Technical Information
To ensure autorun and distribution
Creates or modifies the following files
- %APPDATA%\microsoft\windows\start menu\programs\startup\smartclock.lnk
- <SYSTEM32>\tasks\smart clock
Malicious functions
Creates and executes the following
- '' (downloaded from the Internet)
Reads files which store third party applications passwords
- %LOCALAPPDATA%\google\chrome\user data\default\login data
- %LOCALAPPDATA%\google\chrome\user data\default\cookies
- %LOCALAPPDATA%\google\chrome\user data\default\web data
- %APPDATA%\opera software\opera stable\login data
- %APPDATA%\mozilla\firefox\profiles.ini
Searches for windows to
detect analytical utilities:
- ClassName: 'OLLYDBG', WindowName: ''
- ClassName: 'GBDYLLO', WindowName: ''
- ClassName: 'pediy06', WindowName: ''
- ClassName: 'FilemonClass', WindowName: ''
- ClassName: '', WindowName: 'File Monitor - Sysinternals: www.sysinternals.com'
- ClassName: 'PROCMON_WINDOW_CLASS', WindowName: ''
- ClassName: '', WindowName: 'Process Monitor - Sysinternals: www.sysinternals.com'
- ClassName: 'RegmonClass', WindowName: ''
- ClassName: '', WindowName: 'Registry Monitor - Sysinternals: www.sysinternals.com'
Modifies file system
Creates the following files
- %TEMP%\nsl1f72.tmp\uac.dll
- %TEMP%\4chcnrhz\_files\_allforms_list.txt
- %TEMP%\4chcnrhz\files_\forms.txt
- %TEMP%\4chcnrhz\c5jmn.tmp-shm
- %TEMP%\4chcnrhz\_files\_cookies\mozilla_firefox.txt
- %TEMP%\4chcnrhz\files_\cookies\mozilla_firefox.txt
- %TEMP%\4chcnrhz\_files\_screen_desktop.jpeg
- %TEMP%\4chcnrhz\_files\_information.txt
- %TEMP%\4chcnrhz\files_\screenshot.jpg
- %TEMP%\4chcnrhz\files_\system_info.txt
- %TEMP%\4chcnrhz\gn6vvqpixqy7x.zip
- %TEMP%\4chcnrhz\zxdmpiog6ex1.zip
- %TEMP%\nsl1f72.tmp\nsexec.dll
- %TEMP%\hsfxmue.exe
- %TEMP%\gqlgrlix.exe
- %TEMP%\972.tmp
- %APPDATA%\smart clock\smartclock.exe
- %ALLUSERSPROFILE%\icgsdpoqe\8372422.txt
- %ALLUSERSPROFILE%\icgsdpoqe\files\_information.txt
- %ALLUSERSPROFILE%\icgsdpoqe\46173476.txt
- %TEMP%\4chcnrhz\fehs8.tmp
- %ALLUSERSPROFILE%\icgsdpoqe\nl_2020_09_20___20_41___uqvc_95.211.190.199.zip
- %TEMP%\4chcnrhz\c5jmn.tmp
- %TEMP%\4chcnrhz\_files\_cookies\opera.txt
- %ProgramFiles(x86)%\hieros\dd12.exe
- %ProgramFiles(x86)%\hieros\l12.exe
- %ProgramFiles(x86)%\hieros\i5.vbs
- %TEMP%\4chcnrhz\js64d.tmp
- %TEMP%\4chcnrhz\sige06.tmp
- %TEMP%\4chcnrhz\fndg.tmp
- %TEMP%\4chcnrhz\oxz4bg.tmp
- %TEMP%\4chcnrhz\uuqwvc.tmp
- %TEMP%\4chcnrhz\lraqah.tmp
- %TEMP%\4chcnrhz\bbnjsc.tmp
- %TEMP%\4chcnrhz\f1eo.tmp
- %TEMP%\4chcnrhz\qhsa.tmp
- %TEMP%\4chcnrhz\_files\_cookies\google_chrome.txt
- %TEMP%\4chcnrhz\files_\cookies\google_chrome.txt
- %TEMP%\4chcnrhz\_files\_allcookies_list.txt
- %TEMP%\4chcnrhz\files_\cookies.txt
- %TEMP%\4chcnrhz\f3whbd.tmp
- %TEMP%\4chcnrhz\bg3hg.tmp
- %TEMP%\4chcnrhz\867cu.tmp
- %TEMP%\4chcnrhz\files_\cookies\opera.txt
- %TEMP%\fgjjwbrget.exe
Deletes the following files
- %TEMP%\4chcnrhz\c5jmn.tmp-shm
- %TEMP%\hsfxmue.exe
- %ALLUSERSPROFILE%\icgsdpoqe\8372422.txt
- %ALLUSERSPROFILE%\icgsdpoqe\46173476.txt
- %ProgramFiles(x86)%\hieros\dd12.exe
- %TEMP%\4chcnrhz\_files\_cookies\opera.txt
- %TEMP%\4chcnrhz\uuqwvc.tmp
- %TEMP%\4chcnrhz\sige06.tmp
- %TEMP%\4chcnrhz\qhsa.tmp
- %TEMP%\4chcnrhz\oxz4bg.tmp
- %TEMP%\4chcnrhz\lraqah.tmp
- %TEMP%\nsl1f72.tmp\nsexec.dll
- %TEMP%\4chcnrhz\js64d.tmp
- %TEMP%\4chcnrhz\files_\forms.txt
- %TEMP%\4chcnrhz\files_\cookies.txt
- %TEMP%\4chcnrhz\files_\cookies\opera.txt
- %TEMP%\4chcnrhz\fehs8.tmp
- %TEMP%\4chcnrhz\f3whbd.tmp
- %TEMP%\4chcnrhz\f1eo.tmp
- %TEMP%\4chcnrhz\c5jmn.tmp
- %TEMP%\4chcnrhz\bg3hg.tmp
- %TEMP%\4chcnrhz\bbnjsc.tmp
- %TEMP%\4chcnrhz\867cu.tmp
- %TEMP%\4chcnrhz\fndg.tmp
- %TEMP%\nsl1f72.tmp\uac.dll
Network activity
TCP
HTTP GET requests
- http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt
- http://fu###rrr07.top/download.php?fi########
- http://fu###rrr07.top/downfiles/6.exe
- http://fu###rrr07.top/downfiles/4.exe
- http://ip##pi.com/json
- http://ip##pi.com/line
- http://su###nen.com/helka/trll.php
- http://eb#####adersoftware.com/ebook.exe
HTTP POST requests
- http://bi###yky04.top/index.php
- http://mo###ss02.top/index.php
UDP
- DNS ASK bi###yky04.top
- DNS ASK mo###ss02.top
- DNS ASK ip###ger.org
- DNS ASK microsoft.com
- DNS ASK fu###rrr07.top
- DNS ASK ip##pi.com
- DNS ASK 2n#.co
- DNS ASK su###nen.com
- DNS ASK eb#####adersoftware.com
- DNS ASK st####.rapidssl.com
Miscellaneous
Searches for the following windows
- ClassName: '18467-41' WindowName: ''
Creates and executes the following
- '%ProgramFiles(x86)%\hieros\dd12.exe'
- '%WINDIR%\syswow64\cscript.exe' "%ProgramFiles(x86)%\Hieros\i5.vbs" //e:vbscript //B //NOLOGO
- '%ProgramFiles(x86)%\hieros\l12.exe'
- '%TEMP%\hsfxmue.exe'
- '%TEMP%\gqlgrlix.exe'
- '%APPDATA%\smart clock\smartclock.exe'
- '%TEMP%\fgjjwbrget.exe'
- '%WINDIR%\syswow64\cmd.exe' /c rd /s /q %TEMP%\4chCnRHZ & timeout 2 & del /f /q "%ProgramFiles(x86)%\Hieros\dd12.exe"' (with hidden window)
- '%WINDIR%\syswow64\cscript.exe' "%ProgramFiles(x86)%\Hieros\i5.vbs" //e:vbscript //B //NOLOGO' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c start "" "%TEMP%\hsfxmue.exe"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c start "" "%TEMP%\gqlgrlix.exe"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c rd /s /q %ALLUSERSPROFILE%\icgsdpoqe & timeout 2 & del /f /q "%TEMP%\hsfxmue.exe"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c start "" "%TEMP%\fgjjwbrget.exe"' (with hidden window)
Executes the following
- '%WINDIR%\syswow64\cmd.exe' /c rd /s /q %TEMP%\4chCnRHZ & timeout 2 & del /f /q "%ProgramFiles(x86)%\Hieros\dd12.exe"
- '%WINDIR%\syswow64\timeout.exe' 2
- '%WINDIR%\syswow64\cmd.exe' /c start "" "%TEMP%\hsfxmue.exe"
- '%WINDIR%\syswow64\cmd.exe' /c start "" "%TEMP%\gqlgrlix.exe"
- '%WINDIR%\syswow64\cmd.exe' /c rd /s /q %ALLUSERSPROFILE%\icgsdpoqe & timeout 2 & del /f /q "%TEMP%\hsfxmue.exe"
- '%WINDIR%\syswow64\cmd.exe' /c start "" "%TEMP%\fgjjwbrget.exe"
