Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'Search Name Media Helper Resolution' = 'C:\dzyuo84bcd2\azoctdx.exe'
Creates the following services:
- [<HKLM>\SYSTEM\ControlSet001\Services\Secure Virtual Offline Group Manager] 'Start' = '00000002'
- [<HKLM>\SYSTEM\ControlSet001\Services\Secure Virtual Offline Group Manager] 'ImagePath' = 'C:\dzyuo84bcd2\azoctdx.exe'
Modifies file system:
Creates the following files:
- %WINDIR%\dzyuo84bcd2\rhocg97heckg
- C:\dzyuo84bcd2\rhocg97heckg
- C:\dzyuo84bcd2\nntxqyi2g25dtamyula0b.exe
- C:\dzyuo84bcd2\azoctdx.exe
- C:\dzyuo84bcd2\ceelpkqzutetf.exe
- C:\dzyuo84bcd2\iqqxcysi4p9
Sets the 'hidden' attribute to the following files:
- C:\dzyuo84bcd2\azoctdx.exe
- C:\dzyuo84bcd2\ceelpkqzutetf.exe
Deletes the following files:
- %WINDIR%\dzyuo84bcd2\rhocg97heckg
- C:\dzyuo84bcd2\nntxqyi2g25dtamyula0b.exe
Substitutes the following files:
- %WINDIR%\dzyuo84bcd2\rhocg97heckg
Network activity:
Connects to:
- 'tr#####ancharissa.net':80
- 'ka#####nemaddison.net':80
- 'co#####nemaddison.net':80
- 'ka#####necharissa.net':80
- 'co#####necharissa.net':80
- 'ka#####nevirginia.net':80
- 'co#####nevirginia.net':80
- 'ro#####ltangelina.net':80
- 'ra#####feangelina.net':80
- 'ro#####ltmaddison.net':80
- 'ra#####femaddison.net':80
- 'ro#####ltcharissa.net':80
- 'ra#####fecharissa.net':80
- 'ro#####ltvirginia.net':80
- 'ra#####fevirginia.net':80
- 'qu#####laangelina.net':80
- 'qu#####lamaddison.net':80
- 'qu#####lacharissa.net':80
- 'qu#####lavirginia.net':80
- 'jo#####nechauncey.net':80
- 'se#####nachauncey.net':80
- 'jo#####negretchen.net':80
- 'se#####nagretchen.net':80
- 'jo#####necalanthe.net':80
- 'se#####nacalanthe.net':80
- 'jo#####neashleigh.net':80
- 'co#####neangelina.net':80
- 'se#####naashleigh.net':80
- 'ka#####neangelina.net':80
- 'ch#####asvirginia.net':80
- 'se#####ercharissa.net':80
- 'tr#####anvirginia.net':80
- 'se#####ervirginia.net':80
- 'co#####erangelina.net':80
- 'ra#####leangelina.net':80
- 'co#####ermaddison.net':80
- 'ra#####lemaddison.net':80
- 'co#####ercharissa.net':80
- 'ra#####lecharissa.net':80
- 'co#####ervirginia.net':80
- 'ra#####levirginia.net':80
- 'co#####usangelina.net':80
- 'ma#####neangelina.net':80
- 'co#####usmaddison.net':80
- 'ma#####nemaddison.net':80
- 'co#####uscharissa.net':80
- 'ma#####necharissa.net':80
- 'co#####usvirginia.net':80
- 'ma#####nevirginia.net':80
- 'ch#####asangelina.net':80
- 'sh#####neangelina.net':80
- 'ch#####asmaddison.net':80
- 'sh#####nemaddison.net':80
- 'ch#####ascharissa.net':80
- 'sh#####necharissa.net':80
- 'sh#####nevirginia.net':80
- 'tr#####anchauncey.net':80
TCP:
HTTP GET requests:
- http://tr#####ancharissa.net/index.php
- http://ka#####nemaddison.net/index.php
- http://co#####nemaddison.net/index.php
- http://ka#####necharissa.net/index.php
- http://co#####necharissa.net/index.php
- http://ka#####nevirginia.net/index.php
- http://co#####nevirginia.net/index.php
- http://ro#####ltangelina.net/index.php
- http://ra#####feangelina.net/index.php
- http://ro#####ltmaddison.net/index.php
- http://ra#####femaddison.net/index.php
- http://ro#####ltcharissa.net/index.php
- http://ra#####fecharissa.net/index.php
- http://ro#####ltvirginia.net/index.php
- http://ra#####fevirginia.net/index.php
- http://qu#####laangelina.net/index.php
- http://qu#####lamaddison.net/index.php
- http://qu#####lacharissa.net/index.php
- http://qu#####lavirginia.net/index.php
- http://jo#####nechauncey.net/index.php
- http://se#####nachauncey.net/index.php
- http://jo#####negretchen.net/index.php
- http://se#####nagretchen.net/index.php
- http://jo#####necalanthe.net/index.php
- http://se#####nacalanthe.net/index.php
- http://jo#####neashleigh.net/index.php
- http://co#####neangelina.net/index.php
- http://se#####naashleigh.net/index.php
- http://ka#####neangelina.net/index.php
- http://ch#####asvirginia.net/index.php
- http://se#####ercharissa.net/index.php
- http://tr#####anvirginia.net/index.php
- http://se#####ervirginia.net/index.php
- http://co#####erangelina.net/index.php
- http://ra#####leangelina.net/index.php
- http://co#####ermaddison.net/index.php
- http://ra#####lemaddison.net/index.php
- http://co#####ercharissa.net/index.php
- http://ra#####lecharissa.net/index.php
- http://co#####ervirginia.net/index.php
- http://ra#####levirginia.net/index.php
- http://co#####usangelina.net/index.php
- http://ma#####neangelina.net/index.php
- http://co#####usmaddison.net/index.php
- http://ma#####nemaddison.net/index.php
- http://co#####uscharissa.net/index.php
- http://ma#####necharissa.net/index.php
- http://co#####usvirginia.net/index.php
- http://ma#####nevirginia.net/index.php
- http://ch#####asangelina.net/index.php
- http://sh#####neangelina.net/index.php
- http://ch#####asmaddison.net/index.php
- http://sh#####nemaddison.net/index.php
- http://ch#####ascharissa.net/index.php
- http://sh#####necharissa.net/index.php
- http://sh#####nevirginia.net/index.php
- http://tr#####anchauncey.net/index.php
UDP:
- DNS ASK tr#####ancharissa.net
- DNS ASK ka#####necharissa.net
- DNS ASK co#####necharissa.net
- DNS ASK ka#####nevirginia.net
- DNS ASK co#####nevirginia.net
- DNS ASK ro#####ltangelina.net
- DNS ASK ra#####feangelina.net
- DNS ASK ro#####ltmaddison.net
- DNS ASK ra#####femaddison.net
- DNS ASK ro#####ltcharissa.net
- DNS ASK ra#####fecharissa.net
- DNS ASK ro#####ltvirginia.net
- DNS ASK co#####usmaddison.net
- DNS ASK ra#####fevirginia.net
- DNS ASK qu#####lamaddison.net
- DNS ASK qu#####lacharissa.net
- DNS ASK qu#####lavirginia.net
- DNS ASK jo#####nechauncey.net
- DNS ASK se#####nachauncey.net
- DNS ASK jo#####negretchen.net
- DNS ASK se#####nagretchen.net
- DNS ASK jo#####necalanthe.net
- DNS ASK se#####nacalanthe.net
- DNS ASK jo#####neashleigh.net
- DNS ASK se#####naashleigh.net
- DNS ASK ka#####nemaddison.net
- DNS ASK co#####nemaddison.net
- DNS ASK co#####neangelina.net
- DNS ASK ka#####neangelina.net
- DNS ASK sh#####nevirginia.net
- DNS ASK tr#####anvirginia.net
- DNS ASK se#####ervirginia.net
- DNS ASK co#####erangelina.net
- DNS ASK ra#####leangelina.net
- DNS ASK co#####ermaddison.net
- DNS ASK ra#####lemaddison.net
- DNS ASK co#####ercharissa.net
- DNS ASK ra#####lecharissa.net
- DNS ASK co#####ervirginia.net
- DNS ASK ra#####levirginia.net
- DNS ASK co#####usangelina.net
- DNS ASK tr#####anchauncey.net
- DNS ASK qu#####laangelina.net
- DNS ASK ma#####neangelina.net
- DNS ASK co#####uscharissa.net
- DNS ASK ma#####necharissa.net
- DNS ASK co#####usvirginia.net
- DNS ASK ma#####nevirginia.net
- DNS ASK ch#####asangelina.net
- DNS ASK sh#####neangelina.net
- DNS ASK ch#####asmaddison.net
- DNS ASK sh#####nemaddison.net
- DNS ASK ch#####ascharissa.net
- DNS ASK sh#####necharissa.net
- DNS ASK ch#####asvirginia.net
- DNS ASK se#####ercharissa.net
- DNS ASK ma#####nemaddison.net
- DNS ASK se#####erchauncey.net
Miscellaneous:
Creates and executes the following:
- 'C:\dzyuo84bcd2\nntxqyi2g25dtamyula0b.exe'
- 'C:\dzyuo84bcd2\azoctdx.exe'
- 'C:\dzyuo84bcd2\ceelpkqzutetf.exe' "c:\dzyuo84bcd2\azoctdx.exe"
