Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'xmkkxnh' = '<LS_APPDATA>\wavbgw.exe'
Creates or modifies the following files:
- %HOMEPATH%\Start Menu\Programs\Startup\unmst.exe
Malicious functions:
Injects code into
the following system processes:
- %WINDIR%\Explorer.EXE
the following user processes:
- skype.exe
Modifies file system:
Creates the following files:
- <LS_APPDATA>\wavbgw.exe
Sets the 'hidden' attribute to the following files:
- <LS_APPDATA>\wavbgw.exe
- %HOMEPATH%\Start Menu\Programs\Startup\unmst.exe
Network activity:
Connects to:
- '9.###.144.47':80
- '9.###.144.55':80
TCP:
HTTP POST requests:
- 9.###.144.47/query.php
- 9.###.144.55/query.php
UDP:
- DNS ASK ti##url.com
- DNS ASK tw###url.com
- DNS ASK tr#.kz
- DNS ASK tw##t.at
- DNS ASK tw##pwr.com
- DNS ASK ti#.li
- DNS ASK ti##up.net
- DNS ASK s3##.com
- DNS ASK tr###url.com
- DNS ASK to.ly
- DNS ASK sh###kster.com
- DNS ASK sh###kify.com
- DNS ASK sh###kurl.com
- DNS ASK ta##me.to
- DNS ASK sh##url.us
- DNS ASK sh##l.net
- DNS ASK tn##.org
- DNS ASK sh##url.com
- DNS ASK sh#####y.wikinote.com
- DNS ASK sh#t.st
- DNS ASK sh###adress.com
- DNS ASK tw#.bz
- DNS ASK sh##t.ie
- DNS ASK sh###ener.net
- DNS ASK t1##.net
- DNS ASK sh####omatic.com
- DNS ASK sh##ten.ws
- DNS ASK tu#o.us
- DNS ASK tw##l.at
- DNS ASK ti###url.net
- DNS ASK sh##tn.me
- DNS ASK sh##t.to
- DNS ASK sh###erlink.com
- DNS ASK th##ly.net
- DNS ASK ti#y.cc
- DNS ASK sh##rl.com
- DNS ASK th##fi.com
- DNS ASK tr.im
- DNS ASK sh##t.la
- DNS ASK sh##l.com
- DNS ASK tr#m.li
- DNS ASK th##nk.com
- DNS ASK sh####inks.co.uk
- DNS ASK tu##url.com
- DNS ASK ti###ink.com
- DNS ASK tw#.it
- DNS ASK tw###licks.com
- DNS ASK li###ala.com
- DNS ASK sh##tar.com
- DNS ASK tw##l.cc
- DNS ASK ti###url.com
- DNS ASK sh##t.com
- DNS ASK sh###url.com
Miscellaneous:
Searches for the following windows:
- ClassName: 'Indicator' WindowName: ''
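The persistence, injection and network observables above translate directly into host-based hunting logic. The script below is an added example, not part of this report, that checks Sysmon-style event records (EventID 13 registry value set, 11 file create, 8 CreateRemoteThread, 22 DNS query, plus a constructed proxy record for the HTTP POST) against those observables. Only the unredacted domains (to.ly, tr.im) are listed as known indicators; the redacted addresses and names are not reconstructed and are instead matched structurally (a Run value pointing into the local AppData directory, an .exe dropped into the Startup folder, a POST to /query.php). The sample trace, paths, SID and the 203.0.113.5 address are constructed for illustration, and the "burst" threshold of five distinct DNS names per process is an assumption, chosen because the report shows one process resolving dozens of shortener domains in a row.

```python
"""Hunt for the behaviour in the report above in Sysmon-style events.
Added example, not the report's own tooling. Field names follow Sysmon
(EventID, Image, TargetObject, Details, TargetFilename, TargetImage,
QueryName); the proxy record shape and all sample data are constructed."""
import re
from collections import defaultdict

# Observables taken from the report. Redacted values (9.###.144.47,
# ti##url.com, ...) cannot be reconstructed, so only the two unredacted
# domains are listed and the rest is matched by structure.
RUN_KEY_RE = re.compile(
    r"^(HKCU|HKU\\[^\\]+)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\[^\\]+$",
    re.IGNORECASE,
)
# <LS_APPDATA> in the report is read as the user's local AppData directory
# (assumption); both the XP and the Vista+ layout are accepted.
LOCAL_APPDATA_EXE_RE = re.compile(
    r"\\(AppData\\Local|Local Settings\\Application Data)\\[^\\]+\.exe$", re.IGNORECASE
)
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.exe$", re.IGNORECASE)
INJECT_TARGETS = {"explorer.exe", "skype.exe"}
KNOWN_DOMAINS = {"to.ly", "tr.im"}
POST_PATH = "/query.php"
# Assumption (not from the report): a process resolving this many distinct
# names in one trace is flagged as a lookup burst.
DNS_BURST_THRESHOLD = 5


def basename(path):
    """Last path component, lower-cased, for case-insensitive image matching."""
    return path.rsplit("\\", 1)[-1].lower()


def hunt(events):
    """Return a list of (rule, evidence) findings for the given events."""
    findings = []
    dns_by_image = defaultdict(set)
    for ev in events:
        eid = ev.get("EventID")
        if eid == 13 and RUN_KEY_RE.match(ev.get("TargetObject", "")):
            # Per-user Run value whose data is an .exe under local AppData
            if LOCAL_APPDATA_EXE_RE.search(ev.get("Details", "")):
                findings.append(("run_key_localappdata_exe", ev["Details"]))
        elif eid == 11 and STARTUP_RE.search(ev.get("TargetFilename", "")):
            findings.append(("startup_folder_exe", ev["TargetFilename"]))
        elif eid == 8 and basename(ev.get("TargetImage", "")) in INJECT_TARGETS:
            findings.append(("remote_thread_into_target", ev["TargetImage"]))
        elif eid == 22:
            name = ev.get("QueryName", "").lower()
            dns_by_image[ev.get("Image", "")].add(name)
            if name in KNOWN_DOMAINS:
                findings.append(("known_shortener_lookup", name))
        elif ev.get("Source") == "proxy":
            if ev.get("Method") == "POST" and ev.get("Url", "").endswith(POST_PATH):
                findings.append(("http_post_query_php", ev["Url"]))
    for image, names in dns_by_image.items():
        if len(names) >= DNS_BURST_THRESHOLD:
            findings.append(("dns_lookup_burst", f"{image} -> {len(names)} names"))
    return findings


# Constructed sample trace (not captured data): user, SID, address and the
# *.example names are made up; the HKLM entry is a benign negative case.
DROPPER = r"C:\Users\alice\AppData\Local\wavbgw.exe"
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": DROPPER, "Details": DROPPER,
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\xmkkxnh"},
    {"EventID": 11, "Image": DROPPER,
     "TargetFilename": r"C:\Users\alice\Start Menu\Programs\Startup\unmst.exe"},
    {"EventID": 8, "SourceImage": DROPPER, "TargetImage": r"C:\Windows\Explorer.EXE"},
    {"EventID": 8, "SourceImage": DROPPER,
     "TargetImage": r"C:\Program Files\Skype\Phone\Skype.exe"},
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "Details": r"C:\Windows\System32\SecurityHealthSystray.exe"},
    {"Source": "proxy", "Method": "POST", "Url": "http://203.0.113.5/query.php"},
] + [
    {"EventID": 22, "Image": r"C:\Windows\Explorer.EXE", "QueryName": q}
    for q in ("to.ly", "tr.im", "a.example", "b.example", "c.example")
]

if __name__ == "__main__":
    for rule, evidence in hunt(SAMPLE_EVENTS):
        print(f"{rule:28} {evidence}")
```

The HKLM Run entry and the non-shortener names are deliberately not matched on their own, so a single finding is weak evidence; the combination seen in the report (a hidden .exe under local AppData written to both a Run value and the Startup folder, a remote thread into Explorer.EXE and skype.exe, and a run of shortener lookups from the injected process) is what to alert on.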