Technical Information
To ensure autorun and distribution
Modifies the following registry keys
- [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\winlogon] 'Userinit' = '<SYSTEM32>\userinit.exe,%WINDIR%\INF\.NETFramework\CORPerfMonSymbols.exe'
Creates or modifies the following files
- <SYSTEM32>\tasks\launch adobe ccxprocess
- <SYSTEM32>\tasks\xccprocess
- <SYSTEM32>\tasks\microsoft\windows\windows update listner
- <SYSTEM32>\tasks\microsoft\microsoft launcher
Sets the following service settings
- [HKLM\SYSTEM\CurrentControlSet\Services\System Diagnostics Host] 'Start' = '00000002'
- [HKLM\SYSTEM\CurrentControlSet\Services\System Diagnostics Host] 'ImagePath' = '%WINDIR%\SysWOW64\SystemDiagnosticsHost.exe'
- [HKLM\SYSTEM\CurrentControlSet\Services\aswArPot.sys] 'ImagePath' = '%WINDIR%\temp\aswArPot.bin'
Creates the following services
- 'System Diagnostics Host' %WINDIR%\SysWOW64\SystemDiagnosticsHost.exe
- 'aswArPot.sys' %WINDIR%\temp\aswArPot.bin
Malicious functions
Executes the following
- '<SYSTEM32>\netsh.exe' advfirewall firewall add rule name="XCCProcess" dir=in action=allow program="%WINDIR%\Media\mppr.exe" enable=yes
- '%WINDIR%\syswow64\taskkill.exe' /im splwow32.exe /f
Launches a large number of processes
Injects code into
the following system processes:
- %WINDIR%\explorer.exe
Terminates or attempts to terminate
the following system processes:
- <SYSTEM32>\securityhealthsystray.exe
- <SYSTEM32>\securityhealthservice.exe
Modifies file system
Creates the following files
- %TEMP%\tmpeea6.tmp.exe
- %LOCALAPPDATA%\microsoft\clr_v4.0\usagelogs\<File name>.exe.log
- %WINDIR%\media\mppr.exe
- %WINDIR%\inputmethod\shared\rc_connectedaccount.exe
- %TEMP%\ck2xp5q4\ck2xp5q4.0.cs
- %TEMP%\ck2xp5q4\ck2xp5q4.cmdline
- %TEMP%\ck2xp5q4\ck2xp5q4.out
- %TEMP%\cscb8f9019b33e744b69e6e8adccbabcf3.tmp
- %TEMP%\res3d24.tmp
- %TEMP%\tmp3573.tmp
- %WINDIR%\inf\.netframework\corperfmonsymbols.exe
- %TEMP%\3aw5or1v\3aw5or1v.0.cs
- %TEMP%\3aw5or1v\3aw5or1v.cmdline
- %TEMP%\3aw5or1v\3aw5or1v.out
- %TEMP%\csc5acba13089264703a547fbbb979396.tmp
- %TEMP%\res4409.tmp
- %TEMP%\tmp3fa5.tmp
- %WINDIR%\inf\usbhub\usbperfsym.exe
- %WINDIR%\syswow64\systemdiagnosticshost.exe
- %WINDIR%\media\msldriver.dll
- %WINDIR%\temp\aswarpot.bin
- C:\recovery\oem\resetconfig.xml
- C:\recovery\oem\2dd56833-e100-4513-96eb-544a7b523a39.bat
- C:\recovery\oem\2dc4e55a-ab19-483d-8026-d37e52d13acd.exe
- %TEMP%\n4gcktca.cos.bat
- nul
- %LOCALAPPDATA%\microsoft\clr_v4.0\usagelogs\tmpeea6.tmp.exe.log
- %WINDIR%\temp\tmpc31d.tmp
- %WINDIR%\temp\tmpc3aa.tmp
- %TEMP%\tmpd666.tmp
- %TEMP%\tmpd703.tmp
- %WINDIR%\temp\tmp73b2.tmp.exe
Sets the 'hidden' attribute to the following files
- %WINDIR%\media\mppr.exe
- %WINDIR%\inputmethod\shared\rc_connectedaccount.exe
- %WINDIR%\inf\.netframework\corperfmonsymbols.exe
- %WINDIR%\inf\usbhub\usbperfsym.exe
- %WINDIR%\syswow64\systemdiagnosticshost.exe
- %WINDIR%\media\msldriver.dll
Deletes following files that it created itself
- %TEMP%\res3d24.tmp
- %TEMP%\cscb8f9019b33e744b69e6e8adccbabcf3.tmp
- %TEMP%\ck2xp5q4\ck2xp5q4.out
- %TEMP%\ck2xp5q4\ck2xp5q4.cmdline
- %TEMP%\ck2xp5q4\ck2xp5q4.0.cs
- %TEMP%\tmp3573.tmp
- %TEMP%\res4409.tmp
- %TEMP%\csc5acba13089264703a547fbbb979396.tmp
- %TEMP%\3aw5or1v\3aw5or1v.cmdline
- %TEMP%\3aw5or1v\3aw5or1v.0.cs
- %TEMP%\3aw5or1v\3aw5or1v.out
- %TEMP%\tmp3fa5.tmp
- %WINDIR%\temp\tmpc31d.tmp
- %WINDIR%\temp\tmpc3aa.tmp
- %TEMP%\tmpd666.tmp
- %TEMP%\tmpd703.tmp
Network activity
Connects to
- 'co##############e-chains.prod.autograph.services.mozaws.net':443
- 'vv######jnj25i5.hopto.org':443
- 'vv######jnj25i5.hopto.org':80
TCP
HTTP GET requests
- http://93.##3.84.212/files/loader/OnoMiner_obfus.exe
Other
- 'vv######jnj25i5.hopto.org':443
UDP
- DNS ASK co##############e-chains.prod.autograph.services.mozaws.net
- DNS ASK vv#######yuigi2.bounceme.net
- DNS ASK vv#######nj25i5.3utilities.com
- DNS ASK vv#######yuigi2.3utilities.com
- DNS ASK xq######qtwe81v.gotdns.ch
- DNS ASK 29#######l2h4tv.ddnsking.com
- DNS ASK 2n####9uqywio91.top
- DNS ASK mq####j29dlqt91.top
- DNS ASK 0a#######twkq21.3utilities.com
- DNS ASK 2y########l2qlo.freedynamicdns.org
- DNS ASK vv######oij25i4.gotdns.ch
- DNS ASK vv########j25i5.freedynamicdns.org
- DNS ASK vv#######ij25i4.ddnsking.com
- DNS ASK vq#######zqtqe1.ddnsking.com
- DNS ASK 2n######k4l2o91.gotdns.ch
- DNS ASK 2n######k4l2o91.hopto.org
- DNS ASK 8j####glwi6ns92.cc
- DNS ASK 2y#######fl2qlo.bounceme.net
- DNS ASK vv######gyuigi2.webhop.me
- DNS ASK ty######ht82qlo.hopto.org
- DNS ASK 2q#######wl4qe1.3utilities.com
- DNS ASK kq####j2qtph2l9.cc
- DNS ASK kq######qtph2l9.myftp.org
- DNS ASK vv####wwgyuigi2.cc
- DNS ASK 7x######tn5sjr3.myftp.org
- DNS ASK 2n######k4l2o91.myftp.org
- DNS ASK ww########ui3s1.freedynamicdns.org
- DNS ASK vv######gyuigi2.myftp.org
- DNS ASK q9######qt9qh4v.webhop.me
- DNS ASK z8####jqpxt19zq.cc
- DNS ASK kq####j2qtph2l9.top
- DNS ASK 91######nqtphj2.webhop.me
- DNS ASK 2n#######4l2o91.3utilities.com
- DNS ASK 2q######kwl4qe1.myftp.org
- DNS ASK vq####fqnzqtqe1.top
- DNS ASK vq####fqnzqtqe1.cc
- DNS ASK 2y#######t8iqlo.3utilities.com
- DNS ASK 2n######qywio91.myftp.org
- DNS ASK 2n#######ywio91.ddnsking.com
- DNS ASK 0a####pqjtwkq21.cc
- DNS ASK 2q######kwl4qe1.gotdns.ch
- DNS ASK vv#######nj25i5.bounceme.net
- DNS ASK z8########t19zq.freedynamicdns.org
- DNS ASK q9#######t9qh4v.3utilities.com
- DNS ASK 2n######k4l2o91.webhop.me
- DNS ASK 91####fjnqtphj2.cc
- DNS ASK 2y####fskfl2qlo.cc
- DNS ASK 29######el2h4tv.gotdns.ch
- DNS ASK 3w######htyeqow.gotdns.ch
- DNS ASK ww######gyui3s1.hopto.org
- DNS ASK 2q####fskf22qe1.top
- DNS ASK 29######qt9ih4v.hopto.org
- DNS ASK vv####dsjnj25i5.top
- DNS ASK 8j####glwi6ns92.top
- DNS ASK kq######qtph2l9.webhop.me
- DNS ASK vv######jnj25i5.webhop.me
- DNS ASK 29######qt9ih4v.webhop.me
- DNS ASK 29#######l2h4tv.bounceme.net
- DNS ASK 2n####9sk4l2o91.top
- DNS ASK vv######oij25i4.webhop.me
- DNS ASK 7n####9tqyweo91.top
- DNS ASK mq######9dlqt91.hopto.org
- DNS ASK 7x#######n5sjr3.ddnsking.com
- DNS ASK 29########2h4tv.freedynamicdns.org
- DNS ASK vv########uigi2.freedynamicdns.org
- DNS ASK 2q#######f22qe1.3utilities.com
- DNS ASK z8#######xt19zq.3utilities.com
- DNS ASK q9######qt9qh4v.myftp.org
- DNS ASK kq#######tph2l9.3utilities.com
- DNS ASK 2y####fskfl2qlo.top
- DNS ASK q9########9qh4v.freedynamicdns.org
- DNS ASK mq######9dlqt91.webhop.me
- DNS ASK 2q######kf22qe1.webhop.me
- DNS ASK 3w######htyeqow.myftp.org
- DNS ASK q9######qt9qh4v.gotdns.ch
- DNS ASK 2y#######t8iqlo.bounceme.net
- DNS ASK 2n######qywio91.hopto.org
- DNS ASK 0a######jtwkq21.gotdns.ch
- DNS ASK 29######el2h4tv.myftp.org
- DNS ASK kq######qtph2l9.hopto.org
- DNS ASK 2q######kf22qe1.gotdns.ch
- DNS ASK 8j######wi6ns92.hopto.org
- DNS ASK 29######el2h4tv.hopto.org
- DNS ASK 29#######t9ih4v.ddnsking.com
- DNS ASK ty#######t82qlo.ddnsking.com
- DNS ASK 7n######qyweo91.myftp.org
- DNS ASK 7n######qyweo91.hopto.org
- DNS ASK 0a######jtwkq21.hopto.org
- DNS ASK 2q####fskwl4qe1.cc
- DNS ASK z8####jqpxt19zq.top
- DNS ASK 8j######wi6ns92.myftp.org
- DNS ASK 2n#######4l2o91.ddnsking.com
- DNS ASK vq######nzqtqe1.hopto.org
- DNS ASK 7n####9tqyweo91.cc
- DNS ASK 3w######htyeqow.webhop.me
- DNS ASK 29########9ih4v.freedynamicdns.org
- DNS ASK 2q#######f22qe1.bounceme.net
- DNS ASK mq#######dlqt91.bounceme.net
- DNS ASK ty######ht82qlo.webhop.me
- DNS ASK 2n########l2o91.freedynamicdns.org
- DNS ASK vv####dsjnj25i5.cc
- DNS ASK 8j########6ns92.freedynamicdns.org
- DNS ASK 7x#######n5sjr3.3utilities.com
- DNS ASK 2y######ht8iqlo.gotdns.ch
- DNS ASK 2n####9uqywio91.cc
- DNS ASK ww#######yui3s1.3utilities.com
- DNS ASK 2n#######4l2o91.bounceme.net
- DNS ASK 2q######kwl4qe1.webhop.me
- DNS ASK 7n#######yweo91.bounceme.net
- DNS ASK 29#######t9ih4v.3utilities.com
- DNS ASK ty#######t82qlo.3utilities.com
- DNS ASK vv#######nj25i5.ddnsking.com
- DNS ASK vv######oij25i4.myftp.org
- DNS ASK vv####u9oij25i4.cc
- DNS ASK ww#######yui3s1.ddnsking.com
- DNS ASK vq#######zqtqe1.bounceme.net
- DNS ASK q9####jfqt9qh4v.top
- DNS ASK 7x######tn5sjr3.webhop.me
- DNS ASK 2y######kfl2qlo.gotdns.ch
- DNS ASK 2q####fskwl4qe1.top
- DNS ASK z8######pxt19zq.hopto.org
- DNS ASK xq######qtwe81v.hopto.org
- DNS ASK 2n########wio91.freedynamicdns.org
- DNS ASK ty#######t82qlo.bounceme.net
- DNS ASK 2q####fskf22qe1.cc
- DNS ASK 7n#######yweo91.3utilities.com
- DNS ASK 7x########5sjr3.freedynamicdns.org
- DNS ASK 2q#######f22qe1.ddnsking.com
- DNS ASK 2y#######t8iqlo.ddnsking.com
- DNS ASK mq######9dlqt91.gotdns.ch
- DNS ASK ww######gyui3s1.webhop.me
- DNS ASK 0a########wkq21.freedynamicdns.org
- DNS ASK 29####juqt9ih4v.top
- DNS ASK 2q#######wl4qe1.ddnsking.com
- DNS ASK 2y######ht8iqlo.myftp.org
- DNS ASK 7n########weo91.freedynamicdns.org
- DNS ASK 2y#######fl2qlo.3utilities.com
- DNS ASK vq#######zqtqe1.3utilities.com
- DNS ASK 2n######qywio91.webhop.me
- DNS ASK 2y####fuht8iqlo.top
- DNS ASK vv######jnj25i5.hopto.org
- DNS ASK vv######jnj25i5.gotdns.ch
- DNS ASK 29#######l2h4tv.3utilities.com
- DNS ASK vv####u9oij25i4.top
- DNS ASK q9#######t9qh4v.bounceme.net
- DNS ASK xq########we81v.freedynamicdns.org
- DNS ASK q9####jfqt9qh4v.cc
- DNS ASK ww#######yui3s1.bounceme.net
- DNS ASK 3w####2qhtyeqow.cc
- DNS ASK 91######nqtphj2.gotdns.ch
- DNS ASK 0a######jtwkq21.webhop.me
- DNS ASK 29####jsel2h4tv.top
- DNS ASK vv########j25i4.freedynamicdns.org
- DNS ASK vv######oij25i4.hopto.org
- DNS ASK ty####fqht82qlo.cc
- DNS ASK z8#######xt19zq.bounceme.net
- DNS ASK ww####nwgyui3s1.cc
- DNS ASK 2y#######fl2qlo.ddnsking.com
- DNS ASK 2q######kf22qe1.hopto.org
Miscellaneous
Searches for the following windows
- ClassName: 'MouseZ' WindowName: 'Magellan MSWHEEL'
Creates and executes the following
- '%TEMP%\tmpeea6.tmp.exe'
- '%WINDIR%\syswow64\systemdiagnosticshost.exe'
- '%WINDIR%\media\mppr.exe'
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' –ExecutionPolicy Bypass Start-Process -FilePath '"%WINDIR%\TEMP\tmp73B2.tmp.exe"'
- '%WINDIR%\temp\tmp73b2.tmp.exe'
Executes the following
- '%WINDIR%\microsoft.net\framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @"%TEMP%\ck2xp5q4\ck2xp5q4.cmdline"
- '%WINDIR%\microsoft.net\framework64\v4.0.30319\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES3D24.tmp" "%TEMP%\CSCB8F9019B33E744B69E6E8ADCCBABCF3.TMP"
- '%WINDIR%\microsoft.net\framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @"%TEMP%\3aw5or1v\3aw5or1v.cmdline"
- '%WINDIR%\microsoft.net\framework64\v4.0.30319\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES4409.tmp" "%TEMP%\CSC5ACBA13089264703A547FBBB979396.TMP"
- '<SYSTEM32>\cmd.exe' /c schtasks /create /f /rl highest /tn "Launch Adobe CCXProcess" /tr "%WINDIR%\Media\mppr.exe" /sc onlogon & exit
- '<SYSTEM32>\schtasks.exe' /create /f /rl highest /tn "Launch Adobe CCXProcess" /tr "%WINDIR%\Media\mppr.exe" /sc onlogon
- '<SYSTEM32>\cmd.exe' /c schtasks /create /f /rl highest /tn "XCCProcess" /tr "%WINDIR%\INF\usbhub\usbperfsym.exe" /sc onlogon & exit
- '<SYSTEM32>\schtasks.exe' /create /f /rl highest /tn "XCCProcess" /tr "%WINDIR%\INF\usbhub\usbperfsym.exe" /sc onlogon
- '<SYSTEM32>\cmd.exe' /c schtasks /create /f /sc minute /rl highest /mo 2 /tn "Microsoft\Windows\Windows Update Listner" /tr "%WINDIR%\Media\mppr.exe" & exit
- '<SYSTEM32>\schtasks.exe' /create /f /sc minute /rl highest /mo 2 /tn "Microsoft\Windows\Windows Update Listner" /tr "%WINDIR%\Media\mppr.exe"
- '<SYSTEM32>\cmd.exe' /c schtasks /create /f /sc minute /rl highest /mo 5 /tn "Microsoft\Microsoft Launcher" /tr "%WINDIR%\InputMethod\SHARED\RC_ConnectedAccount.exe" & exit
- '<SYSTEM32>\schtasks.exe' /create /f /sc minute /rl highest /mo 5 /tn "Microsoft\Microsoft Launcher" /tr "%WINDIR%\InputMethod\SHARED\RC_ConnectedAccount.exe"
- '<SYSTEM32>\cmd.exe' /c sc query "System Diagnostics Host" & exit
- '<SYSTEM32>\sc.exe' query "System Diagnostics Host"
- '<SYSTEM32>\cmd.exe' /c sc create "System Diagnostics Host" binPath= "%WINDIR%\SysWOW64\SystemDiagnosticsHost.exe" obj= "LocalSystem" start= auto & exit
- '<SYSTEM32>\sc.exe' create "System Diagnostics Host" binPath= "%WINDIR%\SysWOW64\SystemDiagnosticsHost.exe" obj= "LocalSystem" start= auto
- '<SYSTEM32>\cmd.exe' /c sc description "System Diagnostics Host" "Monitors and manages system diagnostic tasks." & exit
- '<SYSTEM32>\sc.exe' description "System Diagnostics Host" "Monitors and manages system diagnostic tasks."
- '<SYSTEM32>\cmd.exe' /c sc start "System Diagnostics Host" & exit
- '<SYSTEM32>\sc.exe' start "System Diagnostics Host"
- '<SYSTEM32>\cmd.exe' /c netsh advfirewall firewall show rule name="XCCProcess" & exit
- '<SYSTEM32>\netsh.exe' advfirewall firewall show rule name="XCCProcess"
- '<SYSTEM32>\cmd.exe' /c netsh advfirewall firewall add rule name="XCCProcess" dir=in action=allow program="%WINDIR%\Media\mppr.exe" enable=yes & exit
- '<SYSTEM32>\cmd.exe' /c sc.exe create aswArPot.sys binPath= %WINDIR%\temp\aswArPot.bin type= kernel & exit
- '<SYSTEM32>\sc.exe' create aswArPot.sys binPath= %WINDIR%\temp\aswArPot.bin type= kernel
- '<SYSTEM32>\cmd.exe' /c sc.exe start aswArPot.sys & exit
- '<SYSTEM32>\sc.exe' start aswArPot.sys
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\n4gcktca.cos.bat""
- '<SYSTEM32>\timeout.exe' 8
- '<SYSTEM32>\cmd.exe' /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"%WINDIR%\TEMP\tmp73B2.tmp.exe"' & exit
- '%WINDIR%\syswow64\cmd.exe' /c schtasks /create /f /rl highest /tn "Microsoft\splwow" /tr "<SYSTEM32>\splwow32.exe" /sc onlogon & exit
- '%WINDIR%\syswow64\cmd.exe' /c schtasks /create /f /sc minute /rl highest /mo 5 /tn "Microsoft\sywi222" /tr "<SYSTEM32>\splwow32.exe" & exit
- '%WINDIR%\syswow64\cmd.exe' /c ""%WINDIR%\TEMP\ydtsv0bl.o4p.bat""
- '%WINDIR%\syswow64\schtasks.exe' /create /f /sc minute /rl highest /mo 5 /tn "Microsoft\sywi222" /tr "<SYSTEM32>\splwow32.exe"
- '%WINDIR%\syswow64\schtasks.exe' /create /f /rl highest /tn "Microsoft\splwow" /tr "<SYSTEM32>\splwow32.exe" /sc onlogon
- '%WINDIR%\syswow64\timeout.exe' 8
- '<SYSTEM32>\securityhealthservice.exe'
- '%WINDIR%\syswow64\cmd.exe' /c taskkill /im splwow32.exe /f
- '%WINDIR%\microsoft.net\framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @"%TEMP%\ck2xp5q4\ck2xp5q4.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v4.0.30319\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES3D24.tmp" "%TEMP%\CSCB8F9019B33E744B69E6E8ADCCBABCF3.TMP"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @"%TEMP%\3aw5or1v\3aw5or1v.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v4.0.30319\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES4409.tmp" "%TEMP%\CSC5ACBA13089264703A547FBBB979396.TMP"' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"%WINDIR%\TEMP\tmp73B2.tmp.exe"' & exit' (with hidden window)
