Analysis by: Jeanne Jocson
 PLATFORM:

Windows

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Rootkit

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

This rootkit arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

  TECHNICAL DETAILS

Tamaño del archivo 548,968 bytes
Tipo de archivo SYS
Fecha de recepción de las muestras iniciales 09 Dec 2016

Arrival Details

This rootkit arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Other System Modifications

This rootkit adds the following registry keys:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
services\vonetframecore

It adds the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
services\vonetframecore
DisplayName = "vonetframecore"

HKEY_LOCAL_MACHINE\SYTEM\ControlSet001\
services\vonetframecore
ErrorControl = "1"

HKEY_LOCAL_MACHINE\SYTEM\ControlSet001\
services\vonetframecore
Group = "PNP_TDI"

HKEY_LOCAL_MACHINE\SYTEM\ControlSet001\
services\vonetframecore
Start = "1"

HKEY_LOCAL_MACHINE\SYTEM\ControlSet001\
services\vonetframecore
Tag = "1"

HKEY_LOCAL_MACHINE\SYTEM\ControlSet001\
services\vonetframecore
Type = "1"

HKEY_LOCAL_MACHINE\SYTEM\ControlSet001\
services\vonetframecore
ImagePath = "system32\drivers\vonetframecore.sys"

Dropping Routine

This rootkit drops the following files:

  • C:\Users\Public\Documents\XMUpdate\conf.db

Other Details

This rootkit connects to the following possibly malicious URL:

  • http://dl.{BLOCKED}g.top/hffdbv.dat
  • http://dl.{BLOCKED}g.top/hffdb.dat
  • http://dl.{BLOCKED}g.top/vnlacfg.dat