Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'Tracking Storage Player Identity Experience' = '<SYSTEM32>\rglmecdowiu.exe'
Creates or modifies the following files:
- %HOMEPATH%\Start Menu\Programs\Startup\rglmecdowiu.exe
Creates the following services:
- [<HKLM>\SYSTEM\ControlSet001\Services\BitLocker Connect Cryptographic Firewall] 'Start' = '00000002'
Malicious functions:
To complicate detection of its presence in the operating system,
blocks the following features:
- Windows Security Center
Creates and executes the following:
- '%WINDIR%\Temp\pegsq9zm4lj7mo4qs.exe' -r 21642 tcp
- '%WINDIR%\Temp\pegsq9zm5bpwmo4qs.exe' -r 38770 tcp
- '<SYSTEM32>\vgpvjuxc.exe' "<SYSTEM32>\rglmecdowiu.exe"
- '%TEMP%\pegsq9zm4bnqmo4qjigusn.exe'
- '<SYSTEM32>\rglmecdowiu.exe'
Modifies file system :
Creates the following files:
- <SYSTEM32>\dadsztuh\cfg
- <SYSTEM32>\dadsztuh\run
- %WINDIR%\Temp\pegsq9zm4lj7mo4qs.exe
- <SYSTEM32>\dadsztuh\por
- %WINDIR%\Temp\pegsq9zm5bpwmo4qs.exe
- <SYSTEM32>\dadsztuh\rng
- %TEMP%\pegsq9zm4bnqmo4qjigusn.exe
- <SYSTEM32>\dadsztuh\tst
- <SYSTEM32>\dadsztuh\etc
- <SYSTEM32>\vgpvjuxc.exe
- <SYSTEM32>\rglmecdowiu.exe
Sets the 'hidden' attribute to the following files:
- <SYSTEM32>\vgpvjuxc.exe
- <SYSTEM32>\rglmecdowiu.exe
Deletes the following files:
- %WINDIR%\Temp\pegsq9zm4lj7mo4qs.exe
- %WINDIR%\Temp\pegsq9zm5bpwmo4qs.exe
- %TEMP%\pegsq9zm4bnqmo4qjigusn.exe
- <DRIVERS>\etc\hosts
Substitutes the HOSTS file.
Network activity:
Connects to:
- 'kn###ree.net':80
- 'wi###nce.net':80
- 'dr###once.net':80
- 'kn###ther.net':80
- 'ab###orty.net':80
- 'kn###orty.net':80
- 'dr###study.net':80
- 'wi###ncle.net':80
- 'dr###uncle.net':80
- 'wi###oss.net':80
- 'dr###loss.net':80
- 'wi###tudy.net':80
- 'ab###ther.net':80
- 'pi###all.net':80
- 'so###ther.net':80
- 'pi###ther.net':80
- 'si###ree.net':80
- 'ro###ree.net':80
- 'so###all.net':80
- 'pi###ree.net':80
- 'ab###all.net':80
- 'kn###all.net':80
- 'so###orty.net':80
- 'pi###orty.net':80
- 'so###ree.net':80
- 'wh###tudy.net':80
- 'hi###tudy.net':80
- 'am###stol.com':80
- 'hi###nce.net':80
- 'wh###oss.net':80
- 'hi###oss.net':80
- 'ja###uter.com':80
- 'el#####arimagine.com':80
- 'do####club-grup.com':80
- 'vi###mojo.com':80
- 'mo###uia.com':80
- 'mo###itio.com':80
- 'wh###nce.net':80
- 'th###uncle.net':80
- 'lo###nce.net':80
- 'fe###nce.net':80
- 'th###once.net':80
- 'th###loss.net':80
- 'th###study.net':80
- 'fe###tudy.net':80
- 'lo###ncle.net':80
- 'fe###ncle.net':80
- 'lo###oss.net':80
- 'fe###oss.net':80
- 'lo###tudy.net':80
TCP:
HTTP GET requests:
- kn###ree.net/forum/search.php?me#########################################
- wi###nce.net/forum/search.php?me#########################################
- dr###once.net/forum/search.php?me#########################################
- kn###ther.net/forum/search.php?me#########################################
- ab###orty.net/forum/search.php?me#########################################
- kn###orty.net/forum/search.php?me#########################################
- dr###study.net/forum/search.php?me#########################################
- wi###ncle.net/forum/search.php?me#########################################
- dr###uncle.net/forum/search.php?me#########################################
- wi###oss.net/forum/search.php?me#########################################
- dr###loss.net/forum/search.php?me#########################################
- wi###tudy.net/forum/search.php?me#########################################
- ab###ther.net/forum/search.php?me#########################################
- pi###all.net/forum/search.php?me#########################################
- so###ther.net/forum/search.php?me#########################################
- pi###ther.net/forum/search.php?me#########################################
- si###ree.net/forum/search.php?me#########################################
- ro###ree.net/forum/search.php?me#########################################
- so###all.net/forum/search.php?me#########################################
- pi###ree.net/forum/search.php?me#########################################
- ab###all.net/forum/search.php?me#########################################
- kn###all.net/forum/search.php?me#########################################
- so###orty.net/forum/search.php?me#########################################
- pi###orty.net/forum/search.php?me#########################################
- so###ree.net/forum/search.php?me#########################################
- wh###tudy.net/forum/search.php?me#########################################
- hi###tudy.net/forum/search.php?me#########################################
- am###stol.com/forum/search.php?me#########################################
- hi###nce.net/forum/search.php?me#########################################
- wh###oss.net/forum/search.php?me#########################################
- hi###oss.net/forum/search.php?me#########################################
- ja###uter.com/forum/search.php?me#########################################
- el#####arimagine.com/forum/search.php?me#########################################
- do####club-grup.com/forum/search.php?me#########################################
- vi###mojo.com/forum/search.php?me#########################################
- mo###uia.com/forum/search.php?me#########################################
- mo###itio.com/forum/search.php?me#########################################
- wh###nce.net/forum/search.php?me#########################################
- th###uncle.net/forum/search.php?me#########################################
- lo###nce.net/forum/search.php?me#########################################
- fe###nce.net/forum/search.php?me#########################################
- th###once.net/forum/search.php?me#########################################
- th###loss.net/forum/search.php?me#########################################
- th###study.net/forum/search.php?me#########################################
- fe###tudy.net/forum/search.php?me#########################################
- lo###ncle.net/forum/search.php?me#########################################
- fe###ncle.net/forum/search.php?me#########################################
- lo###oss.net/forum/search.php?me#########################################
- fe###oss.net/forum/search.php?me#########################################
- lo###tudy.net/forum/search.php?me#########################################
UDP:
- DNS ASK kn###orty.net
- DNS ASK ab###ree.net
- DNS ASK kn###ree.net
- DNS ASK ab###ther.net
- DNS ASK kn###ther.net
- DNS ASK ab###orty.net
- DNS ASK wi###nce.net
- DNS ASK wi###tudy.net
- DNS ASK dr###study.net
- DNS ASK wi###ncle.net
- DNS ASK dr###once.net
- DNS ASK wi###oss.net
- DNS ASK dr###loss.net
- DNS ASK so###all.net
- DNS ASK pi###all.net
- DNS ASK so###ther.net
- DNS ASK ro###orty.net
- DNS ASK si###ree.net
- DNS ASK ro###ree.net
- DNS ASK pi###ther.net
- DNS ASK pi###ree.net
- DNS ASK ab###all.net
- DNS ASK kn###all.net
- DNS ASK so###orty.net
- DNS ASK pi###orty.net
- DNS ASK so###ree.net
- DNS ASK dr###uncle.net
- DNS ASK wh###tudy.net
- DNS ASK hi###tudy.net
- DNS ASK am###stol.com
- DNS ASK hi###nce.net
- DNS ASK wh###oss.net
- DNS ASK hi###oss.net
- DNS ASK ja###uter.com
- DNS ASK el#####arimagine.com
- DNS ASK do####club-grup.com
- DNS ASK vi###mojo.com
- DNS ASK mo###uia.com
- DNS ASK mo###itio.com
- DNS ASK wh###nce.net
- DNS ASK th###uncle.net
- DNS ASK lo###nce.net
- DNS ASK fe###nce.net
- DNS ASK th###once.net
- DNS ASK th###loss.net
- DNS ASK th###study.net
- DNS ASK fe###tudy.net
- DNS ASK lo###ncle.net
- DNS ASK fe###ncle.net
- DNS ASK lo###oss.net
- DNS ASK fe###oss.net
- DNS ASK lo###tudy.net
- '23#.#55.255.250':1900