Setup: https://www.virustotal.com/en/file/4280f729d317156706db6e9c87503d636f806e09efdfcf00e73dd3e71740c966/analysis/
App: https://www.virustotal.com/en/file/2260f04aff68f77102525c61ccab4680b869b27672f6939693b23c1c04c7fe82/analysis/
Unpacked + partially deobfuscated: https://www.virustotal.com/en/file/f754f949651f628b3f1c1fbe327d7b87ea63ecdab6c59b8431d459e67b11cbd2/analysis/
Deobfuscated Task Scheduler .xml string (note the -xUID- and xAppPath placeholders):
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2016-10-28T00:37:02.5049122</Date>
    <Author>memOptimizer</Author>
  </RegistrationInfo>
  <Triggers>
    <LogonTrigger>
      <Repetition>
        <Interval>PT1M</Interval>
        <Duration>PT2M</Duration>
        <StopAtDurationEnd>false</StopAtDurationEnd>
      </Repetition>
      <Enabled>true</Enabled>
      <Delay>PT30S</Delay>
    </LogonTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>-xUID-</UserId>
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
    <AllowHardTerminate>false</AllowHardTerminate>
    <StartWhenAvailable>true</StartWhenAvailable>
    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
    <IdleSettings>
      <StopOnIdleEnd>false</StopOnIdleEnd>
      <RestartOnIdle>false</RestartOnIdle>
    </IdleSettings>
    <AllowStartOnDemand>false</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>false</Hidden>
    <RunOnlyIfIdle>false</RunOnlyIfIdle>
    <WakeToRun>false</WakeToRun>
    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>
    <Priority>7</Priority>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>"xAppPath"</Command>
    </Exec>
  </Actions>
</Task>
C&C: http://www.memoryopt.com/mem64_update.php?user=C: hd serial&chase=hash of that, detailed below
Also contacts: http://www.memoryopt.com/mem786_pix.php?user=C: hd serial&subid=subid provided to setup&chase=same hash as before
chase= hash:
php -r "$m1 = md5('C: hd serial'); $m2 = md5($m1[29].$m1[14].$m1[5].$m1[19].$m1[11].$m1[24].$m1[31].$m1[8]); echo $m2;"
(the picked positions are 0-based offsets into the 32-char hex md5 of the C: drive serial; when running this from a POSIX shell rather than cmd.exe, escape each $ as \$ so the shell does not expand the PHP variables)
New sample, 2017-01-13 18:58 UTC
Setup: https://virustotal.com/en/file/8ab3022c80f21729205e4a6ce6717c0a4f32bb6572682aeba1eb70ae2732de6b/analysis/
Executable inside setup: https://virustotal.com/en/file/05507fbea96d53ad9144425db095f75e9057a1bef5f0a80500d826653a237b86/analysis/
Unpacked + partially deobfuscated: https://virustotal.com/en/file/e8d3779f8c53e4afcd81d766703f8056f904e13d2f4460d33be5b8675e9cc194/analysis/
Changes:
chase= hash changed again:
php -r "$m1 = md5('C: hd serial'); $m2 = md5($m1[22].$m1[12].$m1[17].$m1[24].$m1[18].$m1[13].$m1[31].$m1[13]); echo $m2;"
(same construction as before, with a new set of positions; note that position 13 is picked twice in this variant)
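Added helper (not part of the original notes) that reproduces both chase= constructions recorded above and, given a captured beacon URL of the memoryopt.com shape, reports which sample variant produced it; useful for matching proxy/IDS captures to a sample without running it. The drive serial used in the demo is a constructed value, not a real indicator.

```python
import hashlib
from urllib.parse import urlparse, parse_qs

# Index permutations over the 32-char hex md5 of the C: drive serial,
# as recovered from the two samples in these notes (0-based, like PHP $m1[i]).
CHASE_VARIANTS = {
    "2016-10-28 sample": (29, 14, 5, 19, 11, 24, 31, 8),
    "2017-01-13 sample": (22, 12, 17, 24, 18, 13, 31, 13),  # position 13 used twice
}


def md5_hex(data: str) -> str:
    """Hex md5 of a string, matching PHP's md5() on the same bytes."""
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def chase(serial: str, indices) -> str:
    """Rebuild the chase= value: md5 of 8 chars picked from md5(serial)."""
    m1 = md5_hex(serial)
    picked = "".join(m1[i] for i in indices)
    return md5_hex(picked)


def identify_variant(url: str):
    """Return the variant whose chase() matches a captured beacon URL, else None.

    Expects the memoryopt.com beacon shape: ...?user=<serial>&chase=<hash>
    (the optional subid= parameter of mem786_pix.php is ignored).
    """
    q = parse_qs(urlparse(url).query)
    if "user" not in q or "chase" not in q:
        return None
    serial, observed = q["user"][0], q["chase"][0].lower()
    for name, idx in CHASE_VARIANTS.items():
        if chase(serial, idx) == observed:
            return name
    return None


if __name__ == "__main__":
    # Constructed demo serial (not a real indicator).
    demo = "1234-ABCD"
    for name, idx in CHASE_VARIANTS.items():
        print(name, chase(demo, idx))
    beacon = "http://www.memoryopt.com/mem64_update.php?user=%s&chase=%s" % (
        demo, chase(demo, CHASE_VARIANTS["2017-01-13 sample"]))
    print(identify_variant(beacon))
```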