Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'Initiator DHCP Audio TPM Tracking' = 'C:\y7wbtiqcuoxps\rypfwlra.exe'
Creates the following services:
- [<HKLM>\SYSTEM\ControlSet001\Services\Network Defender WWAN Input] 'ImagePath' = 'C:\y7wbtiqcuoxps\rypfwlra.exe'
- [<HKLM>\SYSTEM\ControlSet001\Services\Network Defender WWAN Input] 'Start' = '00000002'
Malicious functions:
Creates and executes the following:
- 'C:\y7wbtiqcuoxps\tthavfjdtt2j.exe' "c:\y7wbtiqcuoxps\rypfwlra.exe"
- 'C:\y7wbtiqcuoxps\rypfwlra.exe'
- 'C:\y7wbtiqcuoxps\lgaxcyj2q9rkrkfkc5cr.exe'
Modifies file system:
Creates the following files:
- C:\y7wbtiqcuoxps\rypfwlra.exe
- C:\y7wbtiqcuoxps\tthavfjdtt2j.exe
- C:\y7wbtiqcuoxps\icmuud
- %WINDIR%\y7wbtiqcuoxps\pht1puy
- C:\y7wbtiqcuoxps\pht1puy
- C:\y7wbtiqcuoxps\lgaxcyj2q9rkrkfkc5cr.exe
Sets the 'hidden' attribute to the following files:
- C:\y7wbtiqcuoxps\tthavfjdtt2j.exe
- C:\y7wbtiqcuoxps\rypfwlra.exe
Deletes the following files:
- C:\y7wbtiqcuoxps\lgaxcyj2q9rkrkfkc5cr.exe
- %WINDIR%\y7wbtiqcuoxps\pht1puy
Substitutes the following files:
- %WINDIR%\y7wbtiqcuoxps\pht1puy
Network activity:
Connects to:
- 'me#####hermirabelle.net':80
- 'st#####iaderrickson.net':80
- 'si#####tederrickson.net':80
- 'ca#####nemirabelle.net':80
- 'me#####heresmaralda.net':80
- 'ca#####nemadelina.net':80
- 'me#####hermadelina.net':80
- 'st#####iawilliamson.net':80
- 'si#####tewilliamson.net':80
- 'gr#####lederrickson.net':80
- 'si#####teherbertson.net':80
- 'st#####iawhittemore.net':80
- 'si#####tewhittemore.net':80
- 'st#####iaherbertson.net':80
- 'ca#####neesmaralda.net':80
- 'jo#####neamethyst.net':80
- 'ma#####ineamethyst.net':80
- 'jo#####neesmaralda.net':80
- 'wi#####edmirabelle.net':80
- 'sy#####ermadelina.net':80
- 'wi#####edmadelina.net':80
- 'sy#####ermirabelle.net':80
- 'ma#####inemirabelle.net':80
- 'ca#####neamethyst.net':80
- 'me#####heramethyst.net':80
- 'jo#####nemirabelle.net':80
- 'ma#####ineesmaralda.net':80
- 'jo#####nemadelina.net':80
- 'ma#####inemadelina.net':80
- 'gw#####ynherbertson.net':80
- 'ha#####teherbertson.net':80
- 'gw#####ynwilliamson.net':80
- 'ha#####tewhittemore.net':80
- 'gw#####ynderrickson.net':80
- 'ha#####tederrickson.net':80
- 'gw#####ynwhittemore.net':80
- 'ka#####nawhittemore.net':80
- 'br#####nnherbertson.net':80
- 'ka#####naherbertson.net':80
- 'br#####nnwhittemore.net':80
- 'ha#####tewilliamson.net':80
- 'br#####nnderrickson.net':80
- 'ka#####naderrickson.net':80
- 'je#####tewilliamson.net':80
- 'ma#####neherbertson.net':80
- 'gr#####lewilliamson.net':80
- 'ma#####newilliamson.net':80
- 'gr#####leherbertson.net':80
- 'ma#####nederrickson.net':80
- 'gr#####lewhittemore.net':80
- 'ma#####newhittemore.net':80
- 'ki#####eyherbertson.net':80
- 'je#####teherbertson.net':80
- 'ki#####eywilliamson.net':80
- 'je#####tewhittemore.net':80
- 'ki#####eyderrickson.net':80
- 'je#####tederrickson.net':80
- 'ki#####eywhittemore.net':80
TCP:
HTTP GET requests:
- http://me#####hermirabelle.net/index.php
- http://st#####iaderrickson.net/index.php
- http://si#####tederrickson.net/index.php
- http://ca#####nemirabelle.net/index.php
- http://me#####heresmaralda.net/index.php
- http://ca#####nemadelina.net/index.php
- http://me#####hermadelina.net/index.php
- http://st#####iawilliamson.net/index.php
- http://si#####tewilliamson.net/index.php
- http://gr#####lederrickson.net/index.php
- http://si#####teherbertson.net/index.php
- http://st#####iawhittemore.net/index.php
- http://si#####tewhittemore.net/index.php
- http://st#####iaherbertson.net/index.php
- http://ca#####neesmaralda.net/index.php
- http://jo#####neamethyst.net/index.php
- http://ma#####ineamethyst.net/index.php
- http://jo#####neesmaralda.net/index.php
- http://wi#####edmirabelle.net/index.php
- http://sy#####ermadelina.net/index.php
- http://wi#####edmadelina.net/index.php
- http://sy#####ermirabelle.net/index.php
- http://ma#####inemirabelle.net/index.php
- http://ca#####neamethyst.net/index.php
- http://me#####heramethyst.net/index.php
- http://jo#####nemirabelle.net/index.php
- http://ma#####ineesmaralda.net/index.php
- http://jo#####nemadelina.net/index.php
- http://ma#####inemadelina.net/index.php
- http://gw#####ynherbertson.net/index.php
- http://ha#####teherbertson.net/index.php
- http://gw#####ynwilliamson.net/index.php
- http://ha#####tewhittemore.net/index.php
- http://gw#####ynderrickson.net/index.php
- http://ha#####tederrickson.net/index.php
- http://gw#####ynwhittemore.net/index.php
- http://ka#####nawhittemore.net/index.php
- http://br#####nnherbertson.net/index.php
- http://ka#####naherbertson.net/index.php
- http://br#####nnwhittemore.net/index.php
- http://ha#####tewilliamson.net/index.php
- http://br#####nnderrickson.net/index.php
- http://ka#####naderrickson.net/index.php
- http://je#####tewilliamson.net/index.php
- http://ma#####neherbertson.net/index.php
- http://gr#####lewilliamson.net/index.php
- http://ma#####newilliamson.net/index.php
- http://gr#####leherbertson.net/index.php
- http://ma#####nederrickson.net/index.php
- http://gr#####lewhittemore.net/index.php
- http://ma#####newhittemore.net/index.php
- http://ki#####eyherbertson.net/index.php
- http://je#####teherbertson.net/index.php
- http://ki#####eywilliamson.net/index.php
- http://je#####tewhittemore.net/index.php
- http://ki#####eyderrickson.net/index.php
- http://je#####tederrickson.net/index.php
- http://ki#####eywhittemore.net/index.php
UDP:
- DNS ASK ca#####nemirabelle.net
- DNS ASK me#####hermirabelle.net
- DNS ASK st#####iaderrickson.net
- DNS ASK me#####hermadelina.net
- DNS ASK ca#####neesmaralda.net
- DNS ASK me#####heresmaralda.net
- DNS ASK ca#####nemadelina.net
- DNS ASK si#####teherbertson.net
- DNS ASK st#####iawilliamson.net
- DNS ASK si#####tewilliamson.net
- DNS ASK st#####iaherbertson.net
- DNS ASK si#####tederrickson.net
- DNS ASK st#####iawhittemore.net
- DNS ASK si#####tewhittemore.net
- DNS ASK me#####heramethyst.net
- DNS ASK wi#####edmirabelle.net
- DNS ASK jo#####neamethyst.net
- DNS ASK ma#####ineamethyst.net
- DNS ASK sy#####ermirabelle.net
- DNS ASK wi#####edesmaralda.net
- DNS ASK sy#####ermadelina.net
- DNS ASK wi#####edmadelina.net
- DNS ASK jo#####nemirabelle.net
- DNS ASK ma#####inemirabelle.net
- DNS ASK ca#####neamethyst.net
- DNS ASK ma#####inemadelina.net
- DNS ASK jo#####neesmaralda.net
- DNS ASK ma#####ineesmaralda.net
- DNS ASK jo#####nemadelina.net
- DNS ASK gr#####lederrickson.net
- DNS ASK gw#####ynherbertson.net
- DNS ASK ha#####teherbertson.net
- DNS ASK gw#####ynwilliamson.net
- DNS ASK ha#####tewhittemore.net
- DNS ASK gw#####ynderrickson.net
- DNS ASK ha#####tederrickson.net
- DNS ASK gw#####ynwhittemore.net
- DNS ASK ka#####nawhittemore.net
- DNS ASK br#####nnherbertson.net
- DNS ASK ka#####naherbertson.net
- DNS ASK br#####nnwhittemore.net
- DNS ASK ha#####tewilliamson.net
- DNS ASK br#####nnderrickson.net
- DNS ASK ka#####naderrickson.net
- DNS ASK je#####tewilliamson.net
- DNS ASK ma#####neherbertson.net
- DNS ASK gr#####lewilliamson.net
- DNS ASK ma#####newilliamson.net
- DNS ASK gr#####leherbertson.net
- DNS ASK ma#####nederrickson.net
- DNS ASK gr#####lewhittemore.net
- DNS ASK ma#####newhittemore.net
- DNS ASK ki#####eyherbertson.net
- DNS ASK je#####teherbertson.net
- DNS ASK ki#####eywilliamson.net
- DNS ASK je#####tewhittemore.net
- DNS ASK ki#####eyderrickson.net
- DNS ASK je#####tederrickson.net
- DNS ASK ki#####eywhittemore.net
