Technical Information
To ensure autorun and distribution
Sets the following service settings
- [<HKLM>\System\CurrentControlSet\Services\cgtonpaz] 'Start' = '00000002'
- [<HKLM>\System\CurrentControlSet\Services\cgtonpaz] 'ImagePath' = '%WINDIR%\SysWOW64\cgtonpaz\pwiversm.exe /d"<Full path to file>"'
- [<HKLM>\SYSTEM\CurrentControlSet\services\cgtonpaz] 'ImagePath' = '%WINDIR%\SysWOW64\cgtonpaz\pwiversm.exe'
Creates the following services
- 'cgtonpaz' %WINDIR%\SysWOW64\cgtonpaz\pwiversm.exe /d"<Full path to file>"
- 'cgtonpaz' %WINDIR%\SysWOW64\cgtonpaz\pwiversm.exe
Malicious functions
To complicate detection of its presence in the operating system,
adds antivirus exclusion with following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths] '%WINDIR%\SysWOW64\cgtonpaz' = '00000000'
Executes the following
- '%WINDIR%\syswow64\netsh.exe' advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="%WINDIR%\SysWOW64\svchost.exe" enable=yes>nul
Injects code into
the following system processes:
- %WINDIR%\syswow64\svchost.exe
Modifies file system
Creates the following files
- %TEMP%\pwiversm.exe
- %WINDIR%\syswow64\config\systemprofile:.repos
Moves the following files
- from %TEMP%\pwiversm.exe to %WINDIR%\syswow64\cgtonpaz\pwiversm.exe
Deletes itself.
Network activity
Connects to
- 'mi##########m.mail.protection.outlook.com':25
- 'mx##.aon.at':25
- 'mx##.ionos.com':25
- 'google.com':443
- 'dh###1.web.de':25
- 'mx#.#eznam.cz':25
- 'mx##.ionos.de':25
- 'mx.########ity.com.cust.hostedemail.com':25
- 'mx#.##etel.net.uk':25
- 'ex####l.bigpond.com':25
- 'm.###tube.com':443
- 'ma##.giogio.it':25
- 'mx###.##il.am0.yahoodns.net':25
- 'go##le.de':443
- 'ye#####.##il.protection.outlook.com':25
- 'mx.####ndecorreo.com':25
- 'mx##.mail.com':25
- 'gi##io.com':25
- 'ma###.##mebrightmail.com':25
- 'ma####.goosebox.net':25
- 'mx##.###g.kundenserver.de':25
- 'mx##.schlund.de':25
- 'ci####.macbay.de':25
- 'dh####.emig.gmx.net':25
- 'bing.com':443
- 'mx#######a02.gslb.pphosted.com':25
- 'ma##.iwt.ch':25
- 'sm###.wuerth.com':25
- 'ma##.####sallureclothing.com':25
- 'ch#####.kazancity.net':25
- 'mx.##finito.it':25
- 'mx#.#omcast.net':25
- 'na#.###.#rotection.outlook.com':25
- 'mx.#####.#e.cust.b.hostedemail.com':25
- 'mx##.#mig.gmx.net':25
- 'mx.##a.untd.com':25
- 'ff######x-vip2.prodigy.net':25
- 'cm######1.mail.tiscali.it':25
- 'mx###.upcmail.net':25
- 'mx########in-ch.hdb-cs04.ellb.ch':25
- 'mx##.##ndenserver.de':25
- 'co######.rz.unibw-muenchen.de':25
- 'go##le.ca':443
- 'au##.###.np.ac.playstation.net':443
- 'ya##ex.com':443
- 'bi###y.edu.my':443
- 'mx.#########y.com.cust.a.hostedemail.com':25
- 'ef#######.registrar-servers.com':25
- 'mx####.##il.gm0.yahoodns.net':25
- 'mx.#p.pl':25
- 'sm#####.hosting.orange.pl':25
- 'as####.googlemail.com':25
- 'mt##.##0.yahoodns.net':25
- 'mx#.###322-70.iphmx.com':25
- 'ma##.#mailertr.com':25
- 'mx.#len.pl':25
- 'em##.freenet.de':25
- 'aspmx.l.google.com':25
- 'ag######.onlineagency.com':25
- 'mx##.#-online.de':25
- 'mx.##teria.pl':25
- 'fa###ool.xyz':10060
- 'br######.##il.protection.outlook.com':25
- 'mx.###zta.onet.pl':25
- 'mx#.##avis99.com':25
- 'de###twax.ru':487
- 'de###twax.ru':443
- 'sm##.##cureserver.net':25
- 'af######.##il.protection.outlook.com':25
- 'mx.##lktalk.net':25
- 'fm#.#reemail.hu':25
- 'mx.##.##mail.iss.as9143.net':25
- 'mx.##.#tinternet.com':25
- 'pk#####.#sg.pkvw.co.charter.net':25
- 'mx##.##.bkk1.cloud.z.com':25
- 'ca############hio-us.mail.protection.outlook.com':25
- 'ma##.gio.it':25
- 'google.com':80
- '5.##.37.41':431
- '21#.#27.140.23':431
- '19#.#6.146.41':431
- '95.##6.195.92':431
- '19#.#6.146.43':431
- '19#.#6.146.42':431
- '_d####.####1696e029.manekinekoclub.com':25
- 'cx#.##.#.cloudfilter.net':25
- 'sh########l.mx.a.cloudfilter.net':25
- 'ma##.#rermail.com':25
- 'ALT2.ASPMX.L.GOOGLE.COM':25
- 'tw#####rsbrewery.co.uk':25
- 'ma##.#upereva.it':25
- 'vi#######mx-gateway.terra.com':25
- 'go###e.co.in':443
TCP
HTTP GET requests
- http://www.google.com/
Other
- 'de###twax.ru':443
- 'ma###.##mebrightmail.com':25
- 'mx.####ndecorreo.com':25
- 'ye#####.##il.protection.outlook.com':25
- 'go##le.de':443
- '_d####.####1696e029.manekinekoclub.com':25
- 'mx###.##il.am0.yahoodns.net':25
- 'co####t.google.de':443
- 'm.###tube.com':443
- 'ma##.giogio.it':25
- 'google.com':443
- 'mx##.##.bkk1.cloud.z.com':25
- 'mx#.#eznam.cz':25
- 'consent.google.com':443
- 'ci####.macbay.de':25
- 'au##.###.np.ac.playstation.net':443
- 'go##le.ca':443
- 'co####t.google.ca':443
- 'co######.rz.unibw-muenchen.de':25
- 'ff######x-vip2.prodigy.net':25
- 'na#.###.#rotection.outlook.com':25
- 'sm###.wuerth.com':25
- 'ma##.iwt.ch':25
- 'bing.com':443
- 'ef#######.registrar-servers.com':25
- 'ya##ex.com':443
- 'ma####.goosebox.net':25
- 'mx.##.#tinternet.com':25
- 'de###twax.ru':487
- 'mx.##teria.pl':25
- 'br######.##il.protection.outlook.com':25
- 'mx.###zta.onet.pl':25
- 'mx#.##avis99.com':25
- 'aspmx.l.google.com':25
- 'ag######.onlineagency.com':25
- 'ma##.#mailertr.com':25
- 'mx#.###322-70.iphmx.com':25
- 'mt##.##0.yahoodns.net':25
- 'as####.googlemail.com':25
- 'alt1.aspmx.l.google.com':25
- 'mx####.##il.gm0.yahoodns.net':25
- 'af######.##il.protection.outlook.com':25
- 'ALT2.ASPMX.L.GOOGLE.COM':25
- '21#.#27.140.23':431
- '19#.#6.146.42':431
- '19#.#6.146.43':431
- '19#.#6.146.41':431
- '5.##.37.41':431
- '95.##6.195.92':431
- 'tw#####rsbrewery.co.uk':25
- 'ca############hio-us.mail.protection.outlook.com':25
- 'bi###y.edu.my':443
- 'go###e.co.in':443
UDP
- DNS ASK mi##########m.mail.protection.outlook.com
- DNS ASK mx##.ionos.com
- DNS ASK wt##y.com
- DNS ASK te###planet.net
- DNS ASK consent.google.com
- DNS ASK ah#o.de
- DNS ASK ao#.at
- DNS ASK mx##.aon.at
- DNS ASK on##ne.de
- DNS ASK mx##.###g.kundenserver.de
- DNS ASK wu##bern.de
- DNS ASK mx##.schlund.de
- DNS ASK ci####.macbay.de
- DNS ASK mx########in-ch.hdb-cs04.ellb.ch
- DNS ASK wu###ele.info
- DNS ASK dh####.emig.gmx.net
- DNS ASK st#####rt-scorpions.de
- DNS ASK au##.###.np.ac.playstation.net
- DNS ASK go##le.ca
- DNS ASK un####muenchen.de
- DNS ASK co######.rz.unibw-muenchen.de
- DNS ASK co####t.google.ca
- DNS ASK wu####ndoerfer.de
- DNS ASK mx##.##ndenserver.de
- DNS ASK bl##mail.ch
- DNS ASK ws###ers.com
- DNS ASK wu##ker.org
- DNS ASK dh###1.web.de
- DNS ASK
- DNS ASK mx.####ndecorreo.com
- DNS ASK ye#.com
- DNS ASK ye#####.##il.protection.outlook.com
- DNS ASK go##le.de
- DNS ASK ty######.orangehome.co.uk
- DNS ASK sk#.com
- DNS ASK mx###.##il.am0.yahoodns.net
- DNS ASK co####t.google.de
- DNS ASK gi##io.it
- DNS ASK ma##.giogio.it
- DNS ASK ya##.com
- DNS ASK m.###tube.com
- DNS ASK mx#.#eznam.cz
- DNS ASK bi##ond.com
- DNS ASK ex####l.bigpond.com
- DNS ASK ty###biz.com
- DNS ASK ty###inc.com
- DNS ASK on##el.net
- DNS ASK mx#.##etel.net.uk
- DNS ASK wr###sen.com
- DNS ASK mx.########ity.com.cust.hostedemail.com
- DNS ASK wr###kong.com
- DNS ASK mx##.ionos.de
- DNS ASK se##am.cz
- DNS ASK sc###ht19.de
- DNS ASK sw###online.ch
- DNS ASK mx###.upcmail.net
- DNS ASK ka###ail.com
- DNS ASK iw#.ch
- DNS ASK ma##.iwt.ch
- DNS ASK ly##s.it
- DNS ASK ma##.com
- DNS ASK gs#.com
- DNS ASK mx#######a02.gslb.pphosted.com
- DNS ASK ne##ero.net
- DNS ASK ho##ai.com
- DNS ASK rv###hools.net
- DNS ASK cb###ools.net
- DNS ASK wy###-wnendt.de
- DNS ASK in###ronik.org
- DNS ASK bing.com
- DNS ASK ya##ex.com
- DNS ASK sh####rdschools.net
- DNS ASK lo####oodsny.org
- DNS ASK ha####kschools.net
- DNS ASK on#.com
- DNS ASK xb##g.org
- DNS ASK go###e.co.in
- DNS ASK me#.de
- DNS ASK tr###email.de
- DNS ASK xe##tiv.com
- DNS ASK nb###ools.net
- DNS ASK ho#####ublicschools.net
- DNS ASK sm###.wuerth.com
- DNS ASK wu##th.com
- DNS ASK ma##.####sallureclothing.com
- DNS ASK at#.net
- DNS ASK ff######x-vip2.prodigy.net
- DNS ASK ol##o.net
- DNS ASK ne##ero.com
- DNS ASK mx.##a.untd.com
- DNS ASK ep##t.de
- DNS ASK ly##s.de
- DNS ASK mx.#####.#e.cust.b.hostedemail.com
- DNS ASK my##er.at
- DNS ASK vo####ht-bissig.de
- DNS ASK mx##.#mig.gmx.net
- DNS ASK cm######1.mail.tiscali.it
- DNS ASK wi###wslive.com
- DNS ASK co##ast.net
- DNS ASK mx#.#omcast.net
- DNS ASK in##nito.it
- DNS ASK mx.##finito.it
- DNS ASK in##ria.eu
- DNS ASK wy#s.de
- DNS ASK wy###itness.com
- DNS ASK ju##y.it
- DNS ASK ka###city.net
- DNS ASK ch#####.kazancity.net
- DNS ASK fa#####lureclothing.com
- DNS ASK na#.###.#rotection.outlook.com
- DNS ASK sp###vert.com
- DNS ASK du####schools.net
- DNS ASK mx##.mail.com
- DNS ASK gi##io.com
- DNS ASK on#t.eu
- DNS ASK on#t.pl
- DNS ASK op.pl
- DNS ASK em###ertr.com
- DNS ASK ma##.#mailertr.com
- DNS ASK he####partners.com
- DNS ASK mx#.###322-70.iphmx.com
- DNS ASK tw###oes.org.uk
- DNS ASK ro###tmail.com
- DNS ASK mt##.##0.yahoodns.net
- DNS ASK tw####rtplanks.com
- DNS ASK or##ge.pl
- DNS ASK af######.##il.protection.outlook.com
- DNS ASK sm#####.hosting.orange.pl
- DNS ASK ma###group.com
- DNS ASK alt1.aspmx.l.google.com
- DNS ASK wp.pl
- DNS ASK mx.#p.pl
- DNS ASK ne###ape.net
- DNS ASK mx####.##il.gm0.yahoodns.net
- DNS ASK tw####othdesign.com
- DNS ASK fo##a.com
- DNS ASK sm##.##cureserver.net
- DNS ASK af##.com
- DNS ASK mx.#len.pl
- DNS ASK as####.googlemail.com
- DNS ASK o2.pl
- DNS ASK br##.org
- DNS ASK de###twax.ru
- DNS ASK 19#.###.#11.95.dnsbl.sorbs.net
- DNS ASK 19#.###.#11.95.bl.spamcop.net
- DNS ASK po###aust.com
- DNS ASK 19#.###.#11.95.zen.spamhaus.org
- DNS ASK mx#.##avis99.com
- DNS ASK 19#.###.##1.95.sbl-xbl.spamhaus.org
- DNS ASK tw####dsofmark.com
- DNS ASK 19#.###.#11.95.cbl.abuseat.org
- DNS ASK po###a.onet.pl
- DNS ASK mx.###zta.onet.pl
- DNS ASK br######.##il.protection.outlook.com
- DNS ASK fr##net.de
- DNS ASK fa###ool.xyz
- DNS ASK in##ria.pl
- DNS ASK mx.##teria.pl
- DNS ASK ie.###xtronics.com
- DNS ASK t-##line.de
- DNS ASK mx##.#-online.de
- DNS ASK 19#.###.211.95.in-addr.arpa
- DNS ASK tw####erstravel.com
- DNS ASK ag######.onlineagency.com
- DNS ASK bs###tholic.org
- DNS ASK aspmx.l.google.com
- DNS ASK em##.freenet.de
- DNS ASK ta###alk.net
- DNS ASK mx.##lktalk.net
- DNS ASK fr##mail.hu
- DNS ASK pk#####.#sg.pkvw.co.charter.net
- DNS ASK bt###ernet.com
- DNS ASK mx.##.#tinternet.com
- DNS ASK su####resins.co.uk
- DNS ASK vi##in.net
- DNS ASK mx.##.##mail.iss.as9143.net
- DNS ASK tw######y4.wanadoo.co.uk
- DNS ASK tx###ehound.com
- DNS ASK tx###levate.com
- DNS ASK te##a.com
- DNS ASK mx##.##.bkk1.cloud.z.com
- DNS ASK kc.#r.com
- DNS ASK vi#######mx-gateway.terra.com
- DNS ASK tx.#r.com
- DNS ASK tx###upply.com
- DNS ASK mx.#########y.com.cust.a.hostedemail.com
- DNS ASK tx###labs.com
- DNS ASK bi###y.edu.my
- DNS ASK tx###dedays.com
- DNS ASK go###box.net
- DNS ASK ma####.goosebox.net
- DNS ASK ty##nit.com
- DNS ASK ma###.##mebrightmail.com
- DNS ASK tx###chkins.com
- DNS ASK ef#######.registrar-servers.com
- DNS ASK mu###mthai.com
- DNS ASK ca############hio-us.mail.protection.outlook.com
- DNS ASK ca#####countyohio.us
- DNS ASK fr##mail.it
- DNS ASK ma##.#upereva.it
- DNS ASK tw#####rsbrewery.co.uk
- DNS ASK le###rs6-12.org
- DNS ASK ALT2.ASPMX.L.GOOGLE.COM
- DNS ASK be#####rkconnector.com
- DNS ASK er###ail.com
- DNS ASK ma##.#rermail.com
- DNS ASK tw###rns.net
- DNS ASK sh#w.ca
- DNS ASK sh########l.mx.a.cloudfilter.net
- DNS ASK fm#.#reemail.hu
- DNS ASK ww#.com
- DNS ASK co#.net
- DNS ASK cx#.##.#.cloudfilter.net
- DNS ASK ma####nekoclub.com
- DNS ASK _d####.####1696e029.manekinekoclub.com
- DNS ASK fs##il.net
- DNS ASK g.##il.it
- DNS ASK g.##ilit
- DNS ASK google.com
- DNS ASK gi#.it
- DNS ASK ma##.gio.it
- DNS ASK al#####omebuyers.com
- DNS ASK ir##and.com
- DNS ASK em##l.com
- DNS ASK pi##m.net
Miscellaneous
Creates and executes the following
- '%WINDIR%\syswow64\cgtonpaz\pwiversm.exe' /d"<Full path to file>"
- '%WINDIR%\syswow64\cmd.exe' /C mkdir %WINDIR%\SysWOW64\cgtonpaz\' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /C move /Y "%TEMP%\pwiversm.exe" %WINDIR%\SysWOW64\cgtonpaz\' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' create cgtonpaz binPath= "%WINDIR%\SysWOW64\cgtonpaz\pwiversm.exe /d\"<Full path to file>\"" type= own start= auto DisplayName= "wifi support"' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' description cgtonpaz "wifi internet conection"' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' start cgtonpaz' (with hidden window)
- '%WINDIR%\syswow64\netsh.exe' advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="%WINDIR%\SysWOW64\svchost.exe" enable=yes>nul' (with hidden window)
Executes the following
- '%WINDIR%\syswow64\cmd.exe' /C mkdir %WINDIR%\SysWOW64\cgtonpaz\
- '%WINDIR%\syswow64\cmd.exe' /C move /Y "%TEMP%\pwiversm.exe" %WINDIR%\SysWOW64\cgtonpaz\
- '%WINDIR%\syswow64\sc.exe' create cgtonpaz binPath= "%WINDIR%\SysWOW64\cgtonpaz\pwiversm.exe /d\"<Full path to file>\"" type= own start= auto DisplayName= "wifi support"
- '%WINDIR%\syswow64\sc.exe' description cgtonpaz "wifi internet conection"
- '%WINDIR%\syswow64\sc.exe' start cgtonpaz
- '%WINDIR%\syswow64\svchost.exe'
- '%WINDIR%\syswow64\svchost.exe' -o fastpool.xyz:10060 -u 9rLbTvsApFs3i3ojk5hDKicMNRQbxxFGwJA2hNC6NoZZDQN5tTFbhviFm4W3koxSrPg87Lnif7qxFYh9xpTJz1cT6B17Ph4.50000 -p x -k -a cn/half
