Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'Auto Secondary Copy PC Player Sharing Secure' = 'C:\ytopkifusmtcrev\hzkeksmpk.exe'
Creates the following services:
- [<HKLM>\SYSTEM\ControlSet001\Services\Cache Backup Level Fax Engine Bluetooth System] 'ImagePath' = 'C:\ytopkifusmtcrev\hzkeksmpk.exe'
- [<HKLM>\SYSTEM\ControlSet001\Services\Cache Backup Level Fax Engine Bluetooth System] 'Start' = '00000002'
Malicious functions:
Executes the following:
- 'C:\ytopkifusmtcrev\qdnafcurooa.exe' "c:\ytopkifusmtcrev\hzkeksmpk.exe"
- 'C:\ytopkifusmtcrev\hzkeksmpk.exe'
- 'C:\ytopkifusmtcrev\jq2excnidtvehr.exe'
Modifies file system:
Creates the following files:
- C:\ytopkifusmtcrev\hzkeksmpk.exe
- C:\ytopkifusmtcrev\qdnafcurooa.exe
- C:\ytopkifusmtcrev\plmhvzm
- %WINDIR%\ytopkifusmtcrev\uedw9x
- C:\ytopkifusmtcrev\uedw9x
- C:\ytopkifusmtcrev\jq2excnidtvehr.exe
Sets the 'hidden' attribute to the following files:
- C:\ytopkifusmtcrev\qdnafcurooa.exe
- C:\ytopkifusmtcrev\hzkeksmpk.exe
Deletes the following files:
- C:\ytopkifusmtcrev\jq2excnidtvehr.exe
- %WINDIR%\ytopkifusmtcrev\uedw9x
Network activity:
Connects to:
- 'br###father.net':80
- 'fl###apple.net':80
- 'ga###rcarry.net':80
- 'fl###father.net':80
- 'br###built.net':80
- 'fl###carry.net':80
- 'br###apple.net':80
- 'fl###built.net':80
- 'be###rcarry.net':80
- 'be####father.net':80
- 'ga####father.net':80
- 'st###tcarry.net':80
- 'tr###carry.net':80
- 'be###rbuilt.net':80
- 'ga###rbuilt.net':80
- 'be###rapple.net':80
- 'ga###rapple.net':80
- 'br###carry.net':80
- 'do###dinner.net':80
- 'ag####tafraid.net':80
- 'do####easure.net':80
- 'ag####tdinner.net':80
- 'do###circle.net':80
- 'ni####easure.net':80
- 'do###afraid.net':80
- 'ag####tcircle.net':80
- 'ag####tmeasure.net':80
- 'qu###apple.net':80
- 'se###napple.net':80
- 'qu###father.net':80
- 'se####father.net':80
- 'qu###carry.net':80
- 'se###ncarry.net':80
- 'qu###built.net':80
- 'se###nbuilt.net':80
- 'tr###built.net':80
- 'de###ebuilt.net':80
- 'ni###carry.net':80
- 'de###eapple.net':80
- 'ni###built.net':80
- 'ca####nfather.net':80
- 'la###apple.net':80
- 'de###ecarry.net':80
- 'la###father.net':80
- 'ni###apple.net':80
- 'ag####tbuilt.net':80
- 'do###built.net':80
- 'ag####tapple.net':80
- 'do###apple.net':80
- 'ni###father.net':80
- 'de####father.net':80
- 'ag####tcarry.net':80
- 'do###carry.net':80
- 'ca####napple.net':80
- 'el####iccarry.net':80
- 'st####father.net':80
- 'el####icbuilt.net':80
- 're###dcarry.net':80
- 'tr###apple.net':80
- 'st###tbuilt.net':80
- 'tr###father.net':80
- 'st###tapple.net':80
- 're###dbuilt.net':80
- 'la###carry.net':80
- 'ca####ncarry.net':80
- 'la###built.net':80
- 'ca####nbuilt.net':80
- 're###dapple.net':80
- 'el####icapple.net':80
- 're####father.net':80
- 'el####icfather.net':80
TCP:
HTTP GET requests:
- http://br###father.net/index.php
- http://fl###apple.net/index.php
- http://ga###rcarry.net/index.php
- http://fl###father.net/index.php
- http://br###built.net/index.php
- http://fl###carry.net/index.php
- http://br###apple.net/index.php
- http://fl###built.net/index.php
- http://be###rcarry.net/index.php
- http://be####father.net/index.php
- http://ga####father.net/index.php
- http://st###tcarry.net/index.php
- http://tr###carry.net/index.php
- http://be###rbuilt.net/index.php
- http://ga###rbuilt.net/index.php
- http://be###rapple.net/index.php
- http://ga###rapple.net/index.php
- http://br###carry.net/index.php
- http://do###dinner.net/index.php
- http://ag####tafraid.net/index.php
- http://do####easure.net/index.php
- http://ag####tdinner.net/index.php
- http://do###circle.net/index.php
- http://ni####easure.net/index.php
- http://do###afraid.net/index.php
- http://ag####tcircle.net/index.php
- http://ag####tmeasure.net/index.php
- http://qu###apple.net/index.php
- http://se###napple.net/index.php
- http://qu###father.net/index.php
- http://se####father.net/index.php
- http://qu###carry.net/index.php
- http://se###ncarry.net/index.php
- http://qu###built.net/index.php
- http://se###nbuilt.net/index.php
- http://tr###built.net/index.php
- http://de###ebuilt.net/index.php
- http://ni###carry.net/index.php
- http://de###eapple.net/index.php
- http://ni###built.net/index.php
- http://ca####nfather.net/index.php
- http://la###apple.net/index.php
- http://de###ecarry.net/index.php
- http://la###father.net/index.php
- http://ni###apple.net/index.php
- http://ag####tbuilt.net/index.php
- http://do###built.net/index.php
- http://ag####tapple.net/index.php
- http://do###apple.net/index.php
- http://ni###father.net/index.php
- http://de####father.net/index.php
- http://ag####tcarry.net/index.php
- http://do###carry.net/index.php
- http://ca####napple.net/index.php
- http://el####iccarry.net/index.php
- http://st####father.net/index.php
- http://el####icbuilt.net/index.php
- http://re###dcarry.net/index.php
- http://tr###apple.net/index.php
- http://st###tbuilt.net/index.php
- http://tr###father.net/index.php
- http://st###tapple.net/index.php
- http://re###dbuilt.net/index.php
- http://la###carry.net/index.php
- http://ca####ncarry.net/index.php
- http://la###built.net/index.php
- http://ca####nbuilt.net/index.php
- http://re###dapple.net/index.php
- http://el####icapple.net/index.php
- http://re####father.net/index.php
- http://el####icfather.net/index.php
UDP:
- DNS ASK br###father.net
- DNS ASK fl###apple.net
- DNS ASK ga###rcarry.net
- DNS ASK fl###father.net
- DNS ASK br###apple.net
- DNS ASK fl###carry.net
- DNS ASK br###carry.net
- DNS ASK fl###built.net
- DNS ASK br###built.net
- DNS ASK be####father.net
- DNS ASK ga####father.net
- DNS ASK st###tcarry.net
- DNS ASK tr###carry.net
- DNS ASK be###rapple.net
- DNS ASK ga###rbuilt.net
- DNS ASK be###rcarry.net
- DNS ASK ga###rapple.net
- DNS ASK be###rbuilt.net
- DNS ASK do###dinner.net
- DNS ASK ag####tafraid.net
- DNS ASK do####easure.net
- DNS ASK ag####tdinner.net
- DNS ASK do###afraid.net
- DNS ASK ni####easure.net
- DNS ASK de####measure.net
- DNS ASK ag####tcircle.net
- DNS ASK do###circle.net
- DNS ASK qu###apple.net
- DNS ASK se###napple.net
- DNS ASK qu###father.net
- DNS ASK se####father.net
- DNS ASK qu###built.net
- DNS ASK se###ncarry.net
- DNS ASK ag####tmeasure.net
- DNS ASK se###nbuilt.net
- DNS ASK qu###carry.net
- DNS ASK de###ebuilt.net
- DNS ASK ni###carry.net
- DNS ASK de###eapple.net
- DNS ASK ni###built.net
- DNS ASK de###ecarry.net
- DNS ASK la###apple.net
- DNS ASK ca####napple.net
- DNS ASK la###father.net
- DNS ASK ca####nfather.net
- DNS ASK ag####tbuilt.net
- DNS ASK do###built.net
- DNS ASK ag####tapple.net
- DNS ASK do###apple.net
- DNS ASK ag####tcarry.net
- DNS ASK de####father.net
- DNS ASK ni###apple.net
- DNS ASK do###carry.net
- DNS ASK ni###father.net
- DNS ASK el####iccarry.net
- DNS ASK st####father.net
- DNS ASK el####icbuilt.net
- DNS ASK re###dcarry.net
- DNS ASK tr###father.net
- DNS ASK st###tbuilt.net
- DNS ASK tr###built.net
- DNS ASK st###tapple.net
- DNS ASK tr###apple.net
- DNS ASK la###carry.net
- DNS ASK ca####ncarry.net
- DNS ASK la###built.net
- DNS ASK ca####nbuilt.net
- DNS ASK re####father.net
- DNS ASK el####icapple.net
- DNS ASK re###dbuilt.net
- DNS ASK el####icfather.net
- DNS ASK re###dapple.net
Miscellaneous:
Searches for the following windows:
- ClassName: 'Shell_TrayWnd' WindowName: ''
