Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'Human Net.Tcp Auto IP Shell' = '<SYSTEM32>\wnskssjtk.exe'
Creates the following services:
- [<HKLM>\SYSTEM\ControlSet001\Services\DNS AuthIP ActiveX BitLocker Shadow] 'ImagePath' = '<SYSTEM32>\wnskssjtk.exe'
- [<HKLM>\SYSTEM\ControlSet001\Services\DNS AuthIP ActiveX BitLocker Shadow] 'Start' = '00000002'
Malicious functions:
To complicate detection of its presence in the operating system,
blocks the following features:
- Windows Security Center
Creates and executes the following:
- '<SYSTEM32>\pszmnptxjdi.exe' "<SYSTEM32>\wnskssjtk.exe"
- '%WINDIR%\Temp\wpcgkg2nscdxw2w.exe' -r 39147 tcp
- '%TEMP%\wpcgkg2jesdxw2wcm7vandb.exe'
- '<SYSTEM32>\wnskssjtk.exe'
Modifies file system:
Creates the following files:
- <SYSTEM32>\bdzfiuwgp\run
- <SYSTEM32>\bdzfiuwgp\rng
- %WINDIR%\Temp\wpcgkg2nscdxw2w.exe
- <SYSTEM32>\bdzfiuwgp\cfg
- <SYSTEM32>\pszmnptxjdi.exe
- %TEMP%\wpcgkg2jesdxw2wcm7vandb.exe
- <SYSTEM32>\bdzfiuwgp\tst
- <SYSTEM32>\wnskssjtk.exe
- <SYSTEM32>\bdzfiuwgp\etc
Sets the 'hidden' attribute to the following files:
- <SYSTEM32>\pszmnptxjdi.exe
- <SYSTEM32>\wnskssjtk.exe
Deletes the following files:
- %WINDIR%\Temp\wpcgkg2nscdxw2w.exe
- <DRIVERS>\etc\hosts
- %TEMP%\wpcgkg2jesdxw2wcm7vandb.exe
Substitutes the HOSTS file.
Network activity:
Connects to:
- 'sp###unt.net':80
- 'sa###unt.net':80
- 'sa###how.net':80
- 'wh###hear.net':80
- 'sp###how.net':80
- 'sa###ear.net':80
- 'gl###how.net':80
- 'sp###ear.net':80
- 'sp###ule.net':80
- 'sa###ule.net':80
- 'up###how.net':80
- 'wh###show.net':80
- 'so###hear.net':80
- 'so###rule.net':80
- 'ar###hear.net':80
- 'wh###rule.net':80
- 'up###ear.net':80
- 'up###ule.net':80
- 'up###unt.net':80
- 'wh###hunt.net':80
- 'eq###hear.net':80
- 'gr###hear.net':80
- 'gr###rule.net':80
- 'gr###hunt.net':80
- 'eq###rule.net':80
- 'vi###hunt.net':80
- 'sp###rule.net':80
- 'sp###hunt.net':80
- 'sp###show.net':80
- 'vi###show.net':80
- 'gl###ule.net':80
- 'ta###rule.net':80
- 'ta###hunt.net':80
- 'ta###show.net':80
- 'gl###unt.net':80
- 'gr###show.net':80
- 'eq###hunt.net':80
- 'eq###show.net':80
- 'gl###ear.net':80
- 'ta###hear.net':80
- 'sp####ctober.net':80
- 'vi####ctober.net':80
- 'vi###shoe.net':80
- 'be##lxc.com':80
- 'sp###shoe.net':80
- 'vi###outer.net':80
- 'wa###shoe.net':80
- 'sp###outer.net':80
- 'sp###moon.net':80
- 'vi###moon.net':80
- 'mi###hown.net':80
- 'ab###ell.net':80
- 'mo###ugust.net':80
- 'cr#####onaraminta.net':80
- 'le###form.net':80
- 'al###being.net':80
- 'ri###nstorm.net':80
- 'ca####nbring.net':80
- 'mo###olor.net':80
- 'pr####tbottom.net':80
- 'dr###outer.net':80
- 'th###uter.net':80
- 'th###oon.net':80
- 'th###ctober.net':80
- 'dr###moon.net':80
- 'so###hunt.net':80
- 'ar###rule.net':80
- 'ar###hunt.net':80
- 'ar###show.net':80
- 'so###show.net':80
- 'wa###moon.net':80
- 'fa###oon.net':80
- 'fa###ctober.net':80
- 'fa###hoe.net':80
- 'wa####ctober.net':80
- 'th###hoe.net':80
- 'dr####ctober.net':80
- 'dr###shoe.net':80
- 'wa###outer.net':80
- 'fa###uter.net':80
TCP:
HTTP GET requests:
- http://sp###unt.net/index.php
- http://sa###unt.net/index.php
- http://sa###how.net/index.php
- http://wh###hear.net/index.php
- http://sp###how.net/index.php
- http://sa###ear.net/index.php
- http://gl###how.net/index.php
- http://sp###ear.net/index.php
- http://sp###ule.net/index.php
- http://sa###ule.net/index.php
- http://up###how.net/index.php
- http://wh###show.net/index.php
- http://so###hear.net/index.php
- http://so###rule.net/index.php
- http://ar###hear.net/index.php
- http://wh###rule.net/index.php
- http://up###ear.net/index.php
- http://up###ule.net/index.php
- http://up###unt.net/index.php
- http://wh###hunt.net/index.php
- http://eq###hear.net/index.php
- http://gr###hear.net/index.php
- http://gr###rule.net/index.php
- http://gr###hunt.net/index.php
- http://eq###rule.net/index.php
- http://vi###hunt.net/index.php
- http://sp###rule.net/index.php
- http://sp###hunt.net/index.php
- http://sp###show.net/index.php
- http://vi###show.net/index.php
- http://gl###ule.net/index.php
- http://ta###rule.net/index.php
- http://ta###hunt.net/index.php
- http://ta###show.net/index.php
- http://gl###unt.net/index.php
- http://gr###show.net/index.php
- http://eq###hunt.net/index.php
- http://eq###show.net/index.php
- http://gl###ear.net/index.php
- http://ta###hear.net/index.php
- http://sp####ctober.net/index.php
- http://vi####ctober.net/index.php
- http://vi###shoe.net/index.php
- http://be##lxc.com/index.php
- http://sp###shoe.net/index.php
- http://vi###outer.net/index.php
- http://wa###shoe.net/index.php
- http://sp###outer.net/index.php
- http://sp###moon.net/index.php
- http://vi###moon.net/index.php
- http://mi###hown.net/index.php
- http://ab###ell.net/index.php
- http://mo###ugust.net/index.php
- http://cr#####onaraminta.net/index.php
- http://le###form.net/index.php
- http://al###being.net/index.php
- http://ri###nstorm.net/index.php
- http://ca####nbring.net/index.php
- http://mo###olor.net/index.php
- http://pr####tbottom.net/index.php
- http://dr###outer.net/index.php
- http://th###uter.net/index.php
- http://th###oon.net/index.php
- http://th###ctober.net/index.php
- http://dr###moon.net/index.php
- http://so###hunt.net/index.php
- http://ar###rule.net/index.php
- http://ar###hunt.net/index.php
- http://ar###show.net/index.php
- http://so###show.net/index.php
- http://wa###moon.net/index.php
- http://fa###oon.net/index.php
- http://fa###ctober.net/index.php
- http://fa###hoe.net/index.php
- http://wa####ctober.net/index.php
- http://th###hoe.net/index.php
- http://dr####ctober.net/index.php
- http://dr###shoe.net/index.php
- http://wa###outer.net/index.php
- http://fa###uter.net/index.php
UDP:
- DNS ASK sp###unt.net
- DNS ASK sa###unt.net
- DNS ASK sa###how.net
- DNS ASK wh###hear.net
- DNS ASK sp###how.net
- DNS ASK sa###ear.net
- DNS ASK gl###how.net
- DNS ASK sp###ear.net
- DNS ASK sp###ule.net
- DNS ASK sa###ule.net
- DNS ASK up###how.net
- DNS ASK wh###show.net
- DNS ASK so###hear.net
- DNS ASK so###rule.net
- DNS ASK ar###hear.net
- DNS ASK wh###rule.net
- DNS ASK up###ear.net
- DNS ASK up###ule.net
- DNS ASK up###unt.net
- DNS ASK wh###hunt.net
- DNS ASK ta###show.net
- DNS ASK gr###hear.net
- DNS ASK sp###show.net
- DNS ASK eq###hear.net
- DNS ASK eq###rule.net
- DNS ASK gr###rule.net
- DNS ASK sp###rule.net
- DNS ASK vi###rule.net
- DNS ASK vi###hunt.net
- DNS ASK vi###show.net
- DNS ASK sp###hunt.net
- DNS ASK ta###rule.net
- DNS ASK gl###ear.net
- DNS ASK gl###ule.net
- DNS ASK gl###unt.net
- DNS ASK ta###hunt.net
- DNS ASK eq###hunt.net
- DNS ASK gr###hunt.net
- DNS ASK gr###show.net
- DNS ASK ta###hear.net
- DNS ASK eq###show.net
- DNS ASK sp####ctober.net
- DNS ASK vi####ctober.net
- DNS ASK vi###shoe.net
- DNS ASK be##lxc.com
- DNS ASK sp###shoe.net
- DNS ASK vi###outer.net
- DNS ASK wa###shoe.net
- DNS ASK sp###outer.net
- DNS ASK sp###moon.net
- DNS ASK vi###moon.net
- DNS ASK mi###hown.net
- DNS ASK ab###ell.net
- DNS ASK mo###ugust.net
- DNS ASK cr#####onaraminta.net
- DNS ASK le###form.net
- DNS ASK al###being.net
- DNS ASK ri###nstorm.net
- DNS ASK ca####nbring.net
- DNS ASK mo###olor.net
- DNS ASK pr####tbottom.net
- DNS ASK dr###outer.net
- DNS ASK th###uter.net
- DNS ASK th###oon.net
- DNS ASK th###ctober.net
- DNS ASK dr###moon.net
- DNS ASK so###hunt.net
- DNS ASK ar###rule.net
- DNS ASK ar###hunt.net
- DNS ASK ar###show.net
- DNS ASK so###show.net
- DNS ASK wa###moon.net
- DNS ASK fa###oon.net
- DNS ASK fa###ctober.net
- DNS ASK fa###hoe.net
- DNS ASK wa####ctober.net
- DNS ASK th###hoe.net
- DNS ASK dr####ctober.net
- DNS ASK dr###shoe.net
- DNS ASK wa###outer.net
- DNS ASK fa###uter.net
- '23#.#55.255.250':1900
