Technical Information
Malicious functions
Reads files which store third party applications passwords
- %APPDATA%\mozilla\firefox\profiles.ini
- %APPDATA%\mozilla\firefox\profiles\gn7ryp3k.default\signons.sqlite
- %LOCALAPPDATA%\google\chrome\user data\default\login data
- %APPDATA%\opera software\opera stable\login data
- %HOMEPATH%\desktop\508softwareandos.doc
- %HOMEPATH%\desktop\fi51.doc
- %HOMEPATH%\desktop\file_p_00000000_1371597592.docx
- %HOMEPATH%\desktop\hadac_newsletter_july_2010_final.docx
Modifies file system
Creates the following files
- %TEMP%\avg_antivirus_free_setup.exe
- %APPDATA%\sss\508softwareandos.doc
- %APPDATA%\sss\fi51.doc
- %APPDATA%\sss\file_p_00000000_1371597592.docx
- %APPDATA%\sss\hadac_newsletter_july_2010_final.docx
- %APPDATA%\sss\chromesetup.exe
- %APPDATA%\sss\chromesetup.exe\:zone.identifier:$data
- %APPDATA%\sss\icq_rfrset.exe
- %APPDATA%\sss\icq_rfrset.exe\:zone.identifier:$data
- %APPDATA%\sss\jre-8u45-windows-x64.exe
- %APPDATA%\sss\jre-8u45-windows-x64.exe\:zone.identifier:$data
- %APPDATA%\sss\k-lite_codec_pack_1110_mega.exe
- %APPDATA%\sss\k-lite_codec_pack_1110_mega.exe\:zone.identifier:$data
- %APPDATA%\sss\k-lite_codec_pack_1110_mega_dlm.exe
- %APPDATA%\sss\k-lite_codec_pack_1110_mega_dlm.exe\:zone.identifier:$data
- %APPDATA%\sss\magent_rfrset.exe
- %APPDATA%\sss\magent_rfrset.exe\:zone.identifier:$data
- %APPDATA%\sss\mirc741.exe
- %APPDATA%\sss\mirc741.exe\:zone.identifier:$data
- %APPDATA%\sss\opera_ni_stable.exe
- %APPDATA%\sss\opera_ni_stable.exe\:zone.identifier:$data
- %APPDATA%\sss\pidgin-2.10.11.exe
- %APPDATA%\sss\pidgin-2.10.11.exe\:zone.identifier:$data
- %APPDATA%\sss\steamsetup.exe
- %APPDATA%\sss\steamsetup.exe\:zone.identifier:$data
- %APPDATA%\sss\tcmd851ax64.exe
- %APPDATA%\sss\tcmd851ax64.exe\:zone.identifier:$data
- %APPDATA%\sss\thunderbird setup 31.6.0.exe
- %APPDATA%\sss\thunderbird setup 31.6.0.exe\:zone.identifier:$data
- %APPDATA%\sss\winamp5666_full_all.exe
- %APPDATA%\pass.txt
- %APPDATA%\sss\winamp5666_full_all.exe\:zone.identifier:$data
- %TEMP%\vetoaqckc
- %TEMP%\exjkmfwaomp
- %TEMP%\joined.vmp.sfx.exe
- %TEMP%\kts21.3.10.391ru_26487.exe
- %TEMP%\joined.vmp.exe
- %TEMP%\ss.exe
- %TEMP%\sss.exe
- %TEMP%\start.bat
- %TEMP%\start.vbs
- %TEMP%\_mei22842\msvcr90.dll
- %TEMP%\_mei22842\_ctypes.pyd
- %TEMP%\_mei22842\_elementtree.pyd
- %TEMP%\_mei22842\_hashlib.pyd
- %TEMP%\_mei22842\_multiprocessing.pyd
- %TEMP%\_mei22842\_socket.pyd
- %TEMP%\_mei22842\_sqlite3.pyd
- %TEMP%\_mei22842\_ssl.pyd
- %TEMP%\_mei22842\bz2.pyd
- %TEMP%\_mei22842\lazagne.exe.manifest
- %TEMP%\_mei22842\msvcp100.dll
- %TEMP%\_mei22842\msvcr100.dll
- %TEMP%\_mei22842\pyexpat.pyd
- %TEMP%\_mei22842\python27.dll
- %TEMP%\_mei22842\pywintypes27.dll
- %TEMP%\_mei22842\select.pyd
- %TEMP%\_mei22842\sqlite3.dll
- %TEMP%\_mei22842\unicodedata.pyd
- %TEMP%\_mei22842\win32pipe.pyd
- %TEMP%\dfxwef
- %TEMP%\bngotnwx
- %TEMP%\mznxowilhgt
- %TEMP%\qkbssggsn
- %TEMP%\python39.dll
Sets the 'hidden' attribute to the following files
- %TEMP%\ss.exe
- %TEMP%\sss.exe
- %TEMP%\start.bat
- %TEMP%\start.vbs
- %TEMP%\python39.dll
Deletes the following files
- %TEMP%\joined.vmp.exe
- %TEMP%\_mei22842\_socket.pyd
- %TEMP%\_mei22842\_multiprocessing.pyd
- %TEMP%\_mei22842\_hashlib.pyd
- %TEMP%\_mei22842\_elementtree.pyd
- %TEMP%\_mei22842\_ctypes.pyd
- %TEMP%\_mei22842\win32pipe.pyd
- %TEMP%\_mei22842\unicodedata.pyd
- %TEMP%\_mei22842\sqlite3.dll
- %TEMP%\_mei22842\select.pyd
- %TEMP%\_mei22842\pywintypes27.dll
- %TEMP%\_mei22842\python27.dll
- %TEMP%\_mei22842\pyexpat.pyd
- %TEMP%\_mei22842\msvcr90.dll
- %TEMP%\_mei22842\msvcr100.dll
- %TEMP%\_mei22842\msvcp100.dll
- %TEMP%\_mei22842\lazagne.exe.manifest
- %TEMP%\_mei22842\bz2.pyd
- %TEMP%\vetoaqckc
- %TEMP%\qkbssggsn
- %TEMP%\exjkmfwaomp
- %TEMP%\mznxowilhgt
- %TEMP%\bngotnwx
- %TEMP%\dfxwef
- %TEMP%\_mei22842\_sqlite3.pyd
- %TEMP%\_mei22842\_ssl.pyd
Miscellaneous
Searches for the following windows
- ClassName: 'EDIT' WindowName: ''
Creates and executes the following
- '%TEMP%\joined.vmp.sfx.exe'
- '%TEMP%\joined.vmp.exe'
- '%WINDIR%\syswow64\wscript.exe' "%TEMP%\start.vbs"
- '%TEMP%\ss.exe' browsers
- '%TEMP%\sss.exe'
- '%WINDIR%\syswow64\wscript.exe' "%TEMP%\start.vbs"' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c del "%TEMP%\joined.vmp.exe" >> NUL' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c ""%TEMP%\start.bat" "' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c "reg.exe save hklm\security %TEMP%\bngotnwx"' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c "reg.exe save hklm\system %TEMP%\mznxowilhgt"' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c "reg.exe save hklm\sam %TEMP%\exjkmfwaomp"' (with hidden window)
Executes the following
- '%WINDIR%\syswow64\cmd.exe' /c del "%TEMP%\joined.vmp.exe" >> NUL
- '%WINDIR%\syswow64\cmd.exe' /c ""%TEMP%\start.bat" "
- '<SYSTEM32>\cmd.exe' /c "reg.exe save hklm\security %TEMP%\bngotnwx"
- '<SYSTEM32>\reg.exe' save hklm\security %TEMP%\bngotnwx
- '<SYSTEM32>\cmd.exe' /c "reg.exe save hklm\system %TEMP%\mznxowilhgt"
- '<SYSTEM32>\reg.exe' save hklm\system %TEMP%\mznxowilhgt
- '<SYSTEM32>\cmd.exe' /c "reg.exe save hklm\sam %TEMP%\exjkmfwaomp"
- '<SYSTEM32>\reg.exe' save hklm\sam %TEMP%\exjkmfwaomp
