Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'WigWaggM' = '%APPDATA%\SaHaks.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Userinit' = '%APPDATA%\SaHaks.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'WigWaggM' = '%APPDATA%\SaHaks.exe'
Creates the following files on removable media:
- <Drive name for removable media>:\noname.lnk
Malicious functions:
Creates and executes the following:
- %APPDATA%\SaHaks.exe
Executes the following:
- %WINDIR%\explorer.exe
Injects code into
the following system processes:
- <SYSTEM32>\svchost.exe
- %WINDIR%\Explorer.EXE
Hides the following processes:
- <Full path to virus>
- %APPDATA%\SaHaks.exe
Modifies file system :
Creates the following files:
- %TEMP%\windump.exe
- %APPDATA%\imm.dll
- %APPDATA%\SaHaks.exe
Sets the 'hidden' attribute to the following files:
- %APPDATA%\imm.dll
- %APPDATA%\SaHaks.exe
Network activity:
Connects to:
- '15#.#00.244.31':4444
- '12#.#2.95.30':4444
- '19#.#52.240.33':4444
- '16.##2.188.2':4444
- '22#.52.8.99':4444
- '16#.#13.25.101':4444
- '22#.#46.170.104':4444
- '12#.30.2.35':4444
- '15#.#9.217.94':4444
- '19#.#31.108.120':4444
- '77.##.164.21':4444
- '89.#6.72.92':4444
- '19#.#90.147.38':4444
- '23#.#24.165.191':4444
- '15#.#31.183.89':4444
- '55.##.245.200':4444
- 'ba####.kazeu.net':23232
- '17#.#02.216.108':4444
- '23#.#35.105.111':4444
- '<Private IP address>':80
- '<Private IP address>':445
- '<Private IP address>':139
- '13#.85.83.4':4444
- '17#.#0.250.113':4444
- 'ga#####g.lowerland.org':23232
- '20#.#9.82.45':4444
- '13.##2.227.47':4444
- '8.###.193.42':4444
- '89.#4.13.12':4444
- '22#.#22.69.40':4444
- '19#.#3.175.39':4444
UDP:
- DNS ASK ga#####g.lowerland.org
- DNS ASK ba####.kazeu.net
Miscellaneous:
Searches for the following windows:
- ClassName: '' WindowName: ''
- ClassName: 'Indicator' WindowName: ''
