Setup: https://www.virustotal.com/en/file/4280f729d317156706db6e9c87503d636f806e09efdfcf00e73dd3e71740c966/analysis/
App: https://www.virustotal.com/en/file/2260f04aff68f77102525c61ccab4680b869b27672f6939693b23c1c04c7fe82/analysis/
Unpacked + partially-deobfuscated: https://www.virustotal.com/en/file/f754f949651f628b3f1c1fbe327d7b87ea63ecdab6c59b8431d459e67b11cbd2/analysis/
Deobfuscated Task Scheduler .xml string:
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<RegistrationInfo>
<Date>2016-10-28T00:37:02.5049122</Date>
<Author>memOptimizer</Author>
</RegistrationInfo>
<Triggers>
<LogonTrigger>
<Repetition>
<Interval>PT1M</Interval>
<Duration>PT2M</Duration>
<StopAtDurationEnd>false</StopAtDurationEnd>
</Repetition>
<Enabled>true</Enabled>
<Delay>PT30S</Delay>
</LogonTrigger>
</Triggers>
<Principals>
<Principal id="Author">
<UserId>-xUID-</UserId>
<LogonType>InteractiveToken</LogonType>
<RunLevel>HighestAvailable</RunLevel>
</Principal>
</Principals>
<Settings>
<MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
<DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
<StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
<AllowHardTerminate>false</AllowHardTerminate>
<StartWhenAvailable>true</StartWhenAvailable>
<RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
<IdleSettings>
<StopOnIdleEnd>false</StopOnIdleEnd>
<RestartOnIdle>false</RestartOnIdle>
</IdleSettings>
<AllowStartOnDemand>false</AllowStartOnDemand>
<Enabled>true</Enabled>
<Hidden>false</Hidden>
<RunOnlyIfIdle>false</RunOnlyIfIdle>
<WakeToRun>false</WakeToRun>
<ExecutionTimeLimit>PT0S</ExecutionTimeLimit>
<Priority>7</Priority>
</Settings>
<Actions Context="Author">
<Exec>
<Command>"xAppPath"</Command>
</Exec>
</Actions>
</Task>
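Added example (not from the page or from the malware's author): a small Python triage helper that parses the task definition above with the standard-library ElementTree and pulls out the persistence-relevant settings. The embedded XML is an abridged copy of the deobfuscated string, keeping only the elements the triage reads with their values unchanged; the -xUID- and xAppPath placeholders are left as they appear in the string. Everything else (the finding texts, the function names) is this example's own.

```python
import xml.etree.ElementTree as ET

# Namespace of Task Scheduler 1.2 task definitions (the xmlns on the page's <Task>).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Abridged copy of the deobfuscated task XML from the page: the elements the
# triage below reads, values unchanged. -xUID- and xAppPath are the
# placeholders exactly as they appear in the deobfuscated string.
TASK_XML = """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2016-10-28T00:37:02.5049122</Date>
    <Author>memOptimizer</Author>
  </RegistrationInfo>
  <Triggers>
    <LogonTrigger>
      <Repetition>
        <Interval>PT1M</Interval>
        <Duration>PT2M</Duration>
        <StopAtDurationEnd>false</StopAtDurationEnd>
      </Repetition>
      <Enabled>true</Enabled>
      <Delay>PT30S</Delay>
    </LogonTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>-xUID-</UserId>
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <AllowHardTerminate>false</AllowHardTerminate>
    <AllowStartOnDemand>false</AllowStartOnDemand>
    <Hidden>false</Hidden>
    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>"xAppPath"</Command>
    </Exec>
  </Actions>
</Task>"""


def _text(root, path):
    """Text of the first element matching the namespaced path, or None."""
    el = root.find(path, NS)
    return el.text.strip() if el is not None and el.text else None


def triage_task(xml_text):
    """Summarise a task definition and list the traits worth a second look."""
    # The declaration says UTF-16, so hand expat UTF-16 bytes (with BOM) that match it.
    root = ET.fromstring(xml_text.strip().encode("utf-16"))
    trig_el = root.find("t:Triggers", NS)
    triggers = [el.tag.split("}", 1)[1] for el in trig_el] if trig_el is not None else []
    summary = {
        "author": _text(root, "t:RegistrationInfo/t:Author"),
        "command": _text(root, "t:Actions/t:Exec/t:Command"),
        "user": _text(root, "t:Principals/t:Principal/t:UserId"),
        "run_level": _text(root, "t:Principals/t:Principal/t:RunLevel"),
        "triggers": triggers,
        "interval": _text(root, "t:Triggers/t:LogonTrigger/t:Repetition/t:Interval"),
        "duration": _text(root, "t:Triggers/t:LogonTrigger/t:Repetition/t:Duration"),
    }
    findings = []
    if summary["run_level"] == "HighestAvailable":
        findings.append("runs with the highest privilege available to the logged-on user")
    if "LogonTrigger" in triggers:
        note = "starts at every logon"
        if summary["interval"]:
            note += f", repeating every {summary['interval']} for {summary['duration']}"
        findings.append(note)
    if _text(root, "t:Settings/t:AllowHardTerminate") == "false":
        findings.append("Task Scheduler may not hard-terminate it")
    if _text(root, "t:Settings/t:ExecutionTimeLimit") == "PT0S":
        findings.append("no execution time limit")
    if _text(root, "t:Settings/t:AllowStartOnDemand") == "false":
        findings.append("cannot be started on demand, only by its trigger")
    return summary, findings


if __name__ == "__main__":
    summary, findings = triage_task(TASK_XML)
    print(summary)
    for f in findings:
        print(" -", f)
```

The same function works on any task XML exported with `schtasks /query /xml` or read from %SystemRoot%\System32\Tasks, which is the practical use: run it over every task on a box and look at the ones whose Author, Command and trigger shape match the string above.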
C&C: http://www.memoryopt.com/mem64_update.php?user=C: hd serial&chase=hash of that, detailed below
Also contacts: http://www.memoryopt.com/mem786_pix.php?user=C: hd serial&subid=subid provided to setup&chase=same hash as before
chase= hash, computed as:
php -r '$m1 = md5("C: hd serial"); $m2 = md5($m1[29].$m1[14].$m1[5].$m1[19].$m1[11].$m1[24].$m1[31].$m1[8]); echo $m2;'
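Added example, not the author's PHP: the same chase computation in Python, plus a check that recomputes chase from the user parameter of a beacon URL, so a proxy-log search can separate real client check-ins from unrelated hits on the domain (and an analyst can confirm the algorithm against a captured request). The serial value and the squid-style log lines are constructed; the page does not say how the C: serial is formatted before hashing, so the serial is treated as an opaque string.

```python
import hashlib
from urllib.parse import parse_qs, urlencode, urlparse

# Positions of md5(serial) that the page's PHP one-liner picks out before
# hashing again; the order matters.
CHASE_OFFSETS = (29, 14, 5, 19, 11, 24, 31, 8)
C2_HOST = "www.memoryopt.com"
C2_PATHS = {"/mem64_update.php", "/mem786_pix.php"}


def chase_hash(serial):
    """chase = md5(eight selected hex chars of md5(serial)), as in the page's PHP."""
    m1 = hashlib.md5(serial.encode("latin-1")).hexdigest()
    picked = "".join(m1[i] for i in CHASE_OFFSETS)
    return hashlib.md5(picked.encode("ascii")).hexdigest()


def _sample_beacon_url(serial, subid=None):
    """Build a URL in the shape the page documents; used only to construct log lines."""
    if subid is None:
        path, query = "/mem64_update.php", {"user": serial, "chase": chase_hash(serial)}
    else:
        path, query = "/mem786_pix.php", {"user": serial, "subid": subid, "chase": chase_hash(serial)}
    return f"http://{C2_HOST}{path}?{urlencode(query)}"


def is_memoptimizer_beacon(url):
    """True when host and path match the C&C and chase == chase_hash(user)."""
    p = urlparse(url)
    if (p.hostname or "").lower() != C2_HOST or p.path not in C2_PATHS:
        return False
    q = parse_qs(p.query)
    user = q.get("user", [None])[0]
    chase = q.get("chase", [None])[0]
    return user is not None and chase is not None and chase.lower() == chase_hash(user)


def scan_proxy_log(lines):
    """Return (client, url) for each line whose URL verifies as a beacon.
    Constructed squid-style layout: ts elapsed client status bytes method url."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 7:
            continue
        client, url = fields[2], fields[6]
        if is_memoptimizer_beacon(url):
            hits.append((client, url))
    return hits


SERIAL = "1A2B-3C4D"  # constructed; the page only says "C: hd serial"
SAMPLE_LOG = [  # constructed lines, not real traffic
    f"1484341442.101 45 10.0.0.5 TCP_MISS/200 512 GET {_sample_beacon_url(SERIAL)}",
    f"1484341443.220 40 10.0.0.5 TCP_MISS/200 128 GET {_sample_beacon_url(SERIAL, 'sub01')}",
    # same path, but chase does not match user: a scanner or a replay, not the client
    f"1484341500.000 12 10.0.0.9 TCP_MISS/404 300 GET http://{C2_HOST}/mem64_update.php?user=scan&chase={'0' * 32}",
    "1484341501.000 30 10.0.0.7 TCP_MISS/200 9000 GET http://example.com/mem64_update.php?user=x&chase=y",
]

if __name__ == "__main__":
    print("chase for", SERIAL, "=", chase_hash(SERIAL))
    for client, url in scan_proxy_log(SAMPLE_LOG):
        print("beacon from", client, url)
```

A plain domain match would have flagged the third line too; recomputing chase from user is what ties a request to the client-side algorithm, which is useful both for cutting false positives and for recovering the C: serial of an infected host straight from the proxy log.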
New sample 2017-01-13 21:04 UTC -- after 4 samples today, slowly automating the manual part of the unpacking work...
Setup: https://virustotal.com/en/file/dc88d544134cf6cf0d5e85f3170b48c53668606ea056e20932707a86e37d73b5/analysis/
Executable inside setup: https://virustotal.com/en/file/b0eede32224122b9380af24c04bf147bc51fca3478577ccd1df6188eca4734b4/analysis/
Unpacked + partially deobfuscated: https://virustotal.com/en/file/16847470734932c4ca9bd22a32ba91a524b8e1b55a9f1e35c74ec6ab05f2b6d4/analysis/
Changes: none; it seems to be just a recompile.