Technical Information
To ensure autorun and distribution:
Creates the following services:
- [<HKLM>\SYSTEM\ControlSet001\Services\WsysSvc] 'Start' = '00000002'
Malicious functions:
Creates and executes the following:
- '%ALLUSERSPROFILE%\Application Data\eSafe\eGdpSvc.exe'
- '%ALLUSERSPROFILE%\Application Data\eSafe\eGdpSvc.exe' -run
Modifies file system :
Creates the following files:
- %ALLUSERSPROFILE%\Application Data\eSafe\log\eGdpSvc.LOG
- %ALLUSERSPROFILE%\Application Data\eSafe\eGdpSvc.exe
Deletes the following files:
- <SYSTEM32>\PerfStringBackup.TMP
- <SYSTEM32>\wbem\Performance\WmiApRpl.ini
Network activity:
Connects to:
- 'xa.###gcloud.com':80
TCP:
HTTP GET requests:
- xa.###gcloud.com/v4/sof-newgdp/<Auxiliary name>X<Auxiliary name>XIDEXHardXDrive_11000000000000000001?ac#################################################################################################
- xa.###gcloud.com/v4/sof-newgdp/<Auxiliary name>X<Auxiliary name>XIDEXHardXDrive_11000000000000000001?ac##############################################################################################
UDP:
- DNS ASK xa.###gcloud.com
