Technical Information
To ensure autorun and distribution
Creates or modifies the following files
- <SYSTEM32>\tasks\npcapwatchdog
Sets the following service settings
- [<HKLM>\System\CurrentControlSet\Services\npcap] 'ImagePath' = 'system32\DRIVERS\npcap.sys'
- [<HKLM>\SYSTEM\CurrentControlSet\Services\npcap] 'Start' = '00000001'
- [<HKLM>\System\CurrentControlSet\Services\rumble-agent-6cbab6eb-90b1-4d9d-93b2-e8265b2439c9] 'Start' = '00000002'
- [<HKLM>\System\CurrentControlSet\Services\rumble-agent-6cbab6eb-90b1-4d9d-93b2-e8265b2439c9] 'ImagePath' = '"%ProgramFiles%\Rumble\rumble-agent-6cbab6eb-90b1-4d9d-93b2-e8265b2439c9-aeae8ce24d16...
Creates the following services
- 'npcap' system32\DRIVERS\npcap.sys
- 'rumble-agent-6cbab6eb-90b1-4d9d-93b2-e8265b2439c9' "%ProgramFiles%\Rumble\rumble-agent-6cbab6eb-90b1-4d9d-93b2-e8265b2439c9-aeae8ce24d16f289-1.9.1.exe"
- 'rumble-agent-6cbab6eb-90b1-4d9d-93b2-e8265b2439c9' %ProgramFiles%\Rumble\rumble-agent-6cbab6eb-90b1-4d9d-93b2-e8265b2439c9-aeae8ce24d16f289-1.9.1.exe
Malicious functions
Executes the following
- '<SYSTEM32>\taskkill.exe' /F /IM rumble-agent-6cbab6eb-90b1-4d9d-93b2-e8265b2439c9-aeae8ce24d16f289-1.9.1.exe
- '<SYSTEM32>\taskkill.exe' /F /FI "USERNAME eq NT AUTHORITY\SYSTEM" /FI "STATUS eq running" /FI "ImageName eq Chrome.exe"
Modifies file system
Creates the following files
- %LOCALAPPDATA%\.rumble\6cbab6eb-90b1-4d9d-93b2-e8265b2439c9.agentid
- <SYSTEM32>\wlanhelper.exe
- <SYSTEM32>\npcap\wpcap.dll
- <SYSTEM32>\npcap\packet.dll
- <SYSTEM32>\npcap\npcaphelper.exe
- <SYSTEM32>\npcap\wlanhelper.exe
- %TEMP%\nswe0de.tmp\insecure-ev.cer
- %TEMP%\nswe0de.tmp\insecure-ev-sha1.cer
- %WINDIR%\inf\oem0.pnf
- %WINDIR%\inf\oem1.pnf
- %TEMP%\{7d22f008-a2a5-7633-1a64-ae37fbdd5919}\set934.tmp
- %TEMP%\{7d22f008-a2a5-7633-1a64-ae37fbdd5919}\seta5e.tmp
- %TEMP%\{7d22f008-a2a5-7633-1a64-ae37fbdd5919}\setba7.tmp
- %ProgramFiles%\npcap\diagreport.ps1
- <SYSTEM32>\catroot\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\oem2.cat
- <DRIVERS>\set37b7.tmp
- %WINDIR%\temp\udd3da2.tmp
- %ProgramFiles%\npcap\checkstatus.bat
- %ProgramFiles%\rumble\rumble-agent-6cbab6eb-90b1-4d9d-93b2-e8265b2439c9.log
- %WINDIR%\temp\cabc33d.tmp
- %WINDIR%\temp\tarc33e.tmp
- %WINDIR%\temp\cabc34f.tmp
- %WINDIR%\temp\tarc350.tmp
- %WINDIR%\temp\cabd94a.tmp
- %WINDIR%\temp\tard94b.tmp
- %WINDIR%\temp\cabf010.tmp
- %WINDIR%\temp\tarf011.tmp
- <SYSTEM32>\packet.dll
- <SYSTEM32>\npcaphelper.exe
- <SYSTEM32>\wpcap.dll
- %WINDIR%\syswow64\npcap\wlanhelper.exe
- %WINDIR%\syswow64\npcap\npcaphelper.exe
- %ProgramFiles%\rumble\rumble-agent-6cbab6eb-90b1-4d9d-93b2-e8265b2439c9-aeae8ce24d16f289-1.9.1.exe
- %TEMP%\npcap-oem-805735091.exe
- %TEMP%\nsre0be.tmp
- %TEMP%\nswe0de.tmp\options.ini
- %TEMP%\nswe0de.tmp\final.ini
- %TEMP%\nswe0de.tmp\system.dll
- %ProgramFiles%\npcap\install.log
- %TEMP%\nswe0de.tmp\simplesc.dll
- %TEMP%\nswe0de.tmp\npfinstall.exe
- %TEMP%\nswe0de.tmp\nsexec.dll
- %ProgramFiles%\npcap\npfinstall.log
- %ProgramFiles%\npcap\license
- %WINDIR%\temp\cab5fb.tmp
- %WINDIR%\inf\oem2.pnf
- %ProgramFiles%\npcap\diagreport.bat
- %ProgramFiles%\npcap\uninstall.exe
- %ProgramFiles%\npcap\npfinstall.exe
- %ProgramFiles%\npcap\npcap.sys
- %ProgramFiles%\npcap\npcap.cat
- %ProgramFiles%\npcap\npcap.inf
- %ProgramFiles%\npcap\npcap_wfp.inf
- %WINDIR%\syswow64\wpcap.dll
- %WINDIR%\syswow64\packet.dll
- %WINDIR%\syswow64\npcaphelper.exe
- %WINDIR%\syswow64\wlanhelper.exe
- %WINDIR%\syswow64\npcap\wpcap.dll
- %WINDIR%\syswow64\npcap\packet.dll
- nul
- %ProgramFiles%\npcap\fixinstall.bat
- %WINDIR%\temp\tar5fc.tmp
Sets the 'hidden' attribute to the following files
- <SYSTEM32>\catroot\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\oem2.cat
Deletes the following files
- %TEMP%\nswe0de.tmp\insecure-ev.cer
- %WINDIR%\temp\tarf011.tmp
- %WINDIR%\temp\cabf010.tmp
- %WINDIR%\temp\tard94b.tmp
- %WINDIR%\temp\cabd94a.tmp
- %WINDIR%\temp\tarc350.tmp
- %WINDIR%\temp\cabc34f.tmp
- %WINDIR%\temp\tarc33e.tmp
- %WINDIR%\temp\cabc33d.tmp
- %ProgramFiles%\rumble\rumble-agent-6cbab6eb-90b1-4d9d-93b2-e8265b2439c9-aeae8ce24d16f289-1.9.1.exe
- %TEMP%\npcap-oem-805735091.exe
- %TEMP%\nswe0de.tmp\system.dll
- %TEMP%\nswe0de.tmp\simplesc.dll
- %TEMP%\nswe0de.tmp\options.ini
- %TEMP%\nswe0de.tmp\nsexec.dll
- %TEMP%\nswe0de.tmp\npfinstall.exe
- %TEMP%\nswe0de.tmp\final.ini
- %WINDIR%\temp\udd3da2.tmp
- %TEMP%\{7d22f008-a2a5-7633-1a64-ae37fbdd5919}\npcap.sys
- %TEMP%\{7d22f008-a2a5-7633-1a64-ae37fbdd5919}\npcap.inf
- %TEMP%\{7d22f008-a2a5-7633-1a64-ae37fbdd5919}\npcap.cat
- %TEMP%\nswe0de.tmp\insecure-ev-sha1.cer
- %WINDIR%\temp\cab5fb.tmp
- %WINDIR%\temp\tar5fc.tmp
Moves the following files
- from %TEMP%\{7d22f008-a2a5-7633-1a64-ae37fbdd5919}\set934.tmp to %TEMP%\{7d22f008-a2a5-7633-1a64-ae37fbdd5919}\npcap.cat
- from %TEMP%\{7d22f008-a2a5-7633-1a64-ae37fbdd5919}\seta5e.tmp to %TEMP%\{7d22f008-a2a5-7633-1a64-ae37fbdd5919}\npcap.inf
- from %TEMP%\{7d22f008-a2a5-7633-1a64-ae37fbdd5919}\setba7.tmp to %TEMP%\{7d22f008-a2a5-7633-1a64-ae37fbdd5919}\npcap.sys
- from <DRIVERS>\set37b7.tmp to <DRIVERS>\npcap.sys
Network activity
TCP
HTTP GET requests
- http://x.##2.us/x.cer
- http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt
UDP
- DNS ASK hu#.#umble.run
- DNS ASK x.##2.us
- DNS ASK microsoft.com
Miscellaneous
Searches for the following windows
- ClassName: '' WindowName: ''
Creates and executes the following
- '%TEMP%\npcap-oem-805735091.exe' "/S /npf_startup=yes /loopback_support=yes /dlt_null=no /admin_only=yes /dot11_support=yes /vlan_support=yes /winpcap_mode=no"
- '%TEMP%\nswe0de.tmp\npfinstall.exe' -n -check_dll
- '%ProgramFiles%\npcap\npfinstall.exe' -n -c
- '%ProgramFiles%\npcap\npfinstall.exe' -n -iw
- '%ProgramFiles%\npcap\npfinstall.exe' -n -i
- '%ProgramFiles%\rumble\rumble-agent-6cbab6eb-90b1-4d9d-93b2-e8265b2439c9-aeae8ce24d16f289-1.9.1.exe'
- '%TEMP%\npcap-oem-805735091.exe' "/S /npf_startup=yes /loopback_support=yes /dlt_null=no /admin_only=yes /dot11_support=yes /vlan_support=yes /winpcap_mode=no"' (with hidden window)
- '%TEMP%\nswe0de.tmp\npfinstall.exe' -n -check_dll' (with hidden window)
- '%WINDIR%\syswow64\certutil.exe' -addstore -f "TrustedPublisher" "%TEMP%\nswE0DE.tmp\Insecure-EV.cer"' (with hidden window)
- '%WINDIR%\syswow64\certutil.exe' -addstore -f "TrustedPublisher" "%TEMP%\nswE0DE.tmp\Insecure-EV-sha1.cer"' (with hidden window)
- '%ProgramFiles%\npcap\npfinstall.exe' -n -c' (with hidden window)
- '<SYSTEM32>\pnputil.exe' -e' (with hidden window)
- '%ProgramFiles%\npcap\npfinstall.exe' -n -iw' (with hidden window)
- '%ProgramFiles%\npcap\npfinstall.exe' -n -i' (with hidden window)
- '%WINDIR%\syswow64\schtasks.exe' /Create /F /RU SYSTEM /SC ONSTART /TN npcapwatchdog /TR "'%ProgramFiles%\Npcap\CheckStatus.bat'" /NP' (with hidden window)
Executes the following
- '<SYSTEM32>\cmd.exe' /c "taskkill /F /IM rumble-agent-6cbab6eb-90b1-4d9d-93b2-e8265b2439c9-aeae8ce24d16f289-1.9.1.exe 2>NUL"
- '%WINDIR%\syswow64\certutil.exe' -addstore -f "TrustedPublisher" "%TEMP%\nswE0DE.tmp\Insecure-EV.cer"
- '%WINDIR%\syswow64\certutil.exe' -addstore -f "TrustedPublisher" "%TEMP%\nswE0DE.tmp\Insecure-EV-sha1.cer"
- '<SYSTEM32>\pnputil.exe' -e
- '%WINDIR%\syswow64\schtasks.exe' /Create /F /RU SYSTEM /SC ONSTART /TN npcapwatchdog /TR "'%ProgramFiles%\Npcap\CheckStatus.bat'" /NP
- '<SYSTEM32>\cmd.exe' /c taskkill /F /FI "USERNAME eq NT AUTHORITY\SYSTEM" /FI "STATUS eq running" /FI "ImageName eq Chrome.exe"
