Technical Information
To ensure autorun and distribution
Creates or modifies the following files
- <SYSTEM32>\tasks\nvngxupdatecheckdaily_{c83f61d3-61d3-61d3-61d3-c83f61d361d3}
- %APPDATA%\microsoft\windows\start menu\programs\startup\svchostsw.exe
Malicious functions
Injects code into
the following system processes:
- <SYSTEM32>\werfault.exe
the following user processes:
- firefox.exe
Terminates or attempts to terminate
the following user processes:
- iexplore.exe
- firefox.exe
Searches for registry branches where third party applications store passwords
- [<HKCU>\Software\Martin Prikryl]
- [<HKLM>\Software\Wow6432Node\Martin Prikryl]
Reads files which store third party applications passwords
- %APPDATA%\opera software\opera stable\login data
- %APPDATA%\thunderbird\profiles.ini
- <LS_APPDATA>\google\chrome\user data\default\web data
Modifies file system
Creates the following files
- %TEMP%\9e5e.tmp
- %TEMP%\cfd1.tmp
- %TEMP%\cfb1.tmp
- %TEMP%\cfb0.tmp
- %TEMP%\cf9f.tmp
- %TEMP%\cf21.tmp
- %TEMP%\cf20.tmp
- %TEMP%\cef0.tmp
- %TEMP%\ced0.tmp
- %TEMP%\ce43.tmp
- %TEMP%\ce32.tmp
- %TEMP%\ce21.tmp
- %TEMP%\cfd1.tmp-shm
- %TEMP%\cbbf.tmp
- %TEMP%\cb9f.tmp
- <LS_APPDATA>\microsoft\vault\4bf4c442-9b8a-41a0-b380-dd4a704ddb28\policy.vpol
- %PROGRAMDATA%\microsoft\vault\ac658cb4-9126-49bd-b877-31eedab3f204\2f1a6504-0641-44cf-8bb5-3612d865f2e5.vsch
- %PROGRAMDATA%\microsoft\vault\ac658cb4-9126-49bd-b877-31eedab3f204\3ccd5499-87a8-4b10-a215-608888dd3b55.vsch
- %PROGRAMDATA%\microsoft\vault\ac658cb4-9126-49bd-b877-31eedab3f204\policy.vpol
- %TEMP%\s.bat
- %TEMP%\932b.tmp.exe
- %TEMP%\65c1.tmp.exe
- %APPDATA%\vcijviu
- %APPDATA%\ucgwvfj
- %APPDATA%\baswjat
- %TEMP%\cb9f.tmp-shm
- %TEMP%\932b.tmp.exe.pid
Sets the 'hidden' attribute to the following files
- %APPDATA%\baswjat
- %APPDATA%\ucgwvfj
- %APPDATA%\vcijviu
Deletes the following files
- %TEMP%\cb9f.tmp-shm
- %TEMP%\cb9f.tmp
- %TEMP%\cbbf.tmp
- %TEMP%\ce21.tmp
- %TEMP%\ce32.tmp
- %TEMP%\ce43.tmp
- %TEMP%\ced0.tmp
- %TEMP%\cef0.tmp
- %TEMP%\cf20.tmp
- %TEMP%\cf21.tmp
- %TEMP%\cf9f.tmp
- %TEMP%\cfb0.tmp
- %TEMP%\cfb1.tmp
- %TEMP%\cfd1.tmp-shm
- %TEMP%\cfd1.tmp
Deletes itself.
Network activity
TCP
HTTP GET requests
- http://wh#####icbodyworks.org/images/about.exe
- http://li###eone.com/phpmyadmin2/
- http://fu###lgoods.com/phpmyadmin2/
- http://gr######design-academy.com/phpmyadmin2/
- http://jo#####.#outhspecialties.com/phpmyadmin2/
- http://ma##ala.com/phpmyadmin2/
- http://la###zocco.com/phpmyadmin2/
- http://lo#####ewpodcast.com/phpmyadmin2/
- http://lu####lesalomon.com/phpmyadmin2/
- http://ec###bfacts.com/phpmyadmin2/
- http://lp#.com/phpmyadmin2/
- http://ja###etite.com/phpmyadmin2/
- http://ma####mazione.com/phpmyadmin2/
- http://in##go.com/phpmyadmin2/
- http://lu##pro.com/phpmyadmin2/
- http://la####angletee.com/phpmyadmin2/
- http://ie####thanhloan.com/phpmyadmin2/
- http://lw###yin.com/phpmyadmin2/
- http://ko####agossip.com/phpmyadmin2/
- http://17#.##1.14.125:8888/gw?wo#####################
- http://17#.##1.14.125:8888/gw?wo############
- http://17#.##1.14.125:8888/bots/knock?wo######################################
- http://17#.##1.14.125:8888/project/active
- http://17#.##1.14.125:8888/bots/chkVersion?cu####################
- http://wi#####neaussies.com/wp-content/themes/genesis/adobbes.exe
- http://ko###one.com/phpmyadmin2/
- http://lu#######ke.myorganogold.com/phpmyadmin2/
HTTP POST requests
- http://st####tseobd.xyz/seo/
UDP
- DNS ASK st####tseobd.xyz
- DNS ASK li###onik.com
- DNS ASK ma####mtours.com
- DNS ASK fh##.com
- DNS ASK jk###rts.com
- DNS ASK it###ail.com
- DNS ASK ma###shik.com
- DNS ASK la####keyboard.com
- DNS ASK ma####ingchoice.com
- DNS ASK ma#####obenevides.com
- DNS ASK ma####mtravel.com
- DNS ASK in##t.com
- DNS ASK ma########lcafe.myorganogold.com
- DNS ASK ma##a.com
- DNS ASK ma###ison.com
- DNS ASK ma###nthony.com
- DNS ASK ma##lyn.ca
- DNS ASK fr##at.com
- DNS ASK ec###lish.com
- DNS ASK kl###eme.com
- DNS ASK ma##pub.com
- DNS ASK la######in.myorganogold.com
- DNS ASK ja###cadoo.com
- DNS ASK im####ttress.com
- DNS ASK ma###walker.com
- DNS ASK ma##slo.com
- DNS ASK la###inem.com
- DNS ASK ma######inthemountains.com
- DNS ASK ma##oub.com
- DNS ASK ip####turkey.com
- DNS ASK li###bee.com
- DNS ASK ma#####ecruitment.com
- DNS ASK li###gain.com
- DNS ASK ja####harris.com
- DNS ASK ma######genredesociales.com
- DNS ASK in####temoon.com
- DNS ASK ma###ter.com
- DNS ASK ma###lww.com
- DNS ASK kr####nmcgee.com
- DNS ASK ma####wedding.com
- DNS ASK ma####onklinik.com
- DNS ASK fo###t-gis.com
- DNS ASK ma##ahr.com
- DNS ASK ma#####rrorcentral.com
- DNS ASK lo###social.com
- DNS ASK jc#####alcollege.com
- DNS ASK ma####askitchen.com
- DNS ASK ma####omic-con.com
- DNS ASK ma###rstogo.com
- DNS ASK ma####-owner.com
- DNS ASK ki##l.com
- DNS ASK je####aucanada.com
- DNS ASK ma####ekipmani.com
- DNS ASK in###remag.com
- DNS ASK ma####.bourseiness.com
- DNS ASK in####-mexico.com
- DNS ASK jc##gi.com
- DNS ASK gy##ox.com
- DNS ASK ma##iro.com
- DNS ASK le###arket.com
- DNS ASK ho####fjethro.com
- DNS ASK ma#####ngsparkler.com
- DNS ASK jo####harbinger.com
- DNS ASK im####deviaje.com
- DNS ASK lo###rshop.com
- DNS ASK li####likeleila.com
- DNS ASK le###ovellc.com
- DNS ASK ma######rsionapproach.com
- DNS ASK hi###.###iereviewpreview.com
- DNS ASK fi###ist.com
- DNS ASK lo####etzone.com
- DNS ASK fl###wallet.com
- DNS ASK ma####urmeals.com
- DNS ASK ka###rnay.com
- DNS ASK ma#####ngfancier.com
- DNS ASK ma####ingrebel.com
- DNS ASK ma##ala.com
- DNS ASK ki##ar.com
- DNS ASK ma####deviaje.com
- DNS ASK ka####-clinic.com
- DNS ASK li##o.com
- DNS ASK lu###eryday.com
- DNS ASK la###world.com
- DNS ASK ca###aalyoum.ca
- DNS ASK ma###mex.com
- DNS ASK ma###anos.com
- DNS ASK ma###msupps.com
- DNS ASK jo####lrecord.com
- DNS ASK ef###lud.com
- DNS ASK ma###ptrend.com
- DNS ASK ma######gwebanalytics.com
- DNS ASK je##iz.com
- DNS ASK gr#######hop.000webhostapp.com
- DNS ASK ma###agency.com
- DNS ASK is#####fertility.com
- DNS ASK lo####rldtv.co.uk
- DNS ASK ma###teers.com
- DNS ASK is###opfest.com
- DNS ASK ho####daytalks.com
- DNS ASK la###awser.com
- DNS ASK ma####ultoria.com
- DNS ASK it###sytech.com
- DNS ASK ma###tic-sa.com
- DNS ASK ka####-magazine.com
- DNS ASK m3##ar.com
- DNS ASK lo####llpapers.com
- DNS ASK jo###ries.com
- DNS ASK li###eone.com
- DNS ASK lu###net.com
- DNS ASK ki###nline.com
- DNS ASK ly##bee.com
- DNS ASK in###iorgod.com
- DNS ASK lo##.login.com
- DNS ASK ma####mazione.com
- DNS ASK jo###awinn.com
- DNS ASK lu#######ke.myorganogold.com
- DNS ASK is###iokul.com
- DNS ASK ie####toefl-yds.com
- DNS ASK ho##.#niserve.com
- DNS ASK je#####rskitchen.com
- DNS ASK ma####estalk.com
- DNS ASK ly###net.com
- DNS ASK la###zocco.com
- DNS ASK jo#####.#outhspecialties.com
- DNS ASK lo######agesfromheart.com
- DNS ASK ko###one.com
- DNS ASK gh###aan.com
- DNS ASK wh#####icbodyworks.org
- DNS ASK so####remiks.com
- DNS ASK ic###ame.com
- DNS ASK ko####agossip.com
- DNS ASK ib###ing.com
- DNS ASK la####angletee.com
- DNS ASK lu####lesalomon.com
- DNS ASK ec###bfacts.com
- DNS ASK lp#.com
- DNS ASK ma###neart.com
- DNS ASK ie####thanhloan.com
- DNS ASK ie###weekly.com
- DNS ASK lu######e.myorganogold.com
- DNS ASK ja###etite.com
- DNS ASK lo#####ewpodcast.com
- DNS ASK lu##pro.com
- DNS ASK fu###lgoods.com
- DNS ASK lu###sport.com
- DNS ASK in##go.com
- DNS ASK ma###cajal.com
- DNS ASK it#####marketing.com
- DNS ASK km####.#00webhostapp.com
- DNS ASK wi#####neaussies.com
- DNS ASK lw###yin.com
- DNS ASK gr######design-academy.com
- DNS ASK li###fdad.com
- DNS ASK ma##.com
- DNS ASK ma##og.com
- DNS ASK ma####ofchamps.com
- DNS ASK ip####sbackup.com
- DNS ASK ma###aneab.com
- DNS ASK gi#.com
- DNS ASK ma##.#ine100.com
- DNS ASK ma#####lectronics.com
- DNS ASK ja####gosende.com
- DNS ASK ma####empire.com
- DNS ASK ma####thatwist.com
- DNS ASK le######n.myorganogold.com
- DNS ASK iw#.us
- DNS ASK ma###eidol.com
- DNS ASK ki#####psychology.com
- DNS ASK ma###ine.com
- DNS ASK la####gedrops.com
- DNS ASK ma###to-tr.com
- DNS ASK ma###vabags.com
- DNS ASK ji##eng.com
- DNS ASK ma####onsale.com
- DNS ASK ma######up.myorganogold.com
- DNS ASK iv####design.com
- DNS ASK la####makemoney.com
- DNS ASK la####gvisual.com
- DNS ASK fl###tock.com
- DNS ASK lu###atimes.com
- DNS ASK ma###eta.com
- DNS ASK lu##lon.com
- DNS ASK gi#####ewedycables.com
- DNS ASK lu###dvitae.com
- DNS ASK ke#.com
- DNS ASK in##car.com
- DNS ASK hu####ndemirtas.com
- DNS ASK ha#######.dominiotemporario.com
- DNS ASK is##lat.com
- DNS ASK ma##rs.com
- DNS ASK fr##tzi.com
- DNS ASK lu###ayyan.com
- DNS ASK ka###rsho.com
- DNS ASK ip###emp.com
- DNS ASK ep###agar.com
- DNS ASK ma#######fee.myorganogold.com
- DNS ASK it###tory.com
- DNS ASK lu####rsetry.com
- DNS ASK ge###ailand.com
- DNS ASK ku###cbd.com
- DNS ASK li##-li.com
- DNS ASK li####-design.com
- DNS ASK ly####counting.com
- DNS ASK ma####edicinals.com
Miscellaneous
Creates and executes the following
- '%TEMP%\65c1.tmp.exe'
- '%TEMP%\932b.tmp.exe'
- '%WINDIR%\syswow64\cmd.exe' /Q /C <LS_APPDATA>\Temp/s.bat' (with hidden window)
Executes the following
- '%WINDIR%\syswow64\explorer.exe'
- '%WINDIR%\explorer.exe'
- '%WINDIR%\syswow64\cmd.exe' /Q /C <LS_APPDATA>\Temp/s.bat
