Technical Information (behavioural sandbox report: registry persistence entries, file and process indicators, contacted hosts on port 80, HTTP requests, DNS queries, and one IP on port 1900; host names and the IP address are partially masked with '#')
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'AuthIP UserMode Cache Net.Tcp Engine Foundation' = '<SYSTEM32>\phhonabwk.exe'
- [<HKLM>\SYSTEM\ControlSet001\Services\Connection Registrar Receiver Removal] 'Start' = '00000002'
- Windows Security Center
- '<SYSTEM32>\jygcwuhcqu.exe' "<SYSTEM32>\phhonabwk.exe"
- '%WINDIR%\Temp\fwovim2zj3jf.exe' -r 46637 tcp
- '%TEMP%\fwovim2uaajftdpphwk.exe'
- '<SYSTEM32>\phhonabwk.exe'
- <SYSTEM32>\mjfkprqhbzx\run
- <SYSTEM32>\mjfkprqhbzx\rng
- %WINDIR%\Temp\fwovim2zj3jf.exe
- <SYSTEM32>\mjfkprqhbzx\cfg
- <SYSTEM32>\jygcwuhcqu.exe
- %TEMP%\fwovim2uaajftdpphwk.exe
- <SYSTEM32>\mjfkprqhbzx\tst
- <SYSTEM32>\phhonabwk.exe
- <SYSTEM32>\mjfkprqhbzx\etc
- <SYSTEM32>\jygcwuhcqu.exe
- <SYSTEM32>\phhonabwk.exe
- %WINDIR%\Temp\fwovim2zj3jf.exe
- <DRIVERS>\etc\hosts
- %TEMP%\fwovim2uaajftdpphwk.exe
- 'pi###ress.net':80
- 'so###ress.net':80
- 'so###oat.net':80
- 'ab###pen.net':80
- 'pi###oat.net':80
- 'so###pen.net':80
- 'ro###oat.net':80
- 'pi###pen.net':80
- 'pi###est.net':80
- 'so###est.net':80
- 'kn###oat.net':80
- 'ab###oat.net':80
- 'wi###ind.net':80
- 'wi###egan.net':80
- 'dr###kind.net':80
- 'ab###est.net':80
- 'kn###pen.net':80
- 'kn###est.net':80
- 'kn###ress.net':80
- 'ab###ress.net':80
- 'mo###pen.net':80
- 'ju###pen.net':80
- 'ju###est.net':80
- 'ju###ress.net':80
- 'mo###est.net':80
- 'wh###ress.net':80
- 'hi###est.net':80
- 'hi###ress.net':80
- 'hi###oat.net':80
- 'wh###oat.net':80
- 'ro###est.net':80
- 'si###est.net':80
- 'si###ress.net':80
- 'si###oat.net':80
- 'ro###ress.net':80
- 'ju###oat.net':80
- 'mo###ress.net':80
- 'mo###oat.net':80
- 'ro###pen.net':80
- 'si###pen.net':80
- 'mo###ind.net':80
- 'ju###ind.net':80
- 'ju###egan.net':80
- 'ju###une.net':80
- 'mo###egan.net':80
- 'wh###une.net':80
- 'hi###egan.net':80
- 'hi###une.net':80
- 'hi###ild.net':80
- 'wh###ild.net':80
- 'de###lxc.com':80
- 'si###egan.net':80
- 'be##lxc.com':80
- 'ri###nstorm.net':80
- 'af###sllc.com':80
- 'ju###ild.net':80
- 'mo###une.net':80
- 'mo###ild.net':80
- 'ro###ind.net':80
- 'si###ind.net':80
- 'th###began.net':80
- 'th###kind.net':80
- 'th###june.net':80
- 'lo###ind.net':80
- 'th###wild.net':80
- 'wi###une.net':80
- 'dr###began.net':80
- 'dr###june.net':80
- 'dr###wild.net':80
- 'wi###ild.net':80
- 'fe###ild.net':80
- 'lo###ild.net':80
- 'wh###ind.net':80
- 'wh###egan.net':80
- 'hi###ind.net':80
- 'lo###egan.net':80
- 'fe###ind.net':80
- 'fe###egan.net':80
- 'fe###une.net':80
- 'lo###une.net':80
- http://pi###ress.net/index.php
- http://so###ress.net/index.php
- http://so###oat.net/index.php
- http://ab###pen.net/index.php
- http://pi###oat.net/index.php
- http://so###pen.net/index.php
- http://ro###oat.net/index.php
- http://pi###pen.net/index.php
- http://pi###est.net/index.php
- http://so###est.net/index.php
- http://kn###oat.net/index.php
- http://ab###oat.net/index.php
- http://wi###ind.net/index.php
- http://wi###egan.net/index.php
- http://dr###kind.net/index.php
- http://ab###est.net/index.php
- http://kn###pen.net/index.php
- http://kn###est.net/index.php
- http://kn###ress.net/index.php
- http://ab###ress.net/index.php
- http://mo###pen.net/index.php
- http://ju###pen.net/index.php
- http://ju###est.net/index.php
- http://ju###ress.net/index.php
- http://mo###est.net/index.php
- http://wh###ress.net/index.php
- http://hi###est.net/index.php
- http://hi###ress.net/index.php
- http://hi###oat.net/index.php
- http://wh###oat.net/index.php
- http://ro###est.net/index.php
- http://si###est.net/index.php
- http://si###ress.net/index.php
- http://si###oat.net/index.php
- http://ro###ress.net/index.php
- http://ju###oat.net/index.php
- http://mo###ress.net/index.php
- http://mo###oat.net/index.php
- http://ro###pen.net/index.php
- http://si###pen.net/index.php
- http://mo###ind.net/index.php
- http://ju###ind.net/index.php
- http://ju###egan.net/index.php
- http://ju###une.net/index.php
- http://mo###egan.net/index.php
- http://wh###une.net/index.php
- http://hi###egan.net/index.php
- http://hi###une.net/index.php
- http://hi###ild.net/index.php
- http://wh###ild.net/index.php
- http://de###lxc.com/index.php
- http://si###egan.net/index.php
- http://be##lxc.com/index.php
- http://ri###nstorm.net/index.php
- http://af###sllc.com/index.php
- http://ju###ild.net/index.php
- http://mo###une.net/index.php
- http://mo###ild.net/index.php
- http://ro###ind.net/index.php
- http://si###ind.net/index.php
- http://th###began.net/index.php
- http://th###kind.net/index.php
- http://th###june.net/index.php
- http://lo###ind.net/index.php
- http://th###wild.net/index.php
- http://wi###une.net/index.php
- http://dr###began.net/index.php
- http://dr###june.net/index.php
- http://dr###wild.net/index.php
- http://wi###ild.net/index.php
- http://fe###ild.net/index.php
- http://lo###ild.net/index.php
- http://wh###ind.net/index.php
- http://wh###egan.net/index.php
- http://hi###ind.net/index.php
- http://lo###egan.net/index.php
- http://fe###ind.net/index.php
- http://fe###egan.net/index.php
- http://fe###une.net/index.php
- http://lo###une.net/index.php
- DNS ASK pi###ress.net
- DNS ASK so###ress.net
- DNS ASK so###oat.net
- DNS ASK ab###pen.net
- DNS ASK pi###oat.net
- DNS ASK so###pen.net
- DNS ASK ro###oat.net
- DNS ASK pi###pen.net
- DNS ASK pi###est.net
- DNS ASK so###est.net
- DNS ASK kn###oat.net
- DNS ASK ab###oat.net
- DNS ASK wi###ind.net
- DNS ASK wi###egan.net
- DNS ASK dr###kind.net
- DNS ASK ab###est.net
- DNS ASK kn###pen.net
- DNS ASK kn###est.net
- DNS ASK kn###ress.net
- DNS ASK ab###ress.net
- DNS ASK si###oat.net
- DNS ASK ju###pen.net
- DNS ASK hi###oat.net
- DNS ASK mo###pen.net
- DNS ASK mo###est.net
- DNS ASK ju###est.net
- DNS ASK hi###est.net
- DNS ASK wh###est.net
- DNS ASK wh###ress.net
- DNS ASK wh###oat.net
- DNS ASK hi###ress.net
- DNS ASK si###est.net
- DNS ASK ro###pen.net
- DNS ASK ro###est.net
- DNS ASK ro###ress.net
- DNS ASK si###ress.net
- DNS ASK mo###ress.net
- DNS ASK ju###ress.net
- DNS ASK ju###oat.net
- DNS ASK si###pen.net
- DNS ASK mo###oat.net
- DNS ASK mo###ind.net
- DNS ASK ju###ind.net
- DNS ASK ju###egan.net
- DNS ASK ju###une.net
- DNS ASK mo###egan.net
- DNS ASK wh###une.net
- DNS ASK hi###egan.net
- DNS ASK hi###une.net
- DNS ASK hi###ild.net
- DNS ASK wh###ild.net
- DNS ASK de###lxc.com
- DNS ASK si###egan.net
- DNS ASK be##lxc.com
- DNS ASK ri###nstorm.net
- DNS ASK af###sllc.com
- DNS ASK ju###ild.net
- DNS ASK mo###une.net
- DNS ASK mo###ild.net
- DNS ASK ro###ind.net
- DNS ASK si###ind.net
- DNS ASK th###began.net
- DNS ASK th###kind.net
- DNS ASK th###june.net
- DNS ASK lo###ind.net
- DNS ASK th###wild.net
- DNS ASK wi###une.net
- DNS ASK dr###began.net
- DNS ASK dr###june.net
- DNS ASK dr###wild.net
- DNS ASK wi###ild.net
- DNS ASK fe###ild.net
- DNS ASK lo###ild.net
- DNS ASK wh###ind.net
- DNS ASK wh###egan.net
- DNS ASK hi###ind.net
- DNS ASK lo###egan.net
- DNS ASK fe###ind.net
- DNS ASK fe###egan.net
- DNS ASK fe###une.net
- DNS ASK lo###une.net
- '23#.#55.255.250':1900