Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'MciGkrwk' = '<LS_APPDATA>\eyqtaont\mcigkrwk.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Userinit' = '<SYSTEM32>\userinit.exe,,<LS_APPDATA>\eyqtaont\mcigkrwk.exe'
Creates or modifies the following files:
- %HOMEPATH%\Start Menu\Programs\Startup\mcigkrwk.exe
Malicious functions:
To bypass firewall, removes or modifies the following registry keys:
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'DisableNotifications' = '00000001'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'DoNotAllowExceptions' = '00000000'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'EnableFirewall' = '00000000'
To complicate detection of its presence in the operating system,
blocks the following features:
- User Account Control (UAC)
- Windows Security Center
Creates and executes the following:
- '%TEMP%\ekdbmtyq.exe' admin
- '%TEMP%\ekdbmtyq.exe' elevate
Executes the following:
- '<SYSTEM32>\cmd.exe' /C ""%TEMP%\ekdbmtyq.exe"" admin
- '<SYSTEM32>\svchost.exe'
Hooks the following functions in System Service Descriptor Table (SSDT):
- NtOpenKey, handler: tqgnnosw.sys
- NtCreateKey, handler: tqgnnosw.sys
Modifies file system :
Creates the following files:
- %TEMP%\tqgnnosw.sys
- %WINDIR%\Temp\6decd52f
- %WINDIR%\Temp\7fffffb1
- <LS_APPDATA>\eyqtaont\mcigkrwk.exe
- %TEMP%\ekdbmtyq.exe
- %ALLUSERSPROFILE%\Application Data\bjdwbfvf.log
- <LS_APPDATA>\niuydqre.log
Sets the 'hidden' attribute to the following files:
- %HOMEPATH%\Start Menu\Programs\Startup\mcigkrwk.exe
Deletes the following files:
- %TEMP%\tqgnnosw.sys
Network activity:
Connects to:
- 'xx####yvyfvirbp.com':443
- 'ne####fbmkbvmf.com':443
- 're####ihcxhjj.com':443
- 'cn####hkocdbps.com':443
- 'de###awup.com':443
- 'jp#####afxjqvaga.com':443
- 'su###qbos.com':443
- 'dq#####slaemuixxak.com':443
UDP:
- DNS ASK tn#####kojxrqhhjfvi.com
- DNS ASK wh####votltifj.com
- DNS ASK ut###pia.com
- DNS ASK dj####lvppmrjm.com
- DNS ASK eq###dqtsyh.com
- DNS ASK au####symisdi.com
- DNS ASK mb####pqvvtty.com
- DNS ASK mk####kmghlh.com
- DNS ASK fh#####cqnsserdoan.com
- DNS ASK ry####dufabqc.com
- DNS ASK en####mmosror.com
- DNS ASK ws###amk.com
- DNS ASK ya##o.com
- DNS ASK dg####uptldoiis.com
- DNS ASK uc####pcjspuoe.com
- DNS ASK cb####hmpkyuub.com
- DNS ASK mm####pdwagcg.com
- DNS ASK yn#####yjkpgtugtwo.com
- DNS ASK ig#####oluspcljm.com
- DNS ASK wd#####ualkbapofta.com
- DNS ASK sd#####aetkjbaadd.com
- DNS ASK hf###hngo.com
- DNS ASK cc####sdggihuue.com
- DNS ASK ux#####jptiupnhdafy.com
- DNS ASK vu###mcu.com
- DNS ASK vg#####tefriixwohwm.com
- DNS ASK nv###jhhbmy.com
- DNS ASK xl###wpy.com
- DNS ASK xy#####kiyljsyimbwy.com
- DNS ASK vp###cbo.com
- DNS ASK vm####vmtfjtboi.com
- DNS ASK gm###ugko.com
- DNS ASK qf###fuv.com
- DNS ASK vr###vexnj.com
- DNS ASK df####apewrb.com
- DNS ASK yt####ambvydsa.com
- DNS ASK ri#####toushpqkybt.com
- DNS ASK bk#####wwqjowkdcd.com
- DNS ASK rg####lheqob.com
- DNS ASK fp#####myglqqdly.com
- DNS ASK bk###pgyhl.com
- DNS ASK iw####qhwchjkjd.com
- DNS ASK ot###ynobjj.com
- DNS ASK hw#####jokhwxuplfr.com
- DNS ASK sy####accqplk.com
- DNS ASK yx####qdqbinut.com
- DNS ASK sy###mrbjvj.com
- DNS ASK lx#####lvufyvndmyy.com
- DNS ASK nn#####cfrulntvgq.com
- DNS ASK ge####wunfkxht.com
- DNS ASK bb####wngdrw.com
- DNS ASK uj#####sbistbokq.com
- DNS ASK su###qbos.com
- DNS ASK ne####fbmkbvmf.com
- DNS ASK dq#####slaemuixxak.com
- DNS ASK jp#####afxjqvaga.com
- DNS ASK de###awup.com
- DNS ASK ex###wmpaed.com
- DNS ASK google.com
- DNS ASK re####ihcxhjj.com
- DNS ASK xx####yvyfvirbp.com
- DNS ASK cn####hkocdbps.com
- DNS ASK dx#####delyjvdjlrij.com
- DNS ASK pf###juoph.com
- DNS ASK wn###idtgxt.com
- DNS ASK ta#####kemwisnkgxuc.com
- DNS ASK ho####noafxlrj.com
- DNS ASK hw####qwgtlkvgu.com
- DNS ASK jh####wikxuuqh.com
- DNS ASK iv###axod.com
- DNS ASK kr#####rymwnkddomby.com
- DNS ASK mb###ftevl.com
- DNS ASK aa#####tpewjjcxu.com
- DNS ASK oo####qkkpbpcd.com
- DNS ASK bh####aalssy.com
- DNS ASK gb###hgybo.com
- DNS ASK kp#####dhnhieswds.com
- DNS ASK py#####nrcinuankpaa.com
- DNS ASK yv####ohnvdb.com
- DNS ASK ea####wstvpc.com
- DNS ASK tf####ljqmpeai.com
- DNS ASK bing.com
- DNS ASK cf####cdbeurv.com
Miscellaneous:
Searches for the following windows:
- ClassName: 'Indicator' WindowName: ''
- ClassName: 'unityApps' WindowName: ''