Technical Information
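Registry changes that provide persistence (a Run-key value and a service entry, both pointing at the same executable; a service 'Start' value of 2 means the service is started automatically at boot):
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'Controls Cryptographic SPP Peer UPnP' = 'C:\whttiwbdcdoes\bfocjdksdku.exe'
- [<HKLM>\SYSTEM\ControlSet001\Services\Receiver Program Level Thread Location Workstation] 'ImagePath' = 'C:\whttiwbdcdoes\bfocjdksdku.exe'
- [<HKLM>\SYSTEM\ControlSet001\Services\Receiver Program Level Thread Location Workstation] 'Start' = '00000002'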
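Command lines (these appear to be processes that were started; in the first entry one executable in this folder is given the path of another as its argument):
- 'C:\whttiwbdcdoes\nkwkedqdo.exe' "c:\whttiwbdcdoes\bfocjdksdku.exe"
- 'C:\whttiwbdcdoes\bfocjdksdku.exe'
- 'C:\whttiwbdcdoes\bedhu2wndli1ikzqqkbu.exe'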
- C:\whttiwbdcdoes\bfocjdksdku.exe
- C:\whttiwbdcdoes\nkwkedqdo.exe
- C:\whttiwbdcdoes\bedhu2wndli1ikzqqkbu.exe
- %WINDIR%\whttiwbdcdoes\ngblzqp5hfx
- C:\whttiwbdcdoes\ngblzqp5hfx
- C:\whttiwbdcdoes\nkwkedqdo.exe
- C:\whttiwbdcdoes\bfocjdksdku.exe
- C:\whttiwbdcdoes\bedhu2wndli1ikzqqkbu.exe
- %WINDIR%\whttiwbdcdoes\ngblzqp5hfx
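Network connections (all to port 80; the '#' characters are masking applied to the domain names as published, so these entries cannot be matched literally in a blocklist or log search):
- 'le###demand.net':80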
- 'fi###hshout.net':80
- 'le###listen.net':80
- 'fi####demand.net':80
- 'pr####lybring.net':80
- 'sw###listen.net':80
- 'le###shout.net':80
- 'sw###bring.net':80
- 'fi####listen.net':80
- 'su####tlisten.net':80
- 'su####tdemand.net':80
- 'wi###rbring.net':80
- 'su####tbring.net':80
- 'fi###hbring.net':80
- 'le###bring.net':80
- 'wi###rshout.net':80
- 'su####tshout.net':80
- 'pr####lylisten.net':80
- 'ma####alshout.net':80
- 'se####station.net':80
- 'ma####aldemand.net':80
- 'se####lshout.net':80
- 'la###third.net':80
- 'se####object.net':80
- 'la####tation.net':80
- 'se###athird.net':80
- 'se####ldemand.net':80
- 'sw###shout.net':80
- 'pr####lyshout.net':80
- 'sw###demand.net':80
- 'pr####lydemand.net':80
- 'se####llisten.net':80
- 'ma####allisten.net':80
- 'se####lbring.net':80
- 'ma####albring.net':80
- 'wi###wshout.net':80
- 'la###shout.net':80
- 'si###ebring.net':80
- 'la###demand.net':80
- 'se###ashout.net':80
- 'mo####listen.net':80
- 'si####demand.net':80
- 'mo###rbring.net':80
- 'si####listen.net':80
- 'se####demand.net':80
- 'se####llabor.net':80
- 'ma####allabor.net':80
- 'se####lvalley.net':80
- 'ma####alvalley.net':80
- 'se####listen.net':80
- 'la###listen.net':80
- 'se###abring.net':80
- 'la###bring.net':80
- 'mo####demand.net':80
- 'wi###wbring.net':80
- 'pe####slisten.net':80
- 'po####leshout.net':80
- 'pe####sbring.net':80
- 'wi####demand.net':80
- 'pe####sshout.net':80
- 'wi####listen.net':80
- 'pe####sdemand.net':80
- 'mo####inshout.net':80
- 'mo####inbring.net':80
- 'po####lebring.net':80
- 'si###eshout.net':80
- 'mo###rshout.net':80
- 'mo####indemand.net':80
- 'po####ledemand.net':80
- 'mo####inlisten.net':80
- 'po####lelisten.net':80
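HTTP requests (every host is asked for the same path, /index.php; the request method is not shown):
- http://le###demand.net/index.php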
- http://fi###hshout.net/index.php
- http://le###listen.net/index.php
- http://fi####demand.net/index.php
- http://pr####lybring.net/index.php
- http://sw###listen.net/index.php
- http://le###shout.net/index.php
- http://sw###bring.net/index.php
- http://fi####listen.net/index.php
- http://su####tlisten.net/index.php
- http://su####tdemand.net/index.php
- http://wi###rbring.net/index.php
- http://su####tbring.net/index.php
- http://fi###hbring.net/index.php
- http://le###bring.net/index.php
- http://wi###rshout.net/index.php
- http://su####tshout.net/index.php
- http://pr####lylisten.net/index.php
- http://ma####alshout.net/index.php
- http://se####station.net/index.php
- http://ma####aldemand.net/index.php
- http://se####lshout.net/index.php
- http://la###third.net/index.php
- http://se####object.net/index.php
- http://la####tation.net/index.php
- http://se###athird.net/index.php
- http://se####ldemand.net/index.php
- http://sw###shout.net/index.php
- http://pr####lyshout.net/index.php
- http://sw###demand.net/index.php
- http://pr####lydemand.net/index.php
- http://se####llisten.net/index.php
- http://ma####allisten.net/index.php
- http://se####lbring.net/index.php
- http://ma####albring.net/index.php
- http://wi###wshout.net/index.php
- http://la###shout.net/index.php
- http://si###ebring.net/index.php
- http://la###demand.net/index.php
- http://se###ashout.net/index.php
- http://mo####listen.net/index.php
- http://si####demand.net/index.php
- http://mo###rbring.net/index.php
- http://si####listen.net/index.php
- http://se####demand.net/index.php
- http://se####llabor.net/index.php
- http://ma####allabor.net/index.php
- http://se####lvalley.net/index.php
- http://ma####alvalley.net/index.php
- http://se####listen.net/index.php
- http://la###listen.net/index.php
- http://se###abring.net/index.php
- http://la###bring.net/index.php
- http://mo####demand.net/index.php
- http://wi###wbring.net/index.php
- http://pe####slisten.net/index.php
- http://po####leshout.net/index.php
- http://pe####sbring.net/index.php
- http://wi####demand.net/index.php
- http://pe####sshout.net/index.php
- http://wi####listen.net/index.php
- http://pe####sdemand.net/index.php
- http://mo####inshout.net/index.php
- http://mo####inbring.net/index.php
- http://po####lebring.net/index.php
- http://si###eshout.net/index.php
- http://mo###rshout.net/index.php
- http://mo####indemand.net/index.php
- http://po####ledemand.net/index.php
- http://mo####inlisten.net/index.php
- http://po####lelisten.net/index.php
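DNS queries (for the masked host names listed above; a burst of lookups for many similarly constructed .net names from one host is itself a usable detection signal):
- DNS ASK le###demand.net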
- DNS ASK fi###hshout.net
- DNS ASK le###listen.net
- DNS ASK fi####demand.net
- DNS ASK pr####lybring.net
- DNS ASK sw###listen.net
- DNS ASK le###shout.net
- DNS ASK sw###bring.net
- DNS ASK fi####listen.net
- DNS ASK su####tlisten.net
- DNS ASK su####tdemand.net
- DNS ASK wi###rbring.net
- DNS ASK su####tbring.net
- DNS ASK fi###hbring.net
- DNS ASK le###bring.net
- DNS ASK wi###rshout.net
- DNS ASK su####tshout.net
- DNS ASK pr####lylisten.net
- DNS ASK ma####alshout.net
- DNS ASK se####station.net
- DNS ASK ma####aldemand.net
- DNS ASK se####lshout.net
- DNS ASK la###third.net
- DNS ASK se####object.net
- DNS ASK la####tation.net
- DNS ASK se###athird.net
- DNS ASK se####ldemand.net
- DNS ASK sw###shout.net
- DNS ASK pr####lyshout.net
- DNS ASK sw###demand.net
- DNS ASK pr####lydemand.net
- DNS ASK se####llisten.net
- DNS ASK ma####allisten.net
- DNS ASK se####lbring.net
- DNS ASK ma####albring.net
- DNS ASK wi###wshout.net
- DNS ASK la###shout.net
- DNS ASK si###ebring.net
- DNS ASK la###demand.net
- DNS ASK se###ashout.net
- DNS ASK mo####listen.net
- DNS ASK si####demand.net
- DNS ASK mo###rbring.net
- DNS ASK si####listen.net
- DNS ASK se####demand.net
- DNS ASK se####llabor.net
- DNS ASK ma####allabor.net
- DNS ASK se####lvalley.net
- DNS ASK ma####alvalley.net
- DNS ASK se####listen.net
- DNS ASK la###listen.net
- DNS ASK se###abring.net
- DNS ASK la###bring.net
- DNS ASK mo####demand.net
- DNS ASK wi###wbring.net
- DNS ASK pe####slisten.net
- DNS ASK po####leshout.net
- DNS ASK pe####sbring.net
- DNS ASK wi####demand.net
- DNS ASK pe####sshout.net
- DNS ASK wi####listen.net
- DNS ASK pe####sdemand.net
- DNS ASK mo####inshout.net
- DNS ASK mo####inbring.net
- DNS ASK po####lebring.net
- DNS ASK si###eshout.net
- DNS ASK mo###rshout.net
- DNS ASK mo####indemand.net
- DNS ASK po####ledemand.net
- DNS ASK mo####inlisten.net
- DNS ASK po####lelisten.net
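Window referenced by class name, with an empty window title (Shell_TrayWnd is the class of the Windows taskbar):
- ClassName: 'Shell_TrayWnd' WindowName: ''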