Technical Information
Malicious functions
Executes the following
- '<SYSTEM32>\net.exe' stop FACEIT
- '<SYSTEM32>\net.exe' stop ESEADriver2
- '<SYSTEM32>\taskkill.exe' /f /im HTTPDebuggerUI.exe
- '<SYSTEM32>\taskkill.exe' /f /im HTTPDebuggerSvc.exe
- '<SYSTEM32>\taskkill.exe' /FI "IMAGENAME eq cheatengine*" /IM * /F /T
- '<SYSTEM32>\taskkill.exe' /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
- '<SYSTEM32>\taskkill.exe' /FI "IMAGENAME eq processhacker*" /IM * /F /T
- '<SYSTEM32>\taskkill.exe' /FI "IMAGENAME eq fiddler*" /IM * /F /T
- '<SYSTEM32>\taskkill.exe' /FI "IMAGENAME eq wireshark*" /IM * /F /T
- '<SYSTEM32>\taskkill.exe' /FI "IMAGENAME eq rawshark*" /IM * /F /T
- '<SYSTEM32>\taskkill.exe' /FI "IMAGENAME eq charles*" /IM * /F /T
- '<SYSTEM32>\taskkill.exe' /FI "IMAGENAME eq ida*" /IM * /F /T
- '<SYSTEM32>\taskkill.exe' /f /im Ida64.exe
- '<SYSTEM32>\taskkill.exe' /f /im OllyDbg.exe
- '<SYSTEM32>\taskkill.exe' /f /im Dbg64.exe
- '<SYSTEM32>\taskkill.exe' /f /im Dbg32.exe
Searches for windows to
detect analytical utilities:
- ClassName: '', WindowName: 'The Wireshark Network Analyzer'
Modifies file system
Creates the following files
- nul
Network activity
Connects to
- 'localhost':49175
- 'localhost':49177
TCP
Other
- 'localhost':49175
- 'localhost':49177
- 'localhost':49178
UDP
- DNS ASK ke##uth.uk
Miscellaneous
Searches for the following windows
- ClassName: '' WindowName: 'Resource Monitor'
- ClassName: '' WindowName: 'Process Hacker 2'
- ClassName: '' WindowName: 'Process Hacker'
- ClassName: '' WindowName: 'HTTP Debugger Pro'
- ClassName: '' WindowName: 'Ida Freeware'
- ClassName: '' WindowName: 'Ida Pro'
- ClassName: '' WindowName: 'Ida'
- ClassName: '' WindowName: 'Cheat Engine 7.6'
- ClassName: '' WindowName: 'Cheat Engine 7.5'
- ClassName: '' WindowName: 'Cheat Engine 7.4'
- ClassName: '' WindowName: 'Cheat Engine 7.3'
- ClassName: '' WindowName: 'OllyDbg'
- ClassName: '' WindowName: 'Cheat Engine 6.9'
- ClassName: '' WindowName: 'Cheat Engine 7.1'
- ClassName: '' WindowName: 'Cheat Engine 7.2'
- ClassName: '' WindowName: 'HxD'
- ClassName: '' WindowName: 'BinaryNinja'
- ClassName: '' WindowName: 'FolderChangesView'
- ClassName: '' WindowName: 'dnSpy'
- ClassName: '' WindowName: 'x64dbg'
- ClassName: '' WindowName: 'HTTP Debugger'
- ClassName: '' WindowName: 'Fiddler'
- ClassName: '' WindowName: 'Progress Telerik Fiddler Web Debugger'
- ClassName: '' WindowName: 'Cheat Engine 7.0'
- ClassName: '' WindowName: ''
Executes the following
- '<SYSTEM32>\cmd.exe' /c Color 5
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im OllyDbg.exe >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im Ida64.exe >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /FI "IMAGENAME eq ida*" /IM * /F /T >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /FI "IMAGENAME eq charles*" /IM * /F /T >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
- '<SYSTEM32>\sc.exe' stop npf
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im Dbg64.exe >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c sc stop npf >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c sc stop wireshark >nul 2>&1
- '<SYSTEM32>\sc.exe' stop KProcessHacker1
- '<SYSTEM32>\cmd.exe' /c sc stop KProcessHacker1 >nul 2>&1
- '<SYSTEM32>\sc.exe' stop KProcessHacker2
- '<SYSTEM32>\cmd.exe' /c sc stop KProcessHacker2 >nul 2>&1
- '<SYSTEM32>\sc.exe' stop KProcessHacker3
- '<SYSTEM32>\cmd.exe' /c sc stop KProcessHacker3 >nul 2>&1
- '<SYSTEM32>\sc.exe' stop HTTPDebuggerPro
- '<SYSTEM32>\cmd.exe' /c sc stop HTTPDebuggerPro >nul 2>&1
- '<SYSTEM32>\net1.exe' stop ESEADriver2
- '<SYSTEM32>\cmd.exe' /c net stop ESEADriver2 >nul 2>&1
- '<SYSTEM32>\net1.exe' stop FACEIT
- '<SYSTEM32>\cmd.exe' /c net stop FACEIT >nul 2>&1
- '<SYSTEM32>\sc.exe' stop wireshark
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im Dbg32.exe >nul 2>&1
