Technical Information
To ensure autorun and distribution
Creates the following services
- [<HKLM>\SYSTEM\CurrentControlSet\Services\dllhostLOG] 'ImagePath' = '%WINDIR%\dllhostLOG.sys'
- [<HKLM>\System\CurrentControlSet\Services\yknqjqu] 'ImagePath' = '<SYSTEM32>\WJMwHjP.sys'
- [<HKLM>\System\CurrentControlSet\Services\zlorkra] 'ImagePath' = '<SYSTEM32>\rRmCnnU.sys'
Malicious functions
Injects code into
the following system processes:
- %WINDIR%\syswow64\dllhost.exe
- <SYSTEM32>\taskhost.exe
- <SYSTEM32>\services.exe
Terminates or attempts to terminate
the following system processes:
- %WINDIR%\syswow64\dllhost.exe
Registers file system filter
- [<HKLM>\SYSTEM\CurrentControlSet\Services\dllhostLOG] 'Group' = 'FSFilter Top'
Searches for windows to
detect analytical utilities:
- ClassName: 'PROCMON_WINDOW_CLASS', WindowName: ''
Modifies settings of Windows Internet Explorer
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings] 'WarnonBadCertRecving' = '00000000'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1] '1609' = '00000000'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] '1609' = '00000000'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '1609' = '00000000'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4] '1609' = '00000000'
Modifies file system
Creates the following files
- %WINDIR%\facklog.log
- %APPDATA%\ekrsmy\tmnryoold.exe
- %APPDATA%\ekrsmy\tmnryo.exe
- %APPDATA%\tencent\qq\rbjd.tmp
- %APPDATA%\tencent\qq\wxgg.tmp
- %APPDATA%\tencent\qq\config.ini
- <SYSTEM32>\bent.exe
- %APPDATA%\ekrsmy\wxpp32.tmp
- %APPDATA%\ekrsmy\wxpp64.tmp
- %APPDATA%\ekrsmy\winh32.dll
- %WINDIR%\syswow64\fackxfirewall.exe
- %APPDATA%\ekrsmy\winh64.dll
- %APPDATA%\ekrsmy\unhk64.tmp
- <SYSTEM32>\wjmwhjp.sys
- <SYSTEM32>\wjmwhjp.sys.xbak
- %WINDIR%\temp\bbimage.manifest
- %WINDIR%\temp\uddb903.tmp
- <SYSTEM32>\rrmcnnu.sys
- <SYSTEM32>\rrmcnnu.sys.xbak
- <SYSTEM32>\vxlsoqj.dll
- %APPDATA%\ekrsmy\qesoxe.xml
- <SYSTEM32>\gt_ielock.dll
- %WINDIR%\run.bat
- %TEMP%\ten\gtx.dll
- %WINDIR%\utppboejbpukp\bthftdtask.exe
- %WINDIR%\logfile\20191111\app_info.log
- %WINDIR%\fconfig\glw_log.txt
- %WINDIR%\fconfig\wd_log.txt
- %WINDIR%\fconfig\safe_log.txt
- %WINDIR%\locklog.log
- %WINDIR%\syswow64\fsocket.dll
- %TEMP%\templog.log
- %WINDIR%\dllhostlog.sys
- %WINDIR%\syswow64\bak_ntdll.dll
- %WINDIR%\temp\udd2b68.tmp
- <SYSTEM32>\subdb\cert.db
- %APPDATA%\ekrsmy\unhk.tmp
- %TEMP%\fpatch.log
- %WINDIR%\pyo7cum\bhshuu.dll
- %WINDIR%\pyo7cum\tdljfa.exe
- %WINDIR%\pyo7cum\ivxkcr.dll
- %WINDIR%\c8dt0hz.dll
- %LOCALAPPDATA%\scccon.ini
- <SYSTEM32>\gsvyryq.txt
- %TEMP%\rxfm.tmp
- %TEMP%\svchstold.exe
- %TEMP%\bthftdtask.exe
- %WINDIR%\fconfig\wx_log.txt
- %WINDIR%\syswow64\tmp5871219.dat
- <SYSTEM32>\subdb\trust ca
Deletes the following files
- %WINDIR%\temp\udd2b68.tmp
- %WINDIR%\temp\uddb903.tmp
- %APPDATA%\ekrsmy\tmnryo.exe
- %APPDATA%\ekrsmy\tmnryoold.exe
- %TEMP%\ten\gtx.dll
- %TEMP%\rxfm.tmp
- %TEMP%\bthftdtask.exe
- %TEMP%\svchstold.exe
- <SYSTEM32>\wjmwhjp.sys
- %WINDIR%\pyo7cum\bhshuu.dll
- %WINDIR%\syswow64\tmp5871219.dat
- %WINDIR%\fconfig\wx_log.txt
- %WINDIR%\fconfig\wd_log.txt
- %WINDIR%\fconfig\safe_log.txt
- %WINDIR%\fconfig\glw_log.txt
- %WINDIR%\syswow64\fackxfirewall.exe
- %WINDIR%\dllhostlog.sys
- %WINDIR%\pyo7cum\ivxkcr.dll
- <SYSTEM32>\rrmcnnu.sys
Moves the following files
- from %WINDIR%\utppboejbpukp\bthftdtask.exe to %WINDIR%\utppboejbpukp\bthftdtask--.exe
Substitutes the following files
- %WINDIR%\dllhostlog.sys
- %WINDIR%\syswow64\tmp5871219.dat
Modifies the HOSTS file.
Network activity
TCP
HTTP GET requests
- http://www.ba##u.com/
- http://www.fa##ad.com/wxcfg.html
- http://www.fa##ad.com/wxhome.html
- http://cf#.#jslm.cn/cfg.php?pl################################################
- http://yj.#jslm.cn/upload/fPBcztLVlCnAilST
- http://yj.#jslm.cn/upload/iWo1OtTZuPgXvLs9
- http://yj.#jslm.cn/upload/EnvReport.bin
- http://cf#.#jslm.cn/mac.php?Mj##############################################################################
- http://ap#.c7.gg/api.php?fo#######################################################################################
- http://lo#.#oomeng.com/home/?us##################################################################
UDP
- DNS ASK fa##ad1.com
- DNS ASK ap#.c7.gg
- DNS ASK yj.#jslm.cn
- DNS ASK cf#.#jslm.cn
- DNS ASK lo#.#oomeng.com
- DNS ASK fa####.###-cn-shenzhen.aliyuncs.com
- DNS ASK ba##u.com
- DNS ASK fa##ad.com
- '<LOCALNET>.45.189':3254
- '<LOCALNET>.45.188':3254
- '<LOCALNET>.45.187':3254
- '<LOCALNET>.45.186':3254
- '<LOCALNET>.45.185':3254
- '<LOCALNET>.45.184':3254
- '<LOCALNET>.45.180':3254
- '<LOCALNET>.45.182':3254
- '<LOCALNET>.45.181':3254
- '<LOCALNET>.45.190':3254
- '<LOCALNET>.45.179':3254
- '<LOCALNET>.45.178':3254
- '<LOCALNET>.45.183':3254
- '<LOCALNET>.45.175':3254
- '<LOCALNET>.45.194':3254
- '<LOCALNET>.45.192':3254
- '<LOCALNET>.45.193':3254
- '<LOCALNET>.45.176':3254
- '<LOCALNET>.45.195':3254
- '<LOCALNET>.45.196':3254
- '<LOCALNET>.45.197':3254
- '<LOCALNET>.45.198':3254
- '<LOCALNET>.45.199':3254
- '<LOCALNET>.45.200':3254
- '<LOCALNET>.45.201':3254
- '<LOCALNET>.45.202':3254
- '<LOCALNET>.45.203':3254
- '255.255.255.255':49861
- '<LOCALNET>.45.191':3254
- '<LOCALNET>.45.174':3254
- '<LOCALNET>.45.172':3254
- '<LOCALNET>.45.160':3254
- '<LOCALNET>.45.146':3254
- '<LOCALNET>.45.147':3254
- '<LOCALNET>.45.148':3254
- '<LOCALNET>.45.149':3254
- '<LOCALNET>.45.150':3254
- '<LOCALNET>.45.151':3254
- '<LOCALNET>.45.152':3254
- '<LOCALNET>.45.153':3254
- '<LOCALNET>.45.154':3254
- '<LOCALNET>.45.155':3254
- '<LOCALNET>.45.156':3254
- '<LOCALNET>.45.157':3254
- '<LOCALNET>.45.158':3254
- '<LOCALNET>.45.204':3254
- '<LOCALNET>.45.145':3254
- '<LOCALNET>.45.161':3254
- '<LOCALNET>.45.162':3254
- '<LOCALNET>.45.163':3254
- '<LOCALNET>.45.164':3254
- '<LOCALNET>.45.165':3254
- '<LOCALNET>.45.166':3254
- '<LOCALNET>.45.167':3254
- '<LOCALNET>.45.168':3254
- '<LOCALNET>.45.169':3254
- '<LOCALNET>.45.170':3254
- '<LOCALNET>.45.171':3254
- '<LOCALNET>.45.177':3254
- '<LOCALNET>.45.173':3254
- '<LOCALNET>.45.159':3254
- '<LOCALNET>.45.205':3254
- '<LOCALNET>.45.210':3254
- '<LOCALNET>.45.144':3254
- '<LOCALNET>.45.242':3254
- '<LOCALNET>.45.243':3254
- '<LOCALNET>.45.244':3254
- '<LOCALNET>.45.245':3254
- '<LOCALNET>.45.246':3254
- '<LOCALNET>.45.247':3254
- '<LOCALNET>.45.248':3254
- '<LOCALNET>.45.249':3254
- '<LOCALNET>.45.250':3254
- '<LOCALNET>.45.251':3254
- '<LOCALNET>.45.252':3254
- '<LOCALNET>.45.253':3254
- '<LOCALNET>.45.240':3254
- '<LOCALNET>.45.241':3254
- '<LOCALNET>.45.254':3254
- '<LOCALNET>.45.3':3254
- '<LOCALNET>.45.4':3254
- '<LOCALNET>.45.5':3254
- '<LOCALNET>.45.6':3254
- '<LOCALNET>.45.7':3254
- '<LOCALNET>.45.8':3254
- '<LOCALNET>.45.9':3254
- '<LOCALNET>.45.10':3254
- '<LOCALNET>.45.11':3254
- '<LOCALNET>.45.12':3254
- '<LOCALNET>.45.13':3254
- '<LOCALNET>.45.14':3254
- '<LOCALNET>.45.1':3254
- '<LOCALNET>.45.2':3254
- '<LOCALNET>.45.239':3254
- '<LOCALNET>.45.238':3254
- '<LOCALNET>.45.237':3254
- '<LOCALNET>.45.209':3254
- '<LOCALNET>.45.206':3254
- '<LOCALNET>.45.211':3254
- '<LOCALNET>.45.212':3254
- '<LOCALNET>.45.213':3254
- '<LOCALNET>.45.214':3254
- '<LOCALNET>.45.215':3254
- '<LOCALNET>.45.216':3254
- '<LOCALNET>.45.217':3254
- '<LOCALNET>.45.218':3254
- '<LOCALNET>.45.219':3254
- '<LOCALNET>.45.220':3254
- '<LOCALNET>.45.221':3254
- '<LOCALNET>.45.208':3254
- '<LOCALNET>.45.222':3254
- '<LOCALNET>.45.224':3254
- '<LOCALNET>.45.225':3254
- '<LOCALNET>.45.226':3254
- '<LOCALNET>.45.227':3254
- '<LOCALNET>.45.228':3254
- '<LOCALNET>.45.229':3254
- '<LOCALNET>.45.230':3254
- '<LOCALNET>.45.231':3254
- '<LOCALNET>.45.232':3254
- '<LOCALNET>.45.233':3254
- '<LOCALNET>.45.234':3254
- '<LOCALNET>.45.142':3254
- '<LOCALNET>.45.236':3254
- '<LOCALNET>.45.223':3254
- '<LOCALNET>.45.207':3254
- '<LOCALNET>.45.235':3254
- '<LOCALNET>.45.15':59118
- '<LOCALNET>.45.78':3254
- '<LOCALNET>.45.48':3254
- '<LOCALNET>.45.49':3254
- '<LOCALNET>.45.50':3254
- '<LOCALNET>.45.51':3254
- '<LOCALNET>.45.52':3254
- '<LOCALNET>.45.53':3254
- '<LOCALNET>.45.54':3254
- '<LOCALNET>.45.55':3254
- '<LOCALNET>.45.56':3254
- '<LOCALNET>.45.57':3254
- '<LOCALNET>.45.58':3254
- '<LOCALNET>.45.59':3254
- '<LOCALNET>.45.60':3254
- '<LOCALNET>.45.62':3254
- '<LOCALNET>.45.76':3254
- '<LOCALNET>.45.63':3254
- '<LOCALNET>.45.64':3254
- '<LOCALNET>.45.65':3254
- '<LOCALNET>.45.66':3254
- '<LOCALNET>.45.67':3254
- '<LOCALNET>.45.68':3254
- '<LOCALNET>.45.69':3254
- '<LOCALNET>.45.70':3254
- '<LOCALNET>.45.71':3254
- '<LOCALNET>.45.72':3254
- '<LOCALNET>.45.73':3254
- '<LOCALNET>.45.30':3254
- '<LOCALNET>.45.75':3254
- '<LOCALNET>.45.47':3254
- '<LOCALNET>.45.61':3254
- '<LOCALNET>.45.74':3254
- '<LOCALNET>.45.29':3254
- '<LOCALNET>.45.27':3254
- '<LOCALNET>.45.26':3254
- '<LOCALNET>.45.25':3254
- '<LOCALNET>.45.24':3254
- '<LOCALNET>.45.23':3254
- '<LOCALNET>.45.22':3254
- '<LOCALNET>.45.18':3254
- '<LOCALNET>.45.20':3254
- '<LOCALNET>.45.19':3254
- '<LOCALNET>.45.28':3254
- '<LOCALNET>.45.17':3254
- '<LOCALNET>.45.16':3254
- '<LOCALNET>.45.21':3254
- '<LOCALNET>.45.46':3254
- '<LOCALNET>.45.45':3254
- '<LOCALNET>.45.31':3254
- '<LOCALNET>.45.32':3254
- '<LOCALNET>.45.44':3254
- '<LOCALNET>.45.34':3254
- '<LOCALNET>.45.35':3254
- '<LOCALNET>.45.36':3254
- '<LOCALNET>.45.37':3254
- '<LOCALNET>.45.38':3254
- '<LOCALNET>.45.39':3254
- '<LOCALNET>.45.40':3254
- '<LOCALNET>.45.41':3254
- '<LOCALNET>.45.42':3254
- '<LOCALNET>.45.43':3254
- '<LOCALNET>.45.33':3254
- '<LOCALNET>.45.77':3254
- '<LOCALNET>.45.114':3254
- '<LOCALNET>.45.79':3254
- '<LOCALNET>.45.141':3254
- '<LOCALNET>.45.115':3254
- '<LOCALNET>.45.116':3254
- '<LOCALNET>.45.117':3254
- '<LOCALNET>.45.118':3254
- '<LOCALNET>.45.119':3254
- '<LOCALNET>.45.120':3254
- '<LOCALNET>.45.121':3254
- '<LOCALNET>.45.122':3254
- '<LOCALNET>.45.123':3254
- '<LOCALNET>.45.124':3254
- '<LOCALNET>.45.125':3254
- '<LOCALNET>.45.112':3254
- '<LOCALNET>.45.113':3254
- '<LOCALNET>.45.126':3254
- '<LOCALNET>.45.129':3254
- '<LOCALNET>.45.130':3254
- '<LOCALNET>.45.131':3254
- '<LOCALNET>.45.132':3254
- '<LOCALNET>.45.133':3254
- '<LOCALNET>.45.134':3254
- '<LOCALNET>.45.135':3254
- '<LOCALNET>.45.136':3254
- '<LOCALNET>.45.137':3254
- '<LOCALNET>.45.138':3254
- '<LOCALNET>.45.139':3254
- '255.255.255.255':1435
- '<LOCALNET>.45.127':3254
- '<LOCALNET>.45.128':3254
- '<LOCALNET>.45.111':3254
- '<LOCALNET>.45.110':3254
- '<LOCALNET>.45.109':3254
- '<LOCALNET>.45.81':3254
- '<LOCALNET>.45.82':3254
- '<LOCALNET>.45.83':3254
- '<LOCALNET>.45.84':3254
- '<LOCALNET>.45.85':3254
- '<LOCALNET>.45.86':3254
- '<LOCALNET>.45.87':3254
- '<LOCALNET>.45.88':3254
- '<LOCALNET>.45.89':3254
- '<LOCALNET>.45.90':3254
- '<LOCALNET>.45.91':3254
- '<LOCALNET>.45.92':3254
- '<LOCALNET>.45.93':3254
- '<LOCALNET>.45.80':3254
- '<LOCALNET>.45.94':3254
- '<LOCALNET>.45.96':3254
- '<LOCALNET>.45.97':3254
- '<LOCALNET>.45.98':3254
- '<LOCALNET>.45.99':3254
- '<LOCALNET>.45.100':3254
- '<LOCALNET>.45.101':3254
- '<LOCALNET>.45.102':3254
- '<LOCALNET>.45.103':3254
- '<LOCALNET>.45.104':3254
- '<LOCALNET>.45.105':3254
- '<LOCALNET>.45.106':3254
- '<LOCALNET>.45.107':3254
- '<LOCALNET>.45.108':3254
- '<LOCALNET>.45.95':3254
- '<LOCALNET>.45.143':3254
- '<LOCALNET>.45.140':3254
Miscellaneous
Adds a root certificate
Searches for the following windows
- ClassName: '' WindowName: 'Process Monitor'
- ClassName: '' WindowName: '»ðÈÞ½£-»¥ÁªÍø°²È«·ÖÎöÈГВјГѕ'
- ClassName: '' WindowName: 'Malware Defender'
- ClassName: 'MalwareDefenderWndClass' WindowName: ''
- ClassName: 'dbgviewClass' WindowName: ''
- ClassName: '' WindowName: 'SRSniffer'
- ClassName: '' WindowName: 'Fiddler'
- ClassName: '' WindowName: '·â°üÖúÊÖ'
- ClassName: '' WindowName: 'SmartSniff'
- ClassName: 'TfrmNoDiskHelper' WindowName: ''
- ClassName: 'CabinetWClass' WindowName: ''
- ClassName: 'Mp4PlayerWndUi' WindowName: 'WMPlayerAd'
- ClassName: 'ClientLockUi' WindowName: 'LockScreen'
- ClassName: 'FeeMainClass' WindowName: 'Pubwin OL'
- ClassName: 'wkeWebWindow' WindowName: 'wkeWebWindow'
- ClassName: '' WindowName: 'MsgDebugView'
Creates and executes the following
- '%WINDIR%\syswow64\fackxfirewall.exe'
- '%WINDIR%\pyo7cum\tdljfa.exe' /s66 /s1066 /disico /klhjk /klxb /replxb /psvr /aliasno /nreplie /nreplsg /pburl /nclrnet /pid:90181-04001 /HOME:https://www.23##.com/?90######### /sid:1cacc5674c8a4d2bb6ce272145e31e51 /mac:2...
- '%WINDIR%\utppboejbpukp\bthftdtask.exe'
- '%APPDATA%\ekrsmy\tmnryo.exe'
- '%WINDIR%\syswow64\cacls.exe' <DRIVERS>\etc\hosts /e /t /p everyone:F' (with hidden window)
- '%WINDIR%\syswow64\fackxfirewall.exe' ' (with hidden window)
- '%WINDIR%\utppboejbpukp\bthftdtask.exe' ' (with hidden window)
- '<SYSTEM32>\services.exe' ' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c %WINDIR%\run.bat' (with hidden window)
- '%APPDATA%\ekrsmy\tmnryo.exe' ' (with hidden window)
Executes the following
- '%WINDIR%\syswow64\cacls.exe' <DRIVERS>\etc\hosts /e /t /p everyone:F
- '%WINDIR%\syswow64\dllhost.exe' FackAD 36987
- '<SYSTEM32>\rundll32.exe' <SYSTEM32>\FirewallControlPanel.dll,ShowNotificationDialog /configure /ETOnly 0 /OnProfiles 6 /OtherAllowed 0 /OtherBlocked 0 /OtherEdgeAllowed 0 /NewBlocked 2 "<Full path to file>"
- '<SYSTEM32>\services.exe'
- '<SYSTEM32>\cmd.exe' /c %WINDIR%\run.bat
- '<SYSTEM32>\cmd.exe' /c dir "%HOMEPATH%\Local Settings\Application Data\Mozilla\Firefox\Profiles\*.default" /B
- '<SYSTEM32>\cmd.exe' /c dir "%LOCALAPPDATA%\Mozilla\Firefox\Profiles\*.default" /B
