Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'Microsoft Authentication Layer Event Routing' = 'C:\qeygvwrao\jmpdisck.exe'
Creates the following services:
- [<HKLM>\SYSTEM\ControlSet001\Services\WMI AutoConfig Application Copy] 'ImagePath' = 'C:\qeygvwrao\jmpdisck.exe'
- [<HKLM>\SYSTEM\ControlSet001\Services\WMI AutoConfig Application Copy] 'Start' = '00000002'
Malicious functions:
Creates and executes the following:
- 'C:\qeygvwrao\scxrpoxc.exe' "c:\qeygvwrao\jmpdisck.exe"
- 'C:\qeygvwrao\jmpdisck.exe'
- 'C:\qeygvwrao\tdvc62vtuydzlyociegc.exe'
Modifies file system:
Creates the following files:
- C:\qeygvwrao\jmpdisck.exe
- C:\qeygvwrao\scxrpoxc.exe
- C:\qeygvwrao\tdvc62vtuydzlyociegc.exe
- %WINDIR%\qeygvwrao\ppcqf5yqxo
- C:\qeygvwrao\ppcqf5yqxo
Sets the 'hidden' attribute to the following files:
- C:\qeygvwrao\scxrpoxc.exe
- C:\qeygvwrao\jmpdisck.exe
Deletes the following files:
- C:\qeygvwrao\tdvc62vtuydzlyociegc.exe
- %WINDIR%\qeygvwrao\ppcqf5yqxo
Network activity:
Connects to:
- 'tr###space.net':80
- 'st####travel.net':80
- 'el####icclose.net':80
- 'st###tspace.net':80
- 'tr###yellow.net':80
- 'st###tclose.net':80
- 'tr###travel.net':80
- 'st####yellow.net':80
- 're###dclose.net':80
- 're###dspace.net':80
- 'el####icspace.net':80
- 'la###close.net':80
- 'ca####nclose.net':80
- 're####yellow.net':80
- 'el####icyellow.net':80
- 're####travel.net':80
- 'el####ictravel.net':80
- 'tr###close.net':80
- 'br###travel.net':80
- 'fl###yellow.net':80
- 'br###space.net':80
- 'fl###travel.net':80
- 'br###close.net':80
- 'qu###space.net':80
- 'br###yellow.net':80
- 'fl###close.net':80
- 'fl###space.net':80
- 'be####travel.net':80
- 'ga####travel.net':80
- 'be###rspace.net':80
- 'ga###rspace.net':80
- 'be###rclose.net':80
- 'ga###rclose.net':80
- 'be####yellow.net':80
- 'ga####yellow.net':80
- 'ca####nyellow.net':80
- 'se####object.net':80
- 'qu####hildhood.net':80
- 'se###nthird.net':80
- 'qu###object.net':80
- 'do###space.net':80
- 'ag####ttravel.net':80
- 'se####childhood.net':80
- 'ag####tspace.net':80
- 'qu###third.net':80
- 'fl###object.net':80
- 'br###object.net':80
- 'fl###third.net':80
- 'br###third.net':80
- 'qu####tation.net':80
- 'se####station.net':80
- 'fl####hildhood.net':80
- 'br####hildhood.net':80
- 'do###travel.net':80
- 'de###eclose.net':80
- 'la###space.net':80
- 'de####yellow.net':80
- 'ni###close.net':80
- 'ca####ntravel.net':80
- 'la###yellow.net':80
- 'ca####nspace.net':80
- 'la###travel.net':80
- 'ni###yellow.net':80
- 'ag####tclose.net':80
- 'do###close.net':80
- 'ag####tyellow.net':80
- 'do###yellow.net':80
- 'ni###travel.net':80
- 'de####travel.net':80
- 'ni###space.net':80
- 'de###espace.net':80
TCP:
HTTP GET requests:
- http://tr###space.net/index.php
- http://st####travel.net/index.php
- http://el####icclose.net/index.php
- http://st###tspace.net/index.php
- http://tr###yellow.net/index.php
- http://st###tclose.net/index.php
- http://tr###travel.net/index.php
- http://st####yellow.net/index.php
- http://re###dclose.net/index.php
- http://re###dspace.net/index.php
- http://el####icspace.net/index.php
- http://la###close.net/index.php
- http://ca####nclose.net/index.php
- http://re####yellow.net/index.php
- http://el####icyellow.net/index.php
- http://re####travel.net/index.php
- http://el####ictravel.net/index.php
- http://tr###close.net/index.php
- http://br###travel.net/index.php
- http://fl###yellow.net/index.php
- http://br###space.net/index.php
- http://fl###travel.net/index.php
- http://br###close.net/index.php
- http://qu###space.net/index.php
- http://br###yellow.net/index.php
- http://fl###close.net/index.php
- http://fl###space.net/index.php
- http://be####travel.net/index.php
- http://ga####travel.net/index.php
- http://be###rspace.net/index.php
- http://ga###rspace.net/index.php
- http://be###rclose.net/index.php
- http://ga###rclose.net/index.php
- http://be####yellow.net/index.php
- http://ga####yellow.net/index.php
- http://ca####nyellow.net/index.php
- http://se####object.net/index.php
- http://qu####hildhood.net/index.php
- http://se###nthird.net/index.php
- http://qu###object.net/index.php
- http://do###space.net/index.php
- http://ag####ttravel.net/index.php
- http://se####childhood.net/index.php
- http://ag####tspace.net/index.php
- http://qu###third.net/index.php
- http://fl###object.net/index.php
- http://br###object.net/index.php
- http://fl###third.net/index.php
- http://br###third.net/index.php
- http://qu####tation.net/index.php
- http://se####station.net/index.php
- http://fl####hildhood.net/index.php
- http://br####hildhood.net/index.php
- http://do###travel.net/index.php
- http://de###eclose.net/index.php
- http://la###space.net/index.php
- http://de####yellow.net/index.php
- http://ni###close.net/index.php
- http://ca####ntravel.net/index.php
- http://la###yellow.net/index.php
- http://ca####nspace.net/index.php
- http://la###travel.net/index.php
- http://ni###yellow.net/index.php
- http://ag####tclose.net/index.php
- http://do###close.net/index.php
- http://ag####tyellow.net/index.php
- http://do###yellow.net/index.php
- http://ni###travel.net/index.php
- http://de####travel.net/index.php
- http://ni###space.net/index.php
- http://de###espace.net/index.php
UDP:
- DNS ASK tr###space.net
- DNS ASK st####travel.net
- DNS ASK el####icclose.net
- DNS ASK st###tspace.net
- DNS ASK tr###travel.net
- DNS ASK st###tclose.net
- DNS ASK tr###close.net
- DNS ASK st####yellow.net
- DNS ASK tr###yellow.net
- DNS ASK re###dspace.net
- DNS ASK el####icspace.net
- DNS ASK la###close.net
- DNS ASK ca####nclose.net
- DNS ASK re####travel.net
- DNS ASK el####icyellow.net
- DNS ASK re###dclose.net
- DNS ASK el####ictravel.net
- DNS ASK re####yellow.net
- DNS ASK br###travel.net
- DNS ASK fl###yellow.net
- DNS ASK br###space.net
- DNS ASK fl###travel.net
- DNS ASK br###yellow.net
- DNS ASK qu###space.net
- DNS ASK se###nspace.net
- DNS ASK fl###close.net
- DNS ASK br###close.net
- DNS ASK be####travel.net
- DNS ASK ga####travel.net
- DNS ASK be###rspace.net
- DNS ASK ga###rspace.net
- DNS ASK be####yellow.net
- DNS ASK ga###rclose.net
- DNS ASK fl###space.net
- DNS ASK ga####yellow.net
- DNS ASK be###rclose.net
- DNS ASK se####object.net
- DNS ASK qu####hildhood.net
- DNS ASK se###nthird.net
- DNS ASK qu###object.net
- DNS ASK se####childhood.net
- DNS ASK ag####ttravel.net
- DNS ASK do###travel.net
- DNS ASK ag####tspace.net
- DNS ASK do###space.net
- DNS ASK fl###object.net
- DNS ASK br###object.net
- DNS ASK fl###third.net
- DNS ASK br###third.net
- DNS ASK fl####hildhood.net
- DNS ASK se####station.net
- DNS ASK qu###third.net
- DNS ASK br####hildhood.net
- DNS ASK qu####tation.net
- DNS ASK de###eclose.net
- DNS ASK la###space.net
- DNS ASK de####yellow.net
- DNS ASK ni###close.net
- DNS ASK ca####nspace.net
- DNS ASK la###yellow.net
- DNS ASK ca####nyellow.net
- DNS ASK la###travel.net
- DNS ASK ca####ntravel.net
- DNS ASK ag####tclose.net
- DNS ASK do###close.net
- DNS ASK ag####tyellow.net
- DNS ASK do###yellow.net
- DNS ASK ni###space.net
- DNS ASK de####travel.net
- DNS ASK ni###yellow.net
- DNS ASK de###espace.net
- DNS ASK ni###travel.net
Miscellaneous:
Searches for the following windows:
- ClassName: 'Shell_TrayWnd' WindowName: ''