Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\RunOnce] '9FD8E146' = '%TEMP%\mulkv.exe'
Creates the following services:
- [<HKLM>\SYSTEM\ControlSet001\services\yddnaxteal] 'Start' = '00000002'
Malicious functions:
Creates and executes the following:
- '%TEMP%\mulkv.exe' -svc
Executes the following:
- '<SYSTEM32>\rundll32.exe' dfdts.dll,DfdGetDefaultPolicyAndSMART
Modifies file system:
Creates the following files:
- <SYSTEM32>\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y3PNY1M8\settings[1].cfg
- <SYSTEM32>\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y3PNY1M8\remote[1].php
- %TEMP%\mulkv.exe
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\iLog[1].php
Deletes the following files:
- <SYSTEM32>\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y3PNY1M8\remote[1].php
- <SYSTEM32>\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y3PNY1M8\settings[1].cfg
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\iLog[1].php
Network activity:
Connects to:
- 'aj#.##oneypot.net':80
- 'oy#####.ihelloyou.net':80
- 'wt####.ifollowya.com':80
- 'qs####.ihoneypot.net':80
- 'jj##.#helloyou.net':80
- 'um#.#mnosy.com':80
- 'al###.emnosy.com':80
- 'ql##.#crondyou.com':80
- 'ce#####.icrondyou.com':80
- 'dk##.#followya.com':80
- 'mn##.#opololo.com':80
- 'xu####.popokopo.com':80
- 'pi##.#opokopo.com':80
- 'xn####.topololo.com':80
- 'dl#####.popokopo.com':80
- 'px###.#tripthere.com':80
- 'jo##.#tripthere.com':80
- 'te#####.yournailed.net':80
- 'jq####.yournailed.net':80
TCP:
HTTP GET requests:
- aj#.##oneypot.net/mars/remote.php?os#########################################################################################
- oy#####.ihelloyou.net/mars/settings.cfg?bu###################
- wt####.ifollowya.com/mars/remote.php?os#########################################################################################
- qs####.ihoneypot.net/mars/settings.cfg?bu###################
- jj##.#helloyou.net/mars/remote.php?os#########################################################################################
- um#.#mnosy.com/mars/settings.cfg?bu###################
- al###.emnosy.com/mars/remote.php?os#########################################################################################
- ql##.#crondyou.com/mars/settings.cfg?bu###################
- ce#####.icrondyou.com/mars/remote.php?os#########################################################################################
- dk##.#followya.com/mars/settings.cfg?bu###################
- mn##.#opololo.com/mars/remote.php?os#########################################################################################
- xu####.popokopo.com/mars/settings.cfg?bu###################
- pi##.#opokopo.com/mars/iLog.php?dl#########################
- xn####.topololo.com/mars/settings.cfg?bu###################
- dl#####.popokopo.com/mars/remote.php?os#########################################################################################
- px###.#tripthere.com/mars/settings.cfg?bu###################
- jo##.#tripthere.com/mars/remote.php?os#########################################################################################
- te#####.yournailed.net/mars/settings.cfg?bu###################
- jq####.yournailed.net/mars/remote.php?os#########################################################################################
UDP:
- DNS ASK aj#.##oneypot.net
- DNS ASK oy#####.ihelloyou.net
- DNS ASK wt####.ifollowya.com
- DNS ASK qs####.ihoneypot.net
- DNS ASK jj##.#helloyou.net
- DNS ASK um#.#mnosy.com
- DNS ASK al###.emnosy.com
- DNS ASK ql##.#crondyou.com
- DNS ASK ce#####.icrondyou.com
- DNS ASK dk##.#followya.com
- DNS ASK mn##.#opololo.com
- DNS ASK xu####.popokopo.com
- DNS ASK pi##.#opokopo.com
- DNS ASK xn####.topololo.com
- DNS ASK dl#####.popokopo.com
- DNS ASK px###.#tripthere.com
- DNS ASK jo##.#tripthere.com
- DNS ASK te#####.yournailed.net
- DNS ASK jq####.yournailed.net
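The HTTP GET and DNS indicators listed above, turned into detection logic that can be run over proxy and DNS logs. This is an added example, not code from the original report or from the vendor that produced it. Assumptions: the proxy and DNS log formats, the sample log lines (constructed for this example), and the subdomain labels and query strings, which the report masks with '#'. Only the registered domains whose second-level label is fully visible in the report are used as indicators; the /mars/ endpoints are matched together with the query prefix the report pairs with each of them (remote.php?os, settings.cfg?bu, iLog.php?dl).

```python
"""Detection of the network indicators in this report (HTTP GET requests
to /mars/ endpoints and DNS lookups of the listed domains).

Added example, not part of the original report. Assumptions: the proxy and
DNS log formats, the sample log lines (constructed for this example), and
the subdomain labels and query strings, which the report masks with '#'.
"""
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Registered domains whose second-level label is fully visible in the report.
# Partially masked ones (e.g. 'aj#.##oneypot.net') are deliberately left out.
C2_DOMAINS = {
    "ihelloyou.net", "ifollowya.com", "ihoneypot.net", "emnosy.com",
    "icrondyou.com", "popokopo.com", "topololo.com", "yournailed.net",
}

# Each /mars/ endpoint is paired with a fixed query prefix in the report:
# remote.php?os..., settings.cfg?bu..., iLog.php?dl...  The rest of the
# query is masked, so only the prefix is required.
C2_PATH = re.compile(
    r"^/mars/(?:remote\.php\?os|settings\.cfg\?bu|iLog\.php\?dl)\S*$"
)

# Assumed log formats (constructed): one request / one query per line.
PROXY_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)
DNS_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) query (?P<qname>\S+) (?P<qtype>[A-Z]+)$"
)


def registered_domain(host: str) -> str:
    """Last two labels of a hostname; sufficient for the domains above."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_http(url: str) -> Optional[str]:
    """Return the /mars/ endpoint name if the URL matches the C2 pattern."""
    parts = urlsplit(url)
    target = parts.path + ("?" + parts.query if parts.query else "")
    if C2_PATH.match(target):
        return parts.path.rsplit("/", 1)[-1]
    return None


def scan_proxy(lines: List[str]) -> List[Dict[str, object]]:
    """Flag GET requests matching the /mars/ pattern, and any request to a
    known domain regardless of method or path."""
    hits = []
    for line in lines:
        m = PROXY_LINE.match(line)
        if not m:
            continue
        host = urlsplit(m["url"]).hostname or ""
        endpoint = classify_http(m["url"]) if m["method"] == "GET" else None
        known = registered_domain(host) in C2_DOMAINS
        if endpoint or known:
            hits.append({"client": m["client"], "host": host,
                         "endpoint": endpoint or "", "known_domain": known})
    return hits


def scan_dns(lines: List[str]) -> List[Tuple[str, str]]:
    """Flag DNS queries for names under a known domain."""
    hits = []
    for line in lines:
        m = DNS_LINE.match(line)
        if m and registered_domain(m["qname"]) in C2_DOMAINS:
            hits.append((m["client"], m["qname"]))
    return hits


# Constructed sample logs; hostnames and query strings are invented.
SAMPLE_PROXY = [
    "2024-01-01T10:00:01Z 10.0.0.5 GET http://ab12.ihelloyou.net/mars/settings.cfg?bu0123456789abcdef 200",
    "2024-01-01T10:00:02Z 10.0.0.5 GET http://cd345.ifollowya.com/mars/remote.php?os" + "a" * 89 + " 200",
    "2024-01-01T10:00:03Z 10.0.0.5 GET http://ef67.popokopo.com/mars/iLog.php?dl" + "b" * 25 + " 200",
    "2024-01-01T10:00:04Z 10.0.0.7 GET http://www.example.com/mars/remote.php?id=1 200",
    "2024-01-01T10:00:05Z 10.0.0.7 GET http://www.example.com/index.html 200",
    "2024-01-01T10:00:06Z 10.0.0.7 POST http://gh89.topololo.com/update 200",
]
SAMPLE_DNS = [
    "2024-01-01T10:00:00Z 10.0.0.5 query ab12.ihelloyou.net A",
    "2024-01-01T10:00:00Z 10.0.0.5 query cd345.ifollowya.com A",
    "2024-01-01T10:00:00Z 10.0.0.7 query www.example.com A",
    "2024-01-01T10:00:00Z 10.0.0.7 query ij01.yournailed.net A",
]

if __name__ == "__main__":
    for h in scan_proxy(SAMPLE_PROXY):
        print("HTTP", h)
    for client, qname in scan_dns(SAMPLE_DNS):
        print("DNS ", client, qname)
```

The endpoint match requires the query prefix the report pairs with each endpoint, so an unrelated site that happens to serve /mars/remote.php with a different query is not flagged on path alone, while any request or DNS query for a name under one of the listed registered domains is flagged regardless of method, path or subdomain, since the subdomain labels in the report are masked and evidently vary per host.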