Technical Information
To ensure autorun and distribution
Sets the following service settings
- [<HKLM>\System\CurrentControlSet\Services\tSN2SpN5Xt] 'ImagePath' = '%WINDIR%\syswow64\6HqsxlSTgu.sys'
- [<HKLM>\System\CurrentControlSet\Services\FFflieiin] 'ImagePath' = '%WINDIR%\SysWOW64\drivers\FFflieiin.sys'
Creates the following services
- 'tSN2SpN5Xt' %WINDIR%\syswow64\6HqsxlSTgu.sys
- 'FFflieiin' %WINDIR%\SysWOW64\drivers\FFflieiin.sys
Malicious functions
Terminates or attempts to terminate
the following user processes:
- iexplore.exe
Registers file system filter
- [<HKLM>\System\CurrentControlSet\Services\FFflieiin] 'Group' = 'FSFilter Activity Monitor'
Sets a new unauthorized home page for Windows Internet Explorer.
Modifies file system
Creates the following files
- %WINDIR%\susroqdc.dll
- %TEMP%\cdd11c73kkepdqrds\ãà å®åãГГ¦.exe
- %TEMP%\cdd11c73kkepdqrds\6g1m.exe
- %TEMP%\cdd11c73kkepdqrds\ãà å®åãГГ¦.ico
- %TEMP%\cdd11c73kkepdqrds\ãà å®åãГГ¦.png
- %LOCALAPPDATA%\icon_cdd11c73\log.txt
- %TEMP%\cdd11c73kkepdqrds\gamelauncher.dll
- %TEMP%\cdd11c73kkepdqrds\pin.exe
- %TEMP%\cdd11c73kkepdqrds\checker.dll
- %WINDIR%\syswow64\drivers\ffflieiin.sys
- %TEMP%\cdd11c73kkepdqrds\h0u8.dll
- %TEMP%\icon.exe
- %TEMP%\cdd11c73kkepdqrds\rcxb2ab.tmp
- %TEMP%\csrss.exe
- %HOMEPATH%\desktop\±¬âêè«¿ª999òú.lnk
- %ALLUSERSPROFILE%\sphxyuw\wtxncj.exe
- %ALLUSERSPROFILE%\sphxyuw\hywhxnh.exe
- %WINDIR%\gbkkordb\gcjqbcie.ico
- %ALLUSERSPROFILE%\yrwflcbb.ico
- %WINDIR%\temp\udd9c8c.tmp
- %WINDIR%\syswow64\6hqsxlstgu.sys
- %WINDIR%\gbkkordb\dmejkrl.dll
- %WINDIR%\log1.txt
- %WINDIR%\gbkkordb\bjxcrow.dll
- %WINDIR%\gbkkordb\dwdwbe.dll
- %ALLUSERSPROFILE%\sphxyuw\oeqkbn.exe
- %HOMEPATH%\desktop\ãà å®åãГГ¦.lnk
Sets the 'hidden' attribute to the following files
- %WINDIR%\log1.txt
Deletes the following files
- %WINDIR%\susroqdc.dll
- %WINDIR%\gbkkordb\bjxcrow.dll
- %WINDIR%\gbkkordb\dmejkrl.dll
- %WINDIR%\temp\udd9c8c.tmp
- %WINDIR%\syswow64\6hqsxlstgu.sys
- %ALLUSERSPROFILE%\yrwflcbb.ico
- %WINDIR%\gbkkordb\dwdwbe.dll
- %ALLUSERSPROFILE%\sphxyuw\oeqkbn.exe
- %TEMP%\cdd11c73kkepdqrds\ãà å®åãГГ¦.png
Moves the following files
- from %WINDIR%\gbkkordb\dmejkrl.dll to %WINDIR%\gbkkordb\yflctjklo.dll
- from %TEMP%\cdd11c73kkepdqrds\rcxb2ab.tmp to %TEMP%\cdd11c73kkepdqrds\ãà å®åãГГ¦.exe
Substitutes the following files
- %WINDIR%\gbkkordb\dmejkrl.dll
Network activity
TCP
HTTP GET requests
- http://ud#.#xwan.com/index/getcfg?id######
- http://dl#.#xwan.com/d2/CDClient.dll
- http://dl#.#xwan.com/d2/x64.dll
- http://mg.#636.com/web/upload/ico/b114be2e-d11b-4aa0-94c0-26116bea6035.ico
- http://d.###youxi7.com/yx/cjzg/wd_37cs/524332/dqwg_wqe.exe
- http://in##.#orkday360.cn/20201028180059.exe
- http://pu##.#eymoney.cn/api?q=############################################################
- http://e.###geana.com/pubg/union_plugin_bc29f13f2cd78151342eb14bd11bc889_DaiDai_1.0.16.1_D808B5625G8E_1603854474.exe
- http://ds##.stnts.com/?op########################################################################################################################################################################...
- http://yo#####engine.stnts.com/v2/icon?ci##########################################################################################################
- http://yo######sp-res.stnts.com/v1/upload/20200821/UNXCI50MZW.png
- http://yo######sp-res.stnts.com/v1/upload/20201028/mXpH2HbE6b.exe
- http://yo####-d.stnts.com/dv.gif?tk#####################################################################################################################################################
HTTP POST requests
- http://ds##.#oolsabc.cn/?op###############
UDP
- DNS ASK ud#.#xwan.com
- DNS ASK dl#.#xwan.com
- DNS ASK mg.#636.com
- DNS ASK d.###youxi7.com
- DNS ASK in##.#orkday360.cn
- DNS ASK ds##.#oolsabc.cn
- DNS ASK pu##.#eymoney.cn
- DNS ASK ds##.stnts.com
- DNS ASK e.###geana.com
- DNS ASK yo#####engine.stnts.com
- DNS ASK yo######sp-res.stnts.com
- DNS ASK yo####-d.stnts.com
- '255.255.255.255':50569
- '255.255.255.255':11111
Miscellaneous
Adds a root certificate
Searches for the following windows
- ClassName: 'STATIC' WindowName: '7A0D1006E41A3006E92470'
- ClassName: 'STATIC' WindowName: '7F175008BE3EA008BD7C51'
- ClassName: 'Progman' WindowName: 'Program Manager'
- ClassName: 'SHELLDLL_DefView' WindowName: ''
- ClassName: 'SysListView32' WindowName: 'FolderView'
- ClassName: 'TApplication' WindowName: 'eyoorun'
Creates and executes the following
- '%ALLUSERSPROFILE%\sphxyuw\oeqkbn.exe'
- '%TEMP%\csrss.exe'
- '%TEMP%\icon.exe'
- '%TEMP%\csrss.exe' ' (with hidden window)
- '%TEMP%\icon.exe' ' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c del /q "%ALLUSERSPROFILE%\SpHxYuW\oEQKBn.exe"' (with hidden window)
Executes the following
- '<SYSTEM32>\rundll32.exe' <SYSTEM32>\FirewallControlPanel.dll,ShowNotificationDialog /configure /ETOnly 0 /OnProfiles 6 /OtherAllowed 0 /OtherBlocked 0 /OtherEdgeAllowed 0 /NewBlocked 4 "<Full path to file>"
- '<SYSTEM32>\rundll32.exe' <SYSTEM32>\FirewallControlPanel.dll,ShowNotificationDialog /configure /ETOnly 0 /OnProfiles 6 /OtherAllowed 0 /OtherBlocked 0 /OtherEdgeAllowed 0 /NewBlocked 4 "%TEMP%\csrss.exe"
- '%WINDIR%\syswow64\cmd.exe' /c del /q "%ALLUSERSPROFILE%\SpHxYuW\oEQKBn.exe"
- '%WINDIR%\syswow64\rundll32.exe' %TEMP%\CDD11C73kkePDqrDs\h0u8.dll, Monitor eyJiYXJJRCI6IjAwMDAwMDAwIiwib3JpZ2luUGF0aCI6IkM6XFxVc2Vyc1xcdXNlclxcQXBwRGF0YVxcTG9jYWxcXFRlbXBcXGljb24uZXhlIiwiaWNvbkluZm8iOlsiQzpcXFVzZXJzXFx1c2VyXF...
