Technical Information
Malicious functions
Executes the following
- '<SYSTEM32>\taskkill.exe' /f /im HTTPDebuggerUI.exe
- '<SYSTEM32>\taskkill.exe' /FI "IMAGENAME eq ida*" /IM * /F /T
- '<SYSTEM32>\taskkill.exe' /FI "IMAGENAME eq procmon*" /IM * /F /T
- '<SYSTEM32>\taskkill.exe' /FI "IMAGENAME eq charles*" /IM * /F /T
- '<SYSTEM32>\taskkill.exe' /FI "IMAGENAME eq rawshark*" /IM * /F /T
- '<SYSTEM32>\taskkill.exe' /FI "IMAGENAME eq wireshark*" /IM * /F /T
- '<SYSTEM32>\taskkill.exe' /FI "IMAGENAME eq FolderChangesView*" /IM * /F /T
- '<SYSTEM32>\taskkill.exe' /FI "IMAGENAME eq fiddler*" /IM * /F /T
- '<SYSTEM32>\taskkill.exe' /FI "IMAGENAME eq idaq*" /IM * /F /T
- '<SYSTEM32>\taskkill.exe' /FI "IMAGENAME eq KsDumperClient*" /IM * /F /T
- '<SYSTEM32>\taskkill.exe' /FI "IMAGENAME eq HTTPDebuggerUI*" /IM * /F /T
- '<SYSTEM32>\taskkill.exe' /FI "IMAGENAME eq HTTPDebuggerSvc*" /IM * /F /T
- '<SYSTEM32>\taskkill.exe' /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
- '<SYSTEM32>\taskkill.exe' /FI "IMAGENAME eq cheatengine*" /IM * /F /T
- '<SYSTEM32>\taskkill.exe' /f /im HTTPDebuggerSvc.exe
- '<SYSTEM32>\net.exe' stop ESEADriver2
- '<SYSTEM32>\net.exe' stop FACEIT
- '<SYSTEM32>\taskkill.exe' /FI "IMAGENAME eq processhacker*" /IM * /F /T
- '<SYSTEM32>\taskkill.exe' /FI "IMAGENAME eq idaq64*" /IM * /F /T
Launches a large number of processes
Searches for windows to
detect analytical utilities:
- ClassName: '', WindowName: 'The Wireshark Network Analyzer'
Modifies file system
Creates the following files
- nul
- %WINDIR%\temp\cabef7c.tmp
- %WINDIR%\temp\taref7d.tmp
- %WINDIR%\temp\cab6a6.tmp
- %WINDIR%\temp\tar6a7.tmp
- %WINDIR%\temp\cab783.tmp
- %WINDIR%\temp\tar793.tmp
Deletes the following files
- %WINDIR%\temp\cabef7c.tmp
- %WINDIR%\temp\taref7d.tmp
- %WINDIR%\temp\cab6a6.tmp
- %WINDIR%\temp\tar6a7.tmp
- %WINDIR%\temp\cab783.tmp
- %WINDIR%\temp\tar793.tmp
Network activity
Connects to
- 'localhost':49179
- 'localhost':49181
- 'ke##uth.win':443
- 'x1.#.lencr.org':80
TCP
HTTP GET requests
- http://x1.#.lencr.org/
Other
- 'localhost':49179
- 'localhost':49181
- 'localhost':49182
- 'ke##uth.win':443
UDP
- DNS ASK ke##uth.win
- DNS ASK x1.#.lencr.org
Miscellaneous
Searches for the following windows
- ClassName: '' WindowName: 'KsDumperClient.exe'
- ClassName: '' WindowName: 'Fiddler'
- ClassName: '' WindowName: 'x64dbg'
- ClassName: '' WindowName: 'dnSpy'
- ClassName: '' WindowName: 'FolderChangesView'
- ClassName: '' WindowName: 'BinaryNinja'
- ClassName: '' WindowName: 'HxD'
- ClassName: '' WindowName: 'Cheat Engine 7.2'
- ClassName: '' WindowName: 'Cheat Engine 7.1'
- ClassName: '' WindowName: 'Cheat Engine 6.9'
- ClassName: '' WindowName: 'Process Hacker'
- ClassName: '' WindowName: 'Cheat Engine 7.3'
- ClassName: '' WindowName: 'Cheat Engine 7.4'
- ClassName: '' WindowName: 'Cheat Engine 7.5'
- ClassName: '' WindowName: 'Cheat Engine 7.6'
- ClassName: '' WindowName: 'Ida'
- ClassName: '' WindowName: 'Ida Pro'
- ClassName: '' WindowName: 'Ida Freeware'
- ClassName: '' WindowName: 'HTTP Debugger Pro'
- ClassName: '' WindowName: 'Progress Telerik Fiddler Web Debugger'
- ClassName: '' WindowName: 'Cheat Engine 7.0'
- ClassName: '' WindowName: 'Resource Monitor'
- ClassName: '' WindowName: 'Fiddler.exe'
- ClassName: '' WindowName: 'HTTPDebuggerUI.exe'
- ClassName: '' WindowName: 'HTTPDebuggerSvc.exe'
- ClassName: '' WindowName: 'FolderChangesView.exe'
- ClassName: '' WindowName: 'ProcessHacker.exe'
- ClassName: '' WindowName: 'procmon.exe'
- ClassName: '' WindowName: 'idaq.exe'
- ClassName: '' WindowName: 'idaq64.exe'
- ClassName: '' WindowName: 'Wireshark.exe'
- ClassName: '' WindowName: 'Xenos64.exe'
- ClassName: '' WindowName: 'HTTP Debugger'
- ClassName: '' WindowName: 'Cheat Engine.exe'
- ClassName: '' WindowName: 'HTTP Debugger Windows Service (32 bit).exe'
- ClassName: '' WindowName: 'KsDumper.exe'
- ClassName: '' WindowName: 'x64dbg.exe'
- ClassName: '' WindowName: 'IDA: Quick start'
- ClassName: '' WindowName: 'Memory Viewer'
- ClassName: '' WindowName: 'Process List'
- ClassName: '' WindowName: 'KsDumper'
- ClassName: '' WindowName: 'OllyDbg'
- ClassName: '' WindowName: 'Process Hacker 2'
Executes the following
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /FI "IMAGENAME eq KsDumperClient*" /IM * /F /T >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /FI "IMAGENAME eq FolderChangesView*" /IM * /F /T >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /FI "IMAGENAME eq charles*" /IM * /F /T >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /FI "IMAGENAME eq HTTPDebuggerUI*" /IM * /F /T >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /FI "IMAGENAME eq procmon*" /IM * /F /T >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /FI "IMAGENAME eq idaq64*" /IM * /F /T >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c certutil -hashfile "<Full path to file>" MD5 | find /i /v "md5" | find /i /v "certutil"
- '<SYSTEM32>\certutil.exe' -hashfile "<Full path to file>" MD5
- '<SYSTEM32>\find.exe' /i /v "md5"
- '<SYSTEM32>\find.exe' /i /v "certutil"
- '<SYSTEM32>\cmd.exe' /c start cmd /C "color b && title Error && echo SSL connect error && timeout /t 5"
- '<SYSTEM32>\cmd.exe' /c taskkill /FI "IMAGENAME eq ida*" /IM * /F /T >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /FI "IMAGENAME eq idaq*" /IM * /F /T >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /FI "IMAGENAME eq HTTPDebuggerSvc*" /IM * /F /T >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
- '<SYSTEM32>\net1.exe' stop FACEIT
- '<SYSTEM32>\cmd.exe' /c net stop ESEADriver2 >nul 2>&1
- '<SYSTEM32>\net1.exe' stop ESEADriver2
- '<SYSTEM32>\cmd.exe' /c sc stop HTTPDebuggerPro >nul 2>&1
- '<SYSTEM32>\sc.exe' stop HTTPDebuggerPro
- '<SYSTEM32>\cmd.exe' /c sc stop KProcessHacker3 >nul 2>&1
- '<SYSTEM32>\sc.exe' stop KProcessHacker3
- '<SYSTEM32>\cmd.exe' /c net stop FACEIT >nul 2>&1
- '<SYSTEM32>\cmd.exe' /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
- '<SYSTEM32>\sc.exe' stop KProcessHacker2
- '<SYSTEM32>\cmd.exe' /c sc stop KProcessHacker1 >nul 2>&1
- '<SYSTEM32>\sc.exe' stop KProcessHacker1
- '<SYSTEM32>\cmd.exe' /c sc stop wireshark >nul 2>&1
- '<SYSTEM32>\sc.exe' stop wireshark
- '<SYSTEM32>\cmd.exe' /c sc stop npf >nul 2>&1
- '<SYSTEM32>\sc.exe' stop npf
- '<SYSTEM32>\cmd.exe' /c sc stop KProcessHacker2 >nul 2>&1
- '<SYSTEM32>\cmd.exe' /C "color b && title Error && echo SSL connect error && timeout /t 5"
- '<SYSTEM32>\timeout.exe' /t 5
