Technical Information
To ensure autorun and distribution
Sets the following service settings
- [HKLM\System\CurrentControlSet\Services\FWP7M1NFsorifn] 'ImagePath' = '<DRIVERS>\vOUGKTIOSX.sys'
- [HKLM\System\CurrentControlSet\Services\kHEId32IujkEkf] 'ImagePath' = '<DRIVERS>\dh64wboVt0.lad'
- [HKLM\System\CurrentControlSet\Services\QS7QK89ZfcHbZn] 'ImagePath' = '<SYSTEM32>\4F6MVi3hkfBHW4.sys'
- [HKLM\System\CurrentControlSet\Services\W1Ae93qqB3] 'ImagePath' = '<SYSTEM32>\HtOEg0hrjL.pvo'
- [HKLM\System\CurrentControlSet\Services\p1cJr3tDqkuL] 'ImagePath' = '%WINDIR%\UOEK7fVnuNxHO.sys'
- [HKLM\System\CurrentControlSet\Services\gRFBDc3nZDvza] 'ImagePath' = '<DRIVERS>\GZxyqGKWHWogLc.sys'
- [HKLM\System\CurrentControlSet\Services\tTt8sYuB] 'ImagePath' = '<DRIVERS>\Ly522cbkj.sys'
- [HKLM\System\CurrentControlSet\Services\ruXgBW8qLv] 'ImagePath' = '<DRIVERS>\gBQ43HDvThp09j.sys'
Creates the following services
- 'FWP7M1NFsorifn' <DRIVERS>\vOUGKTIOSX.sys
- 'kHEId32IujkEkf' <DRIVERS>\dh64wboVt0.lad
- 'QS7QK89ZfcHbZn' <SYSTEM32>\4F6MVi3hkfBHW4.sys
- 'W1Ae93qqB3' <SYSTEM32>\HtOEg0hrjL.pvo
- 'p1cJr3tDqkuL' %WINDIR%\UOEK7fVnuNxHO.sys
- 'gRFBDc3nZDvza' <DRIVERS>\GZxyqGKWHWogLc.sys
- 'tTt8sYuB' <DRIVERS>\Ly522cbkj.sys
- 'ruXgBW8qLv' <DRIVERS>\gBQ43HDvThp09j.sys
Malicious functions
Injects code into
the following system processes:
- %WINDIR%\explorer.exe
the following user processes:
- iexplore.exe
- firefox.exe
- secinit.exe
Hooks functions
in browsers
- firefox.exe process, nss3.dll module
- firefox.exe process, wininet.dll module
- firefox.exe process, mswsock.dll module
Modifies file system
Creates the following files
- %WINDIR%\syswow64\drivers\vougktiosx.sys
- %WINDIR%\syswow64\drivers\dh64wbovt0.lad
- %WINDIR%\syswow64\4f6mvi3hkfbhw4.sys
- %WINDIR%\syswow64\htoeg0hrjl.pvo
- %WINDIR%\uoek7fvnunxho.sys
- %WINDIR%\fonts\secinit.exe
- <DRIVERS>\gzxyqgkwhwoglc.sys
- <SYSTEM32>\catroot\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\cp7zct.cat
- <DRIVERS>\ly522cbkj.sys
- <DRIVERS>\gbq43hdvthp09j.sys
- <SYSTEM32>\catroot\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\35b01d.cat
- %ProgramFiles%\microsoft analysis services\manifest.json
- %ProgramFiles%\microsoft analysis services\479ebc.js
- %ProgramFiles%\microsoft analysis services\59866b.html
- %ProgramFiles%\microsoft analysis services\6b6e1a.js
- %ProgramFiles%\microsoft analysis services\lib\7d55c9.js
- %WINDIR%\2cf1f\csrss.exe
Deletes the following files
- %WINDIR%\syswow64\drivers\vougktiosx.sys
- %WINDIR%\syswow64\drivers\dh64wbovt0.lad
- %WINDIR%\syswow64\4f6mvi3hkfbhw4.sys
- %WINDIR%\syswow64\htoeg0hrjl.pvo
- <SYSTEM32>\catroot\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\cp7zct.cat
- <SYSTEM32>\catroot\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\35b01d.cat
Deletes itself.
Network activity
Connects to
- 'dn#.#lidns.com':443
- 'dn#.#lidns.com':80
- 'xc#.#ycsl.top':80
- 'ap##.#ame.qq.com':80
- 'sp#.#aidu.com':80
- 'xc#.#ycsl.top':443
TCP
HTTP GET requests
- http://dn#.#lidns.com/resolve?na#######################
- http://dn#.#lidns.com/resolve?na########################
- http://xc#.#eaya.site/pgm/mpr/c995ec7fd4f57c0d/e691ad375852f8cd.zip.md5.txt
- http://xc#.#eaya.site/pgm/mpr/c995ec7fd4f57c0d/e691ad375852f8cd.zip
- http://xc#.#ycsl.top/pgm/mpr/c995ec7fd4f57c0d/e691ad375852f8cd.zip.md5.txt
- http://xc#.#ycsl.top/pgm/mpr/c995ec7fd4f57c0d/e691ad375852f8cd.zip
- http://xc#.#ycsl.top/cfg/cmc/ping.txt
- http://xc#.#ycsl.top/cfg/cmc/userchange.txt
- http://xc#.#ycsl.top/cfg/cmc/userpq.zip
- http://ap##.#ame.qq.com/comm-htdocs/ip/get_ip.php
- http://sp#.#aidu.com/8aQDcjqpAAV3otqbppnN2DJv/api.php?qu############################################################
- http://xc#.#ycsl.top/cfg/cmc/blacklist.txt
- http://xc#.#ycsl.top/cfg/user/c995ec7fd4f57c0d/e691ad375852f8cd.json
- http://xc#.#ycsl.top/cfg/pub/ms.json
- http://xc#.#ycsl.top/cfg/pub/ps.json
- http://xc#.#ycsl.top/pgm/mds/263f90e315e63f39/b6fb7e65ccbfa908dc128dfb61a1a9185f00d45ce902f1f164.zip
- http://xc#.#ycsl.top/pgm/mds/a7e45213b3380c84/77750770f7220a1d890f0bc2cfbdd31effe1f5af9791012564.zip
- http://xc#.#ycsl.top/pgm/mds/21daadc79a923587/a117bad625beeffcdc128dfb61a1a918bc723c40f252941b64.zip
- http://xc#.#ycsl.top/pgm/mds/00ed36f35c33f9c5/be60c2ecfc190e4cf0fc9f7fe5b2f4cf811c04596514ee2064.zip
- http://xc#.#ycsl.top/pgm/mds/fdd349d7eaf04acc/26a3a60a23f651b1081a33a6f0e71eee54328b36243992f464.zip
- http://xc#.#ycsl.top/cfg/cmc/slfdm.txt
- http://nr#.#ycsl.top/report/report_data?da#######################################################################################################################################################...
- http://xc#.#ycsl.top/cfg/cmc/ppmldb
- http://xc#.#ycsl.top/cfg/cmc/b2.txt
- http://dn#.#lidns.com/resolve?na############
- http://xc#.#ycsl.top/pgm/mds/f30c73dccf55f69e/0201f919f6e83121081a33a6f0e71eee09bb87916a55ba2564.zip
- http://xc#.#ycsl.top/cfg/cmc/sfbd.txt
- http://dn#.#lidns.com/resolve?na###########
- http://xc#.#ycsl.top/pgm/mds/890fbd89be47b7a4/9cd12d886d5d27933b350c0cdfc7c7bca94692aafccfc26c64.zip
- http://22#.5.5.5/resolve?na###########
- http://xc#.#ycsl.top/cfg/cmc/ggtbd.txt
- http://dn#.#lidns.com/resolve?na###############
- http://xc#.#ycsl.top/cfg/cmc/oypass.txt
- http://xc#.#ycsl.top/cfg/cmc/wea.txt
- http://xc#.#ycsl.top/cfg/cmc/chct.txt
Other
- 'dn#.#lidns.com':443
- 'xc#.#ycsl.top':443
UDP
- DNS ASK xc#.#ycsl.top
- DNS ASK dn#.#lidns.com
- DNS ASK xc#.#eaya.site
- DNS ASK ap##.#ame.qq.com
- DNS ASK sp#.#aidu.com
- '23#.#23.112.211':51701
- '23#.2.2.2':18804
Miscellaneous
Adds a root certificate
Creates and executes the following
- '%WINDIR%\fonts\secinit.exe'
Executes the following
- '<SYSTEM32>\rundll32.exe' <SYSTEM32>\FirewallControlPanel.dll,ShowNotificationDialog /configure /ETOnly 0 /OnProfiles 6 /OtherAllowed 0 /OtherBlocked 0 /OtherEdgeAllowed 0 /NewBlocked 4 "<Full path to file>"
- '%WINDIR%\syswow64\cmd.exe' /c timeout /t 1 & del /Q /F "<Full path to file>"
- '%WINDIR%\syswow64\timeout.exe' /t 1
- '%WINDIR%\syswow64\cmd.exe' /c timeout /t 1 & del /Q /F "<Full path to file>"' (with hidden window)
