Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'Sharing Video Logs File Drive' = '<SYSTEM32>\pchjasbesx.exe'
Creates the following services:
- [<HKLM>\SYSTEM\ControlSet001\Services\Extender Time Auto-Discovery Awareness] 'Start' = '00000002'
Malicious functions:
To complicate detection of its presence in the operating system,
blocks the following features:
- Windows Security Center
Creates and executes the following:
- '<SYSTEM32>\kjyzwzobf.exe' "<SYSTEM32>\pchjasbesx.exe"
- '%WINDIR%\Temp\t8bue33l34r3j.exe' -r 43490 tcp
- '%TEMP%\t8bue33emxr3jesnerz.exe'
- '<SYSTEM32>\pchjasbesx.exe'
Modifies file system :
Creates the following files:
- <SYSTEM32>\wxisddktjbjlj\run
- <SYSTEM32>\wxisddktjbjlj\rng
- %WINDIR%\Temp\t8bue33l34r3j.exe
- <SYSTEM32>\wxisddktjbjlj\cfg
- <SYSTEM32>\kjyzwzobf.exe
- %TEMP%\t8bue33emxr3jesnerz.exe
- <SYSTEM32>\wxisddktjbjlj\tst
- <SYSTEM32>\pchjasbesx.exe
- <SYSTEM32>\wxisddktjbjlj\etc
Sets the 'hidden' attribute to the following files:
- <SYSTEM32>\kjyzwzobf.exe
- <SYSTEM32>\pchjasbesx.exe
Deletes the following files:
- %WINDIR%\Temp\t8bue33l34r3j.exe
- <DRIVERS>\etc\hosts
- %TEMP%\t8bue33emxr3jesnerz.exe
Substitutes the HOSTS file.
Network activity:
Connects to:
- 'ha###ast.net':80
- 'hu###lady.net':80
- 'hu###past.net':80
- 'hu###wing.net':80
- 'ha###ing.net':80
- 'ya###ing.net':80
- 'mu###wing.net':80
- 'ha###ish.net':80
- 'ha###ady.net':80
- 'hu###fish.net':80
- 'ma###alf.net':80
- 'wr###name.net':80
- 'wr###half.net':80
- 'de###ate.net':80
- 'ro###ate.net':80
- 'wr###late.net':80
- 'ma###ate.net':80
- 'ma###uide.net':80
- 'ma###ame.net':80
- 'wr###guide.net':80
- 'sp###fish.net':80
- 'fr###wing.net':80
- 'we###ish.net':80
- 'we###ady.net':80
- 'sp###lady.net':80
- 'fr###lady.net':80
- 'of###lady.net':80
- 'of###past.net':80
- 'of###wing.net':80
- 'fr###past.net':80
- 'mu###lady.net':80
- 'ya###ish.net':80
- 'ya###ady.net':80
- 'ya###ast.net':80
- 'mu###past.net':80
- 'we###ast.net':80
- 'sp###past.net':80
- 'sp###wing.net':80
- 'mu###fish.net':80
- 'we###ing.net':80
- 'of###name.net':80
- 'fr###guide.net':80
- 'fr###name.net':80
- 'fr###half.net':80
- 'of###half.net':80
- 'ha###alf.net':80
- 'se####berhalf.net':80
- 'of###late.net':80
- 'of###guide.net':80
- 'fr###late.net':80
- 'de###lxc.com':80
- 'we###ame.net':80
- 'be##lxc.com':80
- 'ri###nstorm.net':80
- 'af###sllc.com':80
- 'we###ate.net':80
- 'sp###late.net':80
- 'sp###guide.net':80
- 'sp###name.net':80
- 'we###uide.net':80
- 'wi###ate.net':80
- 'de###alf.net':80
- 'jo###ate.net':80
- 'jo###uide.net':80
- 'wi###uide.net':80
- 'de###uide.net':80
- 'ro###uide.net':80
- 'ro###ame.net':80
- 'ro###alf.net':80
- 'de###ame.net':80
- 'se####berguide.net':80
- 'ha###ate.net':80
- 'ha###uide.net':80
- 'ha###ame.net':80
- 'se####bername.net':80
- 'jo###ame.net':80
- 'wi###ame.net':80
- 'wi###alf.net':80
- 'se####berlate.net':80
- 'jo###alf.net':80
TCP:
HTTP GET requests:
- http://ha###ast.net/index.php
- http://hu###lady.net/index.php
- http://hu###past.net/index.php
- http://hu###wing.net/index.php
- http://ha###ing.net/index.php
- http://ya###ing.net/index.php
- http://mu###wing.net/index.php
- http://ha###ish.net/index.php
- http://ha###ady.net/index.php
- http://hu###fish.net/index.php
- http://ma###alf.net/index.php
- http://wr###name.net/index.php
- http://wr###half.net/index.php
- http://de###ate.net/index.php
- http://ro###ate.net/index.php
- http://wr###late.net/index.php
- http://ma###ate.net/index.php
- http://ma###uide.net/index.php
- http://ma###ame.net/index.php
- http://wr###guide.net/index.php
- http://sp###fish.net/index.php
- http://fr###wing.net/index.php
- http://we###ish.net/index.php
- http://we###ady.net/index.php
- http://sp###lady.net/index.php
- http://fr###lady.net/index.php
- http://of###lady.net/index.php
- http://of###past.net/index.php
- http://of###wing.net/index.php
- http://fr###past.net/index.php
- http://mu###lady.net/index.php
- http://ya###ish.net/index.php
- http://ya###ady.net/index.php
- http://ya###ast.net/index.php
- http://mu###past.net/index.php
- http://we###ast.net/index.php
- http://sp###past.net/index.php
- http://sp###wing.net/index.php
- http://mu###fish.net/index.php
- http://we###ing.net/index.php
- http://of###name.net/index.php
- http://fr###guide.net/index.php
- http://fr###name.net/index.php
- http://fr###half.net/index.php
- http://of###half.net/index.php
- http://ha###alf.net/index.php
- http://se####berhalf.net/index.php
- http://of###late.net/index.php
- http://of###guide.net/index.php
- http://fr###late.net/index.php
- http://de###lxc.com/index.php
- http://we###ame.net/index.php
- http://be##lxc.com/index.php
- http://ri###nstorm.net/index.php
- http://af###sllc.com/index.php
- http://we###ate.net/index.php
- http://sp###late.net/index.php
- http://sp###guide.net/index.php
- http://sp###name.net/index.php
- http://we###uide.net/index.php
- http://wi###ate.net/index.php
- http://de###alf.net/index.php
- http://jo###ate.net/index.php
- http://jo###uide.net/index.php
- http://wi###uide.net/index.php
- http://de###uide.net/index.php
- http://ro###uide.net/index.php
- http://ro###ame.net/index.php
- http://ro###alf.net/index.php
- http://de###ame.net/index.php
- http://se####berguide.net/index.php
- http://ha###ate.net/index.php
- http://ha###uide.net/index.php
- http://ha###ame.net/index.php
- http://se####bername.net/index.php
- http://jo###ame.net/index.php
- http://wi###ame.net/index.php
- http://wi###alf.net/index.php
- http://se####berlate.net/index.php
- http://jo###alf.net/index.php
UDP:
- DNS ASK ha###ast.net
- DNS ASK hu###lady.net
- DNS ASK hu###past.net
- DNS ASK hu###wing.net
- DNS ASK ha###ing.net
- DNS ASK ya###ing.net
- DNS ASK mu###wing.net
- DNS ASK ha###ish.net
- DNS ASK ha###ady.net
- DNS ASK hu###fish.net
- DNS ASK ma###alf.net
- DNS ASK wr###name.net
- DNS ASK wr###half.net
- DNS ASK de###ate.net
- DNS ASK ro###ate.net
- DNS ASK wr###late.net
- DNS ASK ma###ate.net
- DNS ASK ma###uide.net
- DNS ASK ma###ame.net
- DNS ASK wr###guide.net
- DNS ASK sp###fish.net
- DNS ASK fr###wing.net
- DNS ASK we###ish.net
- DNS ASK we###ady.net
- DNS ASK sp###lady.net
- DNS ASK fr###lady.net
- DNS ASK of###lady.net
- DNS ASK of###past.net
- DNS ASK of###wing.net
- DNS ASK fr###past.net
- DNS ASK mu###lady.net
- DNS ASK ya###ish.net
- DNS ASK ya###ady.net
- DNS ASK ya###ast.net
- DNS ASK mu###past.net
- DNS ASK we###ast.net
- DNS ASK sp###past.net
- DNS ASK sp###wing.net
- DNS ASK mu###fish.net
- DNS ASK we###ing.net
- DNS ASK ro###uide.net
- DNS ASK fr###name.net
- DNS ASK of###name.net
- DNS ASK fr###half.net
- DNS ASK of###half.net
- DNS ASK fr###guide.net
- DNS ASK of###late.net
- DNS ASK ha###alf.net
- DNS ASK of###guide.net
- DNS ASK fr###late.net
- DNS ASK sp###late.net
- DNS ASK be##lxc.com
- DNS ASK de###lxc.com
- DNS ASK ri###nstorm.net
- DNS ASK af###sllc.com
- DNS ASK we###ame.net
- DNS ASK sp###guide.net
- DNS ASK we###ate.net
- DNS ASK sp###name.net
- DNS ASK we###uide.net
- DNS ASK se####berhalf.net
- DNS ASK jo###ate.net
- DNS ASK wi###ate.net
- DNS ASK jo###uide.net
- DNS ASK wi###uide.net
- DNS ASK de###alf.net
- DNS ASK ro###ame.net
- DNS ASK de###uide.net
- DNS ASK ro###alf.net
- DNS ASK de###ame.net
- DNS ASK wi###ame.net
- DNS ASK ha###uide.net
- DNS ASK se####berguide.net
- DNS ASK ha###ame.net
- DNS ASK se####bername.net
- DNS ASK ha###ate.net
- DNS ASK wi###alf.net
- DNS ASK jo###ame.net
- DNS ASK se####berlate.net
- DNS ASK jo###alf.net
- '23#.#55.255.250':1900