Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'Machine DLL Bluetooth Studio AutoConfig' = '<SYSTEM32>\vcncgtl.exe'
Creates the following services:
- [<HKLM>\SYSTEM\ControlSet001\Services\Defender Launcher Experience] 'ImagePath' = '<SYSTEM32>\vcncgtl.exe'
- [<HKLM>\SYSTEM\ControlSet001\Services\Defender Launcher Experience] 'Start' = '00000002'
Malicious functions:
To complicate detection of its presence in the operating system,
blocks the following features:
- Windows Security Center
Executes the following:
- '<SYSTEM32>\uhkqipjxj.exe' "<SYSTEM32>\vcncgtl.exe"
- '%WINDIR%\Temp\jleujhosrbtb9nkw3m5.exe' -r 31347 tcp
- '%TEMP%\jleujhost9hogqkw3m5uibvmr.exe'
- '<SYSTEM32>\vcncgtl.exe'
Modifies file system:
Creates the following files:
- <SYSTEM32>\rfhfzzqrdgf\run
- <SYSTEM32>\rfhfzzqrdgf\rng
- %WINDIR%\Temp\jleujhosrbtb9nkw3m5.exe
- <SYSTEM32>\rfhfzzqrdgf\cfg
- %TEMP%\jleujhost9hogqkw3m5uibvmr.exe
- <SYSTEM32>\rfhfzzqrdgf\tst
- <SYSTEM32>\uhkqipjxj.exe
- <SYSTEM32>\vcncgtl.exe
Sets the 'hidden' attribute to the following files:
- <SYSTEM32>\uhkqipjxj.exe
- <SYSTEM32>\vcncgtl.exe
Deletes the following files:
- %WINDIR%\Temp\jleujhosrbtb9nkw3m5.exe
- %TEMP%\jleujhost9hogqkw3m5uibvmr.exe
Network activity:
Connects to:
- 'ri###nstorm.net':80
- 'lo####thepings.ru':80
- '18#.#17.73.77':80
- '18#.#06.120.168':80
TCP:
HTTP GET requests:
- http://ri###nstorm.net/index.php
- http://lo####thepings.ru/index.php
- http://18#.#17.73.77/index.php
- http://18#.#06.120.168/index.php
UDP:
- DNS ASK fa####turday.net
- DNS ASK vi###tree.net
- DNS ASK wa####aturday.net
- DNS ASK wa####housand.net
- DNS ASK wa###loud.net
- DNS ASK wa###loud.ru
- DNS ASK fa####ousand.net
- DNS ASK vi###tree.ru
- DNS ASK sp####housand.net
- DNS ASK sp####housand.ru
- DNS ASK vi####aturday.net
- DNS ASK vi####housand.net
- DNS ASK sp###tree.net
- DNS ASK vi###loud.net
- DNS ASK sp###loud.net
- DNS ASK dr###tree.ru
- DNS ASK dr####housand.net
- DNS ASK th###oud.net
- DNS ASK dr###tree.net
- DNS ASK so###stock.net
- DNS ASK ar###stock.net
- DNS ASK th###ree.net
- DNS ASK dr###loud.net
- DNS ASK fa###ree.net
- DNS ASK wa###tree.net
- DNS ASK fa###oud.net
- DNS ASK dr####aturday.net
- DNS ASK th####ousand.net
- DNS ASK th####turday.net
- DNS ASK th###aturday.ru
- DNS ASK gl####turday.net
- DNS ASK sa###ree.net
- DNS ASK sp###ree.net
- DNS ASK ta####aturday.net
- DNS ASK ta####housand.net
- DNS ASK ta####housand.ru
- DNS ASK gl####ousand.net
- DNS ASK sp##tree.ru
- DNS ASK sa####turday.net
- DNS ASK sa###aturday.ru
- DNS ASK wa###reply.net
- DNS ASK sp####ousand.net
- DNS ASK sa###oud.net
- DNS ASK sp###oud.net
- DNS ASK sa####ousand.net
- DNS ASK gr###loud.ru
- DNS ASK eq###loud.net
- DNS ASK gr####housand.net
- DNS ASK gr###loud.net
- DNS ASK sp####aturday.net
- DNS ASK gr###tree.net
- DNS ASK eq###tree.net
- DNS ASK eq####housand.net
- DNS ASK gl###ree.net
- DNS ASK ta###loud.net
- DNS ASK gl###oud.net
- DNS ASK ta###tree.net
- DNS ASK gr####aturday.net
- DNS ASK eq####aturday.net
- DNS ASK eq####aturday.ru
- DNS ASK gr###throw.net
- DNS ASK eq###throw.net
- DNS ASK gr###stock.net
- DNS ASK gr###reply.net
- DNS ASK eq###whole.ru
- DNS ASK eq###whole.net
- DNS ASK eq###reply.net
- DNS ASK gr###stock.ru
- DNS ASK gl###eply.net
- DNS ASK gl###eply.ru
- DNS ASK ta###throw.net
- DNS ASK ta###reply.net
- DNS ASK eq###stock.net
- DNS ASK ta###whole.net
- DNS ASK gl###hole.net
- DNS ASK wa###stock.ru
- DNS ASK vi###whole.net
- DNS ASK sp###whole.net
- DNS ASK wa###stock.net
- DNS ASK fa###hrow.net
- DNS ASK wa###throw.net
- DNS ASK fa###tock.net
- DNS ASK vi###reply.net
- DNS ASK vi###stock.net
- DNS ASK sp###stock.net
- DNS ASK gr###whole.net
- DNS ASK sp###throw.net
- DNS ASK sp###reply.net
- DNS ASK vi###throw.net
- DNS ASK vi###throw.ru
- DNS ASK up###hrow.net
- DNS ASK wh###stock.net
- DNS ASK up###tock.net
- DNS ASK wh###throw.net
- DNS ASK wh###reply.net
- DNS ASK wh###reply.ru
- DNS ASK up###eply.net
- DNS ASK up###tock.ru
- DNS ASK so###throw.net
- DNS ASK so###throw.ru
- DNS ASK ar###throw.net
- DNS ASK ar###reply.net
- DNS ASK so###whole.net
- DNS ASK ar###whole.net
- DNS ASK so###reply.net
- DNS ASK sa###hole.ru
- DNS ASK sp###hole.net
- DNS ASK sa###eply.net
- DNS ASK sa###hole.net
- DNS ASK gl###hrow.net
- DNS ASK ta###stock.net
- DNS ASK gl###tock.net
- DNS ASK sp###eply.net
- DNS ASK sp###tock.net
- DNS ASK wh###whole.net
- DNS ASK up###hole.net
- DNS ASK sa###tock.net
- DNS ASK sa###hrow.net
- DNS ASK sp###hrow.net
- DNS ASK sp###hrow.ru
- DNS ASK dr###mark.ru
- DNS ASK so###mile.net
- DNS ASK wh###read.ru
- DNS ASK up###han.net
- DNS ASK sp###han.net
- DNS ASK sp##than.ru
- DNS ASK th###roke.net
- DNS ASK wh###read.net
- DNS ASK up###ing.net
- DNS ASK th###tate.net
- DNS ASK up###ile.net
- DNS ASK up###ead.net
- DNS ASK wh###than.net
- DNS ASK ar###king.net
- DNS ASK dr###broke.net
- DNS ASK ta###than.net
- DNS ASK gl##read.ru
- DNS ASK gl###han.net
- DNS ASK gl###ead.net
- DNS ASK ta###mile.net
- DNS ASK gl###ile.net
- DNS ASK ta###read.net
- DNS ASK sa###ing.net
- DNS ASK sa###ead.net
- DNS ASK sp###ead.net
- DNS ASK sa###han.net
- DNS ASK sp###ile.net
- DNS ASK sp###ing.net
- DNS ASK sa###ile.net
- DNS ASK sa##mile.ru
- DNS ASK wa###broke.ru
- DNS ASK wa###broke.net
- DNS ASK fa###roke.net
- DNS ASK fa##news.ru
- DNS ASK dr###mark.net
- DNS ASK ar###king.ru
- DNS ASK wa###state.net
- DNS ASK wa###mark.net
- DNS ASK lo####thepings.ru
- DNS ASK ri###nstorm.net
- DNS ASK sp####turday.net
- DNS ASK fa###tate.net
- DNS ASK fa###ark.net
- DNS ASK wa###news.net
- DNS ASK fa###ews.net
- DNS ASK so###king.net
- DNS ASK vi###news.net
- DNS ASK dr###state.net
- DNS ASK so###than.net
- DNS ASK sp###news.net
- DNS ASK wh###king.net
- DNS ASK so###read.net
- DNS ASK wh###mile.net
- DNS ASK so###than.ru
- DNS ASK th###ark.net
- DNS ASK ar###than.net
- DNS ASK th###ews.net
- DNS ASK ar###mile.net
- DNS ASK ar###read.net
- DNS ASK dr###news.net
- DNS ASK th###ing.net
- DNS ASK dr###king.net
- DNS ASK th###ile.net
- DNS ASK ar####aturday.net
- DNS ASK ar####housand.net
- DNS ASK so####aturday.net
- DNS ASK ar####housand.ru
- DNS ASK th##mile.ru
- DNS ASK dr###than.net
- DNS ASK dr###than.ru
- DNS ASK fa###ing.net
- DNS ASK dr###read.net
- DNS ASK dr###mile.net
- DNS ASK th###han.net
- DNS ASK th###ead.net
- DNS ASK up##loud.ru
- DNS ASK wh####housand.net
- DNS ASK up####ousand.net
- DNS ASK up###oud.net
- DNS ASK wh###tree.net
- DNS ASK up###ree.net
- DNS ASK wh###loud.net
- DNS ASK wh####aturday.net
- DNS ASK so###loud.net
- DNS ASK ar###loud.net
- DNS ASK so####housand.net
- DNS ASK ar###tree.net
- DNS ASK up####turday.net
- DNS ASK so###tree.net
- DNS ASK so###tree.ru
- DNS ASK eq###king.net
- DNS ASK gr###mile.net
- DNS ASK eq###mile.net
- DNS ASK gr###king.net
- DNS ASK vi###than.net
- DNS ASK vi###than.ru
- DNS ASK sp###than.net
- DNS ASK eq###mile.ru
- DNS ASK eq###than.net
- DNS ASK ta###king.ru
- DNS ASK gl###ing.net
- DNS ASK ta###king.net
- DNS ASK gr###read.net
- DNS ASK eq###read.net
- DNS ASK gr###than.net
- DNS ASK fa##read.ru
- DNS ASK wa###read.net
- DNS ASK fa###han.net
- DNS ASK fa###ead.net
- DNS ASK wa###king.net
- DNS ASK fa###ile.net
- DNS ASK wa###mile.net
- DNS ASK wa###than.net
- DNS ASK sp###mile.net
- DNS ASK sp###read.net
- DNS ASK vi###read.net
- DNS ASK vi###mile.net
- DNS ASK vi###king.net
- DNS ASK sp###king.net
- DNS ASK sp###king.ru
- '23#.#55.255.250':1900
