Technical Information
To ensure autorun and distribution
Creates the following services
- [<HKLM>\System\CurrentControlSet\Services\yrcvbg] 'Start' = '00000002'
- [<HKLM>\System\CurrentControlSet\Services\yrcvbg] 'ImagePath' = '<SYSTEM32>\yrcvbg\npkbsmtm.exe /d"<Full path to file>"'
- [<HKLM>\SYSTEM\CurrentControlSet\services\yrcvbg] 'ImagePath' = '<SYSTEM32>\yrcvbg\npkbsmtm.exe'
Malicious functions
Injects code into
the following system processes:
- <SYSTEM32>\svchost.exe
Modifies file system
Creates the following files
- %TEMP%\npkbsmtm.exe
- C:\documents and settings\localservice:.repos
Moves the following files
- from %TEMP%\npkbsmtm.exe to <SYSTEM32>\yrcvbg\npkbsmtm.exe
Deletes itself.
Network activity
Connects to
- 'mt##.##0.yahoodns.net':25
- 'mx####.##il.gm0.yahoodns.net':25
- 'google.com':443
- 'alt2.gmail-smtp-in.l.google.com':25
- 'na#.###.#rotection.outlook.com':25
- 'ma####.kpnmail.nl':25
- 'mx.########er.ca.cust.a.hostedemail.com':25
- 'im####p1.stc.com.sa':25
- 'im###.netflash.net':25
- 'sm##.##cureserver.net':25
- 'sp######.saudireadymix.com':25
- 'mx##.#waterloo.ca':25
- 'ms#####p-mx2.hinet.net':25
TCP
HTTP GET requests
- http://www.google.com/ncr
- http://www.google.com/
HTTP POST requests
- http://al####alarabi.com/wp-content/uploads/2019/07/ambsc.php
UDP
- DNS ASK mi##########m.mail.protection.outlook.com
- DNS ASK ma##.##imaogroup.com
- DNS ASK ka###.edu.sa
- DNS ASK re#####.kacst.edu.sa
- DNS ASK po###a.onet.pl
- DNS ASK mx.###zta.onet.pl
- DNS ASK bs##t.it
- DNS ASK sm##s.com
- DNS ASK ms#####.##c.protection.outlook.com
- DNS ASK mx#.#mics.com
- DNS ASK sc###dreams.net
- DNS ASK sm##.##cureserver.net
- DNS ASK ez#.net
- DNS ASK mx.###.###.cust.b.hostedemail.com
- DNS ASK sa####izowner.com
- DNS ASK sh###ogroup.com
- DNS ASK mx.##l.com.br
- DNS ASK uo#.com.br
- DNS ASK mx#######901.gslb.pphosted.com
- DNS ASK ca###four.com
- DNS ASK jc#########.mail.protection.outlook.com
- DNS ASK jc##.com.sa
- DNS ASK alt1.aspmx.l.google.com
- DNS ASK ka##.edu.sa
- DNS ASK mx##.#lanetel.it
- DNS ASK ms#.com
- DNS ASK mx.#p.pl
- DNS ASK wp.pl
- DNS ASK ho#########.olc.protection.outlook.com
- DNS ASK ho##ail.com
- DNS ASK mx.##oeuro.com
- DNS ASK pa##hoi.dk
- DNS ASK al####alarabi.com
- DNS ASK ki#####schools.edu.sa
- DNS ASK ki############-edu-sa.mail.protection.outlook.com
- DNS ASK sa#####aileysalon.com
- DNS ASK me##o.com
- DNS ASK ps#######2.express-scripts.com
- DNS ASK ho###tes.net
- DNS ASK d1#####.##s.barracudanetworks.com
- DNS ASK gr###te.mb.ca
- DNS ASK mx.#######.mb.ca.cust.a.hostedemail.com
- DNS ASK ch###enger.ca
- DNS ASK d1######.#ss.barracudanetworks.com
- DNS ASK mx.########er.ca.cust.a.hostedemail.com
- DNS ASK bw##ed.ca
- DNS ASK im###.netflash.net
- DNS ASK ne###mail.net
- DNS ASK sa#####adymix.com.sa
- DNS ASK sp######.saudireadymix.com
- DNS ASK im####p1.stc.com.sa
- DNS ASK mx#######703.gslb.pphosted.com
- DNS ASK st#.com.sa
- DNS ASK ur##orp.com
- DNS ASK mx##.##spamfilter.com
- DNS ASK we##v.net
- DNS ASK td#.net
- DNS ASK mx.#ds.net
- DNS ASK sa####brothers.com
- DNS ASK mx#.##tsolmail.net
- DNS ASK wa#####.uwaterloo.ca
- DNS ASK gc#.net
- DNS ASK ms#####p-mx1.hinet.net
- DNS ASK co###serve.com
- DNS ASK mx####.##il.gm0.yahoodns.net
- DNS ASK go###e.co.uk
- DNS ASK al###nsi.com.sa
- DNS ASK ma##.##fransi.com.sa
- DNS ASK in###nd.gci.net
- DNS ASK it###u.com.sa
- DNS ASK sc#.gov.sa
- DNS ASK om###el.net.om
- DNS ASK be###outh.com
- DNS ASK mx######91d01.pphosted.com
- DNS ASK ya##o.de
- DNS ASK wi###ifters.com
- DNS ASK wa####wclaims.com
- DNS ASK ba######a.wardlawclaims.com
- DNS ASK ma###.#adawul.com.sa
- DNS ASK alt4.gmail-smtp-in.l.google.com
- DNS ASK wa###art.com
- DNS ASK mx#######201.gslb.pphosted.com
- DNS ASK cy###ia.net.sa
- DNS ASK alt3.gmail-smtp-in.l.google.com
- DNS ASK ASPMX.L.GOOGLE.COM
- DNS ASK ms##.hinet.net
- DNS ASK et###.#ail.tiscali.it
- DNS ASK ti##ali.it
- DNS ASK gi###d.org.sa
- DNS ASK gmail-smtp-in.l.google.com
- DNS ASK mt##.##0.yahoodns.net
- DNS ASK mx###.##il.am0.yahoodns.net
- DNS ASK ya##o.fr
- DNS ASK wi########eyards.com.mx1.rcimx.com
- DNS ASK mx#.#otmail.com
- DNS ASK ta###ul.com.sa
- DNS ASK wi#####vineyards.com
- DNS ASK 19#.###.#11.95.cbl.abuseat.org
- DNS ASK 19#.###.##1.95.sbl-xbl.spamhaus.org
- DNS ASK 19#.###.#11.95.zen.spamhaus.org
- DNS ASK 19#.###.#11.95.bl.spamcop.net
- DNS ASK 19#.###.#11.95.dnsbl.sorbs.net
- DNS ASK 19#.###.211.95.in-addr.arpa
- DNS ASK ms#####p-mx2.hinet.net
- DNS ASK ma####.kpnmail.nl
- DNS ASK mb##.net
- DNS ASK ar#####-homes.com.sa
- DNS ASK go##le.ru
- DNS ASK ba#####da.melsa.com.sa
- DNS ASK alt1.gmail-smtp-in.l.google.com
- DNS ASK me###.com.sa
- DNS ASK sm###.globalpc.net
- DNS ASK la####.globalpc.net
- DNS ASK mb###.#x.proofpoint.com
- DNS ASK ho###all.co.uk
- DNS ASK ne####s.hinet.net
- DNS ASK hi##t.net
- DNS ASK ri####ank.com.sa
- DNS ASK mx##.1and1.com
- DNS ASK ar##sa.net
- DNS ASK mk########-2.mail.uk.tiscali.com
- DNS ASK mx#.##antel.net.om
- DNS ASK mx##.#waterloo.ca
- DNS ASK e-#####.kfshrc.edu.sa
- DNS ASK ee.#om.sa
- DNS ASK ma##.###bian-homes.com.sa
- DNS ASK wi###wslive.com
- DNS ASK na#.###.#rotection.outlook.com
- DNS ASK ya##o.com
- DNS ASK alt2.gmail-smtp-in.l.google.com
- DNS ASK we##ome.be
- DNS ASK he##et.nl
- DNS ASK google.com
- DNS ASK di#####.mobily.com.sa
- DNS ASK ma###ystem.net
- DNS ASK mx.#####.orange-business.com
- DNS ASK tu###iana.com
- DNS ASK kf###c.edu.sa
- DNS ASK ms#.#inet.net
- DNS ASK mx#.ovh.net
- '<DNS_SERVER>':53
Miscellaneous
Creates and executes the following
- '<SYSTEM32>\yrcvbg\npkbsmtm.exe' /d"<Full path to file>"
- '<SYSTEM32>\cmd.exe' /C mkdir <SYSTEM32>\yrcvbg\' (with hidden window)
- '<SYSTEM32>\cmd.exe' /C move /Y "%TEMP%\npkbsmtm.exe" <SYSTEM32>\yrcvbg\' (with hidden window)
- '<SYSTEM32>\sc.exe' create yrcvbg binPath= "<SYSTEM32>\yrcvbg\npkbsmtm.exe /d\"<Full path to file>\"" type= own start= auto DisplayName= "wifi support"' (with hidden window)
- '<SYSTEM32>\sc.exe' description yrcvbg "wifi internet conection"' (with hidden window)
- '<SYSTEM32>\sc.exe' start yrcvbg' (with hidden window)
Executes the following
- '<SYSTEM32>\cmd.exe' /C mkdir <SYSTEM32>\yrcvbg\
- '<SYSTEM32>\cmd.exe' /C move /Y "%TEMP%\npkbsmtm.exe" <SYSTEM32>\yrcvbg\
- '<SYSTEM32>\sc.exe' create yrcvbg binPath= "<SYSTEM32>\yrcvbg\npkbsmtm.exe /d\"<Full path to file>\"" type= own start= auto DisplayName= "wifi support"
- '<SYSTEM32>\sc.exe' description yrcvbg "wifi internet conection"
- '<SYSTEM32>\sc.exe' start yrcvbg
- '<SYSTEM32>\svchost.exe'