Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'Input Assistant Link-Layer HomeGroup' = 'C:\zcxdbbwbc\evfoayh.exe'
Creates the following services:
- [<HKLM>\SYSTEM\ControlSet001\Services\WWAN Resolution List Source Access Host] 'Start' = '00000002'
Malicious functions:
Creates and executes the following:
- 'C:\zcxdbbwbc\zsfnwpy.exe' "c:\zcxdbbwbc\evfoayh.exe"
- 'C:\zcxdbbwbc\evfoayh.exe'
- 'C:\zcxdbbwbc\ouof2p0mai2sbzlloan.exe'
Modifies file system :
Creates the following files:
- C:\zcxdbbwbc\evfoayh.exe
- C:\zcxdbbwbc\zsfnwpy.exe
- C:\zcxdbbwbc\qkkszbabjsj
- %WINDIR%\zcxdbbwbc\oretxznp3l
- C:\zcxdbbwbc\oretxznp3l
- C:\zcxdbbwbc\ouof2p0mai2sbzlloan.exe
Sets the 'hidden' attribute to the following files:
- C:\zcxdbbwbc\zsfnwpy.exe
- C:\zcxdbbwbc\evfoayh.exe
Deletes the following files:
- C:\zcxdbbwbc\ouof2p0mai2sbzlloan.exe
- %WINDIR%\zcxdbbwbc\oretxznp3l
Network activity:
Connects to:
- 'fo###tfound.net':80
- 'in####sefound.net':80
- 'ef####banker.net':80
- 'th####hbanker.net':80
- 'fo####success.net':80
- 'in####sesuccess.net':80
- 'fo####spring.net':80
- 'in####sespring.net':80
- 'ef###tfound.net':80
- 'th####hfound.net':80
- 'wi####banker.net':80
- 'su####banker.net':80
- 'ef####success.net':80
- 'th####hsuccess.net':80
- 'ef####spring.net':80
- 'th####hspring.net':80
- 'fo####banker.net':80
- 'hu####dairplane.net':80
- 'jo####ystraight.net':80
- 're####erbanker.net':80
- 'jo####yairplane.net':80
- 'hu####dguard.net':80
- 'jo####yfence.net':80
- 'hu####dstraight.net':80
- 'jo####yguard.net':80
- 're####erfound.net':80
- 'wo###spring.net':80
- 'in####sebanker.net':80
- 'wo###found.net':80
- 're####ersuccess.net':80
- 'wo###banker.net':80
- 're####erspring.net':80
- 'wo####uccess.net':80
- 'su####success.net':80
- 'de####ybanker.net':80
- 'li####banker.net':80
- 'de####ysuccess.net':80
- 'li####success.net':80
- 'ri####spring.net':80
- 'be####spring.net':80
- 'ri###nfound.net':80
- 'be###gfound.net':80
- 'jo####ybanker.net':80
- 'hu####dbanker.net':80
- 'jo####ysuccess.net':80
- 'hu####dsuccess.net':80
- 'de####yspring.net':80
- 'li####spring.net':80
- 'de####yfound.net':80
- 'li###efound.net':80
- 'ri####success.net':80
- 'th###banker.net':80
- 'wi###nfound.net':80
- 'th####uccess.net':80
- 'ch###banker.net':80
- 'su####spring.net':80
- 'wi####success.net':80
- 'su###rfound.net':80
- 'wi####spring.net':80
- 'be####banker.net':80
- 'ch###found.net':80
- 'be####success.net':80
- 'ri####banker.net':80
- 'th###spring.net':80
- 'ch####uccess.net':80
- 'th###found.net':80
- 'ch###spring.net':80
TCP:
HTTP GET requests:
- http://fo###tfound.net/index.php?me########
- http://in####sefound.net/index.php?me########
- http://ef####banker.net/index.php?me########
- http://th####hbanker.net/index.php?me########
- http://fo####success.net/index.php?me########
- http://in####sesuccess.net/index.php?me########
- http://fo####spring.net/index.php?me########
- http://in####sespring.net/index.php?me########
- http://ef###tfound.net/index.php?me########
- http://th####hfound.net/index.php?me########
- http://wi####banker.net/index.php?me########
- http://su####banker.net/index.php?me########
- http://ef####success.net/index.php?me########
- http://th####hsuccess.net/index.php?me########
- http://ef####spring.net/index.php?me########
- http://th####hspring.net/index.php?me########
- http://fo####banker.net/index.php?me########
- http://hu####dairplane.net/index.php?me########
- http://jo####ystraight.net/index.php?me########
- http://re####erbanker.net/index.php?me########
- http://jo####yairplane.net/index.php?me########
- http://hu####dguard.net/index.php?me########
- http://jo####yfence.net/index.php?me########
- http://hu####dstraight.net/index.php?me########
- http://jo####yguard.net/index.php?me########
- http://re####erfound.net/index.php?me########
- http://wo###spring.net/index.php?me########
- http://in####sebanker.net/index.php?me########
- http://wo###found.net/index.php?me########
- http://re####ersuccess.net/index.php?me########
- http://wo###banker.net/index.php?me########
- http://re####erspring.net/index.php?me########
- http://wo####uccess.net/index.php?me########
- http://su####success.net/index.php?me########
- http://de####ybanker.net/index.php?me########
- http://li####banker.net/index.php?me########
- http://de####ysuccess.net/index.php?me########
- http://li####success.net/index.php?me########
- http://ri####spring.net/index.php?me########
- http://be####spring.net/index.php?me########
- http://ri###nfound.net/index.php?me########
- http://be###gfound.net/index.php?me########
- http://jo####ybanker.net/index.php?me########
- http://hu####dbanker.net/index.php?me########
- http://jo####ysuccess.net/index.php?me########
- http://hu####dsuccess.net/index.php?me########
- http://de####yspring.net/index.php?me########
- http://li####spring.net/index.php?me########
- http://de####yfound.net/index.php?me########
- http://li###efound.net/index.php?me########
- http://ri####success.net/index.php?me########
- http://th###banker.net/index.php?me########
- http://wi###nfound.net/index.php?me########
- http://th####uccess.net/index.php?me########
- http://ch###banker.net/index.php?me########
- http://su####spring.net/index.php?me########
- http://wi####success.net/index.php?me########
- http://su###rfound.net/index.php?me########
- http://wi####spring.net/index.php?me########
- http://be####banker.net/index.php?me########
- http://ch###found.net/index.php?me########
- http://be####success.net/index.php?me########
- http://ri####banker.net/index.php?me########
- http://th###spring.net/index.php?me########
- http://ch####uccess.net/index.php?me########
- http://th###found.net/index.php?me########
- http://ch###spring.net/index.php?me########
UDP:
- DNS ASK in####sefound.net
- DNS ASK fo####spring.net
- DNS ASK th####hbanker.net
- DNS ASK fo###tfound.net
- DNS ASK in####sesuccess.net
- DNS ASK fo####banker.net
- DNS ASK in####sespring.net
- DNS ASK fo####success.net
- DNS ASK ef####banker.net
- DNS ASK ef###tfound.net
- DNS ASK th####hfound.net
- DNS ASK wi####banker.net
- DNS ASK su####banker.net
- DNS ASK ef####success.net
- DNS ASK th####hsuccess.net
- DNS ASK ef####spring.net
- DNS ASK th####hspring.net
- DNS ASK jo####ystraight.net
- DNS ASK hu####dstraight.net
- DNS ASK jo####yairplane.net
- DNS ASK hu####dairplane.net
- DNS ASK jo####yfence.net
- DNS ASK hu####dfence.net
- DNS ASK jo####yguard.net
- DNS ASK hu####dguard.net
- DNS ASK re####erbanker.net
- DNS ASK re####erfound.net
- DNS ASK wo###spring.net
- DNS ASK in####sebanker.net
- DNS ASK wo###found.net
- DNS ASK re####ersuccess.net
- DNS ASK wo###banker.net
- DNS ASK re####erspring.net
- DNS ASK wo####uccess.net
- DNS ASK li####banker.net
- DNS ASK ri###nfound.net
- DNS ASK li####success.net
- DNS ASK de####ybanker.net
- DNS ASK be####spring.net
- DNS ASK ri####success.net
- DNS ASK be###gfound.net
- DNS ASK ri####spring.net
- DNS ASK de####ysuccess.net
- DNS ASK jo####ybanker.net
- DNS ASK hu####dbanker.net
- DNS ASK jo####ysuccess.net
- DNS ASK hu####dsuccess.net
- DNS ASK de####yspring.net
- DNS ASK li####spring.net
- DNS ASK de####yfound.net
- DNS ASK li###efound.net
- DNS ASK wi###nfound.net
- DNS ASK su###rfound.net
- DNS ASK ch###banker.net
- DNS ASK th###banker.net
- DNS ASK wi####success.net
- DNS ASK su####success.net
- DNS ASK wi####spring.net
- DNS ASK su####spring.net
- DNS ASK th####uccess.net
- DNS ASK be####banker.net
- DNS ASK ch###found.net
- DNS ASK be####success.net
- DNS ASK ri####banker.net
- DNS ASK th###spring.net
- DNS ASK ch####uccess.net
- DNS ASK th###found.net
- DNS ASK ch###spring.net
Miscellaneous:
Searches for the following windows:
- ClassName: 'Shell_TrayWnd' WindowName: ''