Technical Information
To ensure autorun and distribution
Modifies the following registry keys
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'ddyauzsc' = '%APPDATA%\ddyauzsc.exe'
Creates or modifies the following files
- <SYSTEM32>\tasks\nvngxupdatecheckdaily_{78821544-1544-1544-1544-788215441544}
Malicious functions
Executes the following
- '%WINDIR%\syswow64\taskkill.exe' /F /PID 1040
Injects code into
the following system processes:
- %WINDIR%\microsoft.net\framework\v4.0.30319\addinprocess32.exe
the following user processes:
- iexplore.exe
Terminates or attempts to terminate
the following system processes:
- %WINDIR%\microsoft.net\framework\v4.0.30319\addinprocess.exe
- %WINDIR%\microsoft.net\framework\v4.0.30319\addinprocess32.exe
Searches for registry branches where third party applications store passwords
- [<HKCU>\Software\Martin Prikryl]
- [<HKLM>\Software\Wow6432Node\Martin Prikryl]
Reads files which store third party applications passwords
- %LOCALAPPDATA%\google\chrome\user data\default\cookies
- %APPDATA%\opera software\opera stable\login data
- %APPDATA%\thunderbird\profiles.ini
- %LOCALAPPDATA%\google\chrome\user data\default\web data
Modifies file system
Creates the following files
- %TEMP%\4dd3.tmp
- %TEMP%\6210.tmp
- %TEMP%\6221.tmp
- %TEMP%\6222.tmp
- %TEMP%\6233.tmp
- %TEMP%\6234.tmp
- %TEMP%\6273.tmp
- %TEMP%\6273.tmp-shm
- nul
- %APPDATA%\svchostw.exe
- %LOCALAPPDATA%low\fraqbc8wsa
- %LOCALAPPDATA%low\1xvpfvjcrg
- %LOCALAPPDATA%low\rywtiizs2t
- %LOCALAPPDATA%low\rqf69azbla
- %LOCALAPPDATA%low\x3cf3ednhm
- %LOCALAPPDATA%low\3solbph71y
- %LOCALAPPDATA%low\exuieaoeii
- %TEMP%\61ef.tmp
- %TEMP%\620f.tmp
- %TEMP%\61ee.tmp
- %TEMP%\60f3.tmp
- %TEMP%\60f2.tmp
- %APPDATA%\ibtrawb
- %TEMP%\1ba8.tmp.exe
- %TEMP%\232b.tmp.exe
- %TEMP%\29e2.tmp.exe
- %TEMP%\326f.tmp.exe
- %TEMP%\3956.tmp.exe
- %TEMP%\401d.tmp.exe
- %LOCALAPPDATA%low\gxix4a2dre
- %LOCALAPPDATA%low\sqlite3.dll
- %APPDATA%\ddyauzsc.exe
- %PROGRAMDATA%\microsoft\vault\ac658cb4-9126-49bd-b877-31eedab3f204\3ccd5499-87a8-4b10-a215-608888dd3b55.vsch
- %PROGRAMDATA%\microsoft\vault\ac658cb4-9126-49bd-b877-31eedab3f204\2f1a6504-0641-44cf-8bb5-3612d865f2e5.vsch
- %LOCALAPPDATA%\microsoft\vault\4bf4c442-9b8a-41a0-b380-dd4a704ddb28\policy.vpol
- %TEMP%\5e2f.tmp
- %TEMP%\5e2f.tmp-shm
- %TEMP%\60d1.tmp
- %TEMP%\60d2.tmp
- %APPDATA%\grssvfu
- %PROGRAMDATA%\microsoft\vault\ac658cb4-9126-49bd-b877-31eedab3f204\policy.vpol
- %LOCALAPPDATA%low\bbsqwy6yhk
Sets the 'hidden' attribute to the following files
- %APPDATA%\grssvfu
- %APPDATA%\ibtrawb
Deletes the following files
- %TEMP%\3956.tmp.exe
- %LOCALAPPDATA%low\exuieaoeii
- %LOCALAPPDATA%low\3solbph71y
- %LOCALAPPDATA%low\x3cf3ednhm
- %LOCALAPPDATA%low\rqf69azbla
- %LOCALAPPDATA%low\rywtiizs2t
- %LOCALAPPDATA%low\1xvpfvjcrg
- %LOCALAPPDATA%low\fraqbc8wsa
- %TEMP%\6273.tmp
- %TEMP%\6273.tmp-shm
- %TEMP%\6234.tmp
- %TEMP%\6233.tmp
- %TEMP%\6222.tmp
- %TEMP%\6221.tmp
- %TEMP%\6210.tmp
- %TEMP%\620f.tmp
- %TEMP%\61ef.tmp
- %TEMP%\61ee.tmp
- %TEMP%\60f3.tmp
- %TEMP%\60f2.tmp
- %TEMP%\60d2.tmp
- %TEMP%\60d1.tmp
- %TEMP%\5e2f.tmp
- %TEMP%\5e2f.tmp-shm
- %LOCALAPPDATA%low\gxix4a2dre
- %LOCALAPPDATA%low\bbsqwy6yhk
Deletes itself.
Network activity
Connects to
- 'un###dhn.com':80
- 'er#####t-saarland.de':443
- 'ph.##c-argo.org':80
- 'so#i.pl':443
- 'fa#####wardesports.com':443
TCP
HTTP GET requests
- http://10############6831-service1002012510022020.space/reestr.exe
- http://21#.#.117.48/j537djjlhg763/taskhost.exe?nl##
- http://10############6831-service1002012510022020.space/raccon.exe
- http://21#.#.117.48/j537djjlhg763/update.php?nl##
- http://18#.#12.131.241/imsi.exe
- http://21#.#.117.48/j537djjlhg763/svchostw.exe
- http://45.##.241.182/gate/sqlite3.dll
- http://21#.#.117.48/j537djjlhg763/1.php?i=#######################
- http://45.##.241.182/gate/libs.zip
HTTP POST requests
- http://10###########lder1002002131-service1002.space/
- http://80###twife.com/xmlrpc.php
- http://na####alstrings.com/xmlrpc.php
- http://gr#####astermurah.com/xmlrpc.php
- http://it####rtsnepal.com/xmlrpc.php
- http://da########boroughsfirstlife.co.uk/xmlrpc.php
- http://si####adrianne.com/xmlrpc.php
- http://ik##iro.com/xmlrpc.php
- http://www.an###-ah.com/cms/xmlrpc.php
- http://sw###foxit.com/xmlrpc.php
- http://bl###nama.com/xmlrpc.php
- http://ti###norway.no/xmlrpc.php
- http://ho###-europe.ch/xmlrpc.php
- http://od####inners.co.uk/xmlrpc.php
- http://ex###didate.com/xmlrpc.php
- http://ta##na.fr/xmlrpc.php
- http://me####thlorch.com/xmlrpc.php
- http://mo####elianmeng.com/xmlrpc.php
- http://mi######-viborg-husflid.dk/xmlrpc.php
- http://pi####research.org/xmlrpc.php
- http://gr####acreativa.cl/xmlrpc.php
- http://te#####a-istanbul.com/xmlrpc.php
- http://ka###anew.com/xmlrpc.php
- http://cn##reza.cz/xmlrpc.php
- http://kw###movers.com/xmlrpc.php
- http://di####butormdf.com/xmlrpc.php
- http://fe######rlypsychosis.org/xmlrpc.php
- http://pr###news.net/xmlrpc.php
- http://www.ar###cafandb.it/xmlrpc.php
- http://bi###kirken.no/xmlrpc.php
- http://ps#7.fr/xmlrpc.php
- http://ds###kurs.de/xmlrpc.php
- http://we###truly.it/xmlrpc.php
- http://ja####classic.com/xmlrpc.php
- http://al#####oorsafrica.com/xmlrpc.php
- http://so########icresourceslimited.com.au/xmlrpc.php
- http://ei####in.gatech.edu/xmlrpc.php
- http://sh##das.in/xmlrpc.php
- http://ae#f.cn/xmlrpc.php
- http://bo###igi.com/xmlrpc.php
- http://me###hadteb.com/xmlrpc.php
- http://or###.nk.com.ua/xmlrpc.php
- http://ca###carmen.com/xmlrpc.php
- http://ge####gmill.co.uk/xmlrpc.php
- http://el###ilson.com/xmlrpc.php
- http://www.ba######echlerferrari.com/xmlrpc.php
- http://gj###.wpengine.com/xmlrpc.php
- http://pa##e.pl/xmlrpc.php
- http://ma####nrooijen.com/xmlrpc.php
- http://in########nalsalsashinescontest.com/xmlrpc.php
- http://45.##.241.182/gate/log.php
- http://10############6831-service1002012510022020.space/
- http://10##########older33417-01242510022020.space/
- http://no####atklubb.se/xmlrpc.php
- http://lo###tegal.id/xmlrpc.php
- http://se###trees.se/xmlrpc.php
- http://bi##i.xyz/xmlrpc.php
- http://my#######nairecottagecare.com/xmlrpc.php
- http://h-#a.nl/xmlrpc.php
- http://ya###ngliu.com/xmlrpc.php
- http://la####iabouix.com/xmlrpc.php
- http://xn#####hngare-w2ac.com/xmlrpc.php
- http://se######ancejobcenter.com/xmlrpc.php
- http://re####methink.fr/xmlrpc.php
- http://cb###-yy.com/wp/xmlrpc.php
- http://ne#.#ogow.pl/xmlrpc.php
- http://ma###ali.com/xmlrpc.php
- http://be###gunduz.com/xmlrpc.php
- http://no####nemovies.com/xmlrpc.php
- http://pr#####y360online.com/xmlrpc.php
- http://er###affer.com/xmlrpc.php
- http://ac###ance.com/xmlrpc.php
- http://www.mi####enardella.it/xmlrpc.php
- http://ea####brucebeef.ca/xmlrpc.php
UDP
- DNS ASK 10###########lder1002002131-service1002.space
- DNS ASK ru##ch.eu
- DNS ASK si####adrianne.com
- DNS ASK ta##na.fr
- DNS ASK da########boroughsfirstlife.co.uk
- DNS ASK gr#####astermurah.com
- DNS ASK an###lena.at
- DNS ASK al#####oorsafrica.com
- DNS ASK it####rtsnepal.com
- DNS ASK an###-ah.com
- DNS ASK na####alstrings.com
- DNS ASK ik##iro.com
- DNS ASK 80###twife.com
- DNS ASK xi###inuoma.lt
- DNS ASK we###truly.it
- DNS ASK lo###tegal.id
- DNS ASK mo####elianmeng.com
- DNS ASK nu###gkart.com
- DNS ASK vi##eb.com
- DNS ASK bl###nama.com
- DNS ASK od####inners.co.uk
- DNS ASK h-#a.nl
- DNS ASK pd##.com
- DNS ASK ly###rra.com
- DNS ASK sh##das.in
- DNS ASK ei####in.gatech.edu
- DNS ASK so########icresourceslimited.com.au
- DNS ASK ja####classic.com
- DNS ASK sw###qbi.com
- DNS ASK cl##d.ca
- DNS ASK fe#####ouce-laine.com
- DNS ASK ha###roehl.de
- DNS ASK ti###norway.no
- DNS ASK br######oilandgravel.com
- DNS ASK ho###-europe.ch
- DNS ASK ex###didate.com
- DNS ASK sw###foxit.com
- DNS ASK ca#####eriaeguren.es
- DNS ASK fo#####ngs-werkstatt.de
- DNS ASK im#####lhackspace.com
- DNS ASK fa#####wardesports.com
- DNS ASK ds###kurs.de
- DNS ASK sc####ijzfit6.pl
- DNS ASK pi####research.org
- DNS ASK tu##mer.com
- DNS ASK id##ew.sk
- DNS ASK fl###-back.eu
- DNS ASK no####atklubb.se
- DNS ASK ea####brucebeef.ca
- DNS ASK mi######-viborg-husflid.dk
- DNS ASK xt###erain.com
- DNS ASK vi###rmusik.com
- DNS ASK ph.##c-argo.org
- DNS ASK un###dhn.com
- DNS ASK er#####t-saarland.de
- DNS ASK he####nnovations.de
- DNS ASK np###bije.rs
- DNS ASK 14#2.cl
- DNS ASK so#i.pl
- DNS ASK th#.xyz
- DNS ASK me###erde.lu
- DNS ASK gr####acreativa.cl
- DNS ASK ps#7.fr
- DNS ASK ro#####ckchamber.org
- DNS ASK kw###movers.com
- DNS ASK lu######riphotography.com
- DNS ASK ra####yoolaws.com
- DNS ASK ma###slab.it
- DNS ASK fe######rlypsychosis.org
- DNS ASK bi###kirken.no
- DNS ASK ad###egels.be
- DNS ASK va###ghhuis.com
- DNS ASK di####butormdf.com
- DNS ASK wh####ishenergy.com
- DNS ASK ar###cafandb.it
- DNS ASK pr###news.net
- DNS ASK te#####a-istanbul.com
- DNS ASK cn##reza.cz
- DNS ASK ka###anew.com
- DNS ASK he#####nyonmarine.com
- DNS ASK 5k##ks.co
- DNS ASK la####iabouix.com
- DNS ASK ba###find.com
- DNS ASK bi#####gestorage.com.au
- DNS ASK ne##d.pl
- DNS ASK ma####nrooijen.com
- DNS ASK du###astop.de
- DNS ASK th####vintage.fr
- DNS ASK pi#####echromedur.fr
- DNS ASK ma##ry.info
- DNS ASK jo####sfitness.com
- DNS ASK ma#####ta.plmr.digital
- DNS ASK ae#f.cn
- DNS ASK nj##jn.com
- DNS ASK in###zuki.com
- DNS ASK 10####adgets.com
- DNS ASK th###py-sana.jp
- DNS ASK af#####60degrees.com
- DNS ASK pa##e.pl
- DNS ASK ba######echlerferrari.com
- DNS ASK in########nalsalsashinescontest.com
- DNS ASK xe##ode.com
- DNS ASK ma####ditcard.com
- DNS ASK 10##########older3100231-service1002.space
- DNS ASK 10###########lder1002002431-service1002.space
- DNS ASK 10###########lder1002002531-service1002.space
- DNS ASK 10##########older33417-01242510022020.space
- DNS ASK 10############5831-service1002012510022020.space
- DNS ASK 10############6831-service1002012510022020.space
- DNS ASK 10############7831-service1002012510022020.space
- DNS ASK 10###########lder1002002231-service1002.space
- DNS ASK te##te.in
- DNS ASK uu#.#hifink.ru
- DNS ASK bd#s.co
- DNS ASK k6###847.lib
- DNS ASK n2.##jndad.ru
- DNS ASK ca##ad.club
- DNS ASK co###urger.it
- DNS ASK ty##helo.be
- DNS ASK qz.##pcurnet.ru
- DNS ASK el###ilson.com
- DNS ASK bo###igi.com
- DNS ASK zw###zbuk.pl
- DNS ASK gj###.wpengine.com
- DNS ASK su####4x4hire.com
- DNS ASK ne#.#ogow.pl
- DNS ASK ac###ance.com
- DNS ASK no####nemovies.com
- DNS ASK er###affer.com
- DNS ASK cb###-yy.com
- DNS ASK me######entalclinic.co.uk
- DNS ASK sm####dankert.de
- DNS ASK yo#####eich-leben.de
- DNS ASK re####methink.fr
- DNS ASK se######ancejobcenter.com
- DNS ASK ca###nvoice.it
- DNS ASK co####eyaaron.com
- DNS ASK ya###ngliu.com
- DNS ASK kd##b.org
- DNS ASK pr#####y360online.com
- DNS ASK wa##vn.net
- DNS ASK ko##aika.fi
- DNS ASK be#####ndbalfestival.nl
- DNS ASK ma###ali.com
- DNS ASK ca###carmen.com
- DNS ASK ma####sports.com
- DNS ASK hk###tair.com
- DNS ASK be#####.homedec.club
- DNS ASK or###.nk.com.ua
- DNS ASK sh####fukuda.com
- DNS ASK ka####global.com
- DNS ASK ge####gmill.co.uk
- DNS ASK th##assa.ch
- DNS ASK my#######nairecottagecare.com
- DNS ASK gr###tube.com
- DNS ASK se###trees.se
- DNS ASK me####thlorch.com
- DNS ASK be###gunduz.com
- DNS ASK mi####enardella.it
- DNS ASK bi##i.xyz
- DNS ASK me###hadteb.com
- DNS ASK xn#####hngare-w2ac.com
- DNS ASK de#####romantico.com
Miscellaneous
Searches for the following windows
- ClassName: '' WindowName: ''
Creates and executes the following
- '%TEMP%\1ba8.tmp.exe'
- '%TEMP%\232b.tmp.exe'
- '%TEMP%\29e2.tmp.exe'
- '%TEMP%\326f.tmp.exe'
- '%TEMP%\3956.tmp.exe'
- '%TEMP%\401d.tmp.exe'
- '%APPDATA%\ddyauzsc.exe'
- '%APPDATA%\svchostw.exe'
Executes the following
- '%WINDIR%\syswow64\cmd.exe' /C ping 1.1.1.1 -n 1 -w -n 1 -w3000 > Nul & Del /f /q "%TEMP%\3956.tmp.exe"/f /q "(null)"
- '%WINDIR%\syswow64\ping.exe' 1.1.1.1 -n 1 -w -n 1 -w3000
- '%WINDIR%\syswow64\explorer.exe'
- '%WINDIR%\explorer.exe'
- '%WINDIR%\microsoft.net\framework\v4.0.30319\addinprocess32.exe'
- '%WINDIR%\syswow64\cmd.exe' /C taskkill /F /PID 1040 && choice /C Y /N /D Y /T 3 & Del "%WINDIR%\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
- '%WINDIR%\syswow64\choice.exe' /C Y /N /D Y /T 3
