Technical Information
To ensure autorun and distribution
Creates or modifies the following files
- <SYSTEM32>\tasks\firefox default browser agent f9fcfea136f93254
- %APPDATA%\microsoft\windows\start menu\programs\startup\svchostsw.exe
Malicious functions
Downloads and executes
- (http://19#.#6.146.55/ru+nti+m+ebr+oke+r.exe
Searches for windows to
detect analytical utilities:
- ClassName: 'RegmonClass', WindowName: ''
- ClassName: 'FilemonClass', WindowName: ''
- ClassName: 'PROCMON_WINDOW_CLASS', WindowName: ''
Modifies file system
Creates the following files
- %APPDATA%\diuffhr
- %APPDATA%\wjwtwvr
- %TEMP%\93d5.exe
- %TEMP%\9ae8.exe
- %ALLUSERSPROFILE%\runtimebroker.exe
- %TEMP%\a95a.exe
- %TEMP%\s.bat
- %TEMP%\e39d.exe
- %TEMP%\fa2a.exe
- %TEMP%\a95a.exe.pid
Sets the 'hidden' attribute to the following files
- %APPDATA%\diuffhr
- %APPDATA%\wjwtwvr
Deletes itself.
Network activity
Connects to
- '91.##1.19.52':80
- 'im###nivii.ro':443
- 'av##io.com':443
- 'ja#####cruitment.com':443
- '12###min.com':443
- 'po####cgroup.com':80
- 'yo####ngapore.net':443
- 'sa######io-taxattorney.com':80
- 'it####port.design':443
- 'th###nemill.com':443
- 'mj####isfineart.com':443
- 'do####tton.co.uk':443
- 'cu###mrs.com':443
- 'mz#.ro':443
- 'in#####shealthgroup.com':443
- 'vi#####lanetaazul.com':443
- 'dr#####atthepark.com':443
- 'ko##u.com':443
- 'ru##35.com':443
- 'sa######ille-de-pierre.com':80
- 'ba#####scannertest.com':443
- 'wi###ayings.com':443
- 'sp####nspeaks.com':443
- 're######ogsbestfriend.com':80
- 'pr######edicalbaldwin.com':443
- 'we###mesday.com':443
- 'al######munesciences.com':443
- 'im######nesmillenium.com':443
- 'yo####ingparents.ca':443
- 'ti####staphorst.nl':443
- 'bu###china.ru':80
- 'sa###jja.com':80
- 'un####salfilm.no':443
- 'au####tisch-ms.com':80
- 'mo####hat.network':80
- 'te###cube.com':443
- 'ar####dlauveng.no':443
- 'vi###rium.com':443
- 'th####llective.com':80
- 'si####dochina.com':443
- 'pa#####llistanbul.org':443
- 'ag###lcr.com':80
- 'az###anit.ro':443
- 'eg####etworks.ch':443
- 'te##.####lpensiongribnitz.de':443
- 'ri####ront.com.sg':443
- 'vi###screen.com':443
- 'bl###r-net.com':80
- 'ea#####chofchrist.org':443
- 'st######ressurewashers.com':80
- 'me######ntiagingcenter.gr':443
- 'pb###ogue.com':443
- 'fl###nchiuta.ro':80
- 'te###edwolf.it':443
- 'ke####evexias.gr':80
- 'ca#####nreplicah.com':443
- 'lu####ygyorgy.hu':443
- 'sm####eads.com.au':443
- 'se#####antrappa.com.ar':80
- 'me####aycati.com':80
- 'fe###ghters.com':443
- 'ta###ile.org':443
- 'pe###design.com':443
- 'pi########iri.istanbulpimapen.com':80
- 'je####ylpools.com':80
- 'do###rdz.com':443
- 'ko####-lovers.nl':443
- 'pr####products.com':80
- 'jo####irsoft.com':443
- '2s##dp.com':80
- 'ca####roducts.com':80
- 'tr###hdoc.com':80
- 'as######namericagroup.com':80
- 'ic####idirene.it':80
- 'gr###axi24.ru':443
- 'vn#.gr':443
- 'tu##n.co.uk':443
- 'ol###athey.com':80
- 'ga###edia.pt':443
- 'hb##ub.org':443
- 'pr###b365.com':443
- 'ne##1.it':443
- 'st###tyoga.dk':443
- 'bu####oylemez.com':443
- 'de####osting.com':443
- 'ka##########ndholidayaccommodation.com.au':443
- 'mu####xdecosse.com':443
- 'au##.org.au':443
- 'un####nshirts.net':443
- 'au####audience.com':443
- 'te#####gwithfaith.com':443
- 'mi###fin.com':443
- 'fi#####einnportland.com':80
- 'pe###ntal.com':443
- 'oa##sng.com':443
- 'mo####auquebec.org':443
- 'mo####abitudes.com':443
- 'su#####mountainecho.com':443
- 'ha#####lo-lamberia.hu':443
- 'mo###file.com':80
- 'ja####demaria.es':443
- 'kc##.com.tr':443
- 'du########ngmelbournewide.com.au':443
- 'cc###ste.com':443
- 'mo####inistries.com':443
- 'kr####distro.com':443
- 'mi####ills.training':443
- '19#.#6.146.55':80
- '18#.#91.34.170':8888
- 'so##or.nu':443
- 'ek###mifokus.se':443
- 'zo####hotels.com':80
- 'ho####danhcongi.com':443
- '1-####njurylaw.com':443
- 'ph####lopers.com':443
- 'hi###peak.com':443
- 'he#####bilyazilim.com':443
- 'is####erakkurt.com':80
- 'in#####umnaswami.com':443
- 'ro##ar.nl':443
- 'he###maid.ca':443
- 'ek##ezi.rs':443
- '1k#k.ru':80
- 'ha##acun.at':443
- 'bv####efabeton.com':80
- 'dr###web15.com':443
- 'ma###bet.org':443
- 'an###amez.com':443
- 'un#######o-entrepreneurs.com':80
- 'be###barhue.com':80
- 'ja#####eartcentre.com':80
- 'no####igreja.com':443
- 'yo####oksoutlet.com':443
- 'hi####adacademy.com':443
- 'ho##lab.com':443
- 'un###ybike.com':80
- '23###esfarm.com':443
- 'ad###parke.com':443
- 'se###ency.com':443
- 'ce######aoutdoorshow.com':80
- 'ka####lorizo.com':443
- 'la##hoo.com':80
- 'pa###oyal.com':80
- '39###.eu.org':80
- 'as###log.com':443
- 'an####.pa.gov.br':443
- 'ag###iena.lt':443
- 'to####display.co.uk':80
- 'sw##n.ca':443
- 'ta######placement.com.br':443
- 'an####renor2020.ro':443
- 'ft####tallab.com':80
- 're#####ionmanagers.com':80
- 'zo###edesign.gr':80
- 'ci##ig.com':443
- 'sc####egamelab.org':80
- 'fo######houghtcaterers.com':80
- 'ro###dintate.ro':80
- 'pa######atingandcooling.com':443
- 'ft##cd.com':80
- 'sp####mowerusa.com':443
- 'mr###rew1.com':443
- 'un####ulkinta.store':443
- 'tr##ogia.mx':80
- 'de##l.ie':443
- 'te##.####lpensiongribnitz.de':80
- 'ma###tnazeny.sk':443
- 'am####doshomens.com':443
- 'c2###mputer.com':443
TCP
HTTP GET requests
- http://re#####listforjuly2.xyz/reestr.exe
- http://18#.##1.34.170:8888/bots/chkVersion?cu#################### via 18#.#91.34.170
- http://18#.##1.34.170:8888/project/active via 18#.#91.34.170
- http://18#.##1.34.170:8888/gw?wo########## via 18#.#91.34.170
- http://18#.##1.34.170:8888/gw?wo##### via 18#.#91.34.170
HTTP POST requests
- http://re#####listforjuly2.xyz/
Other
- 'in#####umnaswami.com':443
- 'th###nemill.com':443
- 'mj####isfineart.com':443
- 'it####port.design':443
- 'im###nivii.ro':443
- 'te###cube.com':443
- 'ba#####scannertest.com':443
- 'ru##35.com':443
- 'av##io.com':443
- 'ja#####cruitment.com':443
- 'wi###ayings.com':443
- 'tu##n.co.uk':443
- 'ko####-lovers.nl':443
- 'st###tyoga.dk':443
- 'do###rdz.com':443
- '12###min.com':443
- 'pa#####llistanbul.org':443
- 'in#####shealthgroup.com':443
- 'mz#.ro':443
- 'ko##u.com':443
- 'vi#####lanetaazul.com':443
- 'im######nesmillenium.com':443
- 'si####dochina.com':443
- 'do####tton.co.uk':443
- 'ti####staphorst.nl':443
- 'vn#.gr':443
- '23###esfarm.com':443
- 'no####igreja.com':443
- 'pe###ntal.com':443
- 'un####nshirts.net':443
- 'ek##ezi.rs':443
- 'ho####danhcongi.com':443
- 'ek###mifokus.se':443
- 'hb##ub.org':443
- 'ta###ile.org':443
- 'pe###design.com':443
- 'bu####oylemez.com':443
- 'te###edwolf.it':443
- 'ri####ront.com.sg':443
- 'ea#####chofchrist.org':443
- 'fe###ghters.com':443
- 'pr###b365.com':443
- 'eg####etworks.ch':443
- '1-####njurylaw.com':443
- 'ga###edia.pt':443
- 'gr###axi24.ru':443
- 'jo####irsoft.com':443
- 'yo####ingparents.ca':443
- 'cu###mrs.com':443
- 'un####salfilm.no':443
- 'ma###tnazeny.sk':443
- 'dr###web15.com':443
- 'an###amez.com':443
- 'ja####demaria.es':443
- 'du########ngmelbournewide.com.au':443
- 'mo####abitudes.com':443
- 'ha#####lo-lamberia.hu':443
- 'su#####mountainecho.com':443
- 'he###maid.ca':443
- 'mi###fin.com':443
- 'oa##sng.com':443
- 'mo####auquebec.org':443
- 'au##.org.au':443
- 'au####audience.com':443
- 'kr####distro.com':443
- 'cc###ste.com':443
- 'ph####lopers.com':443
- 'ha##acun.at':443
- 'mi####ills.training':443
- 'ro##ar.nl':443
- 'hi###peak.com':443
- 'he#####bilyazilim.com':443
- 'ma###bet.org':443
- 'mo####inistries.com':443
- 'pr######edicalbaldwin.com':443
- 'ta######placement.com.br':443
- 'ho##lab.com':443
- 'vi###rium.com':443
- 'sp####nspeaks.com':443
- 'se###ency.com':443
- 'we###mesday.com':443
- 'al######munesciences.com':443
- 'ka##########ndholidayaccommodation.com.au':443
- 'de####osting.com':443
- 'an####.pa.gov.br':443
- 'ad###parke.com':443
- 'ka####lorizo.com':443
- 'hi####adacademy.com':443
- 'sw##n.ca':443
- 'as###log.com':443
- 'ag###iena.lt':443
- 'am####doshomens.com':443
- 'mr###rew1.com':443
- 'un####ulkinta.store':443
- 'de##l.ie':443
- 'pa######atingandcooling.com':443
- 'ci##ig.com':443
- 'ar####dlauveng.no':443
- 'st###mxxx.tv':443
UDP
- DNS ASK re#####listforjuly1.xyz
- DNS ASK th####llective.com
- DNS ASK fl###ers.com
- DNS ASK wi###ayings.com
- DNS ASK pr###b365.com
- DNS ASK ok####vh-dizain.by
- DNS ASK si####dochina.com
- DNS ASK ta###ile.org
- DNS ASK eg####etworks.ch
- DNS ASK pb###ogue.com
- DNS ASK pi########iri.istanbulpimapen.com
- DNS ASK vi###rium.com
- DNS ASK ba#####scannertest.com
- DNS ASK st######ressurewashers.com
- DNS ASK av##io.com
- DNS ASK fe###ghters.com
- DNS ASK dr#####atthepark.com
- DNS ASK 12###min.com
- DNS ASK te###edwolf.it
- DNS ASK it####port.design
- DNS ASK du##a.pl
- DNS ASK mo###koddee.com
- DNS ASK la##hoo.com
- DNS ASK ea#####chofchrist.org
- DNS ASK 2s##dp.com
- DNS ASK pa###oyal.com
- DNS ASK 39###.eu.org
- DNS ASK un###ybike.com
- DNS ASK yo####ingparents.ca
- DNS ASK tr###hdoc.com
- DNS ASK sp####nspeaks.com
- DNS ASK we###mesday.com
- DNS ASK al######munesciences.com
- DNS ASK te###cube.com
- DNS ASK gr###axi24.ru
- DNS ASK ar####dlauveng.no
- DNS ASK bu###china.ru
- DNS ASK as######namericagroup.com
- DNS ASK ti####staphorst.nl
- DNS ASK sa###jja.com
- DNS ASK ga###edia.pt
- DNS ASK au####tisch-ms.com
- DNS ASK un####salfilm.no
- DNS ASK hb##ub.org
- DNS ASK pr######edicalbaldwin.com
- DNS ASK mo####hat.network
- DNS ASK im######nesmillenium.com
- DNS ASK th###nemill.com
- DNS ASK ca####roducts.com
- DNS ASK ar####working.com
- DNS ASK ch######nisme-interieur.org
- DNS ASK re######erg-ballistics.com
- DNS ASK bl###r-net.com
- DNS ASK ci####nvesaire.com
- DNS ASK be##du.com
- DNS ASK bu####oylemez.com
- DNS ASK st###mxxx.tv
- DNS ASK ca#####nreplicah.com
- DNS ASK ke##cat.com
- DNS ASK la###iosa.es
- DNS ASK me######ntiagingcenter.gr
- DNS ASK lu####ygyorgy.hu
- DNS ASK se######esapamente-cluj.ro
- DNS ASK ll#####okemotors.com
- DNS ASK da###purves.com
- DNS ASK tw##to.com
- DNS ASK wi####hinking.com
- DNS ASK pr#####healthclub.com
- DNS ASK se#####antrappa.com.ar
- DNS ASK c2###mputer.com
- DNS ASK do####tton.co.uk
- DNS ASK 3s###cing.com
- DNS ASK fa###ufoods.com
- DNS ASK jo####irsoft.com
- DNS ASK in#####shealthgroup.com
- DNS ASK li####tickers.com
- DNS ASK sa######ille-de-pierre.com
- DNS ASK ko####-lovers.nl
- DNS ASK do###rdz.com
- DNS ASK pr####products.com
- DNS ASK pe###design.com
- DNS ASK mz#.ro
- DNS ASK tm####sioclinic.com
- DNS ASK ic####idirene.it
- DNS ASK vn#.gr
- DNS ASK ge###isink.com
- DNS ASK ol###athey.com
- DNS ASK fl###nchiuta.ro
- DNS ASK sm####eads.com.au
- DNS ASK vi###screen.com
- DNS ASK me####aycati.com
- DNS ASK tu##n.co.uk
- DNS ASK st###tyoga.dk
- DNS ASK ri####ront.com.sg
- DNS ASK ka####lorizo.com
- DNS ASK se###ency.com
- DNS ASK 23###esfarm.com
- DNS ASK ft##cd.com
- DNS ASK cc###ste.com
- DNS ASK mi###fin.com
- DNS ASK po####cgroup.com
- DNS ASK au##.org.au
- DNS ASK sa######io-taxattorney.com
- DNS ASK te#####gwithfaith.com
- DNS ASK au####audience.com
- DNS ASK kc##.com.tr
- DNS ASK re#####ionmanagers.com
- DNS ASK ha##acun.at
- DNS ASK oa##sng.com
- DNS ASK pe###ntal.com
- DNS ASK mo####auquebec.org
- DNS ASK ja####demaria.es
- DNS ASK mo####abitudes.com
- DNS ASK ha#####lo-lamberia.hu
- DNS ASK su#####mountainecho.com
- DNS ASK mo###file.com
- DNS ASK an####.pa.gov.br
- DNS ASK un####nshirts.net
- DNS ASK fi#####einnportland.com
- DNS ASK ek##ezi.rs
- DNS ASK zo####hotels.com
- DNS ASK ph####lopers.com
- DNS ASK yo####ngapore.net
- DNS ASK im###nivii.ro
- DNS ASK is####erakkurt.com
- DNS ASK ek###mifokus.se
- DNS ASK ru##35.com
- DNS ASK so##or.nu
- DNS ASK mi####ills.training
- DNS ASK mu####xdecosse.com
- DNS ASK dr###web15.com
- DNS ASK re#####listforjuly2.xyz
- DNS ASK ja#####cruitment.com
- DNS ASK ho####danhcongi.com
- DNS ASK in#####umnaswami.com
- DNS ASK hi###peak.com
- DNS ASK he#####bilyazilim.com
- DNS ASK ro##ar.nl
- DNS ASK 1k#k.ru
- DNS ASK he###maid.ca
- DNS ASK kr####distro.com
- DNS ASK 1-####njurylaw.com
- DNS ASK bv####efabeton.com
- DNS ASK du########ngmelbournewide.com.au
- DNS ASK de##l.ie
- DNS ASK tr##ogia.mx
- DNS ASK te##.####lpensiongribnitz.de
- DNS ASK to####display.co.uk
- DNS ASK de####osting.com
- DNS ASK je####ylpools.com
- DNS ASK un#######o-entrepreneurs.com
- DNS ASK as###log.com
- DNS ASK mr###rew1.com
- DNS ASK sp####mowerusa.com
- DNS ASK un####ulkinta.store
- DNS ASK ag###iena.lt
- DNS ASK ce######aoutdoorshow.com
- DNS ASK hi####adacademy.com
- DNS ASK ad###parke.com
- DNS ASK fo######houghtcaterers.com
- DNS ASK ho##lab.com
- DNS ASK ka##########ndholidayaccommodation.com.au
- DNS ASK re######ogsbestfriend.com
- DNS ASK be###barhue.com
- DNS ASK ja#####eartcentre.com
- DNS ASK no####igreja.com
- DNS ASK ke####evexias.gr
- DNS ASK am####doshomens.com
- DNS ASK ma###tnazeny.sk
- DNS ASK mj####isfineart.com
- DNS ASK an###amez.com
- DNS ASK ma###bet.org
- DNS ASK vi#####lanetaazul.com
- DNS ASK sw##n.ca
- DNS ASK ta######placement.com.br
- DNS ASK zo###edesign.gr
- DNS ASK cu###mrs.com
- DNS ASK pa######atingandcooling.com
- DNS ASK mo####inistries.com
- DNS ASK an####renor2020.ro
- DNS ASK ne##1.it
- DNS ASK yo####oksoutlet.com
- DNS ASK pa#####llistanbul.org
- DNS ASK ft####tallab.com
- DNS ASK ko##u.com
- DNS ASK az###anit.ro
- DNS ASK ro###dintate.ro
- DNS ASK sc####egamelab.org
- DNS ASK ag###lcr.com
- DNS ASK ci##ig.com
- DNS ASK so####uplifted.com
- DNS ASK hm##.####melhorqueontem.com.br
Miscellaneous
Searches for the following windows
- ClassName: 'Registry Monitor - Sysinternals: www.sysinternals.com' WindowName: ''
- ClassName: '18467-41' WindowName: ''
- ClassName: 'File Monitor - Sysinternals: www.sysinternals.com' WindowName: ''
- ClassName: 'Process Monitor - Sysinternals: www.sysinternals.com' WindowName: ''
Creates and executes the following
- '%TEMP%\93d5.exe'
- '%TEMP%\9ae8.exe'
- '%ALLUSERSPROFILE%\runtimebroker.exe'
- '%TEMP%\a95a.exe'
- '%TEMP%\e39d.exe'
- '%TEMP%\fa2a.exe'
- '%ALLUSERSPROFILE%\runtimebroker.exe' ' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /Q /C %LOCALAPPDATA%\Temp/s.bat' (with hidden window)
Executes the following
- '%WINDIR%\syswow64\cmd.exe' /Q /C %LOCALAPPDATA%\Temp/s.bat
