Technical Information
To ensure autorun and distribution
Modifies the following registry keys
- [<HKCU>\software\microsoft\windows\currentversion\run] 'KWsIEYoM.exe' = '%HOMEPATH%\mgokcMcw\KWsIEYoM.exe'
- [<HKLM>\software\Wow6432Node\microsoft\windows\currentversion\run] 'KakYEYAs.exe' = '%ALLUSERSPROFILE%\zyEIsEII\KakYEYAs.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Userinit' = '<SYSTEM32>\userinit.exe,%ALLUSERSPROFILE%\zyEIsEII\KakYEYAs.exe,'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Userinit' = 'userinit.exe,%ALLUSERSPROFILE%\zyEIsEII\KakYEYAs.exe,'
Sets the following service settings
- [<HKLM>\System\CurrentControlSet\Services\dcUIoMwo] 'Start' = '00000002'
- [<HKLM>\System\CurrentControlSet\Services\dcUIoMwo] 'ImagePath' = '%ALLUSERSPROFILE%\iqkMsYow\ycYEQEYo.exe'
Creates the following services
- 'dcUIoMwo' %ALLUSERSPROFILE%\iqkMsYow\ycYEQEYo.exe
Malicious functions
To complicate detection of its presence in the operating system,
forces the system hide from view:
- hidden files
- file extensions
blocks the following features:
- User Account Control (UAC)
Modifies file system
Creates the following files
- %HOMEPATH%\mgokcmcw\kwsieyom
- <Current directory>\wias.exe
- <Current directory>\osao.exe
- <Current directory>\rmcs.exe
- <Current directory>\eqms.exe
- <Current directory>\puis.exe
- <Current directory>\wwwu.exe
- <Current directory>\ccay.exe
- %TEMP%\tqyceswe.bat
- <Current directory>\zmge.ico
- %TEMP%\zmkgmuoy.bat
- %ALLUSERSPROFILE%\iwys.txt
- %TEMP%\biwiucec.bat
- <PATH_SAMPLE>
- %TEMP%\viucwuks.bat
- %WINDIR%\syswow64\config\systemprofile\mgokcmcw\kwsieyom
- %ALLUSERSPROFILE%\iqkmsyow\ycyeqeyo.exe
- %ALLUSERSPROFILE%\zyeiseii\kakyeyas.exe
- %HOMEPATH%\mgokcmcw\kwsieyom.exe
- %ALLUSERSPROFILE%\zyeiseii\kakyeyas
- <Current directory>\rmcq.exe
- <Current directory>\pcea.exe
Deletes the following files
- %TEMP%\viucwuks.bat
- %TEMP%\biwiucec.bat
- %TEMP%\zmkgmuoy.bat
- %TEMP%\tqyceswe.bat
- <Current directory>\ccay.exe
- <Current directory>\wwwu.exe
- <Current directory>\puis.exe
- <Current directory>\eqms.exe
- <Current directory>\rmcs.exe
- <Current directory>\osao.exe
- <Current directory>\wias.exe
- <Current directory>\rmcq.exe
Network activity
TCP
HTTP GET requests
- http://google.com/
UDP
- DNS ASK bl##k.io
- DNS ASK google.com
Miscellaneous
Searches for the following windows
- ClassName: '' WindowName: 'KWsIEYoM.exe'
- ClassName: '' WindowName: 'Microsoft Windows'
- ClassName: '' WindowName: 'KakYEYAs.exe'
Creates and executes the following
- '%HOMEPATH%\mgokcmcw\kwsieyom.exe'
- '%ALLUSERSPROFILE%\zyeiseii\kakyeyas.exe'
- '%ALLUSERSPROFILE%\iqkmsyow\ycyeqeyo.exe'
- '%WINDIR%\syswow64\reg.exe' add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1' (with hidden window)
- '%WINDIR%\syswow64\reg.exe' add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2' (with hidden window)
- '%WINDIR%\syswow64\reg.exe' add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f' (with hidden window)
Executes the following
- '%WINDIR%\syswow64\cmd.exe' /c "<PATH_SAMPLE>"
- '%WINDIR%\syswow64\reg.exe' add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
- '%WINDIR%\syswow64\reg.exe' add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
- '%WINDIR%\syswow64\reg.exe' add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
