Technical Information
To ensure autorun and distribution
Sets the following service settings
- [<HKLM>\System\CurrentControlSet\Services\I8OFLdbdSF] 'ImagePath' = '%WINDIR%\syswow64\I8OFLdbdSFP.sys'
Creates the following services
- 'I8OFLdbdSF' %WINDIR%\syswow64\I8OFLdbdSFP.sys
Malicious functions
Terminates or attempts to terminate
the following user processes:
- iexplore.exe
Sets a new unauthorized home page for Windows Internet Explorer.
Modifies file system
Creates the following files
- %WINDIR%\tokwob.dll
- %WINDIR%\fppvhkcj\nbhgvm.dll
- %WINDIR%\fppvhkcj\cahoel.dll
- %WINDIR%\luxgnsti\tmudyv.dll
- %WINDIR%\luxgnsti\txrobi.dll
- %WINDIR%\luxgnsti\jmbsmjh.tmp
- %WINDIR%\luxgnsti\uvsqjjpa.dll
- %WINDIR%\syswow64\i8ofldbdsfp.sys
- %WINDIR%\temp\udddfd3.tmp
- %WINDIR%\syswow64\grouppolicy\gpt.ini
- %WINDIR%\veqxpqei\winloon.exe
- <SYSTEM32>\1e467fc0.dll
- %APPDATA%\microsoft\crypto\rsa\s-1-5-21-1960123792-2022915161-3775307078-1001\5ba09ce71dbdd2e0ce33708748b9f2e9_36d1130a-ac2e-44f7-9dc1-e424fbcbe0ee
- %APPDATA%\microsoft\systemcertificates\my\certificates\f0e7317989414059114aa6551d3b41040b861581
- %APPDATA%\microsoft\systemcertificates\my\keys\131452879ae952c8139250d8e5ba08e95a30a6a9
Deletes the following files
- %WINDIR%\tokwob.dll
- %WINDIR%\fppvhkcj\nbhgvm.dll
- %WINDIR%\fppvhkcj\cahoel.dll
- %WINDIR%\luxgnsti\jmbsmjh.tmp
- %WINDIR%\luxgnsti\uvsqjjpa.dll
- %WINDIR%\temp\udddfd3.tmp
- %WINDIR%\syswow64\i8ofldbdsfp.sys
- %WINDIR%\luxgnsti\txrobi.dll
- %WINDIR%\veqxpqei\winloon.exe
- %APPDATA%\microsoft\systemcertificates\my\certificates\f0e7317989414059114aa6551d3b41040b861581
Moves the following files
- from %WINDIR%\luxgnsti\uvsqjjpa.dll to %WINDIR%\luxgnsti\pomjfjusc.dll
Modifies the following files
- C:\users\public\desktop\google chrome.lnk
- C:\users\public\desktop\mozilla firefox.lnk
- %APPDATA%\microsoft\internet explorer\quick launch\google chrome.lnk
- %APPDATA%\microsoft\internet explorer\quick launch\launch internet explorer browser.lnk
- %APPDATA%\microsoft\internet explorer\quick launch\user pinned\taskbar\google chrome.lnk
- %APPDATA%\microsoft\internet explorer\quick launch\user pinned\taskbar\internet explorer.lnk
- %HOMEPATH%\favorites\links\web slice gallery.url
Substitutes the following executable files
- <Full path to file>
Substitutes the following files
- %WINDIR%\luxgnsti\uvsqjjpa.dll
- %WINDIR%\veqxpqei\winloon.exe
- %ALLUSERSPROFILE%\ntuser.pol
Deletes itself.
Network activity
Connects to
- 'ip##8.com':80
- 'ud#.#xwan.com':80
- 'cf#.##pinwan.com':80
- 'bk.##7wan.com':80
- 'r.###gyou.com':80
- 'us###.qzone.qq.com':80
- 'gc.#b51.com':80
- 'dl#.#xwan.com':80
- 'ip.cn':80
- 'ip.##sexit.com':80
TCP
HTTP GET requests
- http://www.ip##8.com/
- http://ud#.#xwan.com/index/getcfg?id######
- http://cf#.##pinwan.com/index/getcfg?id######
- http://bk.##7wan.com/index/getcfg?id######
- http://us###.qzone.qq.com/fcg-bin/cgi_get_portrait.fcg?ui############
- http://gc.#b51.com/index/getcfg?id######
- http://dl#.#xwan.com/d2/CDClient.dll
- http://www.ip.cn/
- http://ip.##sexit.com/
UDP
- DNS ASK ip##8.com
- DNS ASK ha#.#ebnav.top
- DNS ASK ie.##kanyx.cc
- DNS ASK wb.##wanyx.lol
- DNS ASK ha#.#1wanyx.lol
- DNS ASK 99##.com
- DNS ASK 12#.#6kb.xyz
- DNS ASK 23###ini.com
- DNS ASK in###.2345wb.com
- DNS ASK ha#.#6kb.xyz
- DNS ASK t.#n
- DNS ASK mp.#2dp.cn
- DNS ASK mk.##o2016.net
- DNS ASK ie.##wanyx.win
- DNS ASK so.com
- DNS ASK mr.#5wv.cn
- DNS ASK ha#.#cxrb.xyz
- DNS ASK ha##74.com
- DNS ASK hu###.87vu.cn
- DNS ASK ha#.qq.com
- DNS ASK in###.6-6.cn
- DNS ASK ha#.#vrarmr.xyz
- DNS ASK ha#.#rarmrm.xyz
- DNS ASK xi###huou.xyz
- DNS ASK ff#.#eihuo.com
- DNS ASK ha#.#zwqw.xyz
- DNS ASK ru#.#19ky.cn
- DNS ASK li###n.630fg.cn
- DNS ASK i.####ang2016.com
- DNS ASK cd#.#14wb.net
- DNS ASK in###.114wb.net
- DNS ASK cf#.##pinwan.com
- DNS ASK bk.##7wan.com
- DNS ASK r.###gyou.com
- DNS ASK us###.qzone.qq.com
- DNS ASK gc.#b51.com
- DNS ASK dl#.#xwan.com
- DNS ASK ha##23.com
- DNS ASK ba##u.com
- DNS ASK cn.##o123.com
- DNS ASK 23##.com
- DNS ASK 12#.#ogou.com
- DNS ASK ip.cn
- DNS ASK ud#.#xwan.com
- DNS ASK so##u.com
- DNS ASK 52###hang.com
- DNS ASK we#.#ogou.com
- DNS ASK du##.com
- DNS ASK in###.56wanyx.win
- DNS ASK ic###.#aohang2016.com
- DNS ASK we#.##ohang2016.com
- DNS ASK in###.hao2016.net
- DNS ASK wb.##o2016.net
- DNS ASK 12#.##site2016.net
- DNS ASK ie.###ite2016.net
- DNS ASK li####qi.baidu.com
- DNS ASK ha#.360.cn
- DNS ASK da###ng.qq.com
- DNS ASK ip.##sexit.com
- '255.255.255.255':6880
Miscellaneous
Adds a root certificate
Searches for the following windows
- ClassName: 'Progman' WindowName: 'Program Manager'
- ClassName: 'SHELLDLL_DefView' WindowName: ''
- ClassName: 'SysListView32' WindowName: 'FolderView'
- ClassName: 'TApplication' WindowName: 'eyoorun'
- ClassName: 'hqghumeayln' WindowName: 'hqghumeayln'
- ClassName: 'ReBarWindow32' WindowName: ''
- ClassName: 'MSTaskSwWClass' WindowName: ''
- ClassName: 'MSTaskListWClass' WindowName: ''
- ClassName: 'RTGameMenuUI' WindowName: 'ÈñÆð°ËצÓãÓÎÏ·²Ëµ¥'
Executes the following
- '<SYSTEM32>\rundll32.exe' <SYSTEM32>\FirewallControlPanel.dll,ShowNotificationDialog /configure /ETOnly 0 /OnProfiles 6 /OtherAllowed 0 /OtherBlocked 0 /OtherEdgeAllowed 0 /NewBlocked 4 "%WINDIR%\veqxpqei\winloon.exe"
- '<SYSTEM32>\raserver.exe' /offerraupdate