Technical Information
To ensure autorun and distribution
Creates or modifies the following files
- <SYSTEM32>\tasks\microsoftedgeupdate
Malicious functions
To complicate detection of its presence in the operating system,
blocks execution of the following system utilities:
- Windows Task Manager (Taskmgr)
Terminates or attempts to terminate
the following user processes:
- firefox.exe
Modifies file system
Creates the following files
- %TEMP%\_mei35042\crypto\cipher\_arc4.pyd
- %TEMP%\_mei35042\crypto\cipher\_salsa20.pyd
- %TEMP%\_mei35042\crypto\cipher\_chacha20.pyd
- %TEMP%\_mei35042\crypto\cipher\_pkcs1_decode.pyd
- %TEMP%\_mei35042\crypto\cipher\_raw_aes.pyd
- %TEMP%\_mei35042\crypto\cipher\_raw_aesni.pyd
- %TEMP%\_mei35042\crypto\cipher\_raw_arc2.pyd
- %TEMP%\_mei35042\crypto\cipher\_raw_blowfish.pyd
- %TEMP%\_mei35042\crypto\cipher\_raw_cast.pyd
- %TEMP%\_mei35042\crypto\cipher\_raw_cbc.pyd
- %TEMP%\_mei35042\crypto\cipher\_raw_cfb.pyd
- %TEMP%\_mei35042\crypto\cipher\_raw_ctr.pyd
- %TEMP%\_mei35042\crypto\cipher\_raw_des.pyd
- %TEMP%\_mei35042\crypto\cipher\_raw_des3.pyd
- %TEMP%\_mei35042\crypto\cipher\_raw_ecb.pyd
- %TEMP%\_mei35042\crypto\cipher\_raw_eksblowfish.pyd
- %TEMP%\_mei35042\crypto\cipher\_raw_ocb.pyd
- %TEMP%\_mei35042\crypto\cipher\_raw_ofb.pyd
- %TEMP%\_mei35042\crypto\hash\_blake2b.pyd
- %TEMP%\_mei35042\crypto\hash\_blake2s.pyd
- %TEMP%\_mei35042\crypto\hash\_md2.pyd
- %TEMP%\_mei35042\crypto\hash\_md4.pyd
- %TEMP%\_mei35042\crypto\hash\_md5.pyd
- %TEMP%\_mei35042\crypto\hash\_ripemd160.pyd
- %TEMP%\_mei35042\crypto\hash\_sha1.pyd
- %TEMP%\_mei35042\crypto\hash\_sha224.pyd
- %TEMP%\_mei35042\crypto\hash\_sha256.pyd
- %TEMP%\_mei35042\crypto\hash\_sha384.pyd
- %TEMP%\_mei35042\crypto\hash\_sha512.pyd
- %TEMP%\_mei35042\crypto\hash\_ghash_clmul.pyd
- %TEMP%\_mei35042\crypto\hash\_ghash_portable.pyd
- %TEMP%\_mei35042\crypto\hash\_keccak.pyd
- %TEMP%\_mei35042\crypto\hash\_poly1305.pyd
- %TEMP%\_mei35042\crypto\math\_modexp.pyd
- %TEMP%\_mei35042\crypto\protocol\_scrypt.pyd
- %TEMP%\_mei35042\crypto\publickey\_curve25519.pyd
- %TEMP%\_mei35042\crypto\publickey\_curve448.pyd
- %TEMP%\_mei35042\crypto\publickey\_ec_ws.pyd
- %TEMP%\_mei35042\crypto\publickey\_ed25519.pyd
- %TEMP%\_mei35042\crypto\publickey\_ed448.pyd
- %TEMP%\_mei35042\crypto\util\_cpuid_c.pyd
- %TEMP%\_mei35042\crypto\util\_strxor.pyd
- %TEMP%\_mei35042\cryptodome\cipher\_arc4.pyd
- %TEMP%\_mei35042\cryptodome\cipher\_salsa20.pyd
- %TEMP%\_mei35042\cryptodome\cipher\_chacha20.pyd
- %TEMP%\_mei35042\cryptodome\cipher\_pkcs1_decode.pyd
- %TEMP%\_mei35042\cryptodome\cipher\_raw_aes.pyd
- %TEMP%\_mei35042\cryptodome\cipher\_raw_aesni.pyd
- %TEMP%\_mei35042\cryptodome\cipher\_raw_arc2.pyd
- %TEMP%\_mei35042\cryptodome\cipher\_raw_blowfish.pyd
- %TEMP%\_mei35042\cryptodome\cipher\_raw_cast.pyd
- %TEMP%\_mei35042\cryptodome\cipher\_raw_cbc.pyd
- %TEMP%\_mei35042\cryptodome\cipher\_raw_cfb.pyd
- %TEMP%\_mei35042\cryptodome\cipher\_raw_ctr.pyd
- %TEMP%\_mei35042\cryptodome\cipher\_raw_des.pyd
- %TEMP%\_mei35042\cryptodome\cipher\_raw_des3.pyd
- %TEMP%\_mei35042\cryptodome\cipher\_raw_ecb.pyd
- %TEMP%\_mei35042\cryptodome\cipher\_raw_eksblowfish.pyd
- %TEMP%\_mei35042\cryptodome\cipher\_raw_ocb.pyd
- %TEMP%\_mei35042\cryptodome\cipher\_raw_ofb.pyd
- %TEMP%\_mei35042\cryptodome\hash\_blake2b.pyd
- %TEMP%\_mei35042\cryptodome\hash\_blake2s.pyd
- %TEMP%\_mei35042\cryptodome\hash\_md2.pyd
- %TEMP%\_mei35042\cryptodome\hash\_md4.pyd
- %TEMP%\_mei35042\cryptodome\hash\_md5.pyd
- %TEMP%\_mei35042\cryptodome\hash\_ripemd160.pyd
- %TEMP%\_mei35042\cryptodome\hash\_sha1.pyd
- %TEMP%\_mei35042\cryptodome\hash\_sha224.pyd
- %TEMP%\_mei35042\cryptodome\hash\_sha256.pyd
- %TEMP%\_mei35042\cryptodome\hash\_sha384.pyd
- %TEMP%\_mei35042\cryptodome\hash\_sha512.pyd
- %TEMP%\_mei35042\cryptodome\hash\_ghash_clmul.pyd
- %TEMP%\_mei35042\cryptodome\hash\_ghash_portable.pyd
- %TEMP%\_mei35042\cryptodome\hash\_keccak.pyd
- %TEMP%\_mei35042\cryptodome\hash\_poly1305.pyd
- %TEMP%\_mei35042\cryptodome\math\_modexp.pyd
- %TEMP%\_mei35042\cryptodome\protocol\_scrypt.pyd
- %TEMP%\_mei35042\cryptodome\publickey\_curve25519.pyd
- %TEMP%\_mei35042\cryptodome\publickey\_curve448.pyd
- %TEMP%\_mei35042\cryptodome\publickey\_ec_ws.pyd
- %TEMP%\_mei35042\cryptodome\publickey\_ed25519.pyd
- %TEMP%\_mei35042\cryptodome\publickey\_ed448.pyd
- %TEMP%\_mei35042\cryptodome\util\_cpuid_c.pyd
- %TEMP%\_mei35042\cryptodome\util\_strxor.pyd
- %TEMP%\_mei35042\kitty.pyd
- %TEMP%\_mei35042\pythonwin\mfc140u.dll
- %TEMP%\_mei35042\pythonwin\win32ui.pyd
- %TEMP%\_mei35042\vcruntime140.dll
- %TEMP%\_mei35042\vcruntime140_1.dll
- %TEMP%\_mei35042\_asyncio.pyd
- %TEMP%\_mei35042\_bz2.pyd
- %TEMP%\_mei35042\_cffi_backend.cp311-win_amd64.pyd
- %TEMP%\_mei35042\_ctypes.pyd
- %TEMP%\_mei35042\_decimal.pyd
- %TEMP%\_mei35042\_hashlib.pyd
- %TEMP%\_mei35042\_lzma.pyd
- %TEMP%\_mei35042\_multiprocessing.pyd
- %TEMP%\_mei35042\_overlapped.pyd
- %TEMP%\_mei35042\_queue.pyd
- %TEMP%\_mei35042\_socket.pyd
- %TEMP%\_mei35042\_sqlite3.pyd
- %TEMP%\_mei35042\_ssl.pyd
- %TEMP%\_mei35042\_uuid.pyd
- %TEMP%\_mei35042\base_library.zip
- %TEMP%\_mei35042\certifi\cacert.pem
- %TEMP%\_mei35042\charset_normalizer\md.cp311-win_amd64.pyd
- %TEMP%\_mei35042\charset_normalizer\md__mypyc.cp311-win_amd64.pyd
- %TEMP%\_mei35042\libcrypto-1_1.dll
- %TEMP%\_mei35042\libffi-8.dll
- %TEMP%\_mei35042\libssl-1_1.dll
- %TEMP%\_mei35042\lz4-4.4.5.dist-info\installer
- %TEMP%\_mei35042\lz4-4.4.5.dist-info\metadata
- %TEMP%\_mei35042\lz4-4.4.5.dist-info\record
- %TEMP%\_mei35042\lz4-4.4.5.dist-info\wheel
- %TEMP%\_mei35042\lz4-4.4.5.dist-info\licenses\license
- %TEMP%\_mei35042\lz4-4.4.5.dist-info\top_level.txt
- %TEMP%\_mei35042\lz4\_version.cp311-win_amd64.pyd
- %TEMP%\_mei35042\lz4\block\_block.cp311-win_amd64.pyd
- %TEMP%\_mei35042\markupsafe-3.0.3.dist-info\installer
- %TEMP%\_mei35042\markupsafe-3.0.3.dist-info\metadata
- %TEMP%\_mei35042\markupsafe-3.0.3.dist-info\record
- %TEMP%\_mei35042\markupsafe-3.0.3.dist-info\wheel
- %TEMP%\_mei35042\markupsafe-3.0.3.dist-info\licenses\license.txt
- %TEMP%\_mei35042\markupsafe-3.0.3.dist-info\top_level.txt
- %TEMP%\_mei35042\markupsafe\_speedups.cp311-win_amd64.pyd
- %TEMP%\_mei35042\psutil\_psutil_windows.pyd
- %TEMP%\_mei35042\pyexpat.pyd
- %TEMP%\_mei35042\python3.dll
- %TEMP%\_mei35042\python311.dll
- %TEMP%\_mei35042\pywin32_system32\pythoncom311.dll
- %TEMP%\_mei35042\pywin32_system32\pywintypes311.dll
- %TEMP%\_mei35042\select.pyd
- %TEMP%\_mei35042\setuptools-65.5.0.dist-info\installer
- %TEMP%\_mei35042\setuptools-65.5.0.dist-info\license
- %TEMP%\_mei35042\setuptools-65.5.0.dist-info\metadata
- %TEMP%\_mei35042\setuptools-65.5.0.dist-info\record
- %TEMP%\_mei35042\setuptools-65.5.0.dist-info\wheel
- %TEMP%\_mei35042\setuptools-65.5.0.dist-info\entry_points.txt
- %TEMP%\_mei35042\setuptools-65.5.0.dist-info\top_level.txt
- %TEMP%\_mei35042\sqlite3.dll
- %TEMP%\_mei35042\unicodedata.pyd
- %TEMP%\_mei35042\win32\_win32sysloader.pyd
- %TEMP%\_mei35042\win32\win32api.pyd
- %TEMP%\_mei35042\win32\win32crypt.pyd
- %TEMP%\_mei35042\win32\win32event.pyd
- %TEMP%\_mei35042\win32\win32file.pyd
- %TEMP%\_mei35042\win32\win32process.pyd
- %TEMP%\_mei35042\win32\win32security.pyd
- %TEMP%\_mei35042\win32\win32trace.pyd
- %TEMP%\_mei35042\win32com\shell\shell.pyd
- %TEMP%\gen_py\3.11\__init__.py
- %TEMP%\gen_py\3.11\dicts.dat
- %LOCALAPPDATA%\microsoft\microsoftedgeupdate.exe
- nul
- %TEMP%\system\system_information.txt
- %TEMP%\system\antivirus info.txt
- %TEMP%\dudomidbf.zip
- %LOCALAPPDATA%\microsoft\edge\user data\default\login data_temp
- %LOCALAPPDATA%\microsoft\edge\user data\default\web data_temp
- %LOCALAPPDATA%\microsoft\edge\user data\default\history_temp
- %APPDATA%\mozilla\firefox\profiles\dnyauhh1.default-release\cookies_temp.sqlite
- %APPDATA%\mozilla\firefox\profiles\dnyauhh1.default-release\cookies_temp.sqlite-shm
- %TEMP%\places_temp_4972.sqlite
- %TEMP%\places_temp_4972.sqlite-shm
- %TEMP%\wallets.zip
Sets the 'hidden' attribute to the following files
- %LOCALAPPDATA%\microsoft\microsoftedgeupdate.exe
Deletes following files that it created itself
- %TEMP%\system\antivirus info.txt
- %TEMP%\system\system_information.txt
- %LOCALAPPDATA%\microsoft\edge\user data\default\login data_temp
- %LOCALAPPDATA%\microsoft\edge\user data\default\web data_temp
- %LOCALAPPDATA%\microsoft\edge\user data\default\history_temp
- %APPDATA%\mozilla\firefox\profiles\dnyauhh1.default-release\cookies_temp.sqlite-shm
- %APPDATA%\mozilla\firefox\profiles\dnyauhh1.default-release\cookies_temp.sqlite
- %TEMP%\places_temp_4972.sqlite-shm
- %TEMP%\places_temp_4972.sqlite
Substitutes the following files
- %LOCALAPPDATA%\microsoft\edge\user data\default\history_temp
- %TEMP%\places_temp_4972.sqlite
- %TEMP%\places_temp_4972.sqlite-shm
Network activity
Connects to
- '16#.#6.93.174':5000
UDP
- DNS ASK ip##ois.app
- DNS ASK gi##ub.com
Miscellaneous
Restarts the analyzed sample
Executes the following
- '<SYSTEM32>\cmd.exe' /c "ver"
- '<SYSTEM32>\attrib.exe' +S +H %LOCALAPPDATA%\Microsoft\MicrosoftEdgeUpdate.exe
- '<SYSTEM32>\schtasks.exe' /Delete /TN MicrosoftEdgeUpdate /F
- '<SYSTEM32>\schtasks.exe' /Create /TN MicrosoftEdgeUpdate /TR \"%LOCALAPPDATA%\Microsoft\MicrosoftEdgeUpdate.exe\" /SC ONLOGON /RL HIGHEST /F
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -WindowStyle Hidden -Command " Add-Type -AssemblyName System.Windows.Forms [System.Windows.Forms.MessageBox]::Show( \"Error code: Windows_0x988958`nSomething gone wr...
- '<SYSTEM32>\cmd.exe' /c "ver"' (with hidden window)
