Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Userinit' = '<SYSTEM32>\userinit.exe,,<LS_APPDATA>\jwaroevi\rarexsdb.exe'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'RarExsdb' = '<LS_APPDATA>\jwaroevi\rarexsdb.exe'
Creates or modifies the following files:
- %HOMEPATH%\Start Menu\Programs\Startup\rarexsdb.exe
Malicious functions:
To bypass the Windows Firewall, removes or modifies the following registry keys (note the analysis captured the ControlSet001 path; on a live system the same values sit under CurrentControlSet):
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'DisableNotifications' = '00000001'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'DoNotAllowExceptions' = '00000000'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'EnableFirewall' = '00000000'
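The two groups of registry indicators above (the Userinit/Run autostart hooks and the FirewallPolicy values) can be checked offline from an exported `reg query` listing. The following script is an added example written for this page, not Dr.Web's own tooling; the sample listing it parses is constructed to mirror the indicators listed above (the user name `alice`, the `OneDrive` Run entry and the concrete paths are assumptions, not data from the analysis).

```python
"""Offline check for the Userinit/Run persistence and firewall-policy
tampering listed above. Added example, not Dr.Web's code. Input is the text
that `reg query <key>` prints, so an export from a suspect host can be fed in."""
import re
from typing import Dict, List, Optional, Tuple

RegKey = Dict[str, Tuple[str, str]]   # value name -> (type, data)
RegDump = Dict[str, RegKey]            # key path -> values

# Constructed sample mirroring the page's indicators (not captured output).
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Userinit    REG_SZ    C:\Windows\system32\userinit.exe,,C:\Users\alice\AppData\Local\jwaroevi\rarexsdb.exe
    Shell    REG_SZ    explorer.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    RarExsdb    REG_SZ    C:\Users\alice\AppData\Local\jwaroevi\rarexsdb.exe
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
    EnableFirewall    REG_DWORD    0x0
    DoNotAllowExceptions    REG_DWORD    0x0
    DisableNotifications    REG_DWORD    0x1
"""

_KEY_RE = re.compile(r"^HKEY_[A-Z_]+\\.*$")
_VALUE_RE = re.compile(r"^\s+(.+?)\s{2,}(REG_[A-Z_]+)\s{2,}(.*)$")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")


def parse_reg_query(text: str) -> RegDump:
    """Key path lines followed by indented 'name  TYPE  data' lines (2+ spaces)."""
    dump: RegDump = {}
    current: Optional[str] = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if _KEY_RE.match(line):
            current = line.strip()
            dump.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name, vtype, data = m.groups()
            dump[current][name] = (vtype, data.strip())
    return dump


def _get(values: RegKey, name: str) -> Optional[Tuple[str, str]]:
    """Registry value names are case-insensitive."""
    return next((v for n, v in values.items() if n.lower() == name.lower()), None)


def _norm(path: str) -> str:
    return path.strip().strip('"').lower()


def split_userinit(data: str) -> List[str]:
    """Userinit is a comma-separated list of programs Winlogon runs at logon.
    The ',,' in the indicator above leaves an empty entry; drop it and return
    the programs that are actually launched."""
    return [p.strip() for p in data.split(",") if p.strip()]


def check_userinit(dump: RegDump) -> List[str]:
    """Anything besides the real system32\\userinit.exe is an extra program."""
    extra: List[str] = []
    for key, values in dump.items():
        v = _get(values, "Userinit") if key.lower().endswith("\\winlogon") else None
        if v is None:
            continue
        for entry in split_userinit(v[1]):
            if not _norm(entry).endswith("\\system32\\userinit.exe"):
                extra.append(entry)
    return extra


def _first_exe(data: str) -> str:
    """Executable path from a Run value ('"C:\\p q\\x.exe" /a' or 'C:\\p\\x.exe /a')."""
    d = data.strip()
    if d.startswith('"'):
        end = d.find('"', 1)
        return d[1:end].lower() if end > 0 else d.lower()
    m = re.match(r"(.*?\.exe)(\s|$)", d, re.IGNORECASE)
    return (m.group(1) if m else d).lower()


def check_run_keys(dump: RegDump, userinit_extra: List[str]) -> List[Tuple[str, str, str]]:
    """(severity, value name, data) per Run entry: 'high' when the same binary is
    also wired into Userinit (two autostart hooks for one file, as on this page);
    'review' when the target lives in a user-writable directory. The second rule
    is a triage heuristic and also catches legitimate per-user installers."""
    extra_norm = {_norm(e) for e in userinit_extra}
    findings: List[Tuple[str, str, str]] = []
    for key, values in dump.items():
        if not key.lower().endswith("\\currentversion\\run"):
            continue
        for name, (_, data) in values.items():
            target = _first_exe(data)
            if target in extra_norm:
                findings.append(("high", name, data))
            elif any(marker in target for marker in USER_WRITABLE):
                findings.append(("review", name, data))
    return findings


def _dword(data: str) -> int:
    return int(data, 16) if data.lower().startswith("0x") else int(data)


def check_firewall_policy(dump: RegDump) -> List[str]:
    """Flag profile values that turn the firewall off or hide that it is off.
    DoNotAllowExceptions=0 is the Windows default and is not flagged."""
    findings: List[str] = []
    for key, values in dump.items():
        if "\\firewallpolicy\\" not in key.lower():
            continue
        profile = key.rsplit("\\", 1)[-1]
        for name, bad, meaning in (("EnableFirewall", 0, "firewall disabled"),
                                   ("DisableNotifications", 1, "firewall-off alerts suppressed")):
            v = _get(values, name)
            if v is not None and _dword(v[1]) == bad:
                findings.append(f"{profile}: {name}={v[1]} ({meaning})")
    return findings


def analyze(text: str) -> dict:
    dump = parse_reg_query(text)
    extra = check_userinit(dump)
    return {"userinit_extra": extra,
            "run": check_run_keys(dump, extra),
            "firewall": check_firewall_policy(dump)}


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(SAMPLE_REG_QUERY), indent=2))
```

On the constructed sample the script reports the rarexsdb.exe path as an extra Userinit program, rates the RarExsdb Run entry 'high' because it points at that same file, lists OneDrive for review (an expected false positive of the user-writable heuristic), and flags EnableFirewall=0 and DisableNotifications=1. To feed it real data, run `reg query` for the three keys (using CurrentControlSet rather than ControlSet001 on a live host) and concatenate the output.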
To complicate detection of its presence in the operating system, blocks execution of the following system utilities:
- Windows Update
- Windows Security Center
blocks the following features:
- User Account Control (UAC)
- Windows Security Center
Creates and executes the following:
- '%TEMP%\byjjjqlf.exe'
Executes the following:
- '<SYSTEM32>\svchost.exe'
- '%TEMP%\byjjjqlf.exe'
Injects code into the following system processes:
- <SYSTEM32>\svchost.exe
Modifies file system:
Creates the following files:
- %TEMP%\nst5.tmp
- %TEMP%\nsl6.tmp\System.dll
- %TEMP%\nsj3.tmp\System.dll
- %TEMP%\byjjjqlf.exe
- %ALLUSERSPROFILE%\Application Data\ybfcuwpc.log
- <LS_APPDATA>\lawhwilb.log
- %TEMP%\ifqydaby.exe
- <LS_APPDATA>\jwaroevi\rarexsdb.exe
- %TEMP%\UYsBy2yd.FMNp
- %TEMP%\xalan-c
- %TEMP%\ie6hacks.css
- %TEMP%\nsh2.tmp
- %TEMP%\embed1419049949.json
- %TEMP%\content_5356147.htm891597031.html
- %TEMP%\HnJEzYhDZZtfQF6V.m5
- %TEMP%\method-servers.jpg
- %TEMP%\common.js1903970752.javascript
Sets the 'hidden' attribute to the following files:
- %HOMEPATH%\Start Menu\Programs\Startup\rarexsdb.exe
Network activity:
Connects to:
- 'de####sasaui.com':443
- 'vl###lsilgr.com':443
- 've#####lerqplclarbp.com':443
- 'vr####txftvpfo.com':443
- 'gq#####pwgrhxolkhl.com':443
- 'yl#####kvglamfre.com':443
- 'nw#####shbwbgdfal.com':443
- 'ce########ionforinfinitylifeexp.com':443
- '74.##5.232.51':80
- 'hx#####hmnxipiqvi.com':443
- 'hg####hhebpmkm.com':443
- 'pl###yms.com':443
UDP:
- DNS ASK vr####txftvpfo.com
- DNS ASK nb####aairlbtvd.com
- DNS ASK yl#####kvglamfre.com
- DNS ASK gq#####pwgrhxolkhl.com
- DNS ASK xo#####iyerfklhbd.com
- DNS ASK yu###wanvky.com
- DNS ASK nk####tvubwvp.com
- DNS ASK xc#####ywbildnhpg.com
- DNS ASK de####sasaui.com
- DNS ASK nw#####shbwbgdfal.com
- DNS ASK pl###yms.com
- DNS ASK google.com
- DNS ASK ce########ionforinfinitylifeexp.com
- DNS ASK ve#####lerqplclarbp.com
- DNS ASK vl###lsilgr.com
- DNS ASK hg####hhebpmkm.com
- DNS ASK hx#####hmnxipiqvi.com