Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'Connectivity WinHTTP Drive Resolution' = 'C:\qbjfpqqu\qhbonyivv.exe'
Creates the following services:
- [<HKLM>\SYSTEM\ControlSet001\Services\IKE IP Internet Logs AutoConfig Virtual WebClient] 'Start' = '00000002'
Malicious functions:
Creates and executes the following:
- 'C:\qbjfpqqu\lwpzptbh.exe' "c:\qbjfpqqu\qhbonyivv.exe"
- 'C:\qbjfpqqu\qhbonyivv.exe'
- 'C:\qbjfpqqu\vcsf2vpiplwabhjzyy.exe'
Modifies file system :
Creates the following files:
- C:\qbjfpqqu\qhbonyivv.exe
- C:\qbjfpqqu\lwpzptbh.exe
- C:\qbjfpqqu\vcsf2vpiplwabhjzyy.exe
- %WINDIR%\qbjfpqqu\jnc7i5y
- C:\qbjfpqqu\jnc7i5y
Sets the 'hidden' attribute to the following files:
- C:\qbjfpqqu\lwpzptbh.exe
- C:\qbjfpqqu\qhbonyivv.exe
Deletes the following files:
- C:\qbjfpqqu\vcsf2vpiplwabhjzyy.exe
- %WINDIR%\qbjfpqqu\jnc7i5y
Network activity:
Connects to:
- 'do####except.net':80
- 'mi###whose.net':80
- 'do####bridge.net':80
- 'pr####except.net':80
- 'st####icycle.net':80
- 'mi###bridge.net':80
- 'st###whose.net':80
- 'mi####icycle.net':80
- 'fe####except.net':80
- 'pr###ywhose.net':80
- 'fe####bicycle.net':80
- 'fe####bridge.net':80
- 'do####bicycle.net':80
- 'pr####bridge.net':80
- 'do###rwhose.net':80
- 'pr####bicycle.net':80
- 'st###bridge.net':80
- 'ou####ewhose.net':80
- 'mo####ntwhose.net':80
- 'ev####gexcept.net':80
- 'bu####ngexcept.net':80
- 'ou####ebridge.net':80
- 'mo####ntbridge.net':80
- 'ou####ebicycle.net':80
- 'mo####ntbicycle.net':80
- 'ev####gwhose.net':80
- 'bu####ngwhose.net':80
- 'mi###except.net':80
- 'st###except.net':80
- 'ev####gbridge.net':80
- 'bu####ngbridge.net':80
- 'ev####gbicycle.net':80
- 'bu####ngbicycle.net':80
TCP:
HTTP GET requests:
- http://do####except.net/index.php
- http://mi###whose.net/index.php
- http://do####bridge.net/index.php
- http://pr####except.net/index.php
- http://st####icycle.net/index.php
- http://mi###bridge.net/index.php
- http://st###whose.net/index.php
- http://mi####icycle.net/index.php
- http://fe####except.net/index.php
- http://pr###ywhose.net/index.php
- http://fe####bicycle.net/index.php
- http://fe####bridge.net/index.php
- http://do####bicycle.net/index.php
- http://pr####bridge.net/index.php
- http://do###rwhose.net/index.php
- http://pr####bicycle.net/index.php
- http://st###bridge.net/index.php
- http://ou####ewhose.net/index.php
- http://mo####ntwhose.net/index.php
- http://ev####gexcept.net/index.php
- http://bu####ngexcept.net/index.php
- http://ou####ebridge.net/index.php
- http://mo####ntbridge.net/index.php
- http://ou####ebicycle.net/index.php
- http://mo####ntbicycle.net/index.php
- http://ev####gwhose.net/index.php
- http://bu####ngwhose.net/index.php
- http://mi###except.net/index.php
- http://st###except.net/index.php
- http://ev####gbridge.net/index.php
- http://bu####ngbridge.net/index.php
- http://ev####gbicycle.net/index.php
- http://bu####ngbicycle.net/index.php
UDP:
- DNS ASK do####except.net
- DNS ASK mi###whose.net
- DNS ASK do####bridge.net
- DNS ASK pr####except.net
- DNS ASK st####icycle.net
- DNS ASK mi###bridge.net
- DNS ASK st###whose.net
- DNS ASK mi####icycle.net
- DNS ASK pr####bridge.net
- DNS ASK fe####bridge.net
- DNS ASK fe####except.net
- DNS ASK fe###wwhose.net
- DNS ASK fe####bicycle.net
- DNS ASK pr####bicycle.net
- DNS ASK do####bicycle.net
- DNS ASK pr###ywhose.net
- DNS ASK do###rwhose.net
- DNS ASK ou####ewhose.net
- DNS ASK mo####ntwhose.net
- DNS ASK ev####gexcept.net
- DNS ASK bu####ngexcept.net
- DNS ASK ou####ebridge.net
- DNS ASK mo####ntbridge.net
- DNS ASK ou####ebicycle.net
- DNS ASK mo####ntbicycle.net
- DNS ASK bu####ngbridge.net
- DNS ASK st###except.net
- DNS ASK ev####gwhose.net
- DNS ASK st###bridge.net
- DNS ASK mi###except.net
- DNS ASK bu####ngbicycle.net
- DNS ASK ev####gbridge.net
- DNS ASK bu####ngwhose.net
- DNS ASK ev####gbicycle.net
Miscellaneous:
Searches for the following windows:
- ClassName: 'Shell_TrayWnd' WindowName: ''
