•Modifies the listed registry keys.

•Creates or modifies the listed files.

•Sets a service to autorun.

•Creates the listed services.

•Changes the listed executable system files.

•Replaces the listed executable system files.

•Replaces system binary files.

•Replaces system binary files using a symbolic link.

•Infects the listed executable files.

•Creates the following files on removable media.

•Modifies master boot record (MBR).

•Creates or modifies files to ensure autorun:

▫in /init.d;

▫in /router;

▫in /cron;

▫on desktop;

▫in other folders.

•Creates or modifies files to ensure autorun using symbolic links:

▫in /cron.

•Creates or modifies symbolic links to ensure autorun:

▫in /init.d;

▫on desktop;

▫in other folders.

•Bypasses firewall, removes, or modifies the listed registry keys.

•To complicate detection of its presence in the operating system:

▫Forces the system to hide from view:

▪hidden files;

▪file extensions.

▫Blocks execution of the listed system utilities:

▪Command Prompt (CMD);

▪Windows Task Manager (Taskmgr);

▪Registry Editor (RegEdit).

▪Windows Firewall.

▪System Updates (Windows Update).

▪Windows Security Center.

▪System Anti-virus (Windows Defender).

▫Blocks the following features:

▪System Restore (SR);

▪Windows File Protection (WFP);

▪User Account Control (UAC);

▪System File Checker (SFC);

▪Windows Security Center.

▪Windows Support Center (Action Center).

▫Changes the listed system preferences:

▪changes the DNS server;

▪disables taskbar notifications.

▫removes shadow copies of volumes;

▫adds anti-virus exceptions using the listed registry keys.

•Creates and executes the listed processes:

▫creates and executes files (an exploit);

▫creates and loads libraries (an exploit);

▫downloads and executes files.

•Executes the listed processes.

•Injects code into the listed processes:

▫listed system processes;

▫listed user processes;

▫a large number of user processes.

•Installs hooks to intercept notifications:

▫About keystrokes:

▪Handler for all processes;

▪Handler for the listed processes.

•Terminates or attempts to terminate:

▫processes;

▫listed system processes;

▫listed user processes;

▫a large number of user processes.

▫processes of traffic analysis and program running applications;

▫processes by name.

•Searches for registry branches where third-party applications store passwords.

•Executes WMI operations.

•Registers a file system filter driver.

•Searches for the listed windows to:

▫bypass different anti-viruses;

▫bypass the Windows File Protection system;

▫detect analytics tools;

▫detect applications and games;

▫detect virtual machines.

•Creates an onion service.

•Loads the listed drivers.

•Hooks the following functions in the System Service Descriptor Table (SSDT):

▫a handler.

•Restores hooked functions in the System Service Descriptor Table (SSDT).

•Brute forces passwords of OS accounts.

•Performs a bruteforce attack in the network.

•Disables AMSI.

•Changes firewall settings.

•Changes router settings.

•Stops critical services.

•Manages services.

•Blocks through firewall:

▫SSH;

▫telnet;

▫standard web service ports.

•Modifies the listed settings of Windows Explorer.

•Modifies the listed settings of Windows Internet Explorer.

•Affects processes:

▫hides the listed processes;

▫traces processes;

▫injects itself in processes.

•Forces autorun for removable media.

•Sets a new unauthorized home page for Internet Explorer.

•Attempts to shut down Windows OS.

•Sends SMS.

•Executes the code of detectable threats.

•Downloads detectable threats from the internet.

•Sends contacts saved on the device to a remote server.

•Sends data on incoming SMS to a remote server.

•Overlays the interface preventing access to it.

•Sets a lock screen password.

•Prompts to install a third-party application.

•Hides its icon from screen.

•Ends incoming phone calls.

•Muffles incoming phone calls.

•Intercepts incoming SMS and terminates the process of their transmission to handlers of other apps.

•Deactivates a device administrator.

•Removes user data.

•Threat detection based on machine learning.

•Contains typical banking trojan/virus code.

•Contains typical locker code.

•Loads the listed detectable threats to be executed.

•Downloads the listed detectable threats from the internet.

•Launches a large number of processes.

•Creates the listed files.

•Appends the “hidden” attribute to the listed files.

•Deletes the listed files.

•Sets a written file as executable.

•Sets a file as executable.

•Deletes a file.

•Deletes a system binary file.

•Creates or modifies symbolic links.

•Writes to system directory:

▫files;

▫symbolic links.

•Writes to system subdirectory:

▫files;

▫symbolic links.

•Writes to temporary directory:

▫files;

▫symbolic links.

•Creates directories:

▫in system subdirectory;

▫in system directory;

▫in temporary subdirectory;

▫in temporary directory;

▫in other directories.

•Removes directories:

▫in system directory;

▫in system subdirectory;

▫in temporary subdirectory;

▫in other directories.

•Moves the listed system files.

•Moves the listed files.

•Replaces the listed executable files.

•Modifies the HOSTS file.

•Replaces the HOSTS file.

•Moves itself.

•Deletes itself.

•Creates files.

•Changes access rights:

▫for a file;

▫for a written file.

•Changes owner:

▫for a file;

▫for a written file.

•Locks files.

•Changes the time when the file was created, accessed, or modified.

•Mounts file systems.

•Unmounts file systems.

•Creates files and demands payment for file decoding (Trojan.Encoder).

•Changes a large amount of user data (Trojan.Encoder).

•Changes file extensions in user data (Trojan.Encoder).

•Sets permissions to execute files.

•Adds an exclusion to Microsoft Defender.

•Connects to a network resource.

•Opens a port.

•Sends data to a server.

•Receives data from a server.

•Accesses SSH.

•Connects to server through:

▫HTTP;

▫IRC.

•TCP:

▫HTTP GET requests;

▫HTTP POST requests;

▫HTTP HEAD requests;

▫HTTP PATCH requests;

▫HTTP PUT requests;

▫HTTP DELETE requests;

▫HTTP OPTIONS requests;

▫HTTP TRACE requests;

▫unknown HTTP requests.

•UDP:

▫DNS requests.

•Adds a root certificate.

•Disables certificate.

•Collects information:

▫on the OS;

▫on the CPU;

▫on the RAM;

▫on the network activity.

•Changes value of the AutoConfigURL parameter as follows.

•Substitutes an application name.

•Searches for the listed windows.

•Creates and executes files.

•File protected with the Themida packer by Oreans Technologies.

•Uses NTFS alternate data streams.

•Loads the listed drivers.

•Unloads the kernel module.

•Sets kernel module to autorun.

•Executes shell scripts.

•Runs as daemon.

•Compiles source code.

•Reads information from /proc/kallsyms.

•Loads dynamic libraries.

•Makes phone calls.

•Uses data encryption algorithms.

•Uses data decryption algorithms.

•Uses elevated privileges.

•Uses administrator rights.

•Gains root access.

•Accesses the ITelephony private interface.

•Uses libraries to hide executable bytecode.

•Can send SMS automatically.

•Accesses audio/video recording interfaces.

•Records audio/video.

•Accesses camera interface.

•Changes volume and vibration settings.

•Accesses location of the device.

•Accesses network information.

•Gets information about the device (phone number, IMEI, etc.).

•Gets information about APN settings.

•Gets information about active device administrators.

•Gets information about installed apps.

•Gets information about running apps.

•Gets information about accounts linked with the device.

•Adds tasks to the System Scheduler.

•Displays its windows over windows of other apps.

•Processes information from SMS.

•Gets information about incoming/outgoing phone calls.

•Gets information about sent/received SMS.

•Gets information about phone contacts.

•Enables/disables all cameras.

•Manages Wi-Fi connectivity.

•Checks for anti-virus applications.

•Intercepts notifications.

•Requests permission to display system alert windows.

•Sample from Google Play Store.

•Restarts the analyzed sample.