Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Userinit' = '<SYSTEM32>\userinit.exe,,<LS_APPDATA>\jwaroevi\rarexsdb.exe'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'RarExsdb' = '<LS_APPDATA>\jwaroevi\rarexsdb.exe'
Creates or modifies the following files:
- %HOMEPATH%\Start Menu\Programs\Startup\rarexsdb.exe
Malicious functions:
To bypass firewall, removes or modifies the following registry keys:
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'DisableNotifications' = '00000001'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'DoNotAllowExceptions' = '00000000'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'EnableFirewall' = '00000000'
To complicate detection of its presence in the operating system,
blocks execution of the following system utilities:
- Windows Update
- Windows Security Center
blocks the following features:
- User Account Control (UAC)
- Windows Security Center
Creates and executes the following:
- '%TEMP%\byjjjqlf.exe'
Executes the following:
- '<SYSTEM32>\svchost.exe'
Injects code into
the following system processes:
- <SYSTEM32>\svchost.exe
the following user processes:
- byjjjqlf.exe
Modifies file system:
Creates the following files:
- %ALLUSERSPROFILE%\Application Data\ybfcuwpc.log
- <LS_APPDATA>\lawhwilb.log
- <LS_APPDATA>\jwaroevi\rarexsdb.exe
- %TEMP%\byjjjqlf.exe
- %TEMP%\ifqydaby.exe
Sets the 'hidden' attribute to the following files:
- %HOMEPATH%\Start Menu\Programs\Startup\rarexsdb.exe
Network activity:
Connects to:
- 'bp###pydih.com':443
- 'is####fiyevmi.com':443
- 'nf####stisllhlm.com':443
- 'yp####aitcljoq.com':443
- 'vq###slnbqt.com':443
- 'yk####ixrqgid.com':443
- 'rg#####lxmqivfmcs.com':443
- 'ju####bdhf72938.com':443
- '74.##5.232.51':80
- 'wx#####fyauvrpqfuv.com':443
- 'wg###lbadxo.com':443
- 'uc####kfanhh.com':443
UDP:
- DNS ASK jh#####atltxunklfwk.com
- DNS ASK ww####sfaiyrrg.com
- DNS ASK ts###cseq.com
- DNS ASK ht####ofuirwkgn.com
- DNS ASK ec###pdvcd.com
- DNS ASK at###ouljn.com
- DNS ASK mw####cbllxhchd.com
- DNS ASK yn#####oxqyjxrfqa.com
- DNS ASK br#####uvqpyjlmwr.com
- DNS ASK nm###ovjmcd.com
- DNS ASK nt####moegeif.com
- DNS ASK ue###hbacte.com
- DNS ASK fc####btdcswh.com
- DNS ASK xy####xxkgmxs.com
- DNS ASK ve#####iewgrpyaai.com
- DNS ASK fo#####lwlwinayk.com
- DNS ASK bing.com
- DNS ASK cq####xtqsosfed.com
- DNS ASK wx####cgahcnxq.com
- DNS ASK ha#####tukdegysigtv.com
- DNS ASK rm####uvboixif.com
- DNS ASK hi###jcvux.com
- DNS ASK kn#####kkrwaknrusx.com
- DNS ASK qd#####tkslghpmunuk.com
- DNS ASK qm#####kltqfbbtxxc.com
- DNS ASK mb#####tigrijncw.com
- DNS ASK xk####brwnayscq.com
- DNS ASK yk####ixrqgid.com
- DNS ASK bp###pydih.com
- DNS ASK is####fiyevmi.com
- DNS ASK yi#####yonkkdjqoraa.com
- DNS ASK yp####aitcljoq.com
- DNS ASK vq###slnbqt.com
- DNS ASK nf####stisllhlm.com
- DNS ASK rg#####lxmqivfmcs.com
- DNS ASK ju####bdhf72938.com
- DNS ASK google.com
- DNS ASK wx#####fyauvrpqfuv.com
- DNS ASK wg###lbadxo.com
- DNS ASK uc####kfanhh.com
- DNS ASK iw####ebhavmei.com
- DNS ASK mf####rxwcevjrp.com
- DNS ASK gw####asgcluo.com
- DNS ASK dl####tundbuov.com
- DNS ASK mf#####skjbdvgbk.com
- DNS ASK sa####gpkuins.com
- DNS ASK nm#####ccghddndnil.com
- DNS ASK fb#####efdwstuivosx.com
- DNS ASK bw###jlesbf.com
- DNS ASK es####pgcyyvoim.com
- DNS ASK yb####xwwmoymuv.com
- DNS ASK ua#####rdgqscbwb.com
- DNS ASK ff###uvufw.com