Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Userinit' = '<SYSTEM32>\userinit.exe,,<LS_APPDATA>\jwaroevi\rarexsdb.exe'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'RarExsdb' = '<LS_APPDATA>\jwaroevi\rarexsdb.exe'
Creates or modifies the following files:
- %HOMEPATH%\Start Menu\Programs\Startup\rarexsdb.exe
Malicious functions:
To bypass firewall, removes or modifies the following registry keys:
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'DisableNotifications' = '00000001'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'DoNotAllowExceptions' = '00000000'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'EnableFirewall' = '00000000'
To complicate detection of its presence in the operating system,
blocks execution of the following system utilities:
- Windows Update
- Windows Security Center
blocks the following features:
- User Account Control (UAC)
- Windows Security Center
Injects code into
the following system processes:
- <SYSTEM32>\svchost.exe
the following user processes:
- byjjjqlf.exe
Modifies file system:
Creates the following files:
- %ALLUSERSPROFILE%\Application Data\ybfcuwpc.log
- <LS_APPDATA>\lawhwilb.log
- <LS_APPDATA>\jwaroevi\rarexsdb.exe
- %TEMP%\byjjjqlf.exe
- %TEMP%\ifqydaby.exe
Sets the 'hidden' attribute to the following files:
- %HOMEPATH%\Start Menu\Programs\Startup\rarexsdb.exe
Network activity:
Connects to:
- 'cx#####xmbltfsjgmup.com':443
- 'bu####dxegbr.com':443
- 'go###uuvmp.com':443
- 'ed###jmr.com':443
- 'sh####fmnxvr.com':443
- 'fe####csuruiow.com':443
- 'fa#####vkcqtxbgarj.com':443
- 'uj####7382uryhf.com':443
- '74.##5.232.51':80
- 'la####lcidqxk.com':443
- 'kx####kigebkuq.com':443
- 'bm#####yxdvtnnjnf.com':443
UDP:
- DNS ASK xt###vkjpwo.com
- DNS ASK xx####kwmaiigrv.com
- DNS ASK xf###ujixl.com
- DNS ASK ci###aystp.com
- DNS ASK vg###cxujbk.com
- DNS ASK qs####rouvbsnii.com
- DNS ASK al#####pebklgwcx.com
- DNS ASK po#####womxmoqya.com
- DNS ASK od####hxjquysr.com
- DNS ASK ri####eabkgax.com
- DNS ASK dr#####svyxytlfhp.com
- DNS ASK ku###dqrw.com
- DNS ASK wt####hgialo.com
- DNS ASK ll#####hmiotdkksaka.com
- DNS ASK od###tusobp.com
- DNS ASK pa#####bqxrlbytuse.com
- DNS ASK bing.com
- DNS ASK rv#####xiutmgwgt.com
- DNS ASK hs#####xgqjkeplpd.com
- DNS ASK se####lrceeg.com
- DNS ASK mc###lhrjc.com
- DNS ASK ex####qstvlx.com
- DNS ASK jj####embtqk.com
- DNS ASK mw#####exbkeseuw.com
- DNS ASK jr####jjvfgcl.com
- DNS ASK qv#####affvlahgnsxo.com
- DNS ASK dg#####gslypoiok.com
- DNS ASK fe####csuruiow.com
- DNS ASK cx#####xmbltfsjgmup.com
- DNS ASK bu####dxegbr.com
- DNS ASK si###bpudb.com
- DNS ASK ed###jmr.com
- DNS ASK sh####fmnxvr.com
- DNS ASK go###uuvmp.com
- DNS ASK fa#####vkcqtxbgarj.com
- DNS ASK uj####7382uryhf.com
- DNS ASK google.com
- DNS ASK la####lcidqxk.com
- DNS ASK kx####kigebkuq.com
- DNS ASK bm#####yxdvtnnjnf.com
- DNS ASK ip#####viaulestxtua.com
- DNS ASK bm###kvm.com
- DNS ASK qw####dupiupr.com
- DNS ASK tp####yghilmm.com
- DNS ASK hp###iqqymr.com
- DNS ASK sr#####xamnjpmqdat.com
- DNS ASK an#####aeifcprlcrof.com
- DNS ASK gt###vud.com
- DNS ASK up#####rmjydqcys.com
- DNS ASK hx###wpkrgv.com
- DNS ASK bc#####hllkjfynl.com
- DNS ASK pv#####vvemvfiaqbny.com
- DNS ASK ov###jipg.com
Miscellaneous:
Creates and executes the following:
- '%TEMP%\byjjjqlf.exe'
- '<Full path to file>'
Executes the following:
- '<SYSTEM32>\svchost.exe'
