Technical Information
To ensure autorun and distribution
Sets the following service settings
- [HKLM\SYSTEM\CurrentControlSet\Services\Updater] 'Start' = '00000002'
- [HKLM\SYSTEM\CurrentControlSet\Services\Updater] 'ImagePath' = '%ALLUSERSPROFILE%\Watchdog\Updater.exe'
- [HKLM\SYSTEM\CurrentControlSet\Services\WinRing0_1_2_0] 'ImagePath' = '%WINDIR%\TEMP\mvjxvdgqnvpq.sys'
Creates the following services
- 'Updater' %ALLUSERSPROFILE%\Watchdog\Updater.exe
- 'WinRing0_1_2_0' %WINDIR%\TEMP\mvjxvdgqnvpq.sys
Malicious functions
To complicate detection of its presence in the operating system,
blocks the following features:
- Windows Event Logging
adds antivirus exclusion:
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Injects code into
the following system processes:
- <SYSTEM32>\conhost.exe
- <SYSTEM32>\svchost.exe
Modifies file system
Creates the following files
- %ALLUSERSPROFILE%\watchdog\updater.exe
- %WINDIR%\temp\__psscriptpolicytest_fv3mt5rk.epl.ps1
- %WINDIR%\temp\__psscriptpolicytest_5nfjwaqj.qfl.psm1
- %WINDIR%\temp\content\1264-2720-powershell.exe-06-44-32-225.dump
- %WINDIR%\temp\content\1264-2720-powershell.exe-06-44-32-479.dump
- %WINDIR%\temp\content\1264-2720-powershell.exe-06-44-32-580.dump
- %WINDIR%\temp\content\1264-2720-powershell.exe-06-44-32-749.dump
- %WINDIR%\temp\content\1264-2720-powershell.exe-06-44-32-812.dump
- %WINDIR%\temp\__psscriptpolicytest_wjjkuflw.vv4.ps1
- %WINDIR%\temp\__psscriptpolicytest_htzupgmu.gux.psm1
- %WINDIR%\temp\content\1264-2720-powershell.exe-06-44-32-950.dump
- %WINDIR%\temp\content\1264-2720-powershell.exe-06-44-32-981.dump
- %WINDIR%\temp\content\1264-2720-powershell.exe-06-44-33-028.dump
- %WINDIR%\temp\content\1264-2720-powershell.exe-06-44-33-113.dump
- %WINDIR%\temp\content\1264-2720-powershell.exe-06-44-33-267.dump
- %WINDIR%\temp\content\1264-2720-powershell.exe-06-44-33-377.dump
- %WINDIR%\temp\content\1264-2720-powershell.exe-06-44-33-499.dump
- %WINDIR%\temp\content\1264-2720-powershell.exe-06-44-33-530.dump
- %WINDIR%\temp\content\1264-2720-powershell.exe-06-44-33-552.dump
- %WINDIR%\temp\content\1264-2720-powershell.exe-06-44-33-583.dump
- %WINDIR%\temp\content\1264-2720-powershell.exe-06-44-33-615.dump
- %WINDIR%\temp\content\1264-2720-powershell.exe-06-44-33-646.dump
- %WINDIR%\temp\content\1264-2720-powershell.exe-06-44-33-684.dump
- %WINDIR%\temp\content\1264-2720-powershell.exe-06-44-34-123.dump
- %WINDIR%\temp\content\1264-2720-powershell.exe-06-44-34-177.dump
- %WINDIR%\temp\content\1264-2720-powershell.exe-06-44-34-208.dump
- %WINDIR%\temp\content\1264-2720-powershell.exe-06-44-34-255.dump
- %WINDIR%\temp\content\1264-2720-powershell.exe-06-44-34-277.dump
- %WINDIR%\temp\content\1264-2720-powershell.exe-06-44-34-324.dump
- <SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\powershell\startupprofiledata-noninteractive
- %WINDIR%\temp\mvjxvdgqnvpq.sys
Deletes following files that it created itself
- %WINDIR%\temp\__psscriptpolicytest_fv3mt5rk.epl.ps1
- %WINDIR%\temp\__psscriptpolicytest_5nfjwaqj.qfl.psm1
- %WINDIR%\temp\__psscriptpolicytest_wjjkuflw.vv4.ps1
- %WINDIR%\temp\__psscriptpolicytest_htzupgmu.gux.psm1
Network activity
Connects to
- 'po##.#ashvault.pro':80
- '17#.#49.63.22':80
- 'po##.#ashvault.pro':443
- 'mo######ler2k1.bplaced.net':80
TCP
HTTP GET requests
- http://17#.#49.63.22/config.json
HTTP POST requests
Other
- 'po##.#ashvault.pro':80
- 'po##.#ashvault.pro':443
UDP
- DNS ASK co##############e-chains.prod.autograph.services.mozaws.net
- DNS ASK po##.#ashvault.pro
- DNS ASK mo######ler2k1.bplaced.net
Miscellaneous
Creates and executes the following
- '%ALLUSERSPROFILE%\watchdog\updater.exe'
Executes the following
- '<SYSTEM32>\cmd.exe' /c wusa /uninstall /kb:890830 /quiet /norestart
- '<SYSTEM32>\powercfg.exe' /x -hibernate-timeout-ac 0
- '<SYSTEM32>\powercfg.exe' /x -hibernate-timeout-dc 0
- '<SYSTEM32>\powercfg.exe' /x -standby-timeout-ac 0
- '<SYSTEM32>\powercfg.exe' /x -standby-timeout-dc 0
- '<SYSTEM32>\sc.exe' delete "Updater"
- '<SYSTEM32>\sc.exe' create "Updater" binpath= "%ALLUSERSPROFILE%\Watchdog\Updater.exe" start= "auto"
- '<SYSTEM32>\wusa.exe' /uninstall /kb:890830 /quiet /norestart
- '<SYSTEM32>\sc.exe' stop eventlog
- '<SYSTEM32>\sc.exe' start "Updater"
- '<SYSTEM32>\svchost.exe'
