Worm.PS1.LEMONDUCK.YAAA-A

This Worm arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It takes advantage of software vulnerabilities to propagate across networks.

Arrival Details

This Worm arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Worm drops the following files:

• {Removable Drive}:\Dblue3.lnk
• {Removable Drive}:\Eblue3.lnk
• {Removable Drive}:\Fblue3.lnk
• {Removable Drive}:\Gblue3.lnk
• {Removable Drive}:\Hblue3.lnk
• {Removable Drive}:\Iblue3.lnk
• {Removable Drive}:\Jblue3.lnk
• {Removable Drive}:\Kblue3.lnk
• {Removable Drive}:\blue3.bin
• {Removable Drive}:\Dblue6.lnk
• {Removable Drive}:\Eblue6.lnk
• {Removable Drive}:\Fblue6.lnk
• {Removable Drive}:\Gblue6.lnk
• {Removable Drive}:\Hblue6.lnk
• {Removable Drive}:\Iblue6.lnk
• {Removable Drive}:\Jblue6.lnk
• {Removable Drive}:\Kblue6.lnk
• {Removable Drive}:\blue6.bin
• {Removable Drive}:\UTFsync\inf_data
• %User Temp%\{7 random uppercase characters}.tmp -deleted afterwards
• %User Temp%\{8 random characters}.out -deleted afterwards
• %User Temp%\{8 random characters}.cmdline -deleted afterwards
• %User Temp%\{8 random characters}.err -deleted afterwards
• %User Temp%\{8 random characters}.pdb -deleted afterwards
• %User Temp%\{8 random characters}.0.cs -deleted afterwards
• %User Temp%\{8 random characters}.tmp -deleted afterwards
• %User Temp%\{8 random characters}.dll -deleted afterwards

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It adds the following processes:

• "%System%\NETSTAT.EXE" -anop TCP
• "%System%\ipconfig.exe" /all
• "%System%\ipconfig.exe" /displaydns
• "%System%\NETSTAT.EXE" -ano

(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.)

It creates the following folders:

• {Removable Drive}:\UTFsync

Propagation

This Worm takes advantage of the following software vulnerabilities to propagate across networks:

• Microsoft Windows SMB Server (MS17-010) Vulnerability

Process Termination

This Worm terminates the following services if found on the affected system:

• xWinWpdSrv
• SVSHost
• Microsoft Telemetry
• lsass
• Microsoft
• system
• Oracleupdate
• CLR
• sysmgt
• \gm
• WmdnPnSN
• Sougoudl
• National
• Nationaaal
• Natimmonal
• Nationaloll
• Nationalmll
• Nationalaie
• Nationalwpi
• WinHelp32
• WinHelp64
• Samserver
• RpcEptManger
• NetMsmqActiv Media NVIDIA
• Sncryption Media Playeq
• SxS
• WinSvc
• mssecsvc2.1
• mssecsvc2.0
• Windows_Update
• Windows Managers
• SvcNlauser
• WinVaultSvc
• Xtfy 
• Xtfya
• Xtfyxxx
• 360rTys
• IPSECS
• MpeSvc
• SRDSL
• WifiService
• ALGM
• wmiApSrvs
• wmiApServs
• taskmgr1
• WebServers
• ExpressVNService
• WWW.DDOS.{BLOCKED}N.COM
• WinHelpSvcs
• aspnet_staters
• clr_optimization
• AxInstSV
• Zational 
• DNS Server
• Serhiez
• SuperProServer
• .Net CLR
• WissssssnHelp32
• WinHasdadelp32
• WinHasdelp32
• ClipBooks

It terminates processes or services that contain any of the following strings if found running in the affected system's memory:

• SC
• WerMgr
• WerFault
• DW20
• msinfo
• XMR
• xmrig
• minerd
• MinerGate
• Carbon
• yamm1
• upgeade
• auto-upgeade
• svshost
• SystemIIS
• SystemIISSec
• WindowsUpdater
• WindowsDefender
• update
• carss
• service
• csrsc
• cara
• javaupd
• gxdrv
• lsmosee
• secuams
• SQLEXPRESS_X64_86
• Calligrap
• Sqlceqp
• Setting
• Uninsta
• conhoste
• Setring
• Galligrp
• Imaging
• taskegr
• Terms.EXE
• 360
• 8866
• 9966
• 9696
• 9797
• svchosti
• SearchIndex
• Avira
• cohernece
• win
• SQLforwin
• xig
• taskmgr1
• Workstation
• ress
• explores

Dropping Routine

This Worm takes advantage of the following software vulnerabilities to drop malicious files:

• CVE-2017-8464

Information Theft

This Worm gathers the following data:

• User Credentials
• OS Version
• User Name
• Domain Name

Other Details

This Worm does the following:

• It deletes the following scheduled tasks:
  • AdobeFlashPlayer
  • Bluetooths
  • Credentials
  • Ddrivers
  • DNS
  • DNS2
  • DnsCore
  • DnsCore
  • DnsScan
  • ECDnsCore
  • Flash
  • FlashPlayer1
  • FlashPlayer2
  • FlashPlayer3
  • gm
  • GooglePingConfigs
  • HispDemorn
  • HomeGroupProvider
  • IIS
  • LimeRAT-Admin
  • Microsoft Telemetry
  • Miscfost
  • MiscfostNsi
  • my1
  • Mysa
  • Mysa1
  • Mysa2
  • Mysa3
  • Netframework
  • ngm
  • ok
  • Oracle Java
  • Oracle Java Update
  • Oracle Products Reporter
  • RavTask
  • skycmd
  • Sorry
  • Spooler SubSystem Service
  • SYSTEM
  • System Log Security Check
  • SYSTEMa
  • TablteInputout
  • Update
  • Update service for Windows Service
  • Update service for products
  • Update_windows
  • Update1
  • Update2
  • Update3
  • Update4
  • WebServers
  • werclpsyport
  • Windows_Update
  • WindowsLogTasks
  • WindowsUpdate1
  • WindowsUpdate2
  • WindowsUpdate3
  • WwANsvc
  
  
• It terminates the processes that contain the following strings in its command line:
  • pool.monero.hashvault.pro
  • blazepool
  • blockmasters
  • blockmasterscoins
  • bohemianpool
  • cryptmonero
  • cryptonight
  • crypto-pool
  • --donate-level
  • dwarfpool
  • hashrefinery
  • hashvault.pro
  • iwanttoearn.money
  • --max-cpu-usage
  • mine.bz
  • minercircle.com
  • minergate
  • miners.pro
  • minexmr
  • mineXMR
  • miningpoolhubcoins
  • mixpools.org
  • mixpools.org
  • monero
  • monero.lindon-pool.win
  • moriaxmr.com
  • mypool.online
  • nanopool.org
  • nicehash
  • -p x
  • pool.electroneum.hashvault.pro
  • pool.xmr
  • poolto.be
  • prohash
  • prohash.net
  • ratchetmining.com
  • slushpool
  • stratum+
  • suprnova.cc
  • teracycle.net
  • usxmrpool
  • viaxmr.com
  • xmrpool
  • yiimp
  • zergpool
  • zergpoolcoins
  • zpool
  
  
• It is capable of propagating in the local network via the following means:
  • SMB Exploit (MS17-010)
  • MSSQL Brute forcing
  • Dumping Windows Domain Credentials using any of the following techniques/tools:
  • Mimikatz
  • Pass-The-Hash
  
  
• Capable of performing Brute Force Attack. It uses the following credentials:
  • Username:
  • Administrator
  • admin
  • Password:
  • !@#$%^&*
  • 000000
  • 1
  • 1111
  • 111111
  • 111111111
  • 112233
  • 11223344
  • 12
  • 121212
  • 123
  • 123!@#qwe
  • 123.com
  • 123@abc
  • 123123
  • 123123123
  • 123321
  • 1234
  • 12345
  • 123456
  • 1234567
  • 12345678
  • 123456789
  • 1234567890
  • 123456789a
  • 123456a
  • 123qwe
  • 123qwe!@#
  • 1q2w3e4r
  • 1q2w3e4r5t
  • 1qaz!QAZ
  • 1qaz@WSX
  • 1qaz2wsx
  • 21
  • 222222
  • 321
  • 5201314
  • 555555
  • 654321
  • 666666
  • 888888
  • 88888888
  • 987654321
  • 999999
  • a123456
  • A123456
  • a123456789
  • Aa123456
  • aa123456
  • Aa123456.
  • Aa12345678
  • aaaaaa
  • Ab123
  • abc
  • abc@123
  • Abc123
  • abc123
  • ABCabc123
  • abcd@1234
  • abcd1234
  • abcdefg
  • admin
  • admin@123
  • Admin@123
  • Admin123
  • admin888
  • Administrator
  • administrator
  • asdf
  • baseball
  • charlie
  • dragon
  • dubsmash
  • football
  • fuckyou
  • g_czechout
  • golden
  • hello
  • homelesspa
  • Huawei@123
  • iloveyou
  • login
  • love
  • master
  • monkey
  • p@ssw0rd
  • P@ssw0rd
  • P@SSW0RD
  • p@ssword
  • P@ssword
  • P@SSWORD
  • P@w0rd
  • pass
  • Passw0rd
  • passw0rd
  • password
  • PASSWORD
  • password1
  • princess
  • qazwsx
  • qwe123
  • qwe1234
  • qwe1234A
  • qwe1234a
  • qwer12345
  • qwerty
  • qwertyuiop
  • sa
  • sa123
  • sa2008
  • saadmin
  • sapassword
  • sasa
  • sql2005
  • sql2008
  • sqlpassword
  • sunshine
  • superman
  • test1
  • welcome
  • zinch
  • zxcvbn
  • NTLM hashes:
  • 648AFF3A042261BAB4978076DE2C6B8C
  • 32ED87BDB5FDC5E9CBA88547376818D4
  • AACD12D27C87CAC8FC0B8538AED6F058
  • C1790553DBB8362FA7F16D564585B4D1
  • B9ACFD3C52ED0D6988BED8EB9AC636D6
  • E5810F3C99AE2ABB2232ED8458A61309
  • 0E032B9D51A580AC6CDFABAD8BC97A38
  • 6AA8BC1D5018300D54E51C9860FA961C
  • 8846F7EAEE8FB117AD06BDD830B7586C
  • 7B592E4F8178B4C75788531B2E747687
  • AFFFEBA176210FAD4628F0524BFE1942
  • 579DA618CFBFA85247ACF1F800A280A4
  • 47BF8039A8506CD67C524A03FF84BA4E
  • 5AE7B89B3AFEA28D448ED31B5C704289
  • 3F9F5F112DA330AC4C20BE279C6ADDFA
  • 73F5D97549F033374FA6D9F9CE247FFD
  • 6F12C0AB327E099821BD938F39FAAB0D
  • E5AE562DDFAA6B446C32764AB1EBF3ED
  • 161CFF084477FE596A5DB81874498A24
  • D30C2EF8389AC9E8516BAACB29463B7B
  • BC007082D32777855E253FD4DEFE70EE
  • E45A314C664D40A227F9540121D1A29D
  • D144986C6122B1B1654BA39932465528
  • F4BB18C1165A89248F9E853B269A8995
  • 570A9A65DB8FBA761C1008A51D4C95AB
  • E1A692BD23BDE99B327756E59308B4F8
  • A87F3A337D73085C45F9416BE5787D86
  • 00AFFD88FA323B00D4560BF9FEF0EC2F
  • 31FC0DC8F7DFAD0E8BD7CCC3842F2CE9
  • 674E48B68C5CD0EFD8F7E5FAA87B3D1E
  • 69943C5E63B4D2C104DBBCC15138B72B
  • 588FEB889288FB953B5F094D47D1565C
  • BCDF115FD9BA99336C31E176EE34B304
  • 3DBDE697D71690A769204BEB12283678
  • DF54DE3F3438343202C1DD523D0265BE
  • 7CE21F17C0AEE7FB9CEBA532D0546AD6
  • 7A21990FCD3D759941E45C490F143D5F
  • 579110C49145015C47ECD267657D3174
  • AF27EFB60C7B238910EFE2A7E0676A39
  • 2D7F1A5A61D3A96FB5159B5EEF17ADC6
  • 4057B60B514C5402DDE3D29A1845C366
  • E8CD0E4A9E89EAB931DC5338FCBEC54A
  • 6920C58D0DF184D829189C44FAFB7ECE
  • 3FA45A060BD2693AE4C05B601D05CA0C
  • BA07BA35933E5BF42DEA4AF8ADD09D1E
  • F1351AC828428D74F6DA2968089FC91F
  • E84D037613721532E6B6D84D215854B6
  • 2F2D544C53B3031F24D63402EA7FB4F9
  • 328727B81CA05805A68EF26ACB252039
  • 259745CB123A52AA2E693AAACCA2DB52
  • C22B315C040AE6E0EFEE3518D830362B
  • 162E829BE112225FEDF856E38E1C65FE
  • 209C6174DA490CAEB422F3FA5A7AE634
  • F9E37E83B83C47A93C2F09F66408631B
  • B3EC3E03E2A202CBD54FD104B8504FEF
  • 4ED91524CB54EAACC17A185646FB7491
  • AA647B916A1FAD374DF9C30711D58A7A
  • A80C9CC3F8439ADA25AF064A874EFE2D
  • 13B29964CC2480B4EF454C59562E675C
  • DE26CCE0356891A4A020E7C4957AFC72
  • E19CCF75EE54E06B06A5907AF13CEF42
  • 30FCAA8AD9A496B3E17F7FBFACC72993
  • 41630ABB825CA50DA31CE1FAC1E9F54D
  • F56A8399599F1BE040128B1DD9623C29
  • 2E4DBF83AA056289935DAEA328977B20
  • B963C57010F218EDC2CC3C229B5E4D0F
  • F2477A144DFF4F216AB81F2AC3E3207D
  • E6BD4CDB1E447131B60418F31D0B81D6
  • B9F917853E3DBF6E6831ECCE60725930
  • 6D3986E540A63647454A50E26477EF94
  • 066DDFD4EF0E9CD7C256FE77191EF43C
  • 152EFBCFAFEB22EABDA8FC5E68697A41
  • 5835048CE94AD0564E29A924A03510EF
  • 2D20D252A479F485CDF5E171D93985BF
  • 320A78179516C385E35A93FFA0B1C4AC
  • 0D757AD173D2FC249CE19364FD64C8EC
  • 72F5CFA80F07819CCBCFB72FEB9EB9B7
  • F67F5E3F66EFD7298BE6ACD32EEEB27C
  • 1C4ECC8938FB93812779077127E97662
  • AD70819C5BC807280974D80F45982011
  • A836EF24F0A529688BE2AF1479A95411
  • 36AA83BDCAB3C9FDAF321CA42A31C3FC
  • ACB98FD0478427CD18949050C5E87B47
  • 85DEEEC2D12F917783B689AE94990716
  • A4141712F19E9DD5ADF16919BB38A95C
  • E7380AE8EF85AE55BDCEAA59E418BD06
  • 81E5F1ADC94DD08B1A072F9C1AE3DD3F
  • 71C5391067DE41FAD6F3063162E5EEFF