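Technical Information
Note: the entries below are behavioural indicators listed for the sample, in this order: registry values, process command lines, file paths, host:port destinations, HTTP URLs, DNS queries and a window class lookup. No group headings are present in this copy, so the operation behind each file path (created, modified, deleted) cannot be told from the list alone.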
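Registry values (both relate to automatic start: a value under the Run key is launched at logon, and a service 'Start' value of 2 means automatic start; on a live system check the same service name under CurrentControlSet as well as ControlSet001):
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'Isolation Machine IPsec Tracking Search Color' = 'C:\bwtaxkatf\yquvdxdvugbe.exe'
- [<HKLM>\SYSTEM\ControlSet001\Services\Receiver Media Cryptographic] 'Start' = '00000002'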
- 'C:\bwtaxkatf\glgcrvcct.exe' "c:\bwtaxkatf\yquvdxdvugbe.exe"
- 'C:\bwtaxkatf\yquvdxdvugbe.exe'
- 'C:\bwtaxkatf\ogak2ymjjxx0sxba.exe'
- C:\bwtaxkatf\yquvdxdvugbe.exe
- C:\bwtaxkatf\glgcrvcct.exe
- C:\bwtaxkatf\ogak2ymjjxx0sxba.exe
- %WINDIR%\bwtaxkatf\nue2fpdeost
- C:\bwtaxkatf\nue2fpdeost
- C:\bwtaxkatf\glgcrvcct.exe
- C:\bwtaxkatf\yquvdxdvugbe.exe
- C:\bwtaxkatf\ogak2ymjjxx0sxba.exe
- %WINDIR%\bwtaxkatf\nue2fpdeost
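Network destinations on port 80. The domain names are partially masked with '#', so they cannot be used verbatim for blocking or detection. The visible endings repeat a small set of words (complete, welcome, proud, around, kitchen, probable, wagon, without), which is consistent with algorithmically generated names; detection is therefore better based on the overall pattern (many lookups of such names followed by requests to /index.php on port 80) than on a fixed list:
- 'ou####ecomplete.net':80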
- 'bu####ngwelcome.net':80
- 'ou####eproud.net':80
- 'mo#####tcomplete.net':80
- 'ev####garound.net':80
- 'bu####ngproud.net':80
- 'ev####gwelcome.net':80
- 'bu####ngaround.net':80
- 'mo####ntproud.net':80
- 'st####thkitchen.net':80
- 'st#####hprobable.net':80
- 'st###wagon.net':80
- 'st####thwithout.net':80
- 'mo####ntaround.net':80
- 'ou####earound.net':80
- 'mo####ntwelcome.net':80
- 'ou####ewelcome.net':80
- 'ev####gproud.net':80
- 'pr####welcome.net':80
- 'do####around.net':80
- 'mi####omplete.net':80
- 'do####welcome.net':80
- 'pr###yproud.net':80
- 'do####complete.net':80
- 'pr####around.net':80
- 'do###rproud.net':80
- 'st####omplete.net':80
- 'st####elcome.net':80
- 'mi####elcome.net':80
- 'bu#####gcomplete.net':80
- 'ev####gcomplete.net':80
- 'st###proud.net':80
- 'mi###proud.net':80
- 'st###around.net':80
- 'mi###around.net':80
- 'st####thwagon.net':80
- 'pr####kitchen.net':80
- 'do####probable.net':80
- 'pr####without.net':80
- 'do####kitchen.net':80
- 'do###ewagon.net':80
- 'fe####without.net':80
- 'pr####probable.net':80
- 'fe###wwagon.net':80
- 'do####without.net':80
- 'st####itchen.net':80
- 'mi####itchen.net':80
- 'st####ithout.net':80
- 'mi####ithout.net':80
- 'do###rwagon.net':80
- 'pr###ywagon.net':80
- 'st####robable.net':80
- 'mi####robable.net':80
- 'fe####kitchen.net':80
- 'pr####ewithout.net':80
- 'de####without.net':80
- 'pr####ewagon.net':80
- 'de###ewagon.net':80
- 'pr####eprobable.net':80
- 'de####probable.net':80
- 'pr####ekitchen.net':80
- 'de####kitchen.net':80
- 're####probable.net':80
- 're###twagon.net':80
- 'br####without.net':80
- 'fe####probable.net':80
- 'br###nwagon.net':80
- 're####kitchen.net':80
- 'br####probable.net':80
- 're####without.net':80
- 'br####kitchen.net':80
- http://ou####ecomplete.net/index.php
- http://bu####ngwelcome.net/index.php
- http://ou####eproud.net/index.php
- http://mo#####tcomplete.net/index.php
- http://ev####garound.net/index.php
- http://bu####ngproud.net/index.php
- http://ev####gwelcome.net/index.php
- http://bu####ngaround.net/index.php
- http://mo####ntproud.net/index.php
- http://st####thkitchen.net/index.php
- http://st#####hprobable.net/index.php
- http://st###wagon.net/index.php
- http://st####thwithout.net/index.php
- http://mo####ntaround.net/index.php
- http://ou####earound.net/index.php
- http://mo####ntwelcome.net/index.php
- http://ou####ewelcome.net/index.php
- http://ev####gproud.net/index.php
- http://pr####welcome.net/index.php
- http://do####around.net/index.php
- http://mi####omplete.net/index.php
- http://do####welcome.net/index.php
- http://pr###yproud.net/index.php
- http://do####complete.net/index.php
- http://pr####around.net/index.php
- http://do###rproud.net/index.php
- http://st####omplete.net/index.php
- http://st####elcome.net/index.php
- http://mi####elcome.net/index.php
- http://bu#####gcomplete.net/index.php
- http://ev####gcomplete.net/index.php
- http://st###proud.net/index.php
- http://mi###proud.net/index.php
- http://st###around.net/index.php
- http://mi###around.net/index.php
- http://st####thwagon.net/index.php
- http://pr####kitchen.net/index.php
- http://do####probable.net/index.php
- http://pr####without.net/index.php
- http://do####kitchen.net/index.php
- http://do###ewagon.net/index.php
- http://fe####without.net/index.php
- http://pr####probable.net/index.php
- http://fe###wwagon.net/index.php
- http://do####without.net/index.php
- http://st####itchen.net/index.php
- http://mi####itchen.net/index.php
- http://st####ithout.net/index.php
- http://mi####ithout.net/index.php
- http://do###rwagon.net/index.php
- http://pr###ywagon.net/index.php
- http://st####robable.net/index.php
- http://mi####robable.net/index.php
- http://fe####kitchen.net/index.php
- http://pr####ewithout.net/index.php
- http://de####without.net/index.php
- http://pr####ewagon.net/index.php
- http://de###ewagon.net/index.php
- http://pr####eprobable.net/index.php
- http://de####probable.net/index.php
- http://pr####ekitchen.net/index.php
- http://de####kitchen.net/index.php
- http://re####probable.net/index.php
- http://re###twagon.net/index.php
- http://br####without.net/index.php
- http://fe####probable.net/index.php
- http://br###nwagon.net/index.php
- http://re####kitchen.net/index.php
- http://br####probable.net/index.php
- http://re####without.net/index.php
- http://br####kitchen.net/index.php
- DNS ASK ou####ecomplete.net
- DNS ASK bu####ngwelcome.net
- DNS ASK ou####eproud.net
- DNS ASK mo#####tcomplete.net
- DNS ASK ev####gwelcome.net
- DNS ASK bu####ngproud.net
- DNS ASK ev####gproud.net
- DNS ASK bu####ngaround.net
- DNS ASK ev####garound.net
- DNS ASK st####thkitchen.net
- DNS ASK st#####hprobable.net
- DNS ASK st###wagon.net
- DNS ASK st####thwithout.net
- DNS ASK mo####ntwelcome.net
- DNS ASK ou####earound.net
- DNS ASK mo####ntproud.net
- DNS ASK ou####ewelcome.net
- DNS ASK mo####ntaround.net
- DNS ASK pr####welcome.net
- DNS ASK do####around.net
- DNS ASK mi####omplete.net
- DNS ASK do####welcome.net
- DNS ASK pr####around.net
- DNS ASK do####complete.net
- DNS ASK pr####complete.net
- DNS ASK do###rproud.net
- DNS ASK pr###yproud.net
- DNS ASK st####elcome.net
- DNS ASK mi####elcome.net
- DNS ASK bu#####gcomplete.net
- DNS ASK ev####gcomplete.net
- DNS ASK st###around.net
- DNS ASK mi###proud.net
- DNS ASK st####omplete.net
- DNS ASK mi###around.net
- DNS ASK st###proud.net
- DNS ASK pr####kitchen.net
- DNS ASK do####probable.net
- DNS ASK pr####without.net
- DNS ASK do####kitchen.net
- DNS ASK pr####probable.net
- DNS ASK fe####without.net
- DNS ASK fe####kitchen.net
- DNS ASK fe###wwagon.net
- DNS ASK do###ewagon.net
- DNS ASK st####itchen.net
- DNS ASK mi####itchen.net
- DNS ASK st####ithout.net
- DNS ASK mi####ithout.net
- DNS ASK st####robable.net
- DNS ASK pr###ywagon.net
- DNS ASK do####without.net
- DNS ASK mi####robable.net
- DNS ASK do###rwagon.net
- DNS ASK pr####ewithout.net
- DNS ASK de####without.net
- DNS ASK pr####ewagon.net
- DNS ASK de###ewagon.net
- DNS ASK pr####ekitchen.net
- DNS ASK de####probable.net
- DNS ASK st####thwagon.net
- DNS ASK de####kitchen.net
- DNS ASK pr####eprobable.net
- DNS ASK re###twagon.net
- DNS ASK br####without.net
- DNS ASK fe####probable.net
- DNS ASK br###nwagon.net
- DNS ASK re####without.net
- DNS ASK br####probable.net
- DNS ASK re####probable.net
- DNS ASK br####kitchen.net
- DNS ASK re####kitchen.net
- ClassName: 'Shell_TrayWnd' WindowName: ''