Technical Information
To ensure autorun and distribution
Creates the following services
- [<HKLM>\System\CurrentControlSet\Services\zmhjwrxn] 'Start' = '00000002'
- [<HKLM>\System\CurrentControlSet\Services\zmhjwrxn] 'ImagePath' = '<SYSTEM32>\zmhjwrxn\ugfteowq.exe /d"<Full path to file>"'
- [<HKLM>\SYSTEM\CurrentControlSet\services\zmhjwrxn] 'ImagePath' = '<SYSTEM32>\zmhjwrxn\ugfteowq.exe'
Malicious functions
Injects code into
the following system processes:
- <SYSTEM32>\svchost.exe
Modifies file system
Creates the following files
- %TEMP%\ugfteowq.exe
- C:\documents and settings\localservice:.repos
Moves the following files
- from %TEMP%\ugfteowq.exe to <SYSTEM32>\zmhjwrxn\ugfteowq.exe
Deletes itself.
Network activity
TCP
HTTP GET requests
- http://www.google.com/
- http://ip#####.#hatismyipaddress.com/
UDP
- DNS ASK mi##########m.mail.protection.outlook.com
- DNS ASK re##flex.de
- DNS ASK mx##.#spgateway.de
- DNS ASK si####-closures.com
- DNS ASK ma###n1.rmx.de
- DNS ASK na#.it
- DNS ASK ab######technologies.com
- DNS ASK d1######.#ss.barracudanetworks.com
- DNS ASK sa###nia.net
- DNS ASK mx##.1and1.it
- DNS ASK hv##f.org
- DNS ASK sa####iatravel.net
- DNS ASK mx.####iniatravel.net
- DNS ASK ms#.com
- DNS ASK ms#####.##c.protection.outlook.com
- DNS ASK st###ocmr.it
- DNS ASK em##l.com
- DNS ASK mx#.#mpal.com
- DNS ASK ka##k.com
- DNS ASK cl######.us.messagelabs.com
- DNS ASK ga##aldi.it
- DNS ASK mx###.gastaldi.it
- DNS ASK la####rna.com.mx
- DNS ASK sm####.lamoderna.com.mx
- DNS ASK lg#.com
- DNS ASK lg###tp.lge.com
- DNS ASK co#.net
- DNS ASK cx#.##.#.cloudfilter.net
- DNS ASK ya##o.gr
- DNS ASK sa###egar.com
- DNS ASK mx.####o.locaweb.com.br
- DNS ASK gl##o.com
- DNS ASK sg.#bm.com
- DNS ASK ma##.#rotonmail.ch
- DNS ASK wp.pl
- DNS ASK mx.#p.pl
- DNS ASK ne###ctory.pl
- DNS ASK ma##.#etfactory.pl
- DNS ASK we####solutions.com
- DNS ASK hi####torrance.com
- DNS ASK ma##.##ltontorrance.com
- DNS ASK ge###.ge.com
- DNS ASK mx#######a02.gslb.pphosted.com
- DNS ASK po###dorova.com
- DNS ASK td#.net
- DNS ASK mx#######701.gslb.pphosted.com
- DNS ASK mx.#ds.net
- DNS ASK ng###abia.com
- DNS ASK he####ks-groep.nl
- DNS ASK fi####.esgpro.nl
- DNS ASK ge.com
- DNS ASK eb##et.net
- DNS ASK mx###.ebtnet.net
- DNS ASK we##v.net
- DNS ASK na#.###.#rotection.outlook.com
- DNS ASK ko###dekasa.com
- DNS ASK tr####ndgroup.com
- DNS ASK sm##.##ansindgroup.com
- DNS ASK co#####towncuties.com
- DNS ASK ch##lo.nl
- DNS ASK mx.##.##il.iss.as9143.net
- DNS ASK em####hventures.com
- DNS ASK ms#####p-mx1.hinet.net
- DNS ASK re###tcom.com
- DNS ASK mx.#########el.net.cust.b.hostedemail.com
- DNS ASK mx##.###.pandasecurity.com
- DNS ASK tv##.co.mz
- DNS ASK av##tis.com
- DNS ASK in##adi.com
- DNS ASK re##ult.com
- DNS ASK sm##.renault.fr
- DNS ASK ch###ra.co.nz
- DNS ASK fi#####am1.btg.co.nz
- DNS ASK ma##.com
- DNS ASK mx##.mail.com
- DNS ASK sa###m-sa.com
- DNS ASK ha###iantel.net
- DNS ASK mx#.####em.c3s2.iphmx.com
- DNS ASK ve##rte.com
- DNS ASK ae.com
- DNS ASK ho##ail.fr
- DNS ASK mu###-prets.com
- DNS ASK sm##.#atrixhst.com
- DNS ASK al##a.com
- DNS ASK ad#####mx402.alcoa.com
- DNS ASK go##ms.com
- DNS ASK ma##.goaims.com
- DNS ASK hi####techno.com
- DNS ASK up#.com
- DNS ASK mx#######001.gslb.pphosted.com
- DNS ASK ma#.com
- DNS ASK on##.lmcu.org
- DNS ASK tr#############vest-com03c.mail.protection.outlook.com
- DNS ASK mx#######f01.gslb.pphosted.com
- DNS ASK tr######antic-invest.com
- DNS ASK ma##.cf2m.be
- DNS ASK ec##ld.de
- DNS ASK ja##er.dk
- DNS ASK ma##.jabber.dk
- DNS ASK e-##6.com
- DNS ASK ma##.e-816.com
- DNS ASK om###bio.com
- DNS ASK co###nlaw.com
- DNS ASK bing.com
- DNS ASK us#######nbound-2.mimecast.com
- DNS ASK gi##.org
- DNS ASK wo###roup.com
- DNS ASK mx#######602.gslb.pphosted.com
- DNS ASK vd####8.sivit.org
- DNS ASK vd####.sivit.org
- DNS ASK ma####.mail-gw.de
- DNS ASK zf##e.co.nz
- DNS ASK wp##.bns.it
- DNS ASK de##y.com
- DNS ASK ma##.detry.com
- DNS ASK er###.com.pl
- DNS ASK po####.eraga.com.pl
- DNS ASK in#####m-telecom.com
- DNS ASK ex######.intracom-telecom.com
- DNS ASK mt#.mc
- DNS ASK mx#.mtv.mc
- DNS ASK or##.co.nz
- DNS ASK bo#.##apithd.com
- DNS ASK cf#m.be
- DNS ASK eu###pro.com
- DNS ASK xu###press.com
- DNS ASK pr###nmail.com
- DNS ASK mx#.##jorisp.net
- DNS ASK ma###isp.net
- DNS ASK ma##.ccft.ch
- DNS ASK vi###tal.co.uk
- DNS ASK a2#####.mx.mailhop.org
- DNS ASK co##ast.net
- DNS ASK mx#.#omcast.net
- DNS ASK at###a.com.br
- DNS ASK mx#######-farm64.kinghost.net
- DNS ASK se##ts.com
- DNS ASK ma##hon.com
- DNS ASK ma#########.mail.protection.outlook.com
- DNS ASK cn#.com
- DNS ASK MX#####.FIATGROUP.com
- DNS ASK mx#.qq.com
- DNS ASK qq.com
- DNS ASK mx.##ra.co.nz
- DNS ASK st###oli.com
- DNS ASK ya##o.es
- DNS ASK mx###.##il.am0.yahoodns.net
- DNS ASK ln#.com
- DNS ASK te##2.se
- DNS ASK mx.#ele2.se
- DNS ASK in##ria.eu
- DNS ASK mx.##teria.pl
- DNS ASK si##i.com
- DNS ASK mx#######401.gslb.pphosted.com
- DNS ASK li###a-jp.com
- DNS ASK ar#y.sk
- DNS ASK ASPMX.L.GOOGLE.com
- DNS ASK xp###net.com
- DNS ASK mx.########.com.cust.a.hostedemail.com
- DNS ASK si#####sosungil.com.ar
- DNS ASK eu#.###.#rotection.outlook.com
- DNS ASK gw###1.mil.sk
- DNS ASK 19#.###.#11.95.dnsbl.sorbs.net
- DNS ASK em##l.cz
- DNS ASK 19#.###.#11.95.bl.spamcop.net
- DNS ASK mx#.#eznam.cz
- DNS ASK ho##ail.com
- DNS ASK 19#.###.#11.95.zen.spamhaus.org
- DNS ASK ho#########.olc.protection.outlook.com
- DNS ASK ya##o.com
- DNS ASK mt##.##0.yahoodns.net
- DNS ASK mo###webs.com
- DNS ASK 19#.###.##1.95.sbl-xbl.spamhaus.org
- DNS ASK 19#.###.#11.95.cbl.abuseat.org
- DNS ASK ma######er.moorewebs.com
- DNS ASK 19#.###.211.95.in-addr.arpa
- DNS ASK si##.com
- DNS ASK mi##omes.it
- DNS ASK ti###linet.it
- DNS ASK et###.#ail.tiscali.it
- DNS ASK ro##rs.com
- DNS ASK mx#######.mail.am0.yahoodns.net
- DNS ASK ao#.com
- DNS ASK mx####.##il.gm0.yahoodns.net
- DNS ASK gm##l.com
- DNS ASK gmail-smtp-in.l.google.com
- DNS ASK gi####inancial.com
- DNS ASK im##f.com
- DNS ASK im#######.#ail.protection.outlook.com
- DNS ASK ho###il.co.uk
- DNS ASK fr#####.#inamail.sina.com.cn
- DNS ASK mx#.##il.icloud.com
- DNS ASK re##########m.mail.protection.outlook.com
- DNS ASK ms##.hinet.net
- DNS ASK fr###opca.com
- DNS ASK sm###in.iol.it
- DNS ASK do###ent.co.uk
- DNS ASK bo####.document.co.uk
- DNS ASK ya##o.no
- DNS ASK kf##ail.ch
- DNS ASK mx.##il.fcom.ch
- DNS ASK at#.com
- DNS ASK mx######91d01.pphosted.com
- DNS ASK fi###health.com
- DNS ASK in######mail.aei.aetna.com
- DNS ASK bl##win.ch
- DNS ASK te##2.nl
- DNS ASK mx##.#b.bluewin.ch
- DNS ASK io#.it
- DNS ASK ma##.bn-paf.de
- DNS ASK ei##mann.de
- DNS ASK mx##.##ndenserver.de
- DNS ASK po#t.sk
- DNS ASK cb#.##rusfree.cz
- DNS ASK el##sy.de
- DNS ASK ma##.gbc.net
- DNS ASK ea###link.net
- DNS ASK mx#.##rthlink.net
- DNS ASK ib#.com
- DNS ASK mx######b2d01.pphosted.com
- DNS ASK cc#t.ch
- DNS ASK pf###enhofen.de
- DNS ASK xt##.co.nz
- DNS ASK rb###bourin.fr
- DNS ASK mx##.#e.isp-net.nl
- DNS ASK ta###hsteel.com
- DNS ASK se##am.cz
- DNS ASK fr####telecom.com
- DNS ASK re#######s241.francetelecom.com
- DNS ASK la#####dbankleasing.com
- DNS ASK gg##o.cn
- DNS ASK mx###1.qq.com
- DNS ASK so###obile.com
- DNS ASK mx#######702.gslb.pphosted.com
- DNS ASK at#.net
- DNS ASK ff######x-vip2.prodigy.net
- DNS ASK ro###mco.com
- DNS ASK mx#####.ppe-hosted.com
- DNS ASK so###cape.net
- DNS ASK fi##########.mail.protection.outlook.com
- DNS ASK mx#.##amgateway.cn
- DNS ASK ms#####p-mx2.hinet.net
- DNS ASK ir###sainc.com
- DNS ASK dc#######9572c2.irisusainc.com
- DNS ASK qu####nloans.com
- DNS ASK mx#.###314-6.iphmx.com
- DNS ASK google.com
- DNS ASK aq###ais.net
- DNS ASK zh###in.com.cn
- DNS ASK mx#.##aopin.com.cn
- DNS ASK mi##cle.dk
- DNS ASK alt2.aspmx.l.google.com
- DNS ASK la.com
- DNS ASK tr####irium.com.bo
- DNS ASK ms#.#inet.net
- DNS ASK an#####m0.MegaLink.com
- DNS ASK fi###ity.com
- DNS ASK go##i.cn
Miscellaneous
Creates and executes the following
- '<SYSTEM32>\zmhjwrxn\ugfteowq.exe' /d"<Full path to file>"
- '<SYSTEM32>\cmd.exe' /C mkdir <SYSTEM32>\zmhjwrxn\' (with hidden window)
- '<SYSTEM32>\cmd.exe' /C move /Y "%TEMP%\ugfteowq.exe" <SYSTEM32>\zmhjwrxn\' (with hidden window)
- '<SYSTEM32>\sc.exe' create zmhjwrxn binPath= "<SYSTEM32>\zmhjwrxn\ugfteowq.exe /d\"<Full path to file>\"" type= own start= auto DisplayName= "wifi support"' (with hidden window)
- '<SYSTEM32>\sc.exe' description zmhjwrxn "wifi internet conection"' (with hidden window)
- '<SYSTEM32>\sc.exe' start zmhjwrxn' (with hidden window)
Executes the following
- '<SYSTEM32>\cmd.exe' /C mkdir <SYSTEM32>\zmhjwrxn\
- '<SYSTEM32>\cmd.exe' /C move /Y "%TEMP%\ugfteowq.exe" <SYSTEM32>\zmhjwrxn\
- '<SYSTEM32>\sc.exe' create zmhjwrxn binPath= "<SYSTEM32>\zmhjwrxn\ugfteowq.exe /d\"<Full path to file>\"" type= own start= auto DisplayName= "wifi support"
- '<SYSTEM32>\sc.exe' description zmhjwrxn "wifi internet conection"
- '<SYSTEM32>\sc.exe' start zmhjwrxn
- '<SYSTEM32>\svchost.exe'