Win32.HLLW.Phorpiex.1367

Technical Information

To ensure autorun and distribution

Modifies the following registry keys

[<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\] 'Microsoft Windows Driver' = '%WINDIR%\172486572\sysqwgf.exe'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run\] 'Microsoft Windows Driver' = '%WINDIR%\172486572\sysqwgf.exe'

Infects the following executable files

<Drive name for removable media>:\__\skypesetup.exe
<Drive name for removable media>:\__\calc.exe
<Drive name for removable media>:\__\tcm851ax32.exe
<Drive name for removable media>:\__\wrar520.exe
<Drive name for removable media>:\__\notepad.exe
<Drive name for removable media>:\__\chromesetup.exe

Creates the following files on removable media

<Drive name for removable media>:\__\drivemgr.exe
<Drive name for removable media>:\samieee_obiee_presentation.pptx
<Drive name for removable media>:\roozenedowebinar.pptx
<Drive name for removable media>:\hypothyroidism_slides.pptx
<Drive name for removable media>:\gruenspecht_02172016.pptx
<Drive name for removable media>:\asaprojectcompetition.pptx
<Drive name for removable media>:\middaugh_keynote.pptx
<Drive name for removable media>:\metac.ppt
<Drive name for removable media>:\mappingconcepthubberlin.ppt
<Drive name for removable media>:\sacs_presentation_sacs_qep_improving_rt_education_final.ppt
<Drive name for removable media>:\background.png
<Drive name for removable media>:\cbz.png
<Drive name for removable media>:\calibre.png
<Drive name for removable media>:\asm.png
<Drive name for removable media>:\dissolveanother.png
<Drive name for removable media>:\block.png
<Drive name for removable media>:\irgeek.pem
<Drive name for removable media>:\cert.pem
<Drive name for removable media>:\investmentbankca_ca8.pem
<Drive name for removable media>:\ck_ugo.pem
<Drive name for removable media>:\2015-02-patients-topic-work-related-asthma-jobs.pdf
<Drive name for removable media>:\dualectls.pdf
<Drive name for removable media>:\digest.rdf
<Drive name for removable media>:\sioc.rdf
<Drive name for removable media>:\swc_2009-03-02.rdf
<Drive name for removable media>:\contenttypes.rdf
<Drive name for removable media>:\contractualdeadlines.zip
<Drive name for removable media>:\price030215.zip
<Drive name for removable media>:\highly_cited_2001.xlsx
<Drive name for removable media>:\national_autism_preparation_programs.xlsx
<Drive name for removable media>:\suspendedcompanies.xlsx
<Drive name for removable media>:\2013_finalsummaryforweb.xlsx
<Drive name for removable media>:\applicant.xlsx
<Drive name for removable media>:\fiche_inscription_2015.xls
<Drive name for removable media>:\productos.xls
<Drive name for removable media>:\guide_reorganization_mapping.xls
<Drive name for removable media>:\1sm_price.xls
<Drive name for removable media>:\removedtitles_records.xls
<Drive name for removable media>:\excel_example.xls
<Drive name for removable media>:\price030215.xls
<Drive name for removable media>:\testwmv.wmv
<Drive name for removable media>:\passport_pal.wmv
<Drive name for removable media>:\babyboymaintoscenesbackground_pal.wmv
<Drive name for removable media>:\krsweden.rtf
<Drive name for removable media>:\waterlandhealthkano.rtf
<Drive name for removable media>:\elvisimp.rdf
<Drive name for removable media>:\20140114.rdf
<Drive name for removable media>:\schema.rdf
<Drive name for removable media>:\subjectclassification.zip
<Drive name for removable media>:\fil_20060629111052.pdf
<Drive name for removable media>:\lom602.pdf
<Drive name for removable media>:\ff_ot_user_guide.pdf
<Drive name for removable media>:\wrar520.exe
<Drive name for removable media>:\tcm851ax32.exe
<Drive name for removable media>:\calc.exe
<Drive name for removable media>:\skypesetup.exe
<Drive name for removable media>:\nwfieldnotes1966.docx
<Drive name for removable media>:\aoc_saq_d_v3_merchant.docx
<Drive name for removable media>:\issi2013_template_for_posters.docx
<Drive name for removable media>:\thlps_keeper_mayer_1965.docx
<Drive name for removable media>:\cveuropeo.doc
<Drive name for removable media>:\hanni_umami_chapter.doc
<Drive name for removable media>:\ovp25012015.doc
<Drive name for removable media>:\pmd.cer
<Drive name for removable media>:\testcertificate.cer
<Drive name for removable media>:\contosoroot.cer
<Drive name for removable media>:\contoso.cer
<Drive name for removable media>:\dashborder_120.bmp
<Drive name for removable media>:\dial.bmp
<Drive name for removable media>:\toolbar.bmp
<Drive name for removable media>:\join.avi
<Drive name for removable media>:\autorun.inf
<Drive name for removable media>:\.lnk
<Drive name for removable media>:\notepad.exe
<Drive name for removable media>:\chromesetup.exe
<Drive name for removable media>:\64bit_notes.htm
<Drive name for removable media>:\advice_process.htm
<Drive name for removable media>:\spib_pima.pdf
<Drive name for removable media>:\d0068197bb5a41fea16a220c45390606.mp4
<Drive name for removable media>:\clip_480_5sec_6mbps_h264.mp4
<Drive name for removable media>:\clip_1080_5sec_10mbps_h264.mp4
<Drive name for removable media>:\video_1.mp4
<Drive name for removable media>:\etc6_m_1.mov
<Drive name for removable media>:\spanner.mov
<Drive name for removable media>:\scan.mov
<Drive name for removable media>:\pushkin.jpg
<Drive name for removable media>:\168.jpg
<Drive name for removable media>:\2.jpg
<Drive name for removable media>:\210252809.jpg
<Drive name for removable media>:\4f0bf7ff71f28.jpg
<Drive name for removable media>:\210252809.jpeg
<Drive name for removable media>:\1189.jpeg
<Drive name for removable media>:\ituneshelpunavailable.html
<Drive name for removable media>:\adadsi.html
<Drive name for removable media>:\alert.html
<Drive name for removable media>:\about.html
<Drive name for removable media>:\tree_view.html
<Drive name for removable media>:\trivial-merge.htm
<Drive name for removable media>:\tree_view.htm
<Drive name for removable media>:\10thingscondoms.pdf
<Drive name for removable media>:\excel_example.zip

Malicious functions

To bypass firewall, removes or modifies the following registry keys

[<HKLM>\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%WINDIR%\172486572\sysqwgf.exe' = '%WINDIR%\172486572\sysqwgf.exe:...
[<HKLM>\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%TEMP%\11507.exe' = '%TEMP%\11507.exe:*:Enabled:4753735'

To complicate detection of its presence in the operating system,

blocks the following features:

System Restore (SR)
Windows Security Center

Creates and executes the following

'' (downloaded from the Internet)

Modifies file system

Creates the following files

%TEMP%\1.exe
%TEMP%\rbx-78d01adc.log
%TEMP%\crashpad_roblox\settings.dat
%TEMP%\2.exe
%TEMP%\rbx-2f95c140.log
%HOMEPATH%\cookies\user@roblox[1].txt
%WINDIR%\172486572\sysqwgf.exe
%TEMP%\39564.exe
%TEMP%\18898.exe
%TEMP%\11507.exe
%HOMEPATH%\cookies\user@icanhazip[1].txt
%TEMP%\4195235218086892.jpg

Sets the 'hidden' attribute to the following files

%WINDIR%\172486572\sysqwgf.exe
<Drive name for removable media>:\.lnk

Network activity

Connects to

'mt##.##0.yahoodns.net':25
'mx#.#omcast.net':25
'mx###.##il.gm0.yahoodns.net':25
'ff######x-vip2.prodigy.net':25
'mx####.##il.gm0.yahoodns.net':25
'cx#.##.#.cloudfilter.net':25
'mx##.mail.com':25
'ff######x-vip1.prodigy.net':25
'mx.####ght.synacor.com':25
'mx.###turylink.net':25
'sm######.mc.a.cloudfilter.net':25
'mx.##timum.net':25

TCP

HTTP GET requests

http://18#.#76.27.132/a.exe
http://ic###azip.com/
http://18#.#76.27.132/8
http://18#.#76.27.132/7
http://18#.#76.27.132/6
http://18#.#76.27.132/5
http://18#.#76.27.132/4
http://18#.#76.27.132/3
http://18#.#76.27.132/2
http://18#.#76.27.132/1
http://19#.#2.161.73/t.php?ne###
http://ur#####fhsorhfuuhl.cc/t.php?ne###
http://18#.#76.27.132/t.php?ne###
http://s3.###zonaws.com/setup.roblox.com/version-883bd6d1106143ea-rbxPkgManifest.txt
http://se###.rbxcdn.com/
http://www.ro##ox.com/install/GetInstallerCdns.ashx
http://cl#######tingscdn.roblox.com/v1/client-version/WindowsPlayer
http://cl#######tingscdn.roblox.com/v1/settings/application?ap##################################
http://19#.#2.161.73/_5/n.txt
http://19#.#2.161.73/_5/115.txt

HTTP POST requests

http://ep########ounters.api.roblox.com/v1.0/MultiIncrement/?ap#########################################

UDP

DNS ASK cl#######tingscdn.roblox.com
DNS ASK ff######x-vip2.prodigy.net
DNS ASK ao#.com
DNS ASK mx####.##il.gm0.yahoodns.net
DNS ASK co#.net
DNS ASK ma##.com
DNS ASK cx#.##.#.cloudfilter.net
DNS ASK mx##.mail.com
DNS ASK 91##.com
DNS ASK sb###obal.net
DNS ASK mx###.##il.gm0.yahoodns.net
DNS ASK 59##.com
DNS ASK 30##.com
DNS ASK 36##.com
DNS ASK be###outh.net
DNS ASK 87##.com
DNS ASK ff######x-vip1.prodigy.net
DNS ASK 17##.com
DNS ASK ne###ape.net
DNS ASK 07##.com
DNS ASK ea#####uaegfugeude.top
DNS ASK 43##.com
DNS ASK ga#####ehfoaeajrse.top
DNS ASK da#####eauehfuuhfe.top
DNS ASK ae#####oheguaoehde.top
DNS ASK eg#####ghouughahse.top
DNS ASK hu#####efoaeguaehe.top
DNS ASK af#####ifgsgrhhafe.top
DNS ASK af#####igieufuifie.top
DNS ASK ge#####efheuutiiie.top
DNS ASK co##ast.net
DNS ASK mx#.#omcast.net
DNS ASK ya###.com.tw
DNS ASK ga#####eiafhjefije.top
DNS ASK ga#####aoefhuhfuge.top
DNS ASK ae#####huoruitiiee.top
DNS ASK be#####iudeuhughge.top
DNS ASK ya##o.com
DNS ASK mt##.##0.yahoodns.net
DNS ASK ic###azip.com
DNS ASK ga#####ofhefefhute.top
DNS ASK ga#####rhuhruhfsde.top
DNS ASK ae#####hfiuehfuhfe.top
DNS ASK 54##.com
DNS ASK 33##.com
DNS ASK 01##.com
DNS ASK 45##.com
DNS ASK 25##.com
DNS ASK 80##.com
DNS ASK 60##.com
DNS ASK 41##.com
DNS ASK 37##.com
DNS ASK 28##.com
DNS ASK 51##.com
DNS ASK 49##.com
DNS ASK 10##.com
DNS ASK 96##.com
DNS ASK mc##i.com
DNS ASK sm######.mc.a.cloudfilter.net
DNS ASK 19##.com
DNS ASK 40##.com
DNS ASK op###line.net
DNS ASK 61##.com
DNS ASK 88##.com
DNS ASK 22##.com
DNS ASK 72##.com
DNS ASK mx.####ght.synacor.com
DNS ASK 77##.com
DNS ASK 02##.com
DNS ASK 82##.com
DNS ASK 34##.com
DNS ASK 16##.com
DNS ASK 46##.com
DNS ASK em###qmail.com
DNS ASK 21##.com
DNS ASK mx.###turylink.net
DNS ASK 98##.com
DNS ASK 18##.com
DNS ASK pa##ell.net
DNS ASK ai#.com
DNS ASK at#.net
DNS ASK 67##.com
DNS ASK in###htbb.com
DNS ASK 00##.com
DNS ASK 52##.com
DNS ASK 06##.com
DNS ASK bf#####zgaegzgfaie.top
DNS ASK rz#####ugugfugugse.top
DNS ASK ae#####fhutuhuhuse.top
DNS ASK be#####iudeuhughgk.su
DNS ASK ur#####fhsorhfuuho.io
DNS ASK ae#####fhutuhuhuso.io
DNS ASK rz#####ugugfugugso.io
DNS ASK bf#####zgaegzgfaio.io
DNS ASK ea#####uaegfugeudo.io
DNS ASK ae#####hfiuehfuhfo.io
DNS ASK ga#####aoefhuhfugk.su
DNS ASK ga#####eiafhjefijo.io
DNS ASK ga#####eiafhjefijk.su
DNS ASK hu#####efoaeguaeho.io
DNS ASK af#####ifgsgrhhafo.io
DNS ASK af#####igieufuifio.io
DNS ASK ge#####efheuutiiio.io
DNS ASK ga#####ofhefefhuto.io
DNS ASK ga#####ehfoaeajrso.io
DNS ASK ga#####rhuhruhfsdo.io
DNS ASK ae#####oheguaoehdo.io
DNS ASK da#####eauehfuuhfo.io
DNS ASK eg#####ghouughahso.io
DNS ASK ga#####ehfoaeajrsk.su
DNS ASK da#####eauehfuuhfk.su
DNS ASK ro##ox.com
DNS ASK se###.rbxcdn.com
DNS ASK s3.###zonaws.com
DNS ASK ur#####fhsorhfuuhk.su
DNS ASK ae#####fhutuhuhusk.su
DNS ASK rz#####ugugfugugsk.su
DNS ASK bf#####zgaegzgfaik.su
DNS ASK ga#####rhuhruhfsdk.su
DNS ASK ga#####aoefhuhfugo.io
DNS ASK ep########ounters.api.roblox.com
DNS ASK ae#####oheguaoehdk.su
DNS ASK eg#####ghouughahsk.su
DNS ASK hu#####efoaeguaehk.su
DNS ASK af#####ifgsgrhhafk.su
DNS ASK af#####igieufuifik.su
DNS ASK ge#####efheuutiiik.su
DNS ASK ga#####ofhefefhutk.su
DNS ASK ae#####hfiuehfuhfk.su
DNS ASK ea#####uaegfugeudk.su
DNS ASK ae#####huoruitiiek.su
DNS ASK ae#####huoruitiieo.io
DNS ASK bf#####zgaegzgfaip.co
DNS ASK ae#####hfiuehfuhfp.co
DNS ASK da#####eauehfuuhfp.co
DNS ASK ae#####oheguaoehdp.co
DNS ASK eg#####ghouughahsp.co
DNS ASK hu#####efoaeguaehp.co
DNS ASK af#####ifgsgrhhafp.co
DNS ASK rz#####ugugfugugsp.co
DNS ASK ur#####fhsorhfuuhp.co
DNS ASK ea#####uaegfugeudp.co
DNS ASK af#####igieufuifip.co
DNS ASK ga#####rhuhruhfsdp.co
DNS ASK ga#####eiafhjefijp.co
DNS ASK ga#####aoefhuhfugp.co
DNS ASK ae#####huoruitiiep.co
DNS ASK be#####iudeuhughgp.co
DNS ASK th##s.top
DNS ASK ge#####efheuutiiip.co
DNS ASK ga#####ofhefefhutp.co
DNS ASK ga#####ehfoaeajrsp.co
DNS ASK ae#####fhutuhuhusp.co
DNS ASK be#####iudeuhughgl.cc
DNS ASK be#####iudeuhughgo.io
DNS ASK ae#####fhutuhuhusl.cc
DNS ASK rz#####ugugfugugsl.cc
DNS ASK bf#####zgaegzgfail.cc
DNS ASK ea#####uaegfugeudl.cc
DNS ASK ae#####hfiuehfuhfl.cc
DNS ASK da#####eauehfuuhfl.cc
DNS ASK ae#####oheguaoehdl.cc
DNS ASK eg#####ghouughahsl.cc
DNS ASK ur#####fhsorhfuuhl.cc
DNS ASK hu#####efoaeguaehl.cc
DNS ASK af#####igieufuifil.cc
DNS ASK ge#####efheuutiiil.cc
DNS ASK ga#####ofhefefhutl.cc
DNS ASK ga#####ehfoaeajrsl.cc
DNS ASK ga#####rhuhruhfsdl.cc
DNS ASK ga#####eiafhjefijl.cc
DNS ASK ga#####aoefhuhfugl.cc
DNS ASK ae#####huoruitiiel.cc
DNS ASK af#####ifgsgrhhafl.cc
DNS ASK 04##.com
DNS ASK mx.##timum.net

Miscellaneous

Creates and executes the following

'%TEMP%\1.exe'
'%TEMP%\2.exe'
'%WINDIR%\172486572\sysqwgf.exe'
'%TEMP%\39564.exe'
'%TEMP%\18898.exe'
'%TEMP%\11507.exe'

Technologies

Terminology

Training and education

Myths

Technical Information