Technical Information
To ensure autorun and distribution
Sets the following service settings
- [HKLM\SYSTEM\CurrentControlSet\Services\QHRAJGDI] 'Start' = '00000002'
- [HKLM\SYSTEM\CurrentControlSet\Services\QHRAJGDI] 'ImagePath' = '%ALLUSERSPROFILE%\nalfdgwigwyg\lhhsgwktkatl.exe'
- [HKLM\SYSTEM\CurrentControlSet\Services\WinRing0_1_2_0] 'ImagePath' = '%WINDIR%\TEMP\franupscsctb.sys'
Creates the following services
- 'QHRAJGDI' %ALLUSERSPROFILE%\nalfdgwigwyg\lhhsgwktkatl.exe
- 'WinRing0_1_2_0' %WINDIR%\TEMP\franupscsctb.sys
Malicious functions
To complicate detection of its presence in the operating system,
blocks the following features:
- Windows Event Logging
adds antivirus exclusion:
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Injects code into
the following system processes:
- <SYSTEM32>\conhost.exe
- <SYSTEM32>\nslookup.exe
Modifies file system
Creates the following files
- %ALLUSERSPROFILE%\nalfdgwigwyg\lhhsgwktkatl.exe
- %WINDIR%\temp\__psscriptpolicytest_rc3ddwei.2uh.ps1
- %WINDIR%\temp\__psscriptpolicytest_z023ewvs.fik.psm1
- %WINDIR%\temp\content\5208-3884-powershell.exe-07-46-04-403.dump
- %WINDIR%\temp\content\5208-3884-powershell.exe-07-46-04-653.dump
- %WINDIR%\temp\content\5208-3884-powershell.exe-07-46-04-738.dump
- %WINDIR%\temp\content\5208-3884-powershell.exe-07-46-04-886.dump
- %WINDIR%\temp\content\5208-3884-powershell.exe-07-46-04-923.dump
- %WINDIR%\temp\__psscriptpolicytest_olirxb4p.g4l.ps1
- %WINDIR%\temp\__psscriptpolicytest_42wsxp5f.kvo.psm1
- %WINDIR%\temp\content\5208-3884-powershell.exe-07-46-05-087.dump
- %WINDIR%\temp\content\5208-3884-powershell.exe-07-46-05-118.dump
- %WINDIR%\temp\content\5208-3884-powershell.exe-07-46-05-187.dump
- %WINDIR%\temp\content\5208-3884-powershell.exe-07-46-05-288.dump
- %WINDIR%\temp\content\5208-3884-powershell.exe-07-46-05-404.dump
- %WINDIR%\temp\content\5208-3884-powershell.exe-07-46-05-659.dump
- %WINDIR%\temp\content\5208-3884-powershell.exe-07-46-05-821.dump
- %WINDIR%\temp\content\5208-3884-powershell.exe-07-46-05-852.dump
- %WINDIR%\temp\content\5208-3884-powershell.exe-07-46-05-884.dump
- %WINDIR%\temp\content\5208-3884-powershell.exe-07-46-05-915.dump
- %WINDIR%\temp\content\5208-3884-powershell.exe-07-46-05-945.dump
- %WINDIR%\temp\content\5208-3884-powershell.exe-07-46-05-968.dump
- %WINDIR%\temp\content\5208-3884-powershell.exe-07-46-06-000.dump
- %WINDIR%\temp\content\5208-3884-powershell.exe-07-46-06-399.dump
- %WINDIR%\temp\content\5208-3884-powershell.exe-07-46-06-468.dump
- %WINDIR%\temp\content\5208-3884-powershell.exe-07-46-06-499.dump
- %WINDIR%\temp\content\5208-3884-powershell.exe-07-46-06-537.dump
- %WINDIR%\temp\content\5208-3884-powershell.exe-07-46-06-568.dump
- %WINDIR%\temp\content\5208-3884-powershell.exe-07-46-06-650.dump
- <SYSTEM32>\config\systemprofile\appdata\local\microsoft\windows\powershell\startupprofiledata-noninteractive
- %WINDIR%\temp\franupscsctb.sys
Deletes following files that it created itself
- %WINDIR%\temp\__psscriptpolicytest_rc3ddwei.2uh.ps1
- %WINDIR%\temp\__psscriptpolicytest_z023ewvs.fik.psm1
- %WINDIR%\temp\__psscriptpolicytest_olirxb4p.g4l.ps1
- %WINDIR%\temp\__psscriptpolicytest_42wsxp5f.kvo.psm1
Network activity
Connects to
- 'eu#####.#iningrigrentals.com':3333
- '64.##8.79.242':80
TCP
HTTP POST requests
Other
- 'eu#####.#iningrigrentals.com':3333
UDP
- DNS ASK eu#####.#iningrigrentals.com
Miscellaneous
Creates and executes the following
- '%ALLUSERSPROFILE%\nalfdgwigwyg\lhhsgwktkatl.exe'
Executes the following
- '<SYSTEM32>\cmd.exe' /c wusa /uninstall /kb:890830 /quiet /norestart
- '<SYSTEM32>\sc.exe' stop UsoSvc
- '<SYSTEM32>\sc.exe' stop WaaSMedicSvc
- '<SYSTEM32>\wusa.exe' /uninstall /kb:890830 /quiet /norestart
- '<SYSTEM32>\sc.exe' stop wuauserv
- '<SYSTEM32>\sc.exe' stop bits
- '<SYSTEM32>\sc.exe' stop dosvc
- '<SYSTEM32>\powercfg.exe' /x -hibernate-timeout-ac 0
- '<SYSTEM32>\powercfg.exe' /x -hibernate-timeout-dc 0
- '<SYSTEM32>\powercfg.exe' /x -standby-timeout-ac 0
- '<SYSTEM32>\powercfg.exe' /x -standby-timeout-dc 0
- '<SYSTEM32>\sc.exe' delete "QHRAJGDI"
- '<SYSTEM32>\sc.exe' create "QHRAJGDI" binpath= "%ALLUSERSPROFILE%\nalfdgwigwyg\lhhsgwktkatl.exe" start= "auto"
- '<SYSTEM32>\sc.exe' stop eventlog
- '<SYSTEM32>\sc.exe' start "QHRAJGDI"
- '<SYSTEM32>\conhost.exe'
- '<SYSTEM32>\nslookup.exe'
