles(x86)%\raonsecure\bridge\crossex\touchenex\1.0.1.1604\kr.co.raon.touchenex.firefox.json
- %ProgramFiles(x86)%\raonsecure\bridge\crossex\touchenex\uninstallcrossex.exe
- %TEMP%\nsmc083.tmp\system.dll
- %ProgramFiles(x86)%\iniline\crossex\crossex\uninstallcrossexlocal.exe
- %ProgramFiles(x86)%\iniline\crossex\crossex\obcrossexservice.exe
- %ProgramFiles(x86)%\iniline\crossex\crossex\crossexservice.exe
- %ProgramFiles(x86)%\iniline\crossex\crossex\crossexservice.exe.sig
- %ProgramFiles(x86)%\iniline\crossex\crossex\rootca.crt
- %TEMP%\nssd013.tmp\system.dll
- %TEMP%\nssd013.tmp\nsexec.dll
- %TEMP%\ffcert_raon\firefox_certutil.exe
- %TEMP%\ffcert_raon\bin\certutil.exe
- %TEMP%\ffcert_raon\bin\freebl3.dll
- %TEMP%\ffcert_raon\bin\libnspr4.dll
- %TEMP%\ffcert_raon\bin\libplc4.dll
- %TEMP%\ffcert_raon\bin\libplds4.dll
- %TEMP%\ffcert_raon\bin\msvcr100.dll
- %TEMP%\ffcert_raon\bin\nss3.dll
- %TEMP%\ffcert_raon\bin\nssckbi.dll
- %TEMP%\ffcert_raon\bin\nssdbm3.dll
- %TEMP%\ffcert_raon\bin\nssutil3.dll
- %TEMP%\ffcert_raon\bin\smime3.dll
- %TEMP%\ffcert_raon\bin\softokn3.dll
- %TEMP%\ffcert_raon\bin\sqlite3.dll
- %TEMP%\ffcert_raon\bin\ssl3.dll
- %APPDATA%\mozilla\firefox\profiles\dnyauhh1.default-release\cert9.db-journal
- %TEMP%\etilqs_gpdedyyspmkefnep6xwo
- %TEMP%\etilqs_ggtncragt5bothsvblhh
- %TEMP%\etilqs_h6qf4tllqzvqkjkukxvb
- %APPDATA%\mozilla\firefox\profiles\dnyauhh1.default-release\key4.db-journal
- %TEMP%\etilqs_3cry1vmchhrb5uqavfc5
- %TEMP%\etilqs_n1tfqicbhcrekuyouaxh
- %TEMP%\etilqs_3kzt9joy3pojl3o43sp8
- %TEMP%\etilqs_yfdk7njrzjg3rvsueexl
- %TEMP%\etilqs_cnobehjy3milytkmjm2k
- %TEMP%\etilqs_epqtbeitakmpmqnidcfg
- %TEMP%\etilqs_3hhm2kwm0ulbtm4l04hv
Moves the following files
- from %ProgramFiles%\raonsecure\nxweb\tenxw_svr64.exe to %ProgramFiles%\raonsecure\nxweb\tenxw_svr.exe
- from %ProgramFiles%\raonsecure\nxweb\tenxwguard32.dll to %ProgramFiles%\raonsecure\nxweb\tenxwguard32_269.dll
- from %ProgramFiles%\raonsecure\nxweb\tenxwguard64.dll to %ProgramFiles%\raonsecure\nxweb\tenxwguard64_269.dll
Modifies the following files
- %APPDATA%\mozilla\firefox\profiles\dnyauhh1.default-release\cert9.db
- %APPDATA%\mozilla\firefox\profiles\dnyauhh1.default-release\key4.db
Miscellaneous
Adds a root certificate
Searches for the following windows
- ClassName: '' WindowName: '_TouchEn_nxWeb_32'
- ClassName: '' WindowName: 'Global\TouchEn_nxWeb_Policy_32'
- ClassName: '' WindowName: 'Global\TouchEn_nxWeb_Policy_64'
- ClassName: '' WindowName: '_TouchEn_nxWeb_64'
- ClassName: 'MSAA_DA_Class' WindowName: 'MSAA_DA_19c'
- ClassName: 'MSAA_DA_Class' WindowName: 'MSAA_DA_12f0'
- ClassName: '#32768' WindowName: ''
- ClassName: 'Worker' WindowName: ''
- ClassName: 'MSAA_DA_Class' WindowName: 'MSAA_DA_764'
Creates and executes the following
- '%TEMP%\tenxwguard\dllcheck64.exe'
- '%ProgramFiles%\raonsecure\nxweb\tenxw_svr.exe'
- '%ProgramFiles%\raonsecure\nxweb\tewebp.exe'
- '%ProgramFiles%\raonsecure\nxweb\teweb.exe'
- '%ProgramFiles%\raonsecure\nxweb\teweb64.exe'
- '%ProgramFiles%\raonsecure\nxweb\raon_touchenex_install.exe' /S
- '%ProgramFiles%\raonsecure\nxweb\crossex_localservice_install.exe' /S
- '%ProgramFiles(x86)%\iniline\crossex\crossex\crossexservice.exe'
- '%ProgramFiles(x86)%\iniline\crossex\crossex\obcrossexservice.exe'
- '%ProgramFiles%\raonsecure\nxweb\ffcert.exe'
- '%TEMP%\ffcert_raon\firefox_certutil.exe' "%ProgramFiles%\RaonSecure\NxWeb\FFCert.exe"
- '%TEMP%\ffcert_raon\bin\certutil.exe' -A -d sql:"%APPDATA%\Mozilla\Firefox\Profiles\dnyauhh1.default-release" -i "%ProgramFiles(x86)%\iniLINE\CrossEX\crossex\rootCA.crt" -n "iniLINE CrossEX RootCA2" -t "CT,C,C"
- '%TEMP%\ffcert_raon\bin\certutil.exe' -L -d sql:"%APPDATA%\Mozilla\Firefox\Profiles\dnyauhh1.default-release"
Executes the following
- '%WINDIR%\syswow64\sc.exe' create "CrossEX Live Checker" binpath= "\"%ProgramFiles(x86)%\iniLINE\CrossEX\crossex\ObCrossEXService.exe\"" start= auto
- '%WINDIR%\syswow64\sc.exe' description "CrossEX Live Checker" "checking live status of CrossEXService"
- '%WINDIR%\syswow64\sc.exe' start "CrossEX Live Checker"
- '%TEMP%\tenxwguard\dllcheck64.exe' ' (with hidden window)
- '%ProgramFiles%\raonsecure\nxweb\raon_touchenex_install.exe' /S' (with hidden window)
- '%ProgramFiles%\raonsecure\nxweb\crossex_localservice_install.exe' /S' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' create "CrossEX Live Checker" binpath= "\"%ProgramFiles(x86)%\iniLINE\CrossEX\crossex\ObCrossEXService.exe\"" start= auto' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' description "CrossEX Live Checker" "checking live status of CrossEXService"' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' start "CrossEX Live Checker"' (with hidden window)
- '%ProgramFiles%\raonsecure\nxweb\ffcert.exe' ' (with hidden window)
