Technical Information
To ensure autorun and distribution
Sets the following service settings
- [<HKLM>\System\CurrentControlSet\Services\szlxkjbkro] 'ImagePath' = '<DRIVERS>\zgt9ucR.sys'
Creates the following services
- 'szlxkjbkro' <DRIVERS>\zgt9ucR.sys
Malicious functions
Injects code into
the following system processes:
- <SYSTEM32>\dwm.exe
the following user processes:
- iexplore.exe
Hooks functions
in browsers
- firefox.exe process, mswsock.dll module
- firefox.exe process, nss3.dll module
- firefox.exe process, wininet.dll module
Terminates or attempts to terminate
the following user processes:
- iexplore.exe
Modifies file system
Creates the following files
- %WINDIR%\windowsshell6684.log
- %WINDIR%\windowsystemnewupdate226.log
- %WINDIR%\windowterminalvaild12.log
- <DRIVERS>\zgt9ucr.sys
- %WINDIR%\b7d8a\csrss.exe
- %ProgramFiles%\drweb\manifest.json
- %ProgramFiles%\drweb\background.js
- %ProgramFiles%\drweb\background.html
- %ProgramFiles%\drweb\jquery.min.js
- %ProgramFiles%\drweb\lib\content.js
- %ProgramFiles%\nod32kui\manifest.json
- %ProgramFiles%\nod32kui\background.js
- %ProgramFiles%\nod32kui\background.html
- %ProgramFiles%\nod32kui\jquery.min.js
- %ProgramFiles%\nod32kui\lib\content.js
Deletes the following files
- <DRIVERS>\zgt9ucr.sys
Deletes itself.
Network activity
Connects to
- 'bi#####i.28naicha.com':26281
- 'bi#####i.28naicha.com':26283
- 'bi#####i.28naicha.com':26282
- '10#.#50.57.11':80
- 'ba##u.com':443
- 'cd########yz.slt.sched.tdnsv8.com':80
- 'ap##.#ame.qq.com':80
- 'sp#.#aidu.com':80
- 'cl####.vbnm34567.xyz':8088
- 'nm#####.hjkl45678.xyz':80
- 'mp####.hjkl45678.xyz':80
- 'do##.onefast.cc':80
TCP
HTTP GET requests
- http://do##.onefast.cc/pgm/mpr/c995ec7fd4f57c0d/e6dbc24ba12a444e.zip
- http://do##.onefast.cc/cfg/cmc/sfbd.txt
- http://do##.onefast.cc/pgm/mds/422ed73a26bc994c/face66c3c8766717d00ff2449308f08ce3f16e91eab26e2f64.zip
- http://do##.onefast.cc/cfg/cmc/b2.txt
- http://11#.#29.100.93/report.php?da##############################################################################################################################################################...
- http://do##.onefast.cc/cfg/cmc/qzpass.txt
- http://1.###.175.101/report/report_data?da#######################################################################################################################################################...
- http://do##.onefast.cc/cfg/cmc/slfdm.txt
- http://do##.onefast.cc/pgm/mds/52408051d2c341e5/3fd88158fb5b2ae009bb1cdc128287d0567f235842d564fb64.zip
- http://do##.onefast.cc/pgm/mds/05631e93ccdb00ee/8f007cd4c25ecb565616f7afc35d8fb3b4ee4662670ddde464.zip
- http://1.###.175.101/report.php?ty###############################################################################################################################################################...
- http://do##.onefast.cc/cfg/pub/ps.json
- http://do##.onefast.cc/cfg/pub/ms.json
- http://do##.onefast.cc/cfg/user/c995ec7fd4f57c0d/e6dbc24ba12a444e.json
- http://do##.onefast.cc/cfg/cmc/blacklist.txt
- http://do##.onefast.cc/cfg/cmc/userpq.zip
- http://do##.onefast.cc/cfg/cmc/wea.txt
- http://do##.onefast.cc/cfg/cmc/chct.txt
Other
- 'bi#####i.28naicha.com':26281
- 'bi#####i.28naicha.com':26283
- 'bi#####i.28naicha.com':26282
- 'ba##u.com':443
UDP
- DNS ASK bi#####i.28naicha.com
- DNS ASK cz.###htgjdf.top
- DNS ASK zq.###lhhjty.top
- DNS ASK mp####.hjkl45678.xyz
- DNS ASK nm#####.hjkl45678.xyz
- DNS ASK 13##.##ljhryrtyr.top
- DNS ASK cl####.vbnm34567.xyz
- DNS ASK sp#.#aidu.com
- DNS ASK lo#.#nefast.cc
- DNS ASK cd########yz.slt.sched.tdnsv8.com
- DNS ASK do##.####ast.cc.cdn.dnsv1.com
- DNS ASK ba##u.com
- DNS ASK ap##.#ame.qq.com
- DNS ASK cf#######40b9826.vbnm34567.xyz
- DNS ASK do##.onefast.cc
- '<LOCALNET>.32.176':48711
- '<LOCALNET>.32.175':36388
- '<LOCALNET>.32.174':40453
- '<LOCALNET>.32.173':61154
- '<LOCALNET>.32.172':65219
- '<LOCALNET>.32.171':52896
- '<LOCALNET>.32.168':27832
- '<LOCALNET>.32.169':31897
- '<LOCALNET>.32.167':40279
- '<LOCALNET>.32.166':36214
- '<LOCALNET>.32.165':48405
- '<LOCALNET>.32.133':18843
- '<LOCALNET>.32.170':56961
- '<LOCALNET>.32.177':44646
- '<LOCALNET>.32.185':40474
- '<LOCALNET>.32.180':52927
- '<LOCALNET>.32.181':56990
- '<LOCALNET>.32.182':61181
- '<LOCALNET>.32.183':65244
- '<LOCALNET>.32.184':36411
- '<LOCALNET>.32.134':21185
- '<LOCALNET>.32.186':44665
- '<LOCALNET>.32.187':48728
- '<LOCALNET>.32.188':20407
- '<LOCALNET>.32.189':24470
- '<LOCALNET>.32.190':64910
- '<LOCALNET>.32.191':60847
- '<LOCALNET>.32.178':24457
- '<LOCALNET>.32.179':20392
- '<LOCALNET>.32.164':44340
- '<LOCALNET>.32.158':14827
- '<LOCALNET>.32.162':52722
- '255.255.255.255':18932
- '<LOCALNET>.32.136':29315
- '<LOCALNET>.32.137':25250
- '<LOCALNET>.32.138':37709
- '<LOCALNET>.32.139':33644
- '<LOCALNET>.32.140':35794
- '<LOCALNET>.32.141':39923
- '<LOCALNET>.32.142':43920
- '<LOCALNET>.32.143':48049
- '<LOCALNET>.32.144':52054
- '<LOCALNET>.32.145':56183
- '<LOCALNET>.32.146':60180
- '<LOCALNET>.32.161':64913
- '<LOCALNET>.32.163':56787
- '<LOCALNET>.32.147':64309
- '<LOCALNET>.32.150':47331
- '<LOCALNET>.32.151':43202
- '<LOCALNET>.32.152':39073
- '<LOCALNET>.32.153':34944
- '<LOCALNET>.32.154':63591
- '<LOCALNET>.32.155':59462
- '<LOCALNET>.32.156':55333
- '<LOCALNET>.32.157':51204
- '<LOCALNET>.32.193':52717
- '<LOCALNET>.32.159':10698
- '<LOCALNET>.32.160':60848
- '<LOCALNET>.32.192':56780
- '<LOCALNET>.32.148':12879
- '<LOCALNET>.32.149':17008
- '<LOCALNET>.32.132':12807
- '<LOCALNET>.32.203':11813
- '<LOCALNET>.32.198':31878
- '<LOCALNET>.32.230':19221
- '<LOCALNET>.32.231':23348
- '<LOCALNET>.32.232':27479
- '<LOCALNET>.32.233':31606
- '<LOCALNET>.32.234':13062
- '<LOCALNET>.32.235':17189
- '<LOCALNET>.32.236':11219
- '<LOCALNET>.32.237':15346
- '<LOCALNET>.32.238':51741
- '<LOCALNET>.32.239':55868
- '<LOCALNET>.32.240':53890
- '<LOCALNET>.32.227':12344
- '<LOCALNET>.32.241':49827
- '<LOCALNET>.32.229':59661
- '<LOCALNET>.32.243':58081
- '<LOCALNET>.32.245':33319
- '<LOCALNET>.32.246':45636
- '<LOCALNET>.32.247':41573
- '<LOCALNET>.32.248':21386
- '<LOCALNET>.32.249':17323
- '<LOCALNET>.32.250':57779
- '<LOCALNET>.32.251':61842
- '<LOCALNET>.32.252':49649
- '<LOCALNET>.32.253':53712
- '<LOCALNET>.32.254':41271
- '23#.#23.112.211':55438
- '<LOCALNET>.32.242':62144
- '<LOCALNET>.32.194':48394
- '<LOCALNET>.32.244':37382
- '<LOCALNET>.32.228':63788
- '<LOCALNET>.32.226':16471
- '<LOCALNET>.32.196':40264
- '<LOCALNET>.32.199':27815
- '<LOCALNET>.32.200':17851
- '<LOCALNET>.32.201':13788
- '<LOCALNET>.32.202':15876
- '<LOCALNET>.32.135':17120
- '<LOCALNET>.32.204':24258
- '<LOCALNET>.32.205':20195
- '<LOCALNET>.32.206':32384
- '<LOCALNET>.32.207':28321
- '<LOCALNET>.32.208':40782
- '<LOCALNET>.32.225':10369
- '<LOCALNET>.32.209':36719
- '<LOCALNET>.32.197':36201
- '<LOCALNET>.32.224':14496
- '<LOCALNET>.32.211':15702
- '<LOCALNET>.32.214':28147
- '<LOCALNET>.32.215':32210
- '<LOCALNET>.32.216':19889
- '<LOCALNET>.32.217':23952
- '<LOCALNET>.32.218':44159
- '<LOCALNET>.32.219':48222
- '<LOCALNET>.32.65':50172
- '<LOCALNET>.32.221':26629
- '<LOCALNET>.32.222':22630
- '<LOCALNET>.32.223':18503
- '<LOCALNET>.32.210':11639
- '<LOCALNET>.32.195':44331
- '<LOCALNET>.32.212':13482
- '<LOCALNET>.32.213':17545
- '<LOCALNET>.32.131':10713
- '<LOCALNET>.32.124':25072
- '<LOCALNET>.32.34':11304
- '<LOCALNET>.32.36':13279
- '<LOCALNET>.32.37':17344
- '<LOCALNET>.32.38':60836
- '<LOCALNET>.32.39':64901
- '<LOCALNET>.32.40':62779
- '<LOCALNET>.32.41':58650
- '<LOCALNET>.32.42':54649
- '<LOCALNET>.32.43':50520
- '<LOCALNET>.32.44':46527
- '<LOCALNET>.32.45':42398
- '<LOCALNET>.32.46':38397
- '<LOCALNET>.32.33':23759
- '<LOCALNET>.32.47':34268
- '<LOCALNET>.32.31':31885
- '<LOCALNET>.32.30':27820
- '<LOCALNET>.32.52':58952
- '<LOCALNET>.32.53':63081
- '<LOCALNET>.32.54':34446
- '<LOCALNET>.32.55':38575
- '<LOCALNET>.32.56':42700
- '<LOCALNET>.32.57':46829
- '<LOCALNET>.32.58':18178
- '<LOCALNET>.32.59':22307
- '<LOCALNET>.32.130':14778
- '<LOCALNET>.32.61':33656
- '<LOCALNET>.32.62':45851
- '<LOCALNET>.32.48':29747
- '<LOCALNET>.32.32':19694
- '<LOCALNET>.32.50':50698
- '<LOCALNET>.32.51':54827
- '<LOCALNET>.32.60':37721
- '<LOCALNET>.32.17':31273
- '<LOCALNET>.32.14':19018
- '<LOCALNET>.32.13':15021
- '<LOCALNET>.32.12':10892
- '<LOCALNET>.32.11':16996
- '<LOCALNET>.32.10':12867
- '<LOCALNET>.32.9':24080
- '<LOCALNET>.32.6':45055
- '<LOCALNET>.32.7':49118
- '<LOCALNET>.32.5':40860
- '<LOCALNET>.32.4':36797
- '<LOCALNET>.32.3':65370
- '<LOCALNET>.32.15':23147
- '<LOCALNET>.32.8':20017
- '<LOCALNET>.32.1':57112
- '<LOCALNET>.32.16':27144
- '<LOCALNET>.32.18':35782
- '<LOCALNET>.32.19':39911
- '<LOCALNET>.32.20':24477
- '<LOCALNET>.32.21':20412
- '<LOCALNET>.32.22':32735
- '<LOCALNET>.32.2':61307
- '<LOCALNET>.32.24':18062
- '<LOCALNET>.32.25':13997
- '<LOCALNET>.32.26':16219
- '<LOCALNET>.32.27':12154
- '<LOCALNET>.32.28':56981
- '<LOCALNET>.32.29':52916
- '<LOCALNET>.32.63':41786
- '<LOCALNET>.32.23':28670
- '<LOCALNET>.32.64':54237
- '<LOCALNET>.32.105':16168
- '<LOCALNET>.32.100':18198
- '<LOCALNET>.32.102':26452
- '<LOCALNET>.32.103':30581
- '<LOCALNET>.32.104':12039
- '<LOCALNET>.32.35':15369
- '<LOCALNET>.32.106':10192
- '<LOCALNET>.32.107':14321
- '<LOCALNET>.32.108':50718
- '<LOCALNET>.32.109':54847
- '<LOCALNET>.32.110':29735
- '<LOCALNET>.32.111':25606
- '<LOCALNET>.32.112':21605
- '<LOCALNET>.32.99':14787
- '<LOCALNET>.32.97':62336
- '<LOCALNET>.32.101':22327
- '<LOCALNET>.32.113':17476
- '<LOCALNET>.32.117':11317
- '<LOCALNET>.32.118':62767
- '<LOCALNET>.32.119':58638
- '<LOCALNET>.32.120':18665
- '<LOCALNET>.32.121':12629
- '<LOCALNET>.32.122':10411
- '<LOCALNET>.32.123':14476
- '<LOCALNET>.32.129':45149
- '<LOCALNET>.32.125':29137
- '<LOCALNET>.32.127':20883
- '<LOCALNET>.32.128':41084
- '<LOCALNET>.32.114':13475
- '<LOCALNET>.32.115':19447
- '<LOCALNET>.32.116':15446
- '<LOCALNET>.32.98':10724
- '<LOCALNET>.32.96':58273
- '<LOCALNET>.32.66':62367
- '<LOCALNET>.32.68':14790
- '<LOCALNET>.32.69':10725
- '<LOCALNET>.32.70':41064
- '<LOCALNET>.32.71':45129
- '<LOCALNET>.32.72':32810
- '<LOCALNET>.32.73':36875
- '<LOCALNET>.32.74':57580
- '<LOCALNET>.32.75':61645
- '<LOCALNET>.32.76':49326
- '<LOCALNET>.32.77':53391
- '<LOCALNET>.32.78':18645
- '<LOCALNET>.32.79':12609
- '<LOCALNET>.32.80':45142
- '<LOCALNET>.32.67':58302
- '<LOCALNET>.32.81':41079
- '<LOCALNET>.32.83':32821
- '<LOCALNET>.32.84':61650
- '<LOCALNET>.32.85':57587
- '<LOCALNET>.32.86':53392
- '<LOCALNET>.32.87':49329
- '<LOCALNET>.32.88':12638
- '<LOCALNET>.32.89':18676
- '<LOCALNET>.32.90':33639
- '<LOCALNET>.32.91':37702
- '<LOCALNET>.32.92':41765
- '<LOCALNET>.32.93':45828
- '<LOCALNET>.32.94':50147
- '<LOCALNET>.32.95':54210
- '<LOCALNET>.32.82':36884
- '<LOCALNET>.32.220':30756
- '<LOCALNET>.32.126':16818
Miscellaneous
Adds a root certificate
Searches for the following windows
- ClassName: 'ProgMan' WindowName: ''
- ClassName: 'SHELLDLL_DefView' WindowName: ''
- ClassName: 'SysListView32' WindowName: ''
- ClassName: 'Dwm' WindowName: 'DWM Notification Window'
Creates and executes the following
- '%WINDIR%\b7d8a\csrss.exe'
- '<SYSTEM32>\ipconfig.exe' /flushdns' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c del <Full path to file> > nul' (with hidden window)
Executes the following
- '%WINDIR%\syswow64\svchost.exe' c7kb4 CSAfMS
- '%WINDIR%\syswow64\cmd.exe' /c del <Full path to file> > nul
- '<SYSTEM32>\rundll32.exe' <SYSTEM32>\FirewallControlPanel.dll,ShowNotificationDialog /configure /ETOnly 0 /OnProfiles 6 /OtherAllowed 0 /OtherBlocked 0 /OtherEdgeAllowed 0 /NewBlocked 4 "%WINDIR%\syswow64\svchost.exe"
- '<SYSTEM32>\ipconfig.exe' /flushdns
- '<SYSTEM32>\rundll32.exe' <SYSTEM32>\FirewallControlPanel.dll,ShowNotificationDialog /configure /ETOnly 0 /OnProfiles 6 /OtherAllowed 0 /OtherBlocked 0 /OtherEdgeAllowed 0 /NewBlocked 4 "%WINDIR%\explorer.exe"
- '<SYSTEM32>\dxdiag.exe'
