Technical Information
To ensure autorun and distribution:
Creates the following services:
- [<HKLM>\SYSTEM\ControlSet001\Services\eb128ffb45735a52] 'ImagePath' = '<DRIVERS>\eb128ffb45735a52.sys'
- [<HKLM>\SYSTEM\ControlSet001\Services\eb128ffb45735a52] 'Start' = '00000000'
- [<HKLM>\SYSTEM\ControlSet001\Services\syshost32] 'Start' = '00000002'
- [<HKLM>\SYSTEM\ControlSet001\Services\18dd3] 'Start' = '00000001'
Malicious functions:
Creates and executes the following:
- %WINDIR%\Installer\{BD14EB7F-16CA-B2CE-0029-606BD6328F93}\syshost.exe /service
Hooks the following functions in System Service Descriptor Table (SSDT):
- NtOpenThread, handler: unknown
- NtOpenProcess, handler: unknown
Modifies file system :
Creates the following files:
- <DRIVERS>\eb128ffb45735a52.sys
- <DRIVERS>\18dd3.sys
- %WINDIR%\Installer\{BD14EB7F-16CA-B2CE-0029-606BD6328F93}\syshost.exe
Deletes the following files:
- <DRIVERS>\18dd3.sys
Moves itself:
- from <Full path to virus> to %TEMP%\5fe42a78.tmp
Deletes itself.
Network activity:
Connects to:
- 'cb######wqhmavjxrpqhe.tw':80
- 'pk####uignuvgiqi.nf':80
- 'bq###mjalxpr.mn':80
- 'oo######jrcalkgixouube.mn':80
- 'xr####crdmbugdjd.ms':80
- 'js###diypdk.nu':80
- 'iy####ugdqnnpe.tj':80
- 'dh###bvdgh.im':80
- 'vt######phuwcuoxpgkrdtgs.im':80
- 'gn####dleuodri.tw':80
- 'pq###uwxtk.mn':80
- 'jt###nnnvuo.tw':80
- 'rn####nmyfyokdk.in':80
- 'ep####vqmuuslna.mn':80
- 'nr#####rqthbeblcvw.cm':80
- 'kq####vapwmixl.ki':80
- 'hb#####kbvqiuecjnf.jp':80
- 'bf######cktdegvyytreel.tj':80
- 'nl####olvnisl.mu':80
- 'mv####uukgkeamxa.nf':80
- 'dr######yhvalabhgwxlowy.so':80
- 'bp####owwjefqj.cx':80
- 'yu######yrwrgpnwhhlyyvb.cc':80
- 'gl#####ikvklbnktjnfp.so':80
- 'gx#######rpvhbscycfqhgldh.tw':80
- 'ks######otvmwlwhsxwydlom.sh':80
- 'xw######hvjhtguxqywqssen.im':80
- 'xp######akrunqbtegvqf.tj':80
- 'up####oxrnxypyb.mn':80
- 'ma######txmksauxsshnc.sc':80
- 'qg#####pmwqmnpqnusrc.so':80
- 'ce####eltjmwgel.sh':80
- 'op######amkbuxjxgpiwpr.cx':80
- 'og####oheqjpok.la':80
- 'ps###ubjka.cm':80
- 'vy###xhqvf.nu':80
- 'rw######vthgtbwwoviqe.tw':80
- 'vf####wfmtuqd.ac':80
- 'mw#####gijutcmcgwdsg.sh':80
- 'tq#####sbgjgdbesygh.la':80
- '62.##.229.126':80
- '62.##.229.131':80
- '20#.#6.232.182':80
- 'xu#######vdsncvdvbhnbaocd.cx':80
- 'fe#####cgkexhyxln.nu':80
- 'id######egtgnxaaycjputll.la':80
- 'ux#####odddajrgba.in':80
- 'ns#####uqeftyglsf.tj':80
- 'cl######xdhqbpekrubhvf.ki':80
- 'sm###jtovub.nf':80
- 'or####uslwtvj.mu':80
- 'al#######nxqjuwxnohxifsre.nu':80
- 'fk######vjudbmnvwbwltp.sc':80
- 'ne######iwquggkhwiihdoop.in':80
- 'ol######lencshapoeoovmc.mu':80
- 'wb######gwfkjblorpxqqe.sh':80
- 'yf######dfhrbakywohwu.sh':80
- 'kx####vusiueo.cx':80
- 'xo#####hsudnbgakdfd.jp':80
- 'rt####vycreymqx.so':80
- 'qb####eqencwq.mu':80
- 'gk#####futwkoiujspj.jp':80
- 'ha#####emteoskfsofp.sc':80
TCP:
HTTP POST requests:
- cb######wqhmavjxrpqhe.tw/database.cgi
- pk####uignuvgiqi.nf/database.cgi
- bq###mjalxpr.mn/database.cgi
- oo######jrcalkgixouube.mn/database.cgi
- xr####crdmbugdjd.ms/database.cgi
- js###diypdk.nu/database.cgi
- iy####ugdqnnpe.tj/database.cgi
- dh###bvdgh.im/database.cgi
- vt######phuwcuoxpgkrdtgs.im/database.cgi
- gn####dleuodri.tw/database.cgi
- pq###uwxtk.mn/database.cgi
- jt###nnnvuo.tw/database.cgi
- rn####nmyfyokdk.in/database.cgi
- ep####vqmuuslna.mn/database.cgi
- nr#####rqthbeblcvw.cm/database.cgi
- kq####vapwmixl.ki/database.cgi
- hb#####kbvqiuecjnf.jp/database.cgi
- bf######cktdegvyytreel.tj/database.cgi
- nl####olvnisl.mu/database.cgi
- mv####uukgkeamxa.nf/database.cgi
- dr######yhvalabhgwxlowy.so/database.cgi
- bp####owwjefqj.cx/database.cgi
- yu######yrwrgpnwhhlyyvb.cc/database.cgi
- gl#####ikvklbnktjnfp.so/database.cgi
- gx#######rpvhbscycfqhgldh.tw/database.cgi
- ks######otvmwlwhsxwydlom.sh/database.cgi
- xw######hvjhtguxqywqssen.im/database.cgi
- xp######akrunqbtegvqf.tj/database.cgi
- up####oxrnxypyb.mn/database.cgi
- ma######txmksauxsshnc.sc/database.cgi
- qg#####pmwqmnpqnusrc.so/database.cgi
- vy###xhqvf.nu/database.cgi
- op######amkbuxjxgpiwpr.cx/database.cgi
- og####oheqjpok.la/database.cgi
- mw#####gijutcmcgwdsg.sh/database.cgi
- ns#####uqeftyglsf.tj/database.cgi
- rw######vthgtbwwoviqe.tw/database.cgi
- vf####wfmtuqd.ac/database.cgi
- ps###ubjka.cm/database.cgi
- xu#######vdsncvdvbhnbaocd.cx/database.cgi
- 62.##.229.126/cgi-bin/auth.cgi
- 62.##.229.131/cgi-bin/auth.cgi
- ux#####odddajrgba.in/database.cgi
- tq#####sbgjgdbesygh.la/database.cgi
- fe#####cgkexhyxln.nu/database.cgi
- id######egtgnxaaycjputll.la/database.cgi
- xo#####hsudnbgakdfd.jp/database.cgi
- al#######nxqjuwxnohxifsre.nu/database.cgi
- cl######xdhqbpekrubhvf.ki/database.cgi
- sm###jtovub.nf/database.cgi
- ol######lencshapoeoovmc.mu/database.cgi
- ce####eltjmwgel.sh/database.cgi
- fk######vjudbmnvwbwltp.sc/database.cgi
- ne######iwquggkhwiihdoop.in/database.cgi
- or####uslwtvj.mu/database.cgi
- rt####vycreymqx.so/database.cgi
- yf######dfhrbakywohwu.sh/database.cgi
- kx####vusiueo.cx/database.cgi
- ha#####emteoskfsofp.sc/database.cgi
- wb######gwfkjblorpxqqe.sh/database.cgi
- qb####eqencwq.mu/database.cgi
- gk#####futwkoiujspj.jp/database.cgi
UDP:
- DNS ASK ln######ygxumrinjqmekrsh.cx
- DNS ASK mr####gxufjfja.ac
- DNS ASK hb#####kbvqiuecjnf.jp
- DNS ASK ta###iqxxhq.cm
- DNS ASK ht######dmstifwpeewbxgcr.im
- DNS ASK wq#####cgefgtrvdteg.la
- DNS ASK bf######cktdegvyytreel.tj
- DNS ASK yu######yrwrgpnwhhlyyvb.cc
- DNS ASK bp####owwjefqj.cx
- DNS ASK xy####volloxvnyp.im
- DNS ASK yu#####wwatcpwkne.in
- DNS ASK tq####yyincrvmyc.nf
- DNS ASK mv####uukgkeamxa.nf
- DNS ASK xd#####ypkmctninykjj.mu
- DNS ASK nb#####lutnugoesqk.mu
- DNS ASK qg#####pmwqmnpqnusrc.so
- DNS ASK ma######txmksauxsshnc.sc
- DNS ASK xp######akrunqbtegvqf.tj
- DNS ASK vw####yrwtlayuiv.im
- DNS ASK ks######otvmwlwhsxwydlom.sh
- DNS ASK gx#######rpvhbscycfqhgldh.tw
- DNS ASK xd###qcvcij.so
- DNS ASK ji####quiixunhh.cx
- DNS ASK py####wjupemfdx.so
- DNS ASK nl####olvnisl.mu
- DNS ASK up####oxrnxypyb.mn
- DNS ASK gl#####ikvklbnktjnfp.so
- DNS ASK ax#####ghalwitwfcxye.im
- DNS ASK eg###agkgnmk.cm
- DNS ASK hx####qrpdnfivs.so
- DNS ASK pq###jvfgwcv.sc
- DNS ASK tv####pgihfktq.im
- DNS ASK ex####lvdwlqysu.sh
- DNS ASK bp####fmiubpesw.tj
- DNS ASK dd###jidxme.im
- DNS ASK cj#######sqmplsjpiokgvfjs.ac
- DNS ASK dw#######xbdcftxtfuyfmeci.sh
- DNS ASK mi######tfrwdfdpssykaxjh.sh
- DNS ASK sg###rdunvri.la
- DNS ASK hu#####yhtqtwdrrkbo.ki
- DNS ASK us#####iylvqhlxqmu.ms
- DNS ASK wp###ixdvvqi.ki
- DNS ASK lc######ulkglrtprvlsmvk.ms
- DNS ASK lw######sqjmaomgbrkghnpb.ac
- DNS ASK kj#####dqntnupteiw.sc
- DNS ASK dr######yhvalabhgwxlowy.so
- DNS ASK no######xvugshnatjjwe.mu
- DNS ASK ew####mfqbiba.ac
- DNS ASK va###lahspv.im
- DNS ASK ea####xuemgdqpyp.tj
- DNS ASK lg####xmpccoli.la
- DNS ASK nc#####ueatsevsihw.ms
- DNS ASK ku######rsfefejtguhsqap.ki
- DNS ASK la####leugfpydt.nf
- DNS ASK dw###ahlkra.ms
- DNS ASK sn###uhflwj.mn
- DNS ASK mw#####gijutcmcgwdsg.sh
- DNS ASK vf####wfmtuqd.ac
- DNS ASK rw######vthgtbwwoviqe.tw
- DNS ASK vy###xhqvf.nu
- DNS ASK og####oheqjpok.la
- DNS ASK ps###ubjka.cm
- DNS ASK op######amkbuxjxgpiwpr.cx
- DNS ASK rt####vycreymqx.so
- DNS ASK ha#####emteoskfsofp.sc
- DNS ASK gk#####futwkoiujspj.jp
- DNS ASK yf######dfhrbakywohwu.sh
- DNS ASK ns#####uqeftyglsf.tj
- DNS ASK xo#####hsudnbgakdfd.jp
- DNS ASK kx####vusiueo.cx
- DNS ASK gx###rzpoly.com
- DNS ASK jq###kvsqsz.com
- DNS ASK ha####sgdkekms.com
- DNS ASK hj####cmxoozr.com
- DNS ASK microsoft.com
- DNS ASK tf####ccdzhvw.com
- DNS ASK se####frwenq.com
- DNS ASK id######egtgnxaaycjputll.la
- DNS ASK fe#####cgkexhyxln.nu
- DNS ASK tq#####sbgjgdbesygh.la
- DNS ASK ux#####odddajrgba.in
- DNS ASK wp####zdghxbyc.com
- DNS ASK rk###haipj.com
- DNS ASK xu#######vdsncvdvbhnbaocd.cx
- DNS ASK bq###mjalxpr.mn
- DNS ASK pk####uignuvgiqi.nf
- DNS ASK cb######wqhmavjxrpqhe.tw
- DNS ASK dh###bvdgh.im
- DNS ASK nr#####rqthbeblcvw.cm
- DNS ASK ep####vqmuuslna.mn
- DNS ASK rn####nmyfyokdk.in
- DNS ASK kq####vapwmixl.ki
- DNS ASK xw######hvjhtguxqywqssen.im
- DNS ASK mg####goolnprqj.nu
- DNS ASK xr####crdmbugdjd.ms
- DNS ASK oo######jrcalkgixouube.mn
- DNS ASK iy####ugdqnnpe.tj
- DNS ASK js###diypdk.nu
- DNS ASK cl######xdhqbpekrubhvf.ki
- DNS ASK al#######nxqjuwxnohxifsre.nu
- DNS ASK ol######lencshapoeoovmc.mu
- DNS ASK sm###jtovub.nf
- DNS ASK qb####eqencwq.mu
- DNS ASK wb######gwfkjblorpxqqe.sh
- DNS ASK or####uslwtvj.mu
- DNS ASK gn####dleuodri.tw
- DNS ASK vt######phuwcuoxpgkrdtgs.im
- DNS ASK jt###nnnvuo.tw
- DNS ASK pq###uwxtk.mn
- DNS ASK ne######iwquggkhwiihdoop.in
- DNS ASK fk######vjudbmnvwbwltp.sc
- DNS ASK ce####eltjmwgel.sh
