Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKCU>\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Shell' = '<LS_APPDATA>\f5a698ed\X'
Creates the following services:
- [<HKLM>\SYSTEM\ControlSet001\Services\.mrxsmb] 'ImagePath' = '\?'
Malicious functions:
Creates and executes the following:
- <LS_APPDATA>\f5a698ed\X
Injects code into
the following system processes:
- <SYSTEM32>\winlogon.exe
- %WINDIR%\Explorer.EXE
Modifies file system :
Creates the following files:
- <LS_APPDATA>\f5a698ed\@
- <LS_APPDATA>\f5a698ed\X
- %WINDIR%\$NtUninstallKB37556$\4121336045\L\alehhooo
- %WINDIR%\$NtUninstallKB37556$\4121336045\@
Network activity:
Connects to:
- '18#.#34.26.3':21810
- '11#.#7.71.222':21810
- '88.##2.28.117':21810
- '46.##.136.241':21810
- '18#.#4.220.100':21810
- '94.##6.216.58':21810
- '83.##1.175.100':21810
- '95.##.104.186':21810
- '15#.#81.152.212':21810
- '95.##.250.190':21810
- '95.#7.64.33':21810
- '59.#5.165.9':21810
- '20#.#31.189.123':21810
- '95.##.224.254':21810
- '68.##0.154.146':21810
- '18#.#7.106.236':21810
- '95.##.156.164':21810
- '17#.#3.183.102':21810
- '84.##0.211.140':21810
- '19#.#4.176.32':21810
- '17#.#3.134.123':21810
- '27.##6.80.124':21810
- '85.##.62.208':21810
- '18#.#93.82.225':21810
- '12#.#26.126.171':21810
- '11#.0.73.18':21810
- '85.##.173.28':21810
- '85.##5.82.232':21810
- '11#.#5.241.191':21810
- '18#.#23.43.132':21810
- '93.##7.120.65':21810
- '72.##0.169.62':21810
- '78.##.14.151':21810
- '18#.#.37.114':21810
- '10#.#65.26.120':21810
- '92.#6.11.42':21810
- '10#.#2.213.217':21810
- '99.##5.245.27':21810
- '18#.#4.81.117':21810
- '41.##3.214.80':21810
- '21#.#19.205.124':21810
- '89.##6.238.39':21810
- '46.##7.90.115':21810
- '11#.#2.71.125':21810
- '2.##3.70.43':21810
- '20#.#41.224.253':21810
- '95.##.139.159':21810
- '72.##4.14.145':21810
- '85.##.173.162':21810
- '17#.#9.90.216':21810
- '92.#7.0.77':21810
- '39.##3.191.142':21810
- '2.###.47.192':21810
- '95.##.145.205':21810
- '11#.#5.108.38':21810
- '12#.#01.140.227':21810
- '17#.#0.90.83':21810
- '10#.#4.209.221':21810
- '46.##8.216.87':21810
- '2.###.157.102':21810
- '92.##.233.69':21810
- '31.#.100.45':21810
- '11#.#41.24.9':21810
- '10#.#11.2.64':21810
- '31.##3.65.92':21810
- '2.###.30.119':21810
- '95.##.217.116':21810
- '77.##.247.43':21810
- '2.###.149.225':21810
- '21#.#6.20.140':21810
- '20#.#94.116.237':21810
- '62.##9.109.225':21810
- '10#.#39.38.96':21810
- '21#.#6.24.215':21810
- '46.##1.150.190':21810
- '41.##1.103.114':21810
- '19#.#42.171.216':21810
- '19#.#01.105.31':21810
- '85.##.189.155':21810
- '18#.#61.98.248':21810
- '89.##.119.146':21810
- '19#.#2.229.60':21810
- '17#.#0.109.234':21810
- '11#.#12.68.145':21810
- '11#.#.176.190':21810
- '19#.#6.11.206':21810
- '20#.#34.113.61':21810
- '95.##.235.62':21810
- '46.#9.8.151':21810
- '49.##0.96.30':21810
- '93.##5.246.57':21810
- '84.##4.15.217':21810
- '41.##0.33.60':21810
- '21#.#6.22.173':21810
- '95.##.240.17':21810
- '2.###.46.104':21810
- '41.##1.98.150':21810
- '19#.#27.133.5':21810
- '27.##7.161.151':21810
- '19#.#83.91.109':21810
- '24.##.120.124':21810
- '18#.#.86.200':21810
- '17#.#0.54.207':21810
- '95.##.152.40':21810
- '19#.#6.123.61':21810
- '11#.#97.8.110':21810
- '31.##9.9.121':21810
- '20#.#73.92.117':21810
- '46.##8.183.9':21810
- '95.##.49.159':21810
- '62.#4.60.54':21810
- '18#.#84.70.228':21810
- '49.##2.119.222':21810
- '20#.#40.176.173':21810
- '92.##.248.117':21810
- '59.##.129.78':21810
- '12#.#76.49.99':21810
- '19#.#8.167.233':21810
- '15#.#81.140.223':21810
- '83.##9.174.88':21810
- '18#.#15.87.158':21810
- '92.##5.103.57':21810
- '20#.#79.6.162':21810
- '18#.#09.33.249':21810
- '89.##7.152.229':21810
- '95.##.38.185':21810
- '18#.#6.13.165':21810
- '17#.#0.187.95':21810
- '31.##4.245.59':21810
- '59.##.75.232':21810
- '41.##.215.201':21810
- '17#.#0.20.140':21810
- '11#.#2.148.58':21810
- '79.##7.76.158':21810
- '31.##9.5.216':21810
- '19#.#2.248.66':21810
- '2.###.209.149':21810
- '17#.#0.18.30':21810
- '17#.#5.221.226':21810
- '10#.#82.57.232':21810
- '87.#7.69.17':21810
- '11#.#5.103.226':21810
- '95.##.165.176':21810
- '1.###.83.237':21810
- '12#.#10.28.197':21810
- '11#.#7.30.37':21810
- '41.##7.129.251':21810
- '17#.91.97.6':21810
- '2.###.51.241':21810
- '20#.#11.134.150':21810
- '95.##.107.251':21810
- '21#.#30.111.13':21810
- '11#.#5.225.19':21810
- '87.##0.143.34':21810
- '11#.#8.116.217':21810
- '17#.#10.62.23':21810
- '95.##.104.22':21810
- '11#.#46.179.200':21810
- '11#.#13.2.191':21810
- '17#.#0.53.79':21810
- '17#.#0.187.77':21810
- '2.###.92.240':21810
- '17#.#8.12.134':21810
- '87.##7.55.94':21810
- '13#.#69.129.185':21810
- '31.##.182.91':21810
- '94.##.13.249':21810
- '95.##.45.182':21810
- '18#.#1.12.103':21810
- '20#.#27.252.30':21810
- '17#.#3.17.23':80
- '2.###.198.23':21810
- '41.##1.169.113':21810
- '89.##.27.129':21810
- '95.##.48.182':21810
- '31.##2.11.225':21810
- '31.##3.28.248':21810
- '2.###.183.96':21810
- '31.##9.1.220':21810
- '17#.#7.178.214':21810
- '11#.#8.4.200':21810
- '68.##5.230.183':21810
- '81.##6.88.188':21810
- '17#.#69.144.33':21810
- '95.##.111.59':21810
- '10#.#06.148.215':21810
- '95.##.178.219':21810
- '11#.#99.130.85':21810
- '2.###.153.135':21810
- '17#.#75.17.105':21810
- '79.##7.73.45':21810
- '1.##.9.81':21810
- '95.##.130.35':21810
- '84.##0.209.251':21810
- '11#.#5.130.154':21810
- '94.##.80.233':21810
- '87.##7.10.142':21810
- '11#.#93.203.211':21810
- '95.#8.43.60':21810
- '92.##.128.138':21810
- '17#.#0.215.234':21810
- '31.##2.162.14':21810
- '18#.#3.80.133':21810
- '89.##4.73.20':21810
- '10#.#18.33.54':21810
- '85.##.189.75':21810
- '79.##7.108.89':21810
- '21#.#55.60.250':21810
- '20#.#92.228.144':21810
- '88.##.249.39':21810
- '79.##9.185.108':21810
- '17#.#0.60.59':21810
- '46.##.14.128':21810
- '19#.#05.135.93':21810
- '46.##0.122.129':21810
- '10#.#91.30.57':21810
- '11#.#24.131.223':21810
- '21#.#7.16.26':21810
- '62.##3.12.31':21810
- '83.#1.96.49':21810
- '93.##9.20.223':21810
- '20#.#72.82.78':21810
- '46.##5.96.250':21810
- '16#.#94.29.110':21810
- '11#.#12.186.141':21810
- '59.##.138.75':21810
- '14.#8.2.198':21810
- '2.###.201.131':21810
- '82.##5.29.84':21810
- '18#.2.24.94':21810
- '59.##1.185.254':21810
- '13#.#69.137.141':21810
- '89.##1.88.171':21810
- '12#.#08.17.176':21810
- '95.##.106.56':21810
- '21#.#19.213.233':21810
- '46.##1.235.169':21810
- '11#.#2.81.135':21810
- '75.##9.213.0':21810
- '79.##2.39.242':21810
- '17#.#1.60.127':21810
- '24.#.204.107':21810
- '95.##.219.255':21810
- '21#.76.2.37':21810
- '95.##.196.58':21810
- '85.#.116.103':21810
- '17#.#68.22.160':21810
- '92.##4.183.253':21810
- '11#.#93.102.117':21810
- '20#.#77.254.96':21810
- '2.##2.63.3':21810
- '11#.#48.162.133':21810
- '19#.#77.205.27':21810
- '12#.#0.2.151':21810
- '17#.#4.193.94':21810
TCP:
HTTP GET requests:
- 17#.#3.17.23/bad.php?w=######################
- 17#.#3.17.23/stat2.php?w=##########################################
- 17#.#3.17.23/stat2.php?w=#########################################
