Technical Information
Malicious functions
To complicate detection of its presence in the operating system,
modifies the following system settings:
- DNS server to '<DNS_SERVER>'
- DNS server to '114.114.114.114'
Injects code into
the following user processes:
- b5b1e5be05c.exe
Modifies file system
Creates the following files
- %HOMEPATH%\desktop\<File name>.lnk
- %TEMP%\etilqs_jpteur2gwfaiqux
- %TEMP%\etilqs_udwt960zcu3dk0f
- %TEMP%\etilqs_moogb1ubcgn8qaq
- %TEMP%\etilqs_s0dfp3xt8e0fnpo
- %TEMP%\etilqs_cth6rabn3s1mv7f
- %TEMP%\etilqs_dodskfuo5xwcddj
- %TEMP%\etilqs_gpzp2u6kupqcnsy
- %TEMP%\etilqs_liqnfceh88ds0as
- %TEMP%\etilqs_czgkl0vuggl0juy
- <Current directory>\aad371739\bb98e337\db930b19\ed2dxjezl.exe
- <Current directory>\aad371739\b6604d619705\5212cxsez.dll
- <Current directory>\aad371739\db80a9a\29e6bwidy.dll
- %TEMP%\etilqs_tzw9nchngmqlmbc
- <Current directory>\aad371739\d72be4\b357ytfav.dll
- <Current directory>\aad371739\d32ab4306\9100g1ni4.dll
- <Current directory>\aad371739\iab11d1\fa213pk5r.dll
- <Current directory>\aad371739\bb98e337\c69dc9ff0840\4d0kg1oj.dll
- <Current directory>\aad371739\bb98e337\bd7751\6dc6az4qm.dll
- <Current directory>\aad371739\bb98e337\aa54a6226f5\c85cxopbw.dll
- <Current directory>\aad371739\bb98e337\e7aa38\7633oj4ql.dll
- <Current directory>\aad371739\bb98e337\g8fcb7d\cba0f7toa.dll
- <Current directory>\aad371739\bb98e337\i03d9e\1984sn8up.dll
- <Current directory>\aad371739\bb98e337\d466e91f74\e838tk4ut.dll
- <Current directory>\aad371739\ja1b9af
- %LOCALAPPDATA%\microsoft\windows\history\history.ie5\mshist012025032220250323\index.dat
- %ProgramFiles(x86)%\opera\b5b1e5be05c.exe
- <Current directory>\aad371739\d172be1\5ececykg6.dll
- %TEMP%\etilqs_1oxcz6morgk9chc
Deletes the following files
- %LOCALAPPDATA%\microsoft\windows\history\history.ie5\mshist012025032220250323\index.dat
- <DRIVERS>\etc\hosts
Network activity
Connects to
- 'si###torage.com':80
- 'co##.54kefu.net':443
- 'co##.54kefu.net':80
- 'zh###ifz.com':80
- 'ya###.opera.com':80
- 're###.opera.com':80
- 'si#####ck2.opera.com':80
- 'am##on.com':443
- 'am##on.com':80
- 'en.###ipedia.org':443
- 'en.###ipedia.org':80
- 'se####.yahoo.com':443
- 'du###uckgo.com':443
- 'se####.yahoo.com':80
- 'x1.#.lencr.org':80
- 'bing.com':80
- 'au######te.geo.opera.com':443
- 'au######te.geo.opera.com':80
- 'si###loud.net':80
- 'si###torage.cn':80
- 'mi#####.zhuzaifz.com':80
- 'iq##i.com':80
- 'so##u.com':80
- 'qq.com':80
- '18#.#54.116.116':80
- 'si##.com.cn':80
- '11#.#9.29.29':80
- '11#.#14.114.114':80
- 'so##.com':80
- 'google.com':80
- 'sd#####es.operacdn.com':443
TCP
HTTP GET requests
- http://si###torage.com/question/data.txt
- http://www.zh###ifz.com/skin/def_purple/top_bg.gif
- http://www.zh###ifz.com/upFiles/infoImg/2022022774376993.jpg
- http://www.zh###ifz.com/upFiles/infoImg/2020111234356845.jpg
- http://www.zh###ifz.com/upFiles/infoImg/2020111234352573.gif
- http://www.zh###ifz.com/upFiles/infoImg/2015040842551017.jpg
- http://www.zh###ifz.com/upFiles/infoImg/2015040842585721.jpg
- http://www.zh###ifz.com/upFiles/infoImg/2015041140767297.jpg
- http://www.zh###ifz.com/upFiles/infoImg/2015041140842845.jpg
- http://www.zh###ifz.com/upFiles/infoImg/2015042139671369.jpg
- http://www.zh###ifz.com/skin/def_purple/top_menuBg.gif
- http://www.zh###ifz.com/upFiles/infoImg/2015042139728165.jpg
- http://www.zh###ifz.com/upFiles/infoImg/2015052437828201.jpg
- http://www.zh###ifz.com/upFiles/infoImg/2015052437878965.jpg
- http://co##.54kefu.net/kefu/js/160/459360.js
- http://www.zh###ifz.com/upFiles/infoImg/2016042934503081.jpg
- http://www.zh###ifz.com/upFiles/infoImg/2016042934558205.jpg
- http://www.zh###ifz.com/upFiles/infoImg/2016050336345313.jpg
- http://www.zh###ifz.com/upFiles/infoImg/2016050336429721.jpg
- http://www.zh###ifz.com/upFiles/infoImg/2016051744156769.jpg
- http://www.zh###ifz.com/upFiles/infoImg/2016051744226193.jpg
- http://www.zh###ifz.com/upFiles/infoImg/2015042139792837.jpg
- http://x1.#.lencr.org/
- http://si###torage.cn/question/B64d.rar
- http://www.zh###ifz.com/skin/def_purple/top_searchBtn.gif
- http://re###.opera.com/speeddials/partner/wikipedia_org_us
- http://re###.opera.com/speeddials/partner/youtube
- http://re###.opera.com/speeddials/partner/product
- http://re###.opera.com/speeddials/partner/booking_com_us
- http://re###.opera.com/speeddials/partner/twitter_us
- http://re###.opera.com/speeddials/partner/yahoo
- http://re###.opera.com/speeddials/partner/ebay_us
- http://re###.opera.com/speeddials/partner/amazon_us
- http://si###torage.com/question/B64d.rar
- http://www.zh###ifz.com/upFiles/images/2014081146792373.jpg
- http://si###loud.net/question/B64d
- http://www.zh###ifz.com/skin/def_purple/bottom_logo.gif
- http://www.zh###ifz.com/skin/def_purple/item2.gif
- http://www.zh###ifz.com/skin/def_purple/arrow3.gif
- http://www.zh###ifz.com/skin/def_purple/item.gif
- http://www.zh###ifz.com/skin/def_purple/index_recom.gif
- http://www.zh###ifz.com/skin/def_purple/arrow1.gif
- http://www.zh###ifz.com/skin/def_purple/index_new.gif
- http://www.zh###ifz.com/skin/def_purple/arrow2.gif
- http://www.zh###ifz.com/skin/def_purple/index_announ.gif
- http://www.zh###ifz.com/skin/def_purple/top_menuDz.gif
- http://www.zh###ifz.com/skin/def_purple/top_searchDz.gif
- http://www.zh###ifz.com/inc_img/rss.gif
- http://en.###ipedia.org/favicon.ico
- http://www.google.com/favicon.ico
- http://au######te.geo.opera.com/geolocation/
- http://si###torage.cn/question/vc8
- http://si###torage.com/question/vc8
- http://si###loud.net/question/vc8
- http://18#.#54.116.116/d?dn##############
- http://11#.#9.29.29/d?dn##############
- http://si###loud.net/question/2025-03-23/03_31
- http://18#.#54.116.116/d?dn###############
- http://www.bing.com/s/a/bing_p.ico
- http://11#.#9.29.29/d?dn###############
- http://si###torage.cn/question/data.txt
- http://www.so##u.com/
- http://si###torage.com/question/2025-03-23/03_31
- http://www.iq##i.com/
- http://18#.#54.116.116/d?dn################
- http://www.qq.com/
- http://www.si##.com.cn/
- http://11#.#9.29.29/d?dn################
- http://www.so##.com/
- http://si###torage.cn/question/2025-03-23/03_31
- http://re###.opera.com/favicon.ico
- http://www.zh###ifz.com/js/top.js?v=###
- http://si###loud.net/question/data.txt
- http://www.zh###ifz.com/js/inc/common.js?v=###
- http://www.zh###ifz.com/js/inc/jquery1.8.2.js?v=########
- http://www.zh###ifz.com/tools/flashImgTrun/swf.js
- http://www.zh###ifz.com/skin/navMenu11.css
- http://www.zh###ifz.com/skin/def_purple/style4.css
- http://www.zh###ifz.com/cache/ads.js?v=##############
- http://www.zh###ifz.com/configJs.asp?we#############
- http://www.zh###ifz.com/
- http://si###loud.net/question/PrsProt64.rar
- http://www.zh###ifz.com/js/index.js?v=########
- http://ya###.opera.com/favicon.ico
- http://si###torage.cn/question/PrsProt64.rar
- http://re###.opera.com/speeddials/partner/facebook
- http://si###torage.cn/question/B64d
- http://si#####ck2.opera.com/?ho####################################################
- http://si###torage.com/question/B64d
- http://si###torage.com/question/PrsProt64.rar
- http://re###.opera.com/www.opera.com/firstrun/
- http://si#####ck2.opera.com/?ho###################################################
- http://www.am##on.com/favicon.ico
- http://se####.yahoo.com/favicon.ico
- http://si###loud.net/question/B64d.rar
Other
- 'au######te.geo.opera.com':443
- 'du###uckgo.com':443
- 'se####.yahoo.com':443
- 'en.###ipedia.org':443
- 'am##on.com':443
- 'ya###.opera.com':443
- 'co##.54kefu.net':443
- 'bing.com':443
- 'op##a.com':443
UDP
- DNS ASK si###torage.com
- DNS ASK co##.54kefu.net
- DNS ASK zh###ifz.com
- DNS ASK op##a.com
- DNS ASK ya###.opera.com
- DNS ASK fa###ook.com
- DNS ASK re###.opera.com
- DNS ASK si#####ck2.opera.com
- DNS ASK en.###ipedia.org
- DNS ASK bi##.#ikimedia.org
- DNS ASK bing.com
- DNS ASK am##on.com
- DNS ASK du###uckgo.com
- DNS ASK se####.yahoo.com
- DNS ASK au######te.geo.opera.com
- DNS ASK google.com
- DNS ASK si###loud.net
- DNS ASK si###torage.cn
- DNS ASK qq.com
- DNS ASK so##u.com
- DNS ASK si##.com.cn
- DNS ASK iq##i.com
- DNS ASK so##.com
- DNS ASK mi#####.zhuzaifz.com
- DNS ASK x1.#.lencr.org
- DNS ASK sd#####es.operacdn.com
Miscellaneous
Searches for the following windows
- ClassName: 'MS_AutodialMonitor' WindowName: ''
- ClassName: 'MS_WebCheckMonitor' WindowName: ''
- ClassName: 'Opera_MessageWindow' WindowName: '%APPDATA%\Opera Software\Opera Stable'
Creates and executes the following
- '%ProgramFiles(x86)%\opera\b5b1e5be05c.exe' WfCSJx8rJXYkfB+SfCuDeDx7JntO
Executes the following
- '%ProgramFiles(x86)%\opera\launcher.exe' -noautoupdate -- "http://www.zhuzaifz.com/"
- '%ProgramFiles(x86)%\opera\29.0.1795.47\opera.exe' --type=utility --channel="1560.15.1346915919\712063256" --lang=en-US --enable-proprietary-media-types-playback --ignored=" --type=renderer " /prefetch:-645351001
- '%ProgramFiles(x86)%\opera\29.0.1795.47\opera.exe' --type=utility --channel="1560.12.2018296753\150782783" --lang=en-US --enable-proprietary-media-types-playback --ignored=" --type=renderer " /prefetch:-645351001
- '%ProgramFiles(x86)%\opera\29.0.1795.47\opera.exe' --type=utility --channel="1560.11.348618335\2119860055" --lang=en-US --enable-proprietary-media-types-playback --ignored=" --type=renderer " /prefetch:-645351001
- '%ProgramFiles(x86)%\opera\29.0.1795.47\opera.exe' --type=utility --channel="1560.10.2123224342\1510871310" --lang=en-US --enable-proprietary-media-types-playback --ignored=" --type=renderer " /prefetch:-645351001
- '%ProgramFiles(x86)%\opera\29.0.1795.47\opera.exe' --type=utility --channel="1560.9.1450488043\369907869" --lang=en-US --enable-proprietary-media-types-playback --ignored=" --type=renderer " /prefetch:-645351001
- '%ProgramFiles(x86)%\opera\29.0.1795.47\opera.exe' --type=utility --channel="1560.8.1783797751\644966904" --lang=en-US --enable-proprietary-media-types-playback --ignored=" --type=renderer " /prefetch:-645351001
- '%ProgramFiles(x86)%\opera\29.0.1795.47\opera.exe' --type=utility --channel="1560.7.1717320389\731093108" --lang=en-US --enable-proprietary-media-types-playback --ignored=" --type=renderer " /prefetch:-645351001
- '%WINDIR%\syswow64\reg.exe' delete HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\B5B1E5BE05C /f
- '%ProgramFiles(x86)%\opera\29.0.1795.47\opera.exe' --type=utility --channel="1560.6.1434836924\1817463975" --lang=en-US --enable-proprietary-media-types-playback --ignored=" --type=renderer " /prefetch:-645351001
- '%ProgramFiles(x86)%\opera\29.0.1795.47\opera_crashreporter.exe' --type=utility --channel="1560.4.691034405\1476190588" --lang=en-US --no-sandbox --enable-proprietary-media-types-playback /prefetch:-645351001 /crash-reporter-parent-id=2784
- '%ProgramFiles(x86)%\opera\29.0.1795.47\opera.exe' --type=utility --channel="1560.4.691034405\1476190588" --lang=en-US --no-sandbox --enable-proprietary-media-types-playback /prefetch:-645351001
- '%ProgramFiles(x86)%\opera\29.0.1795.47\opera.exe' --type=renderer --alt-high-dpi-setting=96 --disable-direct-npapi-requests --enable-deferred-image-decoding --lang=en-US --enable-proprietary-media-types-playback --extension-process --enable-we...
- '%ProgramFiles(x86)%\opera\29.0.1795.47\opera.exe' --type=renderer --alt-high-dpi-setting=96 --disable-direct-npapi-requests --enable-deferred-image-decoding --lang=en-US --enable-proprietary-media-types-playback --disable-client-side-phishing-...
- '%ProgramFiles(x86)%\opera\29.0.1795.47\opera.exe' --type=gpu-process --channel="1560.0.85703504\188574724" --enable-proprietary-media-types-playback --supports-dual-gpus=false --gpu-driver-bug-workarounds=1,19,42 --gpu-vendor-id=0x0000 --gpu-d...
- '%ProgramFiles(x86)%\opera\29.0.1795.47\opera_crashreporter.exe' -noautoupdate --ran-launcher -- http://www.zhuzaifz.com/ /crash-reporter-parent-id=1560
- '%ProgramFiles(x86)%\opera\29.0.1795.47\opera.exe' -noautoupdate --ran-launcher -- http://www.zhuzaifz.com/
- '%ProgramFiles(x86)%\opera\29.0.1795.47\opera.exe' --type=utility --channel="1560.5.571131335\337696663" --lang=en-US --enable-proprietary-media-types-playback --ignored=" --type=renderer " /prefetch:-645351001
- '%WINDIR%\syswow64\reg.exe' delete HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\B5B1E5BE05C /f' (with hidden window)
