Technical Information
To ensure autorun and distribution:
Creates the following services:
- [<HKLM>\SYSTEM\ControlSet001\Services\gwrurj] 'Start' = '00000002'
- [<HKLM>\SYSTEM\ControlSet001\Services\xiifsp] 'Start' = '00000002'
- [<HKLM>\SYSTEM\ControlSet001\Services\AudioSrv] 'Start' = '00000002'
Malicious functions:
Creates and executes the following:
- C:\hwuuvoogjj a -sc:\server.exe
- C:\server.exe
- C:\moon92.exe
Executes the following:
- <SYSTEM32>\sc.exe stop xiifsp
- <SYSTEM32>\sc.exe create gwrurj type= kernel start= auto binpath= "%ALLUSERSPROFILE%\Application Data\ZTMWQCW\gwrurj.bin"
- <SYSTEM32>\sc.exe start xiifsp
- <SYSTEM32>\sc.exe create xiifsp type= kernel binpath= "%ALLUSERSPROFILE%\Application Data\ZTMWQCW\xiifsp.bin" start= auto
- <SYSTEM32>\sc.exe stop null
Modifies file system :
Creates the following files:
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\pab[1].php
- %WINDIR%\msapps\sz9082.nfo
- <SYSTEM32>\drbccsssac
- <SYSTEM32>\dbpujvupnw
- %WINDIR%\Help\myr5606
- %ALLUSERSPROFILE%\Application Data\ZTMWQCW\gwrurj.bin
- %WINDIR%\Temp\{0712c22e-baee-4f3e-0092-8601fd8ec55f}
- %WINDIR%\Web\rf5675.htt
- %WINDIR%\msagent\pz3444.tlb
- C:\hwuuvoogjj
- <Current directory>\erbrictkk
- C:\moon92.exe
- C:\server.exe
- %TEMP%\iereddbtvd.dat
- %ALLUSERSPROFILE%\Application Data\ZTMWQCW\xiifsp.bin
- <SYSTEM32>\51e92691.rdb
- %ALLUSERSPROFILE%\Application Data\ZTMWQCW\xqv5294.lex
- %TEMP%\2.tmp
Sets the 'hidden' attribute to the following files:
- C:\server.exe
- C:\moon92.exe
Deletes the following files:
- <SYSTEM32>\dbpujvupnw
- C:\hwu
- %ALLUSERSPROFILE%\Application Data\ZTMWQCW\xiifsp.bin
- %TEMP%\2.tmp
- %ALLUSERSPROFILE%\Application Data\ZTMWQCW\gwrurj.bin
- <SYSTEM32>\drbccsssac
- <Current directory>\erbrictkk
- C:\server.exe
- <SYSTEM32>\config\AppEvent.Evt
- <SYSTEM32>\config\SysEvent.Evt
- <SYSTEM32>\config\SecEvent.Evt
Moves the following files:
- from %TEMP%\iereddbtvd.dat to %ALLUSERSPROFILE%\Application Data\Storm\update\%SESSIONNAME%\rqtlf.cc3
- from C:\hwuuvoogjj to C:\hwu
Network activity:
Connects to:
- 'wh###5.3322.org':8086
- 'rp.##q88.com':80
- 'rp##.21civ.com':80
- 'up##.21civ.com':80
TCP:
HTTP GET requests:
- rp.##q88.com/rp.php?om###################################################################################
- up##.21civ.com/pab.php?b=######################################
- rp##.21civ.com/az.php?st######################################################
UDP:
- DNS ASK u1.##et.com.cn
- DNS ASK um##.eset.com
- DNS ASK do#######2.kaspersky-labs.com
- DNS ASK up#####.jiangmin.com
- DNS ASK 08#####e1.jiangmin.com
- DNS ASK ex###.eset.com
- DNS ASK 08#####e2.jiangmin.com
- DNS ASK u3.##et.com.cn
- DNS ASK do#######4.kaspersky-labs.com
- DNS ASK 08#####e4.jiangmin.com
- DNS ASK u2.##et.com.cn
- DNS ASK do#######3.kaspersky-labs.com
- DNS ASK 08#####e3.jiangmin.com
- DNS ASK gt###kg.avg.com
- DNS ASK mm#.#xplabs.net
- DNS ASK li########.symantecliveupdate.com
- DNS ASK gt###nt.avg.com
- DNS ASK gt###yc.avg.com
- DNS ASK gt####lf.avg.com
- DNS ASK ll###.avast.com
- DNS ASK cu###.www.duba.net
- DNS ASK cs#.#uba.net
- DNS ASK do#######1.kaspersky-labs.com
- DNS ASK ia#.###ndmicro.com.cn
- DNS ASK dn####.#eo.kaspersky.com
- DNS ASK rs###.rising.com.cn
- DNS ASK u4.##et.com.cn
- DNS ASK cs##.duba.net
- DNS ASK do#######10.kaspersky-labs.com
- DNS ASK up#####0.jiangmin.com
- DNS ASK 08#####e9.jiangmin.com
- DNS ASK u9.##et.com.cn
- DNS ASK rs####.rising.com.cn
- DNS ASK 08#####e10.jiangmin.com
- DNS ASK 08#####e11.jiangmin.com
- DNS ASK do#######12.kaspersky-labs.com
- DNS ASK up#####2.jiangmin.com
- DNS ASK u1#.#set.com.cn
- DNS ASK do#######11.kaspersky-labs.com
- DNS ASK up#####1.jiangmin.com
- DNS ASK do#######6.kaspersky-labs.com
- DNS ASK 08#####e6.jiangmin.com
- DNS ASK u6.##et.com.cn
- DNS ASK do#######5.kaspersky-labs.com
- DNS ASK 08#####e5.jiangmin.com
- DNS ASK u5.##et.com.cn
- DNS ASK do#######7.kaspersky-labs.com
- DNS ASK 08#####e8.jiangmin.com
- DNS ASK u8.##et.com.cn
- DNS ASK do#######9.kaspersky-labs.com
- DNS ASK 08#####e7.jiangmin.com
- DNS ASK u7.##et.com.cn
- DNS ASK do#######8.kaspersky-labs.com
- DNS ASK up####.360safe.com
- DNS ASK rp.##q88.com
- DNS ASK up#####s.360safe.com
- DNS ASK qd.###e.qihoo.com
- DNS ASK st##.#60safe.com
- DNS ASK st####.360safe.com
- DNS ASK tr.#.360.cn
- DNS ASK sd#.#60safe.com
- DNS ASK dl.##0safe.com
- DNS ASK dl.##-lb.com
- DNS ASK up####h.360safe.com
- DNS ASK w.##0.cn
- DNS ASK st##.sd.360.cn
- DNS ASK wh###5.3322.org
- DNS ASK qu#.#.360.cn
- DNS ASK u.###l.f.360.cn
- DNS ASK rp##.21civ.com
- DNS ASK up##.21civ.com
- DNS ASK co##.f.360.cn
- DNS ASK qu##.f.360.cn
- DNS ASK sd##.qh-lb.com
- DNS ASK sd###.360.cn
- DNS ASK qd.##de.360.cn
- DNS ASK qu##.qh-lb.com
- DNS ASK qu#.#h-lb.com
- DNS ASK sd##.360.cn
- DNS ASK www.ba##u.com
- DNS ASK www.ri###g.com.cn
- DNS ASK z.###ing.com.cn
- DNS ASK rs######ad.rising.com.cn
- DNS ASK f-####s.duba.net
- DNS ASK ap#.#c120.com
- DNS ASK hd.#uba.net
- DNS ASK ms#####.rising.com.cn
- DNS ASK su####t.eset.com.cn
- DNS ASK up###e.nai.com
- DNS ASK gu##.avg.com
- DNS ASK re#####.rising.com.cn
- DNS ASK rs######to.rising.com.cn
- DNS ASK ka#####ky.fastcdn.com
- DNS ASK so#####.update.360safe.com
- DNS ASK an#####.db.kingsoft.com
- DNS ASK bo.#uba.net
- DNS ASK www.36#.cn
- DNS ASK www.36##afe.com
- DNS ASK so###.##date.360safe.com
- DNS ASK f-##.beike.cn
- DNS ASK www.du##.net
- DNS ASK if#.#uba.net
- DNS ASK vi.##120.com
- DNS ASK www.be##e.cn
- DNS ASK vc##.beike.cn
- DNS ASK pu##.#ww.duba.net
Miscellaneous:
Searches for the following windows:
- ClassName: 'Shell_TrayWnd' WindowName: ''