Technical Information
To ensure autorun and distribution
Modifies the following registry keys
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'VmdaoPhvfQaC' = '%TEMP%\aUUNDJSd.vbs'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'iBmhXIzgJjb' = '%TEMP%\sqeZVBoZoUe.vbs'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'YxsHmsom' = '%TEMP%\uxVWaqCIgmj.vbs'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'VJllDDxVvrxa' = '%TEMP%\eJvZogjGVHPd.vbs'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'BhTLbIKvi' = '%TEMP%\TDFWunDu.vbs'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'NFAJEciWi' = '%TEMP%\yFMSFvLpgsIJ.vbs'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'WQMNNMNog' = '%TEMP%\KUijhwq.vbs'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'TVvhLnRk' = '%TEMP%\aGeaKUkrcTD.vbs'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'KNuWOSQOaczkt' = '%TEMP%\orVzqrssQhqKo.vbs'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'IdwNpSaD' = '%TEMP%\auzFKyEXrq.vbs'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'fTsCyAyDa' = '%TEMP%\kMOuKVFK.vbs'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'IjGRyVyq' = '%TEMP%\MBMLcdboBB.vbs'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'sFIcipTgXG' = '%TEMP%\mZjfcgVoMYlgM.vbs'
Malicious functions
Injects code into
the following system processes:
- %WINDIR%\syswow64\notepad.exe
Modifies file system
Creates the following files
- %TEMP%\auundjsd.vbs
- %TEMP%\radd4701.tmp\pjdjrikekxe.exe
- %TEMP%\ageakukrctd.vbs
- %TEMP%\rad4052d.tmp\zwibtacmlzlx.exe
- %TEMP%\orvzqrssqhqko.vbs
- %TEMP%\rad50105.tmp\eadobynbvogwf.exe
- %TEMP%\raded99f.tmp\bvtzapxpmhodmmf.exe
- %TEMP%\auzfkyexrq.vbs
- %TEMP%\rad101d5.tmp\amgbbfdl.exe
- %TEMP%\rad138b1.tmp\tzwrzdgiy.exe
- %TEMP%\kmoukvfk.vbs
- %TEMP%\rad877a6.tmp\wrzmtzmimgkvquu.exe
- %TEMP%\raded353.tmp\exkpecucd.exe
- %TEMP%\mbmlcdbobb.vbs
- %TEMP%\radf1378.tmp\mmxyddhgumkbi.exe
- %TEMP%\rad60ff2.tmp\bfrovuoske.exe
- %TEMP%\rad101bc.tmp\koyylwadt.exe
- %TEMP%\rad15599.tmp\koyylwadt.exe
- %TEMP%\radd78ee.tmp\mcctbjmjzmsf.exe
- %TEMP%\rad3540c.tmp\exkpecucd.exe
- %TEMP%\radb9f43.tmp\exkpecucd.exe
- %TEMP%\sqezvbozoue.vbs
- %TEMP%\raddf9e9.tmp\amgbbfdl.exe
- %TEMP%\rad7f267.tmp\exkpecucd.exe
- %TEMP%\uxvwaqcigmj.vbs
- %TEMP%\rad6ed2d.tmp\eadobynbvogwf.exe
- %TEMP%\rad1d62a.tmp\amgbbfdl.exe
- %TEMP%\ejvzogjgvhpd.vbs
- %TEMP%\rad1727d.tmp\koyylwadt.exe
- %TEMP%\rad6941e.tmp\exkpecucd.exe
- %TEMP%\tdfwundu.vbs
- %TEMP%\yfmsfvlpgsij.vbs
- %TEMP%\rad34c21.tmp\eadobynbvogwf.exe
- %TEMP%\kuijhwq.vbs
- %TEMP%\rad7c78f.tmp\amgbbfdl.exe
- %TEMP%\rad9ac70.tmp\mmxyddhgumkbi.exe
- %TEMP%\mzjfcgvomylgm.vbs
Deletes the following files
- %TEMP%\radb9f43.tmp\exkpecucd.exe
- %TEMP%\raddf9e9.tmp\amgbbfdl.exe
- %TEMP%\rad7f267.tmp\exkpecucd.exe
- %TEMP%\rad6ed2d.tmp\eadobynbvogwf.exe
- %TEMP%\rad1d62a.tmp\amgbbfdl.exe
- %TEMP%\rad6941e.tmp\exkpecucd.exe
- %TEMP%\rad1727d.tmp\koyylwadt.exe
- %TEMP%\rad34c21.tmp\eadobynbvogwf.exe
- %TEMP%\rad7c78f.tmp\amgbbfdl.exe
- %TEMP%\rad3540c.tmp\exkpecucd.exe
- %TEMP%\rad9ac70.tmp\mmxyddhgumkbi.exe
- %TEMP%\rad101bc.tmp\koyylwadt.exe
- %TEMP%\radd4701.tmp\pjdjrikekxe.exe
- %TEMP%\rad4052d.tmp\zwibtacmlzlx.exe
Network activity
Connects to
- '3.##2.71.14':28193
- '3.###.157.76':28193
TCP
Other
- '3.##2.71.14':28193
Miscellaneous
Creates and executes the following
- '%TEMP%\radf1378.tmp\mmxyddhgumkbi.exe'
- '%WINDIR%\syswow64\cscript.exe' "%TEMP%\KUijhwq.vbs"
- '%TEMP%\rad34c21.tmp\eadobynbvogwf.exe'
- '%WINDIR%\syswow64\cscript.exe' "%TEMP%\MBMLcdboBB.vbs"
- '%TEMP%\rad7c78f.tmp\amgbbfdl.exe'
- '%TEMP%\raded353.tmp\exkpecucd.exe'
- '%TEMP%\rad9ac70.tmp\mmxyddhgumkbi.exe'
- '%TEMP%\rad101bc.tmp\koyylwadt.exe'
- '%TEMP%\rad877a6.tmp\wrzmtzmimgkvquu.exe'
- '%TEMP%\radd78ee.tmp\mcctbjmjzmsf.exe'
- '%TEMP%\radd4701.tmp\pjdjrikekxe.exe'
- '%WINDIR%\syswow64\cscript.exe' "%TEMP%\kMOuKVFK.vbs"
- '%WINDIR%\syswow64\cscript.exe' "%TEMP%\aGeaKUkrcTD.vbs"
- '%TEMP%\rad4052d.tmp\zwibtacmlzlx.exe'
- '%TEMP%\rad138b1.tmp\tzwrzdgiy.exe'
- '%WINDIR%\syswow64\cscript.exe' "%TEMP%\orVzqrssQhqKo.vbs"
- '%TEMP%\rad101d5.tmp\amgbbfdl.exe'
- '%TEMP%\rad50105.tmp\eadobynbvogwf.exe'
- '%TEMP%\rad3540c.tmp\exkpecucd.exe'
- '%TEMP%\raded99f.tmp\bvtzapxpmhodmmf.exe'
- '%TEMP%\rad7f267.tmp\exkpecucd.exe'
- '%WINDIR%\syswow64\cscript.exe' "%TEMP%\TDFWunDu.vbs"
- '%WINDIR%\syswow64\cscript.exe' "%TEMP%\auzFKyEXrq.vbs"
- '%TEMP%\rad1727d.tmp\koyylwadt.exe'
- '%WINDIR%\syswow64\cscript.exe' "%TEMP%\aUUNDJSd.vbs"
- '%WINDIR%\syswow64\cscript.exe' "%TEMP%\sqeZVBoZoUe.vbs"
- '%TEMP%\raddf9e9.tmp\amgbbfdl.exe'
- '%TEMP%\rad60ff2.tmp\bfrovuoske.exe'
- '%TEMP%\radb9f43.tmp\exkpecucd.exe'
- '%TEMP%\rad6ed2d.tmp\eadobynbvogwf.exe'
- '%WINDIR%\syswow64\cscript.exe' "%TEMP%\mZjfcgVoMYlgM.vbs"
- '%TEMP%\rad1d62a.tmp\amgbbfdl.exe'
- '%WINDIR%\syswow64\cscript.exe' "%TEMP%\uxVWaqCIgmj.vbs"
- '%TEMP%\rad6941e.tmp\exkpecucd.exe'
- '%WINDIR%\syswow64\cscript.exe' "%TEMP%\eJvZogjGVHPd.vbs"
- '%TEMP%\rad15599.tmp\koyylwadt.exe'
- '%WINDIR%\syswow64\cscript.exe' "%TEMP%\yFMSFvLpgsIJ.vbs"
- '%TEMP%\rad15599.tmp\koyylwadt.exe' ' (with hidden window)
- '%TEMP%\radd5766.tmp\pjdjrikekxe.exe' ' (with hidden window)
- '%WINDIR%\syswow64\cscript.exe' "%TEMP%\auzFKyEXrq.vbs"' (with hidden window)
- '%TEMP%\rad60ff2.tmp\bfrovuoske.exe' ' (with hidden window)
- '%WINDIR%\syswow64\cscript.exe' "%TEMP%\yFMSFvLpgsIJ.vbs"' (with hidden window)
- '%TEMP%\rad96a1d.tmp\zwibtacmlzlx.exe' ' (with hidden window)
- '%TEMP%\raded353.tmp\exkpecucd.exe' ' (with hidden window)
- '%TEMP%\radcb2d9.tmp\skspnkfevaxagf.exe' ' (with hidden window)
- '%WINDIR%\syswow64\cscript.exe' "%TEMP%\sqeZVBoZoUe.vbs"' (with hidden window)
- '%TEMP%\rad50105.tmp\eadobynbvogwf.exe' ' (with hidden window)
- '%WINDIR%\syswow64\cscript.exe' "%TEMP%\kMOuKVFK.vbs"' (with hidden window)
- '%TEMP%\radf7be8.tmp\dykbmjpys.exe' ' (with hidden window)
- '%WINDIR%\syswow64\cscript.exe' "%TEMP%\mZjfcgVoMYlgM.vbs"' (with hidden window)
- '%TEMP%\rad877a6.tmp\wrzmtzmimgkvquu.exe' ' (with hidden window)
- '%TEMP%\rad138b1.tmp\tzwrzdgiy.exe' ' (with hidden window)
- '%WINDIR%\syswow64\notepad.exe' ' (with hidden window)
- '%TEMP%\radd78ee.tmp\mcctbjmjzmsf.exe' ' (with hidden window)
- '%WINDIR%\syswow64\cscript.exe' "%TEMP%\aUUNDJSd.vbs"' (with hidden window)
- '%TEMP%\radf1378.tmp\mmxyddhgumkbi.exe' ' (with hidden window)
- '%WINDIR%\syswow64\cscript.exe' "%TEMP%\lvznhu.vbs"' (with hidden window)
- '%TEMP%\radb9f43.tmp\exkpecucd.exe' ' (with hidden window)
- '%TEMP%\rad6ed2d.tmp\eadobynbvogwf.exe' ' (with hidden window)
- '%TEMP%\raddf9e9.tmp\amgbbfdl.exe' ' (with hidden window)
- '%TEMP%\raded99f.tmp\bvtzapxpmhodmmf.exe' ' (with hidden window)
- '%TEMP%\rad1727d.tmp\koyylwadt.exe' ' (with hidden window)
- '%TEMP%\rad6941e.tmp\exkpecucd.exe' ' (with hidden window)
- '%WINDIR%\syswow64\cscript.exe' "%TEMP%\MBMLcdboBB.vbs"' (with hidden window)
- '%TEMP%\rad1d62a.tmp\amgbbfdl.exe' ' (with hidden window)
- '%WINDIR%\syswow64\cscript.exe' "%TEMP%\uxVWaqCIgmj.vbs"' (with hidden window)
- '%WINDIR%\syswow64\cscript.exe' "%TEMP%\TDFWunDu.vbs"' (with hidden window)
- '%WINDIR%\syswow64\cscript.exe' "%TEMP%\eJvZogjGVHPd.vbs"' (with hidden window)
- '%WINDIR%\syswow64\cscript.exe' "%TEMP%\KUijhwq.vbs"' (with hidden window)
- '%TEMP%\rad101d5.tmp\amgbbfdl.exe' ' (with hidden window)
- '%TEMP%\rad4052d.tmp\zwibtacmlzlx.exe' ' (with hidden window)
- '%TEMP%\rad3540c.tmp\exkpecucd.exe' ' (with hidden window)
- '%TEMP%\rad9ac70.tmp\mmxyddhgumkbi.exe' ' (with hidden window)
- '%TEMP%\rad101bc.tmp\koyylwadt.exe' ' (with hidden window)
- '%WINDIR%\syswow64\cscript.exe' "%TEMP%\YQlFnjHUenuL.vbs"' (with hidden window)
- '%TEMP%\radd4701.tmp\pjdjrikekxe.exe' ' (with hidden window)
- '%WINDIR%\syswow64\cscript.exe' "%TEMP%\aGeaKUkrcTD.vbs"' (with hidden window)
- '%WINDIR%\syswow64\cscript.exe' "%TEMP%\orVzqrssQhqKo.vbs"' (with hidden window)
- '%TEMP%\rad7f267.tmp\exkpecucd.exe' ' (with hidden window)
- '%TEMP%\rad34c21.tmp\eadobynbvogwf.exe' ' (with hidden window)
- '%TEMP%\rad7c78f.tmp\amgbbfdl.exe' ' (with hidden window)
- '%TEMP%\rad61d39.tmp\exdnctockz.exe' ' (with hidden window)
Executes the following
- '%WINDIR%\syswow64\notepad.exe'
- '%WINDIR%\syswow64\cscript.exe' "%TEMP%\lvznhu.vbs"
- '%WINDIR%\syswow64\cscript.exe' "%TEMP%\YQlFnjHUenuL.vbs"