Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'Link Spooler Encryption Proxy Routing Thread' = 'C:\uxqscgkkg\mbnfyozsl.exe'
Creates the following services:
- [<HKLM>\SYSTEM\ControlSet001\Services\Removal DLL Auto-Discovery Net.Tcp VC] 'Start' = '00000002'
Malicious functions:
Creates and executes the following:
- 'C:\uxqscgkkg\sojrmoxk.exe' "c:\uxqscgkkg\mbnfyozsl.exe"
- 'C:\uxqscgkkg\mbnfyozsl.exe'
- 'C:\uxqscgkkg\ubqa2tk9lixprlskx4ezp.exe'
Modifies file system :
Creates the following files:
- C:\uxqscgkkg\mbnfyozsl.exe
- C:\uxqscgkkg\sojrmoxk.exe
- C:\uxqscgkkg\a7ifenrx
- %WINDIR%\uxqscgkkg\ih4e1vdgbwbu
- C:\uxqscgkkg\ih4e1vdgbwbu
- C:\uxqscgkkg\ubqa2tk9lixprlskx4ezp.exe
Sets the 'hidden' attribute to the following files:
- C:\uxqscgkkg\sojrmoxk.exe
- C:\uxqscgkkg\mbnfyozsl.exe
Deletes the following files:
- C:\uxqscgkkg\ubqa2tk9lixprlskx4ezp.exe
- %WINDIR%\uxqscgkkg\ih4e1vdgbwbu
Network activity:
Connects to:
- 'th####hsingle.net':80
- 'ef####single.net':80
- 'su###revery.net':80
- 'ef####charge.net':80
- 'th#####difference.net':80
- 'ef#####ifference.net':80
- 'th####hcharge.net':80
- 'wi###nevery.net':80
- 'su####single.net':80
- 'wi####single.net':80
- 'th###every.net':80
- 'wi####charge.net':80
- 'su#####ifference.net':80
- 'wi#####ifference.net':80
- 'su####charge.net':80
- 'wo###single.net':80
- 'in####seevery.net':80
- 'fo###tevery.net':80
- 're####ersingle.net':80
- 'wo####ifference.net':80
- 're####ercharge.net':80
- 'wo###charge.net':80
- 'in#####edifference.net':80
- 'fo####single.net':80
- 'th####hevery.net':80
- 'ef###tevery.net':80
- 'in####sesingle.net':80
- 'fo#####ifference.net':80
- 'in####secharge.net':80
- 'fo####charge.net':80
- 'li####charge.net':80
- 'de####ycharge.net':80
- 'li####single.net':80
- 'de#####difference.net':80
- 'li###eevery.net':80
- 'de####yevery.net':80
- 'li#####ifference.net':80
- 'de####ysingle.net':80
- 'hu####dcharge.net':80
- 'jo####ycharge.net':80
- 'hu####dsingle.net':80
- 'jo#####difference.net':80
- 'hu####devery.net':80
- 'jo####yevery.net':80
- 'hu#####difference.net':80
- 'ch###charge.net':80
- 'th###single.net':80
- 'ch###single.net':80
- 'th###charge.net':80
- 'ch###every.net':80
- 'th####ifference.net':80
- 'ch####ifference.net':80
- 'be###gevery.net':80
- 'ri####charge.net':80
- 'be####single.net':80
- 'ri####single.net':80
- 'be####charge.net':80
- 'ri###nevery.net':80
- 'be#####ifference.net':80
- 'ri#####ifference.net':80
TCP:
HTTP GET requests:
- http://th####hsingle.net/index.php?me########
- http://ef####single.net/index.php?me########
- http://su###revery.net/index.php?me########
- http://ef####charge.net/index.php?me########
- http://th#####difference.net/index.php?me########
- http://ef#####ifference.net/index.php?me########
- http://th####hcharge.net/index.php?me########
- http://wi###nevery.net/index.php?me########
- http://su####single.net/index.php?me########
- http://wi####single.net/index.php?me########
- http://th###every.net/index.php?me########
- http://wi####charge.net/index.php?me########
- http://su#####ifference.net/index.php?me########
- http://wi#####ifference.net/index.php?me########
- http://su####charge.net/index.php?me########
- http://wo###single.net/index.php?me########
- http://in####seevery.net/index.php?me########
- http://fo###tevery.net/index.php?me########
- http://re####ersingle.net/index.php?me########
- http://wo####ifference.net/index.php?me########
- http://re####ercharge.net/index.php?me########
- http://wo###charge.net/index.php?me########
- http://in#####edifference.net/index.php?me########
- http://fo####single.net/index.php?me########
- http://th####hevery.net/index.php?me########
- http://ef###tevery.net/index.php?me########
- http://in####sesingle.net/index.php?me########
- http://fo#####ifference.net/index.php?me########
- http://in####secharge.net/index.php?me########
- http://fo####charge.net/index.php?me########
- http://li####charge.net/index.php?me########
- http://de####ycharge.net/index.php?me########
- http://li####single.net/index.php?me########
- http://de#####difference.net/index.php?me########
- http://li###eevery.net/index.php?me########
- http://de####yevery.net/index.php?me########
- http://li#####ifference.net/index.php?me########
- http://de####ysingle.net/index.php?me########
- http://hu####dcharge.net/index.php?me########
- http://jo####ycharge.net/index.php?me########
- http://hu####dsingle.net/index.php?me########
- http://jo#####difference.net/index.php?me########
- http://hu####devery.net/index.php?me########
- http://jo####yevery.net/index.php?me########
- http://hu#####difference.net/index.php?me########
- http://ch###charge.net/index.php?me########
- http://th###single.net/index.php?me########
- http://ch###single.net/index.php?me########
- http://th###charge.net/index.php?me########
- http://ch###every.net/index.php?me########
- http://th####ifference.net/index.php?me########
- http://ch####ifference.net/index.php?me########
- http://be###gevery.net/index.php?me########
- http://ri####charge.net/index.php?me########
- http://be####single.net/index.php?me########
- http://ri####single.net/index.php?me########
- http://be####charge.net/index.php?me########
- http://ri###nevery.net/index.php?me########
- http://be#####ifference.net/index.php?me########
- http://ri#####ifference.net/index.php?me########
UDP:
- DNS ASK ef####charge.net
- DNS ASK th####hsingle.net
- DNS ASK ef####single.net
- DNS ASK th####hcharge.net
- DNS ASK ef###tevery.net
- DNS ASK th#####difference.net
- DNS ASK ef#####ifference.net
- DNS ASK su###revery.net
- DNS ASK wi####charge.net
- DNS ASK su####single.net
- DNS ASK wi####single.net
- DNS ASK su####charge.net
- DNS ASK wi###nevery.net
- DNS ASK su#####ifference.net
- DNS ASK wi#####ifference.net
- DNS ASK re####ersingle.net
- DNS ASK wo###single.net
- DNS ASK in####seevery.net
- DNS ASK wo###charge.net
- DNS ASK re#####rdifference.net
- DNS ASK wo####ifference.net
- DNS ASK re####ercharge.net
- DNS ASK fo###tevery.net
- DNS ASK in####sesingle.net
- DNS ASK fo####single.net
- DNS ASK th####hevery.net
- DNS ASK fo####charge.net
- DNS ASK in#####edifference.net
- DNS ASK fo#####ifference.net
- DNS ASK in####secharge.net
- DNS ASK th###every.net
- DNS ASK li####charge.net
- DNS ASK de####ycharge.net
- DNS ASK li####single.net
- DNS ASK de#####difference.net
- DNS ASK li###eevery.net
- DNS ASK de####yevery.net
- DNS ASK li#####ifference.net
- DNS ASK de####ysingle.net
- DNS ASK hu####dcharge.net
- DNS ASK jo####ycharge.net
- DNS ASK hu####dsingle.net
- DNS ASK jo#####difference.net
- DNS ASK hu####devery.net
- DNS ASK jo####yevery.net
- DNS ASK hu#####difference.net
- DNS ASK ch###charge.net
- DNS ASK th###single.net
- DNS ASK ch###single.net
- DNS ASK th###charge.net
- DNS ASK ch###every.net
- DNS ASK th####ifference.net
- DNS ASK ch####ifference.net
- DNS ASK be###gevery.net
- DNS ASK ri####charge.net
- DNS ASK be####single.net
- DNS ASK ri####single.net
- DNS ASK be####charge.net
- DNS ASK ri###nevery.net
- DNS ASK be#####ifference.net
- DNS ASK ri#####ifference.net
Miscellaneous:
Searches for the following windows:
- ClassName: 'Shell_TrayWnd' WindowName: ''