Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'Resource DLL WLAN Cryptographic' = '<SYSTEM32>\stfggpl.exe'
Creates the following services:
- [<HKLM>\SYSTEM\ControlSet001\Services\Trap Mapper Authentication] 'Start' = '00000002'
Malicious functions:
To complicate detection of its presence in the operating system,
blocks the following features:
- Windows Security Center
Creates and executes the following:
- '<SYSTEM32>\shqfsaxzayam.exe' "<SYSTEM32>\stfggpl.exe"
- '%WINDIR%\Temp\mmmaft2q4zdesc.exe' -r 44342 tcp
- '%TEMP%\mmmaft2lj6descw56wprf.exe'
- '<SYSTEM32>\stfggpl.exe'
Modifies file system :
Creates the following files:
- <SYSTEM32>\anouytoeyl\run
- <SYSTEM32>\anouytoeyl\rng
- %WINDIR%\Temp\mmmaft2q4zdesc.exe
- <SYSTEM32>\anouytoeyl\cfg
- <SYSTEM32>\shqfsaxzayam.exe
- %TEMP%\mmmaft2lj6descw56wprf.exe
- <SYSTEM32>\anouytoeyl\tst
- <SYSTEM32>\stfggpl.exe
- <SYSTEM32>\anouytoeyl\etc
Sets the 'hidden' attribute to the following files:
- <SYSTEM32>\shqfsaxzayam.exe
- <SYSTEM32>\stfggpl.exe
Deletes the following files:
- %WINDIR%\Temp\mmmaft2q4zdesc.exe
- <DRIVERS>\etc\hosts
- %TEMP%\mmmaft2lj6descw56wprf.exe
Substitutes the HOSTS file.
Network activity:
Connects to:
- 'hu###fish.net':80
- 'ha###ish.net':80
- 'hu###lady.net':80
- 'ha###ady.net':80
- 'ya###ing.net':80
- 'mu###past.net':80
- 'ya###ady.net':80
- 'mu###wing.net':80
- 'ya###ast.net':80
- 'ha###ast.net':80
- 'wr###guide.net':80
- 'ma###uide.net':80
- 'wr###name.net':80
- 'ma###ame.net':80
- 'wr###late.net':80
- 'ha###ing.net':80
- 'hu###past.net':80
- 'ma###ate.net':80
- 'hu###wing.net':80
- 'mu###lady.net':80
- 'fr###past.net':80
- 'of###past.net':80
- 'fr###wing.net':80
- 'of###wing.net':80
- 'fr###lady.net':80
- 'of###fish.net':80
- 'se####berwing.net':80
- 'of###lady.net':80
- 'fr###fish.net':80
- 'sp###fish.net':80
- 'we###ing.net':80
- 'sp###wing.net':80
- 'ya###ish.net':80
- 'mu###fish.net':80
- 'we###ast.net':80
- 'sp###lady.net':80
- 'we###ish.net':80
- 'sp###past.net':80
- 'we###ady.net':80
- 'ma###alf.net':80
- 'fr###late.net':80
- 'of###late.net':80
- 'be##lxc.com':80
- 'of###guide.net':80
- 'ha###alf.net':80
- 'se####bername.net':80
- 'ha###uide.net':80
- 'se####berhalf.net':80
- 'ha###ame.net':80
- 'ri###nstorm.net':80
- 'mo###ugust.net':80
- 'mi###hown.net':80
- 'cr#####onaraminta.net':80
- 'le###form.net':80
- 'ab###ell.net':80
- 'ca####nbring.net':80
- 'al###being.net':80
- 'mo###olor.net':80
- 'pr####tbottom.net':80
- 'se####berguide.net':80
- 'de###ame.net':80
- 'ro###ame.net':80
- 'de###alf.net':80
- 'ro###alf.net':80
- 'de###uide.net':80
- 'ro###ate.net':80
- 'wr###half.net':80
- 'ro###uide.net':80
- 'de###ate.net':80
- 'wi###ate.net':80
- 'jo###alf.net':80
- 'wi###alf.net':80
- 'ha###ate.net':80
- 'se####berlate.net':80
- 'jo###ame.net':80
- 'wi###uide.net':80
- 'jo###ate.net':80
- 'wi###ame.net':80
- 'jo###uide.net':80
TCP:
HTTP GET requests:
- http://hu###fish.net/index.php
- http://ha###ish.net/index.php
- http://hu###lady.net/index.php
- http://ha###ady.net/index.php
- http://ya###ing.net/index.php
- http://mu###past.net/index.php
- http://ya###ady.net/index.php
- http://mu###wing.net/index.php
- http://ya###ast.net/index.php
- http://ha###ast.net/index.php
- http://wr###guide.net/index.php
- http://ma###uide.net/index.php
- http://wr###name.net/index.php
- http://ma###ame.net/index.php
- http://wr###late.net/index.php
- http://ha###ing.net/index.php
- http://hu###past.net/index.php
- http://ma###ate.net/index.php
- http://hu###wing.net/index.php
- http://mu###lady.net/index.php
- http://fr###past.net/index.php
- http://of###past.net/index.php
- http://fr###wing.net/index.php
- http://of###wing.net/index.php
- http://fr###lady.net/index.php
- http://of###fish.net/index.php
- http://se####berwing.net/index.php
- http://of###lady.net/index.php
- http://fr###fish.net/index.php
- http://sp###fish.net/index.php
- http://we###ing.net/index.php
- http://sp###wing.net/index.php
- http://ya###ish.net/index.php
- http://mu###fish.net/index.php
- http://we###ast.net/index.php
- http://sp###lady.net/index.php
- http://we###ish.net/index.php
- http://sp###past.net/index.php
- http://we###ady.net/index.php
- http://ma###alf.net/index.php
- http://fr###late.net/index.php
- http://of###late.net/index.php
- http://be##lxc.com/index.php
- http://of###guide.net/index.php
- http://ha###alf.net/index.php
- http://se####bername.net/index.php
- http://ha###uide.net/index.php
- http://se####berhalf.net/index.php
- http://ha###ame.net/index.php
- http://ri###nstorm.net/index.php
- http://mo###ugust.net/index.php
- http://mi###hown.net/index.php
- http://cr#####onaraminta.net/index.php
- http://le###form.net/index.php
- http://ab###ell.net/index.php
- http://ca####nbring.net/index.php
- http://al###being.net/index.php
- http://mo###olor.net/index.php
- http://pr####tbottom.net/index.php
- http://se####berguide.net/index.php
- http://de###ame.net/index.php
- http://ro###ame.net/index.php
- http://de###alf.net/index.php
- http://ro###alf.net/index.php
- http://de###uide.net/index.php
- http://ro###ate.net/index.php
- http://wr###half.net/index.php
- http://ro###uide.net/index.php
- http://de###ate.net/index.php
- http://wi###ate.net/index.php
- http://jo###alf.net/index.php
- http://wi###alf.net/index.php
- http://ha###ate.net/index.php
- http://se####berlate.net/index.php
- http://jo###ame.net/index.php
- http://wi###uide.net/index.php
- http://jo###ate.net/index.php
- http://wi###ame.net/index.php
- http://jo###uide.net/index.php
UDP:
- DNS ASK hu###fish.net
- DNS ASK ha###ish.net
- DNS ASK ha###ady.net
- DNS ASK ha###ast.net
- DNS ASK hu###lady.net
- DNS ASK mu###past.net
- DNS ASK ya###ady.net
- DNS ASK ya###ast.net
- DNS ASK ya###ing.net
- DNS ASK mu###wing.net
- DNS ASK wr###guide.net
- DNS ASK ma###uide.net
- DNS ASK ma###ame.net
- DNS ASK ma###alf.net
- DNS ASK wr###name.net
- DNS ASK ha###ing.net
- DNS ASK hu###past.net
- DNS ASK hu###wing.net
- DNS ASK wr###late.net
- DNS ASK ma###ate.net
- DNS ASK fr###past.net
- DNS ASK of###past.net
- DNS ASK of###wing.net
- DNS ASK sp###fish.net
- DNS ASK fr###wing.net
- DNS ASK of###fish.net
- DNS ASK se####berwing.net
- DNS ASK fr###fish.net
- DNS ASK fr###lady.net
- DNS ASK of###lady.net
- DNS ASK we###ing.net
- DNS ASK sp###wing.net
- DNS ASK mu###fish.net
- DNS ASK mu###lady.net
- DNS ASK ya###ish.net
- DNS ASK sp###lady.net
- DNS ASK we###ish.net
- DNS ASK we###ady.net
- DNS ASK we###ast.net
- DNS ASK sp###past.net
- DNS ASK fr###late.net
- DNS ASK of###late.net
- DNS ASK be##lxc.com
- DNS ASK of###guide.net
- DNS ASK ha###alf.net
- DNS ASK se####bername.net
- DNS ASK ha###uide.net
- DNS ASK se####berhalf.net
- DNS ASK ha###ame.net
- DNS ASK ri###nstorm.net
- DNS ASK mo###ugust.net
- DNS ASK mi###hown.net
- DNS ASK cr#####onaraminta.net
- DNS ASK le###form.net
- DNS ASK ab###ell.net
- DNS ASK ca####nbring.net
- DNS ASK al###being.net
- DNS ASK mo###olor.net
- DNS ASK pr####tbottom.net
- DNS ASK se####berguide.net
- DNS ASK de###ame.net
- DNS ASK ro###ame.net
- DNS ASK de###alf.net
- DNS ASK ro###alf.net
- DNS ASK de###uide.net
- DNS ASK ro###ate.net
- DNS ASK wr###half.net
- DNS ASK ro###uide.net
- DNS ASK de###ate.net
- DNS ASK wi###ate.net
- DNS ASK jo###alf.net
- DNS ASK wi###alf.net
- DNS ASK ha###ate.net
- DNS ASK se####berlate.net
- DNS ASK jo###ame.net
- DNS ASK wi###uide.net
- DNS ASK jo###ate.net
- DNS ASK wi###ame.net
- DNS ASK jo###uide.net
- '23#.#55.255.250':1900