Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'Function Debugger Software Error Reports' = 'C:\iqr8nflrh1\opgiyge2pi9da.exe'
Creates the following services:
- [<HKLM>\SYSTEM\ControlSet001\Services\Software Link Propagation Logs] 'ImagePath' = 'C:\iqr8nflrh1\opgiyge2pi9da.exe'
- [<HKLM>\SYSTEM\ControlSet001\Services\Software Link Propagation Logs] 'Start' = '00000002'
Malicious functions:
Executes the following:
- 'C:\iqr8nflrh1\dgzp3hrq.exe' "c:\iqr8nflrh1\opgiyge2pi9da.exe"
- 'C:\iqr8nflrh1\opgiyge2pi9da.exe'
- 'C:\iqr8nflrh1\ztv0hx35pbo5a8sok0mav.exe'
Modifies file system:
Creates the following files:
- C:\iqr8nflrh1\opgiyge2pi9da.exe
- C:\iqr8nflrh1\dgzp3hrq.exe
- C:\iqr8nflrh1\cqrkgbv
- %WINDIR%\iqr8nflrh1\kgluhlc0djk
- C:\iqr8nflrh1\kgluhlc0djk
- C:\iqr8nflrh1\ztv0hx35pbo5a8sok0mav.exe
Sets the 'hidden' attribute to the following files:
- C:\iqr8nflrh1\dgzp3hrq.exe
- C:\iqr8nflrh1\opgiyge2pi9da.exe
Deletes the following files:
- C:\iqr8nflrh1\ztv0hx35pbo5a8sok0mav.exe
- %WINDIR%\iqr8nflrh1\kgluhlc0djk
Network activity:
Connects to:
- 'he######acristianson.net':80
- 'ge#####nesappington.net':80
- 'he#####tasappington.net':80
- 'ge######ecristianson.net':80
- 'gr######rchristopher.net':80
- 'ge#####neleonardson.net':80
- 'he#####taleonardson.net':80
- 'ge######echristopher.net':80
- 'je######ncristianson.net':80
- 'br#####tesappington.net':80
- 'je#####onsappington.net':80
- 'br######ecristianson.net':80
- 'he######achristopher.net':80
- 'br#####teleonardson.net':80
- 'je#####onleonardson.net':80
- 'sh######echristopher.net':80
- 'br######acristianson.net':80
- 'ga#####lasappington.net':80
- 'br#####iasappington.net':80
- 'ga######acristianson.net':80
- 'an######achristopher.net':80
- 'ga#####laleonardson.net':80
- 'br#####ialeonardson.net':80
- 'ga######achristopher.net':80
- 'gr######rcristianson.net':80
- 'sh#####lesappington.net':80
- 'gr#####orsappington.net':80
- 'sh######ecristianson.net':80
- 'br######achristopher.net':80
- 'sh#####leleonardson.net':80
- 'gr#####orleonardson.net':80
- 'br######echristopher.net':80
- 'si######rcristianson.net':80
- 'gr#####lesappington.net':80
- 'si#####ersappington.net':80
- 'gr######ecristianson.net':80
- 'he######nchristopher.net':80
- 'gr#####leleonardson.net':80
- 'si#####erleonardson.net':80
- 'gr######echristopher.net':80
- 'an#####laanastasia.net':80
- 'ga#####lekingsley.net':80
- 'an#####lakingsley.net':80
- 'ga#####leanastasia.net':80
- 'si######rchristopher.net':80
- 'ga#####leandriana.net':80
- 'an#####laandriana.net':80
- 'kr######echristopher.net':80
- 'th######acristianson.net':80
- 'ce#####nesappington.net':80
- 'th#####nasappington.net':80
- 'ce######ecristianson.net':80
- 'je######nchristopher.net':80
- 'ce#####neleonardson.net':80
- 'th#####naleonardson.net':80
- 'ce######echristopher.net':80
- 'he######ncristianson.net':80
- 'kr#####lesappington.net':80
- 'he#####onsappington.net':80
- 'kr######ecristianson.net':80
- 'th######achristopher.net':80
- 'kr#####leleonardson.net':80
- 'he#####onleonardson.net':80
TCP:
HTTP GET requests:
- http://he######acristianson.net/index.php
- http://ge#####nesappington.net/index.php
- http://he#####tasappington.net/index.php
- http://ge######ecristianson.net/index.php
- http://gr######rchristopher.net/index.php
- http://ge#####neleonardson.net/index.php
- http://he#####taleonardson.net/index.php
- http://ge######echristopher.net/index.php
- http://je######ncristianson.net/index.php
- http://br#####tesappington.net/index.php
- http://je#####onsappington.net/index.php
- http://br######ecristianson.net/index.php
- http://he######achristopher.net/index.php
- http://br#####teleonardson.net/index.php
- http://je#####onleonardson.net/index.php
- http://sh######echristopher.net/index.php
- http://br######acristianson.net/index.php
- http://ga#####lasappington.net/index.php
- http://br#####iasappington.net/index.php
- http://ga######acristianson.net/index.php
- http://an######achristopher.net/index.php
- http://ga#####laleonardson.net/index.php
- http://br#####ialeonardson.net/index.php
- http://ga######achristopher.net/index.php
- http://gr######rcristianson.net/index.php
- http://sh#####lesappington.net/index.php
- http://gr#####orsappington.net/index.php
- http://sh######ecristianson.net/index.php
- http://br######achristopher.net/index.php
- http://sh#####leleonardson.net/index.php
- http://gr#####orleonardson.net/index.php
- http://br######echristopher.net/index.php
- http://si######rcristianson.net/index.php
- http://gr#####lesappington.net/index.php
- http://si#####ersappington.net/index.php
- http://gr######ecristianson.net/index.php
- http://he######nchristopher.net/index.php
- http://gr#####leleonardson.net/index.php
- http://si#####erleonardson.net/index.php
- http://gr######echristopher.net/index.php
- http://an#####laanastasia.net/index.php
- http://ga#####lekingsley.net/index.php
- http://an#####lakingsley.net/index.php
- http://ga#####leanastasia.net/index.php
- http://si######rchristopher.net/index.php
- http://ga#####leandriana.net/index.php
- http://an#####laandriana.net/index.php
- http://kr######echristopher.net/index.php
- http://th######acristianson.net/index.php
- http://ce#####nesappington.net/index.php
- http://th#####nasappington.net/index.php
- http://ce######ecristianson.net/index.php
- http://je######nchristopher.net/index.php
- http://ce#####neleonardson.net/index.php
- http://th#####naleonardson.net/index.php
- http://ce######echristopher.net/index.php
- http://he######ncristianson.net/index.php
- http://kr#####lesappington.net/index.php
- http://he#####onsappington.net/index.php
- http://kr######ecristianson.net/index.php
- http://th######achristopher.net/index.php
- http://kr#####leleonardson.net/index.php
- http://he#####onleonardson.net/index.php
UDP:
- DNS ASK he######acristianson.net
- DNS ASK ge######ecristianson.net
- DNS ASK he#####tasappington.net
- DNS ASK ge#####nesappington.net
- DNS ASK gr######rchristopher.net
- DNS ASK sh######echristopher.net
- DNS ASK he#####taleonardson.net
- DNS ASK ge#####neleonardson.net
- DNS ASK je######ncristianson.net
- DNS ASK br######ecristianson.net
- DNS ASK je#####onsappington.net
- DNS ASK br#####tesappington.net
- DNS ASK he######achristopher.net
- DNS ASK ge######echristopher.net
- DNS ASK je#####onleonardson.net
- DNS ASK br#####teleonardson.net
- DNS ASK br######acristianson.net
- DNS ASK ga######acristianson.net
- DNS ASK br#####iasappington.net
- DNS ASK ga#####lasappington.net
- DNS ASK an######achristopher.net
- DNS ASK ga######echristopher.net
- DNS ASK br#####ialeonardson.net
- DNS ASK ga#####laleonardson.net
- DNS ASK gr######rcristianson.net
- DNS ASK sh######ecristianson.net
- DNS ASK gr#####orsappington.net
- DNS ASK sh#####lesappington.net
- DNS ASK br######achristopher.net
- DNS ASK ga######achristopher.net
- DNS ASK gr#####orleonardson.net
- DNS ASK sh#####leleonardson.net
- DNS ASK si######rcristianson.net
- DNS ASK gr######ecristianson.net
- DNS ASK si#####ersappington.net
- DNS ASK gr#####lesappington.net
- DNS ASK he######nchristopher.net
- DNS ASK kr######echristopher.net
- DNS ASK si#####erleonardson.net
- DNS ASK gr#####leleonardson.net
- DNS ASK an#####laanastasia.net
- DNS ASK ga#####leanastasia.net
- DNS ASK an#####lakingsley.net
- DNS ASK ga#####lekingsley.net
- DNS ASK si######rchristopher.net
- DNS ASK gr######echristopher.net
- DNS ASK an#####laandriana.net
- DNS ASK ga#####leandriana.net
- DNS ASK th######acristianson.net
- DNS ASK ce######ecristianson.net
- DNS ASK th#####nasappington.net
- DNS ASK ce#####nesappington.net
- DNS ASK je######nchristopher.net
- DNS ASK br######echristopher.net
- DNS ASK th#####naleonardson.net
- DNS ASK ce#####neleonardson.net
- DNS ASK he######ncristianson.net
- DNS ASK kr######ecristianson.net
- DNS ASK he#####onsappington.net
- DNS ASK kr#####lesappington.net
- DNS ASK th######achristopher.net
- DNS ASK ce######echristopher.net
- DNS ASK he#####onleonardson.net
- DNS ASK kr#####leleonardson.net
