Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'Enumerator Thread Encryption Volume SSDP' = '<SYSTEM32>\nqrfcgk.exe'
Creates the following services:
- [<HKLM>\SYSTEM\ControlSet001\Services\Resource Disk DNS Call] 'ImagePath' = '<SYSTEM32>\nqrfcgk.exe'
- [<HKLM>\SYSTEM\ControlSet001\Services\Resource Disk DNS Call] 'Start' = '00000002'
Malicious functions:
To complicate detection of its presence in the operating system,
blocks the following features:
- Windows Security Center
Creates and executes the following:
- '<SYSTEM32>\mpdiiqtkwhg.exe' "<SYSTEM32>\nqrfcgk.exe"
- '%WINDIR%\Temp\icx6oyi37nmdev.exe' -r 40912 tcp
- '%TEMP%\icx6oyi3340devlwybgirg.exe'
- '<SYSTEM32>\nqrfcgk.exe'
Modifies file system:
Creates the following files:
- <SYSTEM32>\jhsjflxrk\run
- <SYSTEM32>\jhsjflxrk\rng
- %WINDIR%\Temp\icx6oyi37nmdev.exe
- <SYSTEM32>\jhsjflxrk\cfg
- <SYSTEM32>\mpdiiqtkwhg.exe
- %TEMP%\icx6oyi3340devlwybgirg.exe
- <SYSTEM32>\jhsjflxrk\tst
- <SYSTEM32>\nqrfcgk.exe
- <SYSTEM32>\jhsjflxrk\etc
Sets the 'hidden' attribute to the following files:
- <SYSTEM32>\mpdiiqtkwhg.exe
- <SYSTEM32>\nqrfcgk.exe
Deletes the following files:
- %WINDIR%\Temp\icx6oyi37nmdev.exe
- <DRIVERS>\etc\hosts
- %TEMP%\icx6oyi3340devlwybgirg.exe
Substitutes the HOSTS file.
Network activity:
Connects to:
- 'eq###over.net':80
- 'gr###over.net':80
- 'eq###home.net':80
- 'gr###home.net':80
- 'eq###grain.net':80
- 'gr###gold.net':80
- 'sp###home.net':80
- 'gr###grain.net':80
- 'eq###gold.net':80
- 'ta###gold.net':80
- 'gl###ome.net':80
- 'ta###home.net':80
- 'sp###old.net':80
- 'sa###old.net':80
- 'gl###ver.net':80
- 'ta###grain.net':80
- 'gl###old.net':80
- 'ta###over.net':80
- 'gl###rain.net':80
- 'vi###home.net':80
- 'wa###gold.net':80
- 'fa###old.net':80
- 'wa###grain.net':80
- 'fa###rain.net':80
- 'dr###home.net':80
- 'th###ver.net':80
- 'dr###grain.net':80
- 'th###ome.net':80
- 'dr###over.net':80
- 'fa###ver.net':80
- 'sp###grain.net':80
- 'vi###grain.net':80
- 'sp###over.net':80
- 'vi###over.net':80
- 'sp###gold.net':80
- 'fa###ome.net':80
- 'wa###over.net':80
- 'vi###gold.net':80
- 'wa###home.net':80
- 'sa###rain.net':80
- 'dr###gift.net':80
- 'th###ift.net':80
- 'dr###house.net':80
- 'th###ouse.net':80
- 'dr####uesday.net':80
- 'th###eace.net':80
- 'ar###home.net':80
- 'th###uesday.net':80
- 'dr###peace.net':80
- 'fa###eace.net':80
- 'be##lxc.com':80
- 'de###lxc.com':80
- 'ri###nstorm.net':80
- 'af###sllc.com':80
- 'wa###gift.net':80
- 'fa###uesday.net':80
- 'wa###peace.net':80
- 'fa###ift.net':80
- 'wa####uesday.net':80
- 'so###home.net':80
- 'up###old.net':80
- 'wh###gold.net':80
- 'up###rain.net':80
- 'wh###grain.net':80
- 'sp###ome.net':80
- 'sa###ver.net':80
- 'sp###rain.net':80
- 'sa###ome.net':80
- 'sp###ver.net':80
- 'wh###over.net':80
- 'ar###grain.net':80
- 'so###grain.net':80
- 'ar###over.net':80
- 'so###over.net':80
- 'ar###gold.net':80
- 'wh###home.net':80
- 'up###ver.net':80
- 'so###gold.net':80
- 'up###ome.net':80
TCP:
HTTP GET requests:
- http://eq###over.net/index.php
- http://gr###over.net/index.php
- http://eq###home.net/index.php
- http://gr###home.net/index.php
- http://eq###grain.net/index.php
- http://gr###gold.net/index.php
- http://sp###home.net/index.php
- http://gr###grain.net/index.php
- http://eq###gold.net/index.php
- http://ta###gold.net/index.php
- http://gl###ome.net/index.php
- http://ta###home.net/index.php
- http://sp###old.net/index.php
- http://sa###old.net/index.php
- http://gl###ver.net/index.php
- http://ta###grain.net/index.php
- http://gl###old.net/index.php
- http://ta###over.net/index.php
- http://gl###rain.net/index.php
- http://vi###home.net/index.php
- http://wa###gold.net/index.php
- http://fa###old.net/index.php
- http://wa###grain.net/index.php
- http://fa###rain.net/index.php
- http://dr###home.net/index.php
- http://th###ver.net/index.php
- http://dr###grain.net/index.php
- http://th###ome.net/index.php
- http://dr###over.net/index.php
- http://fa###ver.net/index.php
- http://sp###grain.net/index.php
- http://vi###grain.net/index.php
- http://sp###over.net/index.php
- http://vi###over.net/index.php
- http://sp###gold.net/index.php
- http://fa###ome.net/index.php
- http://wa###over.net/index.php
- http://vi###gold.net/index.php
- http://wa###home.net/index.php
- http://sa###rain.net/index.php
- http://dr###gift.net/index.php
- http://th###ift.net/index.php
- http://dr###house.net/index.php
- http://th###ouse.net/index.php
- http://dr####uesday.net/index.php
- http://th###eace.net/index.php
- http://ar###home.net/index.php
- http://th###uesday.net/index.php
- http://dr###peace.net/index.php
- http://fa###eace.net/index.php
- http://be##lxc.com/index.php
- http://de###lxc.com/index.php
- http://ri###nstorm.net/index.php
- http://af###sllc.com/index.php
- http://wa###gift.net/index.php
- http://fa###uesday.net/index.php
- http://wa###peace.net/index.php
- http://fa###ift.net/index.php
- http://wa####uesday.net/index.php
- http://so###home.net/index.php
- http://up###old.net/index.php
- http://wh###gold.net/index.php
- http://up###rain.net/index.php
- http://wh###grain.net/index.php
- http://sp###ome.net/index.php
- http://sa###ver.net/index.php
- http://sp###rain.net/index.php
- http://sa###ome.net/index.php
- http://sp###ver.net/index.php
- http://wh###over.net/index.php
- http://ar###grain.net/index.php
- http://so###grain.net/index.php
- http://ar###over.net/index.php
- http://so###over.net/index.php
- http://ar###gold.net/index.php
- http://wh###home.net/index.php
- http://up###ver.net/index.php
- http://so###gold.net/index.php
- http://up###ome.net/index.php
UDP:
- DNS ASK gr###over.net
- DNS ASK eq###grain.net
- DNS ASK eq###over.net
- DNS ASK eq###home.net
- DNS ASK gr###home.net
- DNS ASK sp###home.net
- DNS ASK vi###home.net
- DNS ASK gr###gold.net
- DNS ASK gr###grain.net
- DNS ASK eq###gold.net
- DNS ASK ta###home.net
- DNS ASK gl###ver.net
- DNS ASK gl###ome.net
- DNS ASK sp###old.net
- DNS ASK sa###old.net
- DNS ASK gl###old.net
- DNS ASK ta###gold.net
- DNS ASK ta###grain.net
- DNS ASK ta###over.net
- DNS ASK gl###rain.net
- DNS ASK fa###old.net
- DNS ASK dr###home.net
- DNS ASK wa###gold.net
- DNS ASK wa###grain.net
- DNS ASK fa###rain.net
- DNS ASK dr###grain.net
- DNS ASK th###rain.net
- DNS ASK th###ver.net
- DNS ASK th###ome.net
- DNS ASK dr###over.net
- DNS ASK vi###grain.net
- DNS ASK sp###gold.net
- DNS ASK sp###grain.net
- DNS ASK sp###over.net
- DNS ASK vi###over.net
- DNS ASK wa###over.net
- DNS ASK fa###ver.net
- DNS ASK fa###ome.net
- DNS ASK vi###gold.net
- DNS ASK wa###home.net
- DNS ASK sa###rain.net
- DNS ASK dr###gift.net
- DNS ASK th###ift.net
- DNS ASK dr###house.net
- DNS ASK th###ouse.net
- DNS ASK dr####uesday.net
- DNS ASK th###eace.net
- DNS ASK ar###home.net
- DNS ASK th###uesday.net
- DNS ASK dr###peace.net
- DNS ASK fa###eace.net
- DNS ASK be##lxc.com
- DNS ASK de###lxc.com
- DNS ASK ri###nstorm.net
- DNS ASK af###sllc.com
- DNS ASK wa###gift.net
- DNS ASK fa###uesday.net
- DNS ASK wa###peace.net
- DNS ASK fa###ift.net
- DNS ASK wa####uesday.net
- DNS ASK so###home.net
- DNS ASK up###old.net
- DNS ASK wh###gold.net
- DNS ASK up###rain.net
- DNS ASK wh###grain.net
- DNS ASK sp###ome.net
- DNS ASK sa###ver.net
- DNS ASK sp###rain.net
- DNS ASK sa###ome.net
- DNS ASK sp###ver.net
- DNS ASK wh###over.net
- DNS ASK ar###grain.net
- DNS ASK so###grain.net
- DNS ASK ar###over.net
- DNS ASK so###over.net
- DNS ASK ar###gold.net
- DNS ASK wh###home.net
- DNS ASK up###ver.net
- DNS ASK so###gold.net
- DNS ASK up###ome.net
- '23#.#55.255.250':1900