Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'MciGkrwk' = '<LS_APPDATA>\eyqtaont\mcigkrwk.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Userinit' = '<SYSTEM32>\userinit.exe,,<LS_APPDATA>\eyqtaont\mcigkrwk.exe'
Creates or modifies the following files:
- %HOMEPATH%\Start Menu\Programs\Startup\mcigkrwk.exe
Malicious functions:
To bypass firewall, removes or modifies the following registry keys:
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'DisableNotifications' = '00000001'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'DoNotAllowExceptions' = '00000000'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'EnableFirewall' = '00000000'
To complicate detection of its presence in the operating system,
blocks the following features:
- User Account Control (UAC)
- Windows Security Center
Creates and executes the following:
- %TEMP%\ekdbmtyq.exe admin
- %TEMP%\ekdbmtyq.exe elevate
Executes the following:
- <SYSTEM32>\svchost.exe
Hooks the following functions in System Service Descriptor Table (SSDT):
- NtOpenKey, handler: tqgnnosw.sys
- NtCreateKey, handler: tqgnnosw.sys
Modifies file system :
Creates the following files:
- %TEMP%\tqgnnosw.sys
- %WINDIR%\Temp\6decd52f
- %WINDIR%\Temp\7fffffb1
- <LS_APPDATA>\eyqtaont\mcigkrwk.exe
- %TEMP%\ekdbmtyq.exe
- %ALLUSERSPROFILE%\Application Data\bjdwbfvf.log
- <LS_APPDATA>\niuydqre.log
Sets the 'hidden' attribute to the following files:
- %HOMEPATH%\Start Menu\Programs\Startup\mcigkrwk.exe
Deletes the following files:
- %TEMP%\tqgnnosw.sys
Network activity:
Connects to:
- 'tf###oingy.com':443
- 'ji####yxjibyd.com':443
- 'ht#####rhtchwlhwklf.com':443
- '74.##5.232.51':80
- 'ou###vkvn.com':443
- 'sn#####gcwgaafbtqkt.com':443
- 'ti####axvmhsxtk.com':443
- 'uk####gdbdkd.com':443
- 'sw###olov.com':443
- 'cx#####efolgkokdqy.com':443
- 'kh#####kbwhfdiufhaj.com':443
UDP:
- DNS ASK ya###fejdxs.com
- DNS ASK pg###yurf.com
- DNS ASK ye#####bbprvybwqn.com
- DNS ASK pu#####fuxgquhguye.com
- DNS ASK oc###ffwnj.com
- DNS ASK tf####kcgigiey.com
- DNS ASK ld####dyyxacm.com
- DNS ASK xw####iqjdsxk.com
- DNS ASK ku###xnntsk.com
- DNS ASK pp####dwufrb.com
- DNS ASK ls#####qxvmogvxifm.com
- DNS ASK sp####davslss.com
- DNS ASK sj###aml.com
- DNS ASK hc###nlr.com
- DNS ASK hn#####vhxvuoeuap.com
- DNS ASK de###mdyvt.com
- DNS ASK mf###hnjp.com
- DNS ASK bx###oxw.com
- DNS ASK cp#####hyrueqcyxnvo.com
- DNS ASK gv###sip.com
- DNS ASK jp####bipilmwsc.com
- DNS ASK ga###slj.com
- DNS ASK nc#####piawmchfylsy.com
- DNS ASK tf###oingy.com
- DNS ASK ji####yxjibyd.com
- DNS ASK ht#####rhtchwlhwklf.com
- DNS ASK google.com
- DNS ASK ou###vkvn.com
- DNS ASK sn#####gcwgaafbtqkt.com
- DNS ASK ti####axvmhsxtk.com
- DNS ASK uk####gdbdkd.com
- DNS ASK sw###olov.com
- DNS ASK cx#####efolgkokdqy.com
- DNS ASK kh#####kbwhfdiufhaj.com
- DNS ASK mu####pvxvrq.com
- DNS ASK go#####vwvgqlretxd.com
- DNS ASK em#####wjuvvsvrwj.com
- DNS ASK vo###yqdinl.com
- DNS ASK du#####abkuappgqxhp.com
- DNS ASK vw####yyutodtr.com
- DNS ASK ca###lnlrou.com
- DNS ASK ub####qslhqyy.com
- DNS ASK qb###pyyooh.com
- DNS ASK nv###npx.com
- DNS ASK vr####jxorlyen.com
Miscellaneous:
Searches for the following windows:
- ClassName: 'Indicator' WindowName: ''
