Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] '31781' = '<Full path to virus>'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] '31062' = '<Full path to virus>'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] '1824' = '<Full path to virus>'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] '5353' = '<Full path to virus>'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] '2542' = '<Full path to virus>'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] '28251' = '<Full path to virus>'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] '19099' = '<Full path to virus>'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] '18380' = '<Full path to virus>'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] '21910' = '<Full path to virus>'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] '25440' = '<Full path to virus>'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] '24721' = '<Full path to virus>'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] '8165' = '<Full path to virus>'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] '27187' = '<Full path to virus>'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] '18097' = '<Full path to virus>'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] '16067' = '<Full path to virus>'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] '22056' = '<Full path to virus>'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] '26912' = '<Full path to virus>'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] '636' = '<Full path to virus>'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] '11694' = '<Full path to virus>'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] '8883' = '<Full path to virus>'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] '14506' = '<Full path to virus>'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] '22221' = '<Full path to virus>'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] '15224' = '<Full path to virus>'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] '15569' = '<Full path to virus>'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] '857' = '<Full path to virus>'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] '3058' = '<Full path to virus>'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] '20734' = '<Full path to virus>'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] '26379' = '<Full path to virus>'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] '13103' = '<Full path to virus>'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] '13353' = '<Full path to virus>'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] '10887' = '<Full path to virus>'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] '23112' = '<Full path to virus>'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] '31816' = '<Full path to virus>'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] '10949' = '<Full path to virus>'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] '3952' = '<Full path to virus>'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] '29190' = '<Full path to virus>'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] '138' = '<Full path to virus>'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] '23816' = '<Full path to virus>'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] '7135' = '<Full path to virus>'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] '12758' = '<Full path to virus>'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] '12039' = '<Full path to virus>'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] '10540' = '<Full path to virus>'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] '6230' = '<Full path to virus>'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] '1326' = '<Full path to virus>'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] '9041' = '<Full path to virus>'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] '7011' = '<Full path to virus>'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] '20224' = '<Full path to virus>'
Malicious functions:
To bypass firewall, removes or modifies the following registry keys:
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'EnableFirewall' = '00000000'
Creates and executes the following:
- 'C:\lsass.exe' exe <Full path to virus>
Modifies file system :
Creates the following files:
- C:\lsass.exe
Network activity:
Connects to:
- '71.##.211.238':3128
- '98.##2.122.177':3128
- '85.##8.177.15':3128
- '88.#22.50.1':3128
- '89.##5.86.192':3128
- '12#.#13.210.154':3128
- '21#.#26.42.183':3128
- '24.##.119.149':3128
- '11#.#5.183.198':3128
- '19#.#5.102.101':3128
- '76.##.61.100':3128
- '24.##2.183.182':3128
- '89.#.64.243':3128
- '84.##0.190.69':3128
- '77.##0.104.44':3128
- '99.##7.166.103':3128
- '66.##1.255.160':3128
- '88.##4.221.147':3128
- '75.#3.59.78':3128
- '20#.#5.165.10':3128
- '11#.#0.128.197':3128
- '21#.#9.67.112':3128
- '69.##2.215.151':3128
- '79.##3.98.231':3128
- '71.##0.252.10':3128
- '21#.#38.248.19':3128
- '20#.#.127.186':3128
- '76.##6.121.187':3128
- '19#.#77.215.30':3128
- '24.##0.93.248':3128
- '75.##2.22.127':3128
- '71.##.163.154':3128
- '94.##.112.244':3128
- '11#.#9.9.115':3128
- '20#.#55.27.5':3128
- '68.##.155.247':3128
- '18#.#20.130.129':3128
- '78.##.46.180':3128
- '75.##1.253.142':3128
- '78.##.102.207':3128
- '78.##3.128.24':3128
- '89.#5.24.51':3128
- '58.##.244.203':3128
- '94.##4.113.90':3128
- '11#.#96.130.173':3128
- '21#.#0.160.188':3128
- '11#.#42.45.191':3128
- '41.##8.162.49':3128
- '98.##9.179.235':3128
- '21#.#62.81.124':3128
- '71.##7.233.133':3128
- '74.##5.193.251':3128
- '21#.#48.1.178':3128
- '24.##.84.205':3128
- '87.##6.191.217':3128
- '77.##.37.172':3128
- '76.##7.211.216':3128
- '88.##4.160.164':3128
- '24.##.248.239':3128
- '91.##2.88.124':3128
- '71.##7.239.168':3128
- '61.##8.20.211':3128
- '81.##.42.203':3128
- '84.#.14.253':3128
- '21#.#93.62.251':3128
- '71.#3.49.53':3128
- '21#.#6.58.85':3128
- '91.#22.0.17':3128
- '99.##.163.241':3128
- '76.##3.201.206':3128
- '20#.#3.150.145':3128
- '68.##.113.76':3128
- '67.##9.18.19':3128
- '76.##.62.194':3128
- '12.##8.234.58':3128
- '85.##2.7.114':3128
- '20#.8.3.123':3128
- '58.#.249.40':3128
- '21#.#32.201.194':3128
- '98.##0.204.155':3128
- '11#.#96.128.225':3128
- '18#.#7.136.178':3128
- '24.##7.190.229':3128
- '18#.#07.72.37':3128
- '71.##3.61.186':3128
- '12#.#20.4.101':3128
- '20#.#38.105.175':3128
- '41.##9.48.118':3128
- '84.##.47.176':3128
- '12#.#20.210.121':3128
- '85.##7.141.15':3128
- '75.##1.106.210':3128
- '83.##.218.56':3128
- '78.##.19.233':3128
- '75.##.217.226':3128
- '77.#0.4.207':3128
- '24.##7.50.130':3128
- '89.##.246.84':3128
- '67.##2.93.237':3128
- '14#.#38.107.75':3128
- '78.##.241.166':3128
- '20#.#1.96.130':3128
- '68.#.159.177':3128
- '24.##.176.213':3128
- '89.##5.38.55':3128
- '59.##.136.46':3128
- '92.##.18.118':3128
- '19#.#00.181.155':3128
- '88.##3.208.168':3128
- '12#.#06.6.238':3128
- '87.##.119.73':3128
- '11#.#41.2.179':3128
- '24.##.123.158':3128
- '12#.#31.192.30':3128
- '87.##.230.206':3128
- '89.##7.78.93':3128
- '19#.#2.163.85':3128
- '12#.#20.8.65':3128
- '78.##.228.168':3128
- '66.##.151.198':3128
- '11#.#2.24.14':3128
- '99.##5.193.175':3128
- '11#.#5.72.160':3128
- '19#.#34.148.212':3128
- '12#.4.4.229':3128
- '98.##6.229.238':3128
- '99.##6.244.33':3128
- '19#.#53.99.182':3128
- '65.#5.97.1':3128
- '76.##.221.214':3128
- '77.##8.192.114':3128
- '64.##3.135.90':3128
- '82.##1.231.24':3128
- '59.##.11.174':3128
- '79.##6.237.134':3128
- '19#.#4.187.110':3128
- '66.##3.158.213':3128
- '60.##.80.203':3128
- '19#.#06.153.68':3128
- '18#.#02.18.80':3128
- '88.##9.14.98':3128
- '76.##.189.173':3128
- '21#.#45.102.223':3128
- '72.##0.233.241':3128
- '96.##.250.213':3128
- 'localhost':4275
- '71.##.159.75':3128
- '79.##4.225.117':3128
- '85.##6.227.170':3128
- '84.##0.155.128':3128
- '18#.#4.93.253':3128
- '22#.#55.111.252':3128
- '79.##9.253.40':3128
- '83.#6.10.40':3128
- '19#.#41.101.200':3128
- '41.##9.68.68':3128
- '70.##.104.122':3128
- '24.#.223.85':3128
- '12#.#00.93.13':3128
- '24.#4.92.28':3128
- '89.##4.255.50':3128
- '83.##.177.80':3128
- '20#.#20.74.17':3128
- '20#.#23.114.69':3128
- '88.#16.3.10':3128
- '83.#.174.196':3128
- '22#.#37.99.43':3128
- '12#.#4.146.237':3128
- '24.##.26.245':3128
- '99.##1.140.134':3128
- '24.##4.30.144':3128
- '68.##9.215.142':3128
- '89.##3.82.157':3128
- '20#.#2.153.180':3128
- '67.##7.32.52':3128
- '70.##1.16.243':3128
- '12#.#3.123.82':3128
- '12#.#00.60.104':3128
- '21#.#26.97.186':3128
- '11#.#5.100.237':3128
- '71.##0.25.98':3128
- '74.##.196.193':3128
- '89.##2.177.188':3128
- '71.##5.141.199':3128
- '80.##7.211.202':3128
- '84.##3.179.73':3128
- '20#.#04.8.227':3128
- '61.##.218.138':3128
- '60.##5.223.57':3128
- '60.##9.92.205':3128
- '18#.#2.161.30':3128
- '24.##.205.225':3128
- '58.#.110.117':3128
- '11#.#32.27.106':3128
- '72.##5.226.96':3128
- '12#.#.213.56':3128
- '12#.#24.33.16':3128
- '80.##1.119.156':3128
- '66.##0.30.199':3128
- '12.##8.210.134':3128
- '84.#3.49.72':3128
- '20#.#6.186.152':3128
- '89.#6.81.70':3128
- '85.##7.210.144':3128
- '20#.#9.4.160':3128
- '98.##.203.78':3128
- '17#.#3.218.136':3128
- '71.#2.73.58':3128
- '18#.#2.158.213':3128
- '85.##4.152.173':3128
- '78.##.237.229':3128
- '99.##6.145.25':3128
- '85.##7.183.120':3128
- '18#.#3.143.87':3128
- '80.##.194.254':3128
- '76.##.68.151':3128
- '92.##.230.85':3128
- '85.##6.226.68':3128
- '79.##1.236.27':3128
- '72.##0.76.212':3128
- '24.##2.79.16':3128
- '91.##1.50.239':3128
- '21#.#29.220.147':3128
- '99.##0.180.68':3128
- '18#.#0.27.56':3128
- '93.#50.1.50':3128
- '67.##.107.163':3128
- '20#.#2.226.217':3128
- '99.##.111.103':3128
- '71.##.157.185':3128
- '74.##0.183.228':3128
- '20#.#1.222.12':3128
- '62.##9.169.241':3128
- '61.##.152.92':3128
- '24.##2.76.178':3128
- '78.##.152.53':3128
- '66.##1.122.4':3128
- '90.##.251.46':3128
- '78.##7.67.72':3128
- '19#.#77.219.158':3128
- '11#.#5.223.18':3128
- '68.##1.128.135':3128
- '12#.#62.1.34':3128
- '19#.#53.99.162':3128
- '11#.#2.28.68':3128
- '12#.#5.50.109':3128
- '11#.#.156.15':3128
- '24.##4.65.55':3128
- '20#.#33.246.158':3128
- '66.##4.234.49':3128
- '21#.#7.156.91':3128
- '64.##.186.180':3128
- '94.##7.181.102':3128
- '88.##9.131.188':3128
- '83.##6.140.94':3128
- '24.##.207.42':3128
- '20#.#9.134.184':3128
- '93.##2.208.25':3128
- '11#.#5.32.51':3128
- '89.##0.20.242':3128
- '70.##.16.123':3128
- '64.##0.204.41':3128
- '67.##.203.98':3128
- '18#.#22.81.157':3128
- '68.##7.172.251':3128
- '24.##.252.15':3128
- '78.#8.23.38':3128
- '19#.#30.6.55':3128
- '21#.#.154.109':3128
- '88.##6.116.26':3128
- '21#.#21.99.140':3128
- '19#.#02.228.230':3128
- '59.##6.92.218':3128
- '76.##5.136.208':3128
- '89.##3.142.181':3128
- '<Private IP address>':80
- '18#.#3.138.152':3128
- '11#.#32.25.198':3128
- '62.##3.92.102':3128
- '21#.#2.29.38':3128
- '87.##1.123.16':3128
- '78.##.28.234':3128
- '89.##.205.143':3128
- '99.#.107.49':3128
- '21#.#1.89.170':3128
- '24.##7.140.76':3128
- '14#.#9.212.104':3128
- '19#.#4.46.187':3128
- '67.#2.3.13':3128
- '67.##9.90.97':3128
- '19#.#17.152.27':3128
- '99.##4.148.209':3128
- '89.##.59.158':3128
- '98.##7.209.222':3128
- '67.##.106.185':3128
- '78.#4.106.8':3128
- '24.##8.53.190':3128
- '82.##7.154.87':3128
- '88.##5.11.121':3128
- '87.##8.0.214':3128
- '68.##0.126.186':3128
- '21#.#3.141.202':3128
UDP:
- DNS ASK 41.#49.48
Miscellaneous:
Searches for the following windows:
- ClassName: 'Indicator' WindowName: '(null)'
