We have observed variants of this threat exhibiting various behaviors. This analysis is based on the following sample files (SHA-256):
- 0a93b5aa6842c92672551cd07a323395b628aa6706f4ce7019d3d4391af78e8b
- 6e5de2363825ea1f2d921dd6b76aca80b52327bfb0e80e9de2ecbce7abc0989d
- dca9ebe7ad2194174a56bbd13f9af3d8713e0ba4f6b6368a368127a3a6a72ef4
Installation
When executed, this threat creates a copy of itself using one of the following file names:
In one of the following folders:
- %Windows%\M-<number>\
- %UserProfile%\M-<number>\
- %Temp%\M-<number>\
To run automatically, it creates one or more autorun registry entries for the dropped copy. If it has administrator privileges, it creates the following registry entry:
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: Microsoft Windows Driver <OR> Microsoft Windows Manager
With data: <path of dropped file>
If it doesn't have admin privileges, it creates this entry instead:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: Microsoft Windows Driver <OR> Microsoft Windows Manager
With data: <path of dropped file>
Propagation
To spread, this threat creates a folder named "_" in the root folder of removable and network drives. It then creates a copy of itself in that folder:
<root>\_\DeviceConfigManager.exe
It also creates the following files in the root folder:
- autorun.inf - drive autorun file
- DeviceConfigManager.vbs - VBS file that launches the dropped copy
- .lnk - shortcut file that launches the dropped copy
It moves all other files found in the root folder to the newly created folder. It might delete files with the following extensions instead of moving them:
- .lnk
- .vbs
- .bat
- .js
- .scr
- .com
- .jse
- .cmd
- .pif
- .jar
- .dll
Evasion
This threat attempts to turn off Microsoft Defender Antivirus by modifying its management control in the policy hive of the registry. To be successful, it needs administrator privileges.
It also attempts to modify the following registry entry to add itself as an authorized application on the Windows Defender Firewall:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\
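The following hunting script is an added example, not part of the original advisory or any Microsoft tooling: it checks a host for the artifacts named in the Installation, Propagation and Evasion sections above (the two Run value names, M-<number> drop folders, the "_" folder copy and its launchers on removable or network drives, and entries under the firewall allow-list key). The registry paths, value names, folder and file names are taken from the page; the report format is the script's own.

```powershell
# Added example (not from the original advisory): hunt for the persistence,
# removable-drive and firewall artifacts described above. Registry paths, value
# names, folder and file names come from the page; the report format is ours.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$valueNames = @('Microsoft Windows Driver', 'Microsoft Windows Manager')
$findings = @()

# 1. Autorun entries: the two value names, each pointing at a dropped copy.
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in $valueNames) {
        $prop = $props.PSObject.Properties[$name]
        if ($prop) {
            $findings += [pscustomobject]@{ Type = 'RunKey'; Location = "$key\$name"; Detail = $prop.Value }
        }
    }
}

# 2. Dropped-copy folders: M-<number> under %Windows%, %UserProfile% and %Temp%.
foreach ($base in @($env:windir, $env:USERPROFILE, $env:TEMP)) {
    Get-ChildItem -Path $base -Directory -Filter 'M-*' -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '^M-\d+$' } |
        ForEach-Object { $findings += [pscustomobject]@{ Type = 'DropFolder'; Location = $_.FullName; Detail = '' } }
}

# 3. Removable (DriveType 2) and network (4) drive roots: the "_" folder copy and its launchers.
$drives = Get-CimInstance Win32_LogicalDisk | Where-Object { $_.DriveType -in 2, 4 }
foreach ($d in $drives) {
    foreach ($rel in @('_\DeviceConfigManager.exe', 'DeviceConfigManager.vbs', 'autorun.inf')) {
        $p = Join-Path ($d.DeviceID + '\') $rel
        if (Test-Path -LiteralPath $p) {
            $findings += [pscustomobject]@{ Type = 'DriveArtifact'; Location = $p; Detail = '' }
        }
    }
}

# 4. Firewall allow-list: value names are program paths; flag any under an M-<number> folder.
$fw = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
if (Test-Path $fw) {
    (Get-Item $fw).Property | Where-Object { $_ -match '\\M-\d+\\' } |
        ForEach-Object { $findings += [pscustomobject]@{ Type = 'FirewallAllow'; Location = $fw; Detail = $_ } }
}

if ($findings.Count -eq 0) { 'No indicators found.' } else { $findings | Format-Table -AutoSize }
```

Run it from an elevated prompt so the HKLM keys and every drive root are readable; an autorun.inf on a drive root is a weak indicator on its own and should be read together with the other findings.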
Backdoor payload
This threat attempts to connect to an IRC server, join a channel, and await commands. Once this backdoor channel is established, an attacker can perform a number of actions on the infected computer, including:
- Join a particular IRC channel
- Upload and run arbitrary files
- Update the malware
The threat appears to connect to the following hardcoded address:
220.181.87.80