Техническая информация
Для обеспечения автозапуска и распространения
Модифицирует следующие ключи реестра
- [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\] 'tvncontrol' = '"C:\RMC9\RMC9.exe" -controlservice -slave'
Устанавливает следующие настройки сервисов
- [HKLM\System\CurrentControlSet\Services\W_OfficeService] 'Start' = '00000002'
- [HKLM\System\CurrentControlSet\Services\W_OfficeService] 'ImagePath' = '%WINDIR%\OfficeService.exe'
- [HKLM\System\CurrentControlSet\Services\rmcserver] 'Start' = '00000002'
- [HKLM\System\CurrentControlSet\Services\rmcserver] 'ImagePath' = '"C:\RMC9\RMC9.exe" -service'
Создает следующие сервисы
- 'W_OfficeService' %WINDIR%\OfficeService.exe
- 'rmcserver' "C:\RMC9\RMC9.exe" -service
Вредоносные функции
Запускает на исполнение
- '%WINDIR%\syswow64\taskkill.exe' /F /IM OfficeAgent.exe
- '%WINDIR%\syswow64\netsh.exe' advfirewall firewall add rule name="StarCat Officetools" dir=in action=allow program="%WINDIR%\OfficeTools.exe" profile=Any
- '%WINDIR%\syswow64\netsh.exe' advfirewall firewall add rule name="StarCat Agent" dir=in action=allow program="%WINDIR%\sysmnt.exe" profile=Any
- '%WINDIR%\syswow64\netsh.exe' advfirewall firewall add rule name="StarCat Agent" dir=in action=allow program="%WINDIR%\vistamnt.exe" profile=Any
- '%WINDIR%\syswow64\netsh.exe' advfirewall firewall add rule name="StarCat Agent" dir=in program="%WINDIR%\OfficeAgent.exe" action=allow profile=Any
- '%WINDIR%\syswow64\net.exe' stop rmc7
- '%WINDIR%\syswow64\net.exe' stop rmc8
- '%WINDIR%\syswow64\net.exe' stop rmc9
- '%WINDIR%\syswow64\net.exe' stop rmcserver
- '%WINDIR%\syswow64\taskkill.exe' /F /IM RMC8.exe
- '%WINDIR%\syswow64\taskkill.exe' /F /IM RMC7.exe
- '%WINDIR%\syswow64\taskkill.exe' /F /IM RMC9.exe
- '%WINDIR%\syswow64\taskkill.exe' /F /IM sysmnt.exe
- '%WINDIR%\syswow64\taskkill.exe' /F /IM vistamnt.exe
- '%WINDIR%\syswow64\taskkill.exe' /F /IM Officetools.exe
- '%WINDIR%\syswow64\taskkill.exe' /F /IM OfficeService.exe
- '%WINDIR%\syswow64\netsh.exe' advfirewall firewall add rule name="STARCAT TCP" dir=in action=allow protocol=TCP localport=25001-25010
- '%WINDIR%\syswow64\netsh.exe' advfirewall firewall add rule name="STARCAT UDP" dir=in action=allow protocol=UDP localport=25000,25001,26000
Изменения в файловой системе
Создает следующие файлы
- %TEMP%\installagent\hidecmd.vbs
- %WINDIR%\temp\tmp_45227.6374135301
- %WINDIR%\moscii\logs\officeagent.log
- %WINDIR%\moscii\config\log.cfg
- %TEMP%\installagent\nu
- C:\rmc9\screenhooks64.dll
- C:\rmc9\rmc9.exe
- C:\rmc9\license.txt
- %WINDIR%\moscii\logs\officeservice.log
- %WINDIR%\officetools.exe
- %WINDIR%\officeagent.exe
- %WINDIR%\officeservice.exe
- nul
- %TEMP%\installagent\net4\officetools.exe
- %TEMP%\installagent\net2\officetools.exe
- %TEMP%\installagent\officeagent.exe
- %TEMP%\installagent\rmc9_x86\screenhooks32.dll
- %TEMP%\installagent\rmc9_x86\rmc9.exe
- %TEMP%\installagent\rmc9_x86\license.txt
- %TEMP%\installagent\rmc9_x64\screenhooks64.dll
- %TEMP%\installagent\rmc9_x64\rmc9.exe
- %TEMP%\installagent\rmc9_x64\license.txt
- %TEMP%\installagent\officeservice.exe
- %TEMP%\installagent\install.bat
- %WINDIR%\vistamnt.exe
- %WINDIR%\sysmnt.exe
Удаляет следующие файлы
- %WINDIR%\temp\tmp_45227.6374135301
Другое
Ищет следующие окна
- ClassName: 'EDIT' WindowName: ''
- ClassName: '' WindowName: ''
Создает и запускает на исполнение
- '%WINDIR%\syswow64\wscript.exe' "%TEMP%\InstallAgent\hidecmd.vbs" /s
- '%WINDIR%\officeservice.exe' /install /silent
- '%WINDIR%\officeservice.exe'
- '%WINDIR%\officeagent.exe'
- 'C:\rmc9\rmc9.exe' -install -silent
- 'C:\rmc9\rmc9.exe' -service
- '%WINDIR%\vistamnt.exe'
- '%WINDIR%\sysmnt.exe'
- '%WINDIR%\syswow64\cmd.exe' /C netsh advfirewall firewall delete rule name="STARCAT UDP"' (со скрытым окном)
- '%WINDIR%\syswow64\cmd.exe' /C netsh advfirewall firewall show rule name="STARCAT UDP"' (со скрытым окном)
- '%WINDIR%\syswow64\cmd.exe' /C netsh advfirewall firewall add rule name="STARCAT TCP" dir=in action=allow protocol=TCP localport=25001-25010' (со скрытым окном)
- '%WINDIR%\syswow64\cmd.exe' /C netsh advfirewall firewall delete rule name="STARCAT TCP"' (со скрытым окном)
- '%WINDIR%\syswow64\cmd.exe' /C netsh advfirewall firewall show rule name="RMC9"' (со скрытым окном)
- '%WINDIR%\syswow64\cmd.exe' /C netsh advfirewall firewall delete rule name="StarCat Agent"' (со скрытым окном)
- '%WINDIR%\syswow64\cmd.exe' /C netsh advfirewall firewall show rule name="StarCat Agent"' (со скрытым окном)
- '%WINDIR%\syswow64\cmd.exe' /C netsh advfirewall firewall add rule name="STARCAT UDP" dir=in action=allow protocol=UDP localport=25000,25001,26000' (со скрытым окном)
- '%WINDIR%\syswow64\cmd.exe' /C wmic csproduct get UUID /value' (со скрытым окном)
- '%WINDIR%\syswow64\cmd.exe' /C hostname' (со скрытым окном)
- '%WINDIR%\sysmnt.exe' ' (со скрытым окном)
- '%WINDIR%\syswow64\cmd.exe' ^/C del %WINDIR%\TEMP\tmp_*.* >%WINDIR%\TEMP\\tmp_45227.6374135301' (со скрытым окном)
- '%WINDIR%\officeagent.exe' ' (со скрытым окном)
- '%WINDIR%\syswow64\cmd.exe' /c net start officeservice' (со скрытым окном)
- '%WINDIR%\syswow64\cmd.exe' /c ""%TEMP%\InstallAgent\install.bat" "' (со скрытым окном)
- '%WINDIR%\syswow64\cmd.exe' /C netsh advfirewall firewall show rule name="STARCAT TCP"' (со скрытым окном)
- '%WINDIR%\syswow64\cmd.exe' ^/C wmic qfe get Caption, HotFixID, InstalledOn >%WINDIR%\TEMP\\tmp_45227.6380020255' (со скрытым окном)
Запускает на исполнение
- '%WINDIR%\syswow64\cmd.exe' /c ""%TEMP%\InstallAgent\install.bat" "
- '%WINDIR%\syswow64\netsh.exe' advfirewall firewall delete rule name="StarCat Agent"
- '%WINDIR%\syswow64\netsh.exe' advfirewall firewall delete rule name="StarCat Tools"
- '%WINDIR%\syswow64\netsh.exe' advfirewall firewall delete rule name="StarCat Officetools"
- '%WINDIR%\syswow64\netsh.exe' advfirewall firewall delete rule name="RMC"
- '%WINDIR%\syswow64\netsh.exe' advfirewall firewall delete rule name="RMC9"
- '%WINDIR%\syswow64\cmd.exe' /C hostname
- '%WINDIR%\syswow64\hostname.exe'
- '%WINDIR%\syswow64\cmd.exe' /C wmic csproduct get UUID /value
- '%WINDIR%\syswow64\wbem\wmic.exe' csproduct get UUID /value
- '%WINDIR%\syswow64\cmd.exe' /C netsh advfirewall firewall show rule name="RMC9"
- '%WINDIR%\syswow64\sc.exe' config rmcserver start= delayed-auto
- '%WINDIR%\syswow64\netsh.exe' advfirewall firewall show rule name="RMC9"
- '%WINDIR%\syswow64\cmd.exe' /C netsh advfirewall firewall show rule name="StarCat Agent"
- '%WINDIR%\syswow64\netsh.exe' advfirewall firewall show rule name="StarCat Agent"
- '%WINDIR%\syswow64\cmd.exe' /C netsh advfirewall firewall delete rule name="StarCat Agent"
- '%WINDIR%\syswow64\cmd.exe' /C netsh advfirewall firewall show rule name="STARCAT TCP"
- '%WINDIR%\syswow64\netsh.exe' advfirewall firewall show rule name="STARCAT TCP"
- '%WINDIR%\syswow64\cmd.exe' /C netsh advfirewall firewall delete rule name="STARCAT TCP"
- '%WINDIR%\syswow64\netsh.exe' advfirewall firewall delete rule name="STARCAT TCP"
- '%WINDIR%\syswow64\cmd.exe' /C netsh advfirewall firewall add rule name="STARCAT TCP" dir=in action=allow protocol=TCP localport=25001-25010
- '%WINDIR%\syswow64\cmd.exe' /C netsh advfirewall firewall show rule name="STARCAT UDP"
- '%WINDIR%\syswow64\netsh.exe' advfirewall firewall show rule name="STARCAT UDP"
- '%WINDIR%\syswow64\cmd.exe' /C netsh advfirewall firewall delete rule name="STARCAT UDP"
- '%WINDIR%\syswow64\netsh.exe' advfirewall firewall delete rule name="STARCAT UDP"
- '%WINDIR%\syswow64\cmd.exe' /C netsh advfirewall firewall add rule name="STARCAT UDP" dir=in action=allow protocol=UDP localport=25000,25001,26000
- '%WINDIR%\syswow64\cmd.exe' ^/C del %WINDIR%\TEMP\tmp_*.* >%WINDIR%\TEMP\\tmp_45227.6374135301
- '%WINDIR%\syswow64\cmd.exe' ^/C wmic qfe get Caption, HotFixID, InstalledOn >%WINDIR%\TEMP\\tmp_45227.6380020255
- '%WINDIR%\syswow64\net1.exe' start rmc9
- '%WINDIR%\syswow64\net1.exe' start rmcserver
- '%WINDIR%\syswow64\net1.exe' stop rmcserver
- '%WINDIR%\syswow64\net1.exe' stop rmc9
- '%WINDIR%\syswow64\net1.exe' stop rmc8
- '%WINDIR%\syswow64\net1.exe' stop rmc7
- '%WINDIR%\syswow64\ping.exe' 127.0.0.1 -n 2
- '%WINDIR%\syswow64\sc.exe' delete "w_Officeservice"
- '%WINDIR%\syswow64\sc.exe' delete "rmcserver"
- '%WINDIR%\syswow64\sc.exe' delete "rmc9"
- '%WINDIR%\syswow64\sc.exe' delete "rmc8"
- '%WINDIR%\syswow64\sc.exe' delete "rmc7"
- '%WINDIR%\syswow64\cmd.exe' /S /D /c" VER "
- '%WINDIR%\syswow64\findstr.exe' /IL "5.0."
- '%WINDIR%\syswow64\findstr.exe' /IL "5.1."
- '%WINDIR%\syswow64\findstr.exe' /IL "5.2."
- '%WINDIR%\syswow64\findstr.exe' /IL "6.0."
- '%WINDIR%\syswow64\findstr.exe' /IL "6.1."
- '%WINDIR%\syswow64\ping.exe' 127.0.0.1 -n 5
- '%WINDIR%\syswow64\ping.exe' 127.0.0.1 -n 10
- '%WINDIR%\syswow64\cmd.exe' /c net start officeservice
- '%WINDIR%\syswow64\net.exe' start officeservice
- '%WINDIR%\syswow64\net1.exe' start officeservice
- '%WINDIR%\syswow64\ping.exe' 127.0.0.1 -n 3
- '%WINDIR%\syswow64\reg.exe' ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v SoftwareSASgeneration /t REG_dword /d 1 /F
- '%WINDIR%\syswow64\reg.exe' ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v SoftwareSASgeneration /t REG_dword /d 1 /F reg:64
- '%WINDIR%\syswow64\net.exe' start rmcserver
- '%WINDIR%\syswow64\net.exe' start rmc9
- '%WINDIR%\syswow64\wbem\wmic.exe' qfe get Caption, HotFixID, InstalledOn
