Technical Information
To ensure autorun and distribution
Sets the following service settings
- [<HKLM>\System\CurrentControlSet\Services\cbarmrcu] 'Start' = '00000002'
- [<HKLM>\System\CurrentControlSet\Services\cbarmrcu] 'ImagePath' = '%WINDIR%\SysWOW64\cbarmrcu\wmxbnvbk.exe /d"<Full path to file>"'
- [<HKLM>\SYSTEM\CurrentControlSet\services\cbarmrcu] 'ImagePath' = '%WINDIR%\SysWOW64\cbarmrcu\wmxbnvbk.exe'
Creates the following services
- 'cbarmrcu' %WINDIR%\SysWOW64\cbarmrcu\wmxbnvbk.exe /d"<Full path to file>"
- 'cbarmrcu' %WINDIR%\SysWOW64\cbarmrcu\wmxbnvbk.exe
Malicious functions
To complicate detection of its presence in the operating system,
adds antivirus exclusion with following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths] '%WINDIR%\SysWOW64\cbarmrcu' = '00000000'
Executes the following
- '%WINDIR%\syswow64\netsh.exe' advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="%WINDIR%\SysWOW64\svchost.exe" enable=yes>nul
Injects code into
the following system processes:
- %WINDIR%\syswow64\svchost.exe
Modifies file system
Creates the following files
- %TEMP%\wmxbnvbk.exe
- %WINDIR%\syswow64\config\systemprofile:.repos
Moves the following files
- from %TEMP%\wmxbnvbk.exe to %WINDIR%\syswow64\cbarmrcu\wmxbnvbk.exe
Deletes itself.
Network activity
Connects to
- 'mi##########m.mail.protection.outlook.com':25
- 'mx.#len.pl':25
- 'mx##.#-online.de':25
- 'cm##.##oragepipe.com':25
- 'mx.#p.pl':25
- 'mx.###zta.onet.pl':25
- 'mx##.mail.com':25
- 'mx.##bleone.net':25
- 'ex####l.bigpond.com':25
- 'mx.##a.untd.com':25
- 'mx####.chinaemail.cn':25
- 'mx#.qq.com':25
- 'mx##.##ndenserver.de':25
- 'in###gram.com':443
- 'cl######.us.messagelabs.com':25
- 'mx#######401.gslb.pphosted.com':25
- 'eb##.com':443
- 'mx#######901.gslb.pphosted.com':25
- 'mx.####.locaweb.com.br':25
- 'mx#.####o.locaweb.com.br':25
- 'an###mmed.com':25
- 'mx#######601.gslb.pphosted.com':25
- 'mx####.#egamailservers.eu':25
- 'mx#######502.gslb.pphosted.com':25
- 'mx#######a02.gslb.gpphosted.com':25
- 'po#.##tscope.net':25
- 'mx#.#xstorm.com':25
- 'ma###esia.com':25
- 'mx#######201.gslb.pphosted.com':25
- 'mx######53501.pphosted.com':25
- 'ma#########.mail.protection.outlook.com':25
- 'ei####.#x.a.cloudfilter.net':25
- 'al######x-vip2.prodigy.net':25
- 'ma###.h3c.com':25
- 'ma##.b-io.co':25
- 'es#.#entene.com':25
- 'smtp.google.com':25
- 'mx######71101.pphosted.com':25
- 'ma##.##errillamail.com':25
- 'eb#y.it':443
- 'mx#######e02.gslb.pphosted.com':25
- 'mx.##wered.name':25
- 'mx#.###nturserver.de':25
- 'lo########eers.ogame.gameforge.com':443
- 'ye######.mxmail.netease.com':25
- 'mx##########tral-1.prod.hydra.sophos.com':25
- 'mx#######c01.gslb.pphosted.com':25
- 'mx#######102.gslb.pphosted.com':25
- 'sm##.indra.com':25
- 'mx##.###us-vadesecure.net':25
- 'mx#.##origo-upos.pl':25
- 'mx#######a02.gslb.pphosted.com':25
- 'mx.###etowax.com':25
- 'mx##.#bs.open.ch':25
- 'mx##.###g.kundenserver.de':25
- 'mx#######f01.gslb.pphosted.com':25
- '17#.#13.115.157':423
- '17#.#13.115.155':423
- '17#.#13.115.154':423
- '17#.#13.115.153':423
- 'mx#######001.gslb.pphosted.com':25
- 'ho#########.olc.protection.outlook.com':25
- 'mx####.##il.gm0.yahoodns.net':25
- 'mx#######701.gslb.pphosted.com':25
- 'mx######91d01.pphosted.com':25
- 'aspmx.l.google.com':25
- 'al######x-vip1.prodigy.net':25
- 'mx.###mediacom.com':25
- '80.#6.75.4':423
- 'mx#.#mpal.com':25
- 'mx#.#anmail.net':25
- 'mx#.#ate.com':25
- 'mx.####otelsrimini.com':25
- 'mx.######mail.rediff.akadns.net':25
- 'mx###.##il.am0.yahoodns.net':25
- 'ma##.##olantdebru.com':25
- 'ma####.stephens.com':25
- 'mx#######a01.gslb.pphosted.com':25
- 'fa###ool.xyz':10060
- '17#.#13.115.158':487
- 'sv####lfheim.top':443
- 'mx.###management.it':25
- 'mx######1cb01.pphosted.com':25
- 'if##.ific.uv.es':25
- 'sp##.#nterdns.co.uk':25
- 'mx.##.#tinternet.com':25
- 'mx#######d04.gslb.pphosted.com':25
- 'mx######9f702.pphosted.com':25
- 'mt##.##0.yahoodns.net':25
- 'mx######bde01.pphosted.com':25
- 'mx#.##starica.net':25
- 'mx######49f01.pphosted.com':25
- 'pr####oint4.sfu.ca':25
- '10#.#7.13.33':25
- 'mx#######301.gslb.pphosted.com':25
- 'pa####x.above.com':25
- 'mx#######702.gslb.pphosted.com':25
- 'google.com':443
- 'mx#######501.gslb.pphosted.com':25
- 'cl######j.mailcontrol.com':25
- 'mx#######e01.gslb.pphosted.com':25
- 'ma##.####printingandsystems.com':25
- 'mx#######b02.gslb.pphosted.com':25
- 'mx#######b01.gslb.pphosted.com':25
- 'ex#####e.lastmail.co':25
- 'ma##.econt.com':25
- 'mx#######003.gslb.pphosted.com':25
- 'ma##.#-email.net':25
- 'google.com':80
- '17#.#13.115.156':423
- 'cx#.##.#.cloudfilter.net':25
TCP
HTTP GET requests
- http://www.google.com/
- http://www.google.com/ncr
Other
- 'sv####lfheim.top':443
- 'if##.ific.uv.es':25
- 'mx####.#egamailservers.eu':25
- 'eb##.com':443
- 'in###gram.com':443
- 'mx#.qq.com':25
- 'mx.###zta.onet.pl':25
- 'mx####.chinaemail.cn':25
- 'cm##.##oragepipe.com':25
- 'mx##.#bs.open.ch':25
- 'mx#.##origo-upos.pl':25
- 'an###mmed.com':25
- 'ye######.mxmail.netease.com':25
- 'ma#########.mail.protection.outlook.com':25
- 'lo########eers.ogame.gameforge.com':443
- 'sm##.indra.com':25
- 'mx#.#xstorm.com':25
- 'mx.##wered.name':25
- 'ma##.##errillamail.com':25
- 'mx#.###nturserver.de':25
- 'smtp.google.com':25
- 'ma###.h3c.com':25
- 'al######x-vip2.prodigy.net':25
- 'mx#######201.gslb.pphosted.com':25
- 'mx######53501.pphosted.com':25
- 'mx.##.#tinternet.com':25
- 'mx##########tral-1.prod.hydra.sophos.com':25
- 'mt##.##0.yahoodns.net':25
- '17#.#13.115.154':423
- '17#.#13.115.158':487
- 'fa###ool.xyz':10060
- 'mx###.##il.am0.yahoodns.net':25
- 'mx.######mail.rediff.akadns.net':25
- 'ma##.##olantdebru.com':25
- 'mx#.#anmail.net':25
- 'al######x-vip1.prodigy.net':25
- 'aspmx.l.google.com':25
- 'mx####.##il.gm0.yahoodns.net':25
- 'ho#########.olc.protection.outlook.com':25
- '80.#6.75.4':423
- '17#.#13.115.155':423
- 'mx#.##starica.net':25
- '17#.#13.115.153':423
- 'sp##.#nterdns.co.uk':25
- 'ma##.#-email.net':25
- 'ma##.econt.com':25
- 'ex#####e.lastmail.co':25
- '17#.#13.115.156':423
- '17#.#13.115.157':423
- 'google.com':443
- 'pa####x.above.com':25
- '10#.#7.13.33':25
- 'cl######j.mailcontrol.com':25
- 'mx######bde01.pphosted.com':25
- 'ma###esia.com':25
UDP
- DNS ASK mi##########m.mail.protection.outlook.com
- DNS ASK bu###czek.pl
- DNS ASK mx.###zta.onet.pl
- DNS ASK wp.pl
- DNS ASK mx.#p.pl
- DNS ASK vi#.qq.com
- DNS ASK oz##es.com
- DNS ASK cm##.##oragepipe.com
- DNS ASK t-##line.de
- DNS ASK mx##.#-online.de
- DNS ASK o2.pl
- DNS ASK mx.#len.pl
- DNS ASK si#.net
- DNS ASK mx##.##ndenserver.de
- DNS ASK ju##.com
- DNS ASK ub#.com
- DNS ASK mx##.#bs.open.ch
- DNS ASK on##ne.de
- DNS ASK mx##.###g.kundenserver.de
- DNS ASK sp####um-health.org
- DNS ASK mx#######201.gslb.pphosted.com
- DNS ASK lo###owax.com
- DNS ASK mx.###etowax.com
- DNS ASK on#t.pl
- DNS ASK as##03.org
- DNS ASK ne####marcus.com
- DNS ASK mx##.mail.com
- DNS ASK ma##h.com
- DNS ASK ma##.com
- DNS ASK mx.##bleone.net
- DNS ASK mx#.####o.locaweb.com.br
- DNS ASK en###umi.com
- DNS ASK mx.####.locaweb.com.br
- DNS ASK de##.com
- DNS ASK mx#######901.gslb.pphosted.com
- DNS ASK un###bank.com
- DNS ASK dh#.#ic.gov.au
- DNS ASK eb##.com
- DNS ASK mx#######401.gslb.pphosted.com
- DNS ASK se##ech.com
- DNS ASK cl######.us.messagelabs.com
- DNS ASK ne###ope.net
- DNS ASK po#.##tscope.net
- DNS ASK at#.com
- DNS ASK fe##un.net
- DNS ASK in###gram.com
- DNS ASK mx####.chinaemail.cn
- DNS ASK fo##ail.com
- DNS ASK mx#.qq.com
- DNS ASK ne##ero.net
- DNS ASK mx.##a.untd.com
- DNS ASK bi##ond.com
- DNS ASK ex####l.bigpond.com
- DNS ASK fr###ier.com
- DNS ASK ca###one.net
- DNS ASK he######dpaymentsystems.com
- DNS ASK ho###oods.com
- DNS ASK mx#######a02.gslb.pphosted.com
- DNS ASK ag##.com
- DNS ASK yo##ube.com
- DNS ASK smtp.google.com
- DNS ASK qq.com
- DNS ASK he##th.net
- DNS ASK es#.#entene.com
- DNS ASK if#.com
- DNS ASK fs##.com
- DNS ASK ma##.b-io.co
- DNS ASK h3#.com
- DNS ASK ma###.h3c.com
- DNS ASK pe###epc.com
- DNS ASK cx#.##.#.cloudfilter.net
- DNS ASK ei##om.net
- DNS ASK be###outh.net
- DNS ASK al######x-vip2.prodigy.net
- DNS ASK co##ast.com
- DNS ASK ha##er.com
- DNS ASK ma##kay.com
- DNS ASK pa###tir.com
- DNS ASK ma#########.mail.protection.outlook.com
- DNS ASK mx######53501.pphosted.com
- DNS ASK eu##pe.com
- DNS ASK ma###esia.com
- DNS ASK co#.net
- DNS ASK fa#.#arvard.edu
- DNS ASK mx######71101.pphosted.com
- DNS ASK ma##.##errillamail.com
- DNS ASK sh###lasers.com
- DNS ASK fl##red.com
- DNS ASK ex##igo.pl
- DNS ASK mx#.##origo-upos.pl
- DNS ASK ea###link.net
- DNS ASK mx##.###us-vadesecure.net
- DNS ASK in##a.net
- DNS ASK sm##.indra.com
- DNS ASK af###etrix.com
- DNS ASK mx#######102.gslb.pphosted.com
- DNS ASK am##.com
- DNS ASK mx#######c01.gslb.pphosted.com
- DNS ASK em###glio.com
- DNS ASK gl##o.com
- DNS ASK ye##.net
- DNS ASK mx##########tral-1.prod.hydra.sophos.com
- DNS ASK am##ki.pl
- DNS ASK lo########eers.ogame.gameforge.com
- DNS ASK pl###auf.com
- DNS ASK mx#.###nturserver.de
- DNS ASK ho###aba.com
- DNS ASK mx#.#xstorm.com
- DNS ASK ma###.###ntonemailhearing.com
- DNS ASK in####-mail.info
- DNS ASK mx.##wered.name
- DNS ASK eb#y.it
- DNS ASK ju###fou.com
- DNS ASK ai####irement.com
- DNS ASK ye######.mxmail.netease.com
- DNS ASK ei####.#x.a.cloudfilter.net
- DNS ASK mx#######601.gslb.pphosted.com
- DNS ASK zy##a.com
- DNS ASK mx#.#mpal.com
- DNS ASK sb###obal.net
- DNS ASK al######x-vip1.prodigy.net
- DNS ASK sd##e.org
- DNS ASK aspmx.l.google.com
- DNS ASK be###outh.com
- DNS ASK mx######91d01.pphosted.com
- DNS ASK us##pe.com
- DNS ASK mx#######701.gslb.pphosted.com
- DNS ASK ve##zon.net
- DNS ASK mx####.##il.gm0.yahoodns.net
- DNS ASK ho##ail.com
- DNS ASK ho#########.olc.protection.outlook.com
- DNS ASK so#.org
- DNS ASK mx#######001.gslb.pphosted.com
- DNS ASK ke##ost.net
- DNS ASK sp##.#nterdns.co.uk
- DNS ASK te##s.net
- DNS ASK google.com
- DNS ASK ti##jo.com
- DNS ASK ma##.#-email.net
- DNS ASK we###fargo.com
- DNS ASK mx#######003.gslb.pphosted.com
- DNS ASK ec##t.com
- DNS ASK ma##.econt.com
- DNS ASK em##l.com
- DNS ASK la##mail.co
- DNS ASK mx.###mediacom.com
- DNS ASK mx.###management.it
- DNS ASK sv####lfheim.top
- DNS ASK 23#.###.#12.82.dnsbl.sorbs.net
- DNS ASK 23#.###.#12.82.bl.spamcop.net
- DNS ASK 23#.###.#12.82.zen.spamhaus.org
- DNS ASK 23#.###.##2.82.sbl-xbl.spamhaus.org
- DNS ASK 23#.###.#12.82.cbl.abuseat.org
- DNS ASK fa###ool.xyz
- DNS ASK ai##.net
- DNS ASK mx#######a01.gslb.pphosted.com
- DNS ASK st###ens.com
- DNS ASK ma####.stephens.com
- DNS ASK vi####tdebru.com
- DNS ASK ma##.##olantdebru.com
- DNS ASK sk#.com
- DNS ASK mx###.##il.am0.yahoodns.net
- DNS ASK vi####elsrimini.com
- DNS ASK re###fmail.com
- DNS ASK mx.######mail.rediff.akadns.net
- DNS ASK na##.com
- DNS ASK mx.####otelsrimini.com
- DNS ASK mx#.#ate.com
- DNS ASK 23#.###.112.82.in-addr.arpa
- DNS ASK ha##ail.net
- DNS ASK mx#.#anmail.net
- DNS ASK vi####agement.it
- DNS ASK vi###diacom.com
- DNS ASK ex#####e.lastmail.co
- DNS ASK fi#.edu
- DNS ASK mx#######b01.gslb.pphosted.com
- DNS ASK ya##o.com
- DNS ASK mt##.##0.yahoodns.net
- DNS ASK ai##g.com
- DNS ASK ft#.com
- DNS ASK mx#######d04.gslb.pphosted.com
- DNS ASK mx######9f702.pphosted.com
- DNS ASK bt###ernet.com
- DNS ASK mx.##.#tinternet.com
- DNS ASK if##.uv.es
- DNS ASK if##.ific.uv.es
- DNS ASK fi###hline.com
- DNS ASK an###mmed.com
- DNS ASK mx#######f01.gslb.pphosted.com
- DNS ASK mx#######702.gslb.pphosted.com
- DNS ASK wa###rbros.com
- DNS ASK mx#######e02.gslb.pphosted.com
- DNS ASK ba###lle.org
- DNS ASK mx#######a02.gslb.gpphosted.com
- DNS ASK ap####entguide.com
- DNS ASK wr###isors.com
- DNS ASK mx#######502.gslb.pphosted.com
- DNS ASK br###and.net
- DNS ASK mx####.#egamailservers.eu
- DNS ASK an####medical.net
- DNS ASK mx######bde01.pphosted.com
- DNS ASK va##ro.com
- DNS ASK th###rtford.com
- DNS ASK bb##dt.com
- DNS ASK mx######49f01.pphosted.com
- DNS ASK ab##tt.com
- DNS ASK mx#######b02.gslb.pphosted.com
- DNS ASK da####cowboys.net
- DNS ASK lo######tingandsystems.com
- DNS ASK ma##.####printingandsystems.com
- DNS ASK fo###online.com
- DNS ASK mx#######e01.gslb.pphosted.com
- DNS ASK fo#.com
- DNS ASK mx#######501.gslb.pphosted.com
- DNS ASK hl##.com
- DNS ASK cl######j.mailcontrol.com
- DNS ASK em####nprocess.com
- DNS ASK mx######1cb01.pphosted.com
- DNS ASK in###mmicro.com
- DNS ASK xt###e-plus.com
- DNS ASK ad##sa.com
- DNS ASK pa####x.above.com
- DNS ASK ot##.com
- DNS ASK mx#######301.gslb.pphosted.com
- DNS ASK sf#.ca
- DNS ASK pr####oint4.sfu.ca
- DNS ASK be##buy.com
- DNS ASK in#####t-krstarica.com
- DNS ASK mx#.##starica.net
- DNS ASK co##inc.com
- DNS ASK im###works.com
- DNS ASK am###trade.com
- DNS ASK so##e.com
Miscellaneous
Creates and executes the following
- '%WINDIR%\syswow64\cbarmrcu\wmxbnvbk.exe' /d"<Full path to file>"
- '%WINDIR%\syswow64\cmd.exe' /C mkdir %WINDIR%\SysWOW64\cbarmrcu\' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /C move /Y "%TEMP%\wmxbnvbk.exe" %WINDIR%\SysWOW64\cbarmrcu\' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' create cbarmrcu binPath= "%WINDIR%\SysWOW64\cbarmrcu\wmxbnvbk.exe /d\"<Full path to file>\"" type= own start= auto DisplayName= "wifi support"' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' description cbarmrcu "wifi internet conection"' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' start cbarmrcu' (with hidden window)
- '%WINDIR%\syswow64\netsh.exe' advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="%WINDIR%\SysWOW64\svchost.exe" enable=yes>nul' (with hidden window)
Executes the following
- '%WINDIR%\syswow64\cmd.exe' /C mkdir %WINDIR%\SysWOW64\cbarmrcu\
- '%WINDIR%\syswow64\cmd.exe' /C move /Y "%TEMP%\wmxbnvbk.exe" %WINDIR%\SysWOW64\cbarmrcu\
- '%WINDIR%\syswow64\sc.exe' create cbarmrcu binPath= "%WINDIR%\SysWOW64\cbarmrcu\wmxbnvbk.exe /d\"<Full path to file>\"" type= own start= auto DisplayName= "wifi support"
- '%WINDIR%\syswow64\sc.exe' description cbarmrcu "wifi internet conection"
- '%WINDIR%\syswow64\sc.exe' start cbarmrcu
- '%WINDIR%\syswow64\svchost.exe'
- '%WINDIR%\syswow64\svchost.exe' -o fastpool.xyz:10060 -u 9mLwUkiK8Yp89zQQYodWKN29jVVVz1cWDFZctWxge16Zi3TpHnSBnnVcCDhSRXdesnMBdVjtDwh1N71KD9z37EzgKSM1tmS.60000 -p x -k -a cn/half
