Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'Call Transaction Encrypting Policy Player' = 'C:\leurfk6jluyrz\xaplviqbgf.exe'
Creates the following services:
- [<HKLM>\SYSTEM\ControlSet001\Services\Auto Problem Keying Connectivity] 'ImagePath' = 'C:\leurfk6jluyrz\xaplviqbgf.exe'
- [<HKLM>\SYSTEM\ControlSet001\Services\Auto Problem Keying Connectivity] 'Start' = '00000002'
Modifies file system:
Creates the following files:
- C:\leurfk6jluyrz\xaplviqbgf.exe
- C:\leurfk6jluyrz\brgouhzabea.exe
- C:\leurfk6jluyrz\aifjyjdfb
- %WINDIR%\leurfk6jluyrz\m0eoceisir
- C:\leurfk6jluyrz\m0eoceisir
- C:\leurfk6jluyrz\encihbt2furwweabr4g.exe
Sets the 'hidden' attribute to the following files:
- C:\leurfk6jluyrz\brgouhzabea.exe
- C:\leurfk6jluyrz\xaplviqbgf.exe
Deletes the following files:
- C:\leurfk6jluyrz\encihbt2furwweabr4g.exe
- %WINDIR%\leurfk6jluyrz\m0eoceisir
Substitutes the following files:
- %WINDIR%\leurfk6jluyrz\m0eoceisir
Network activity:
Connects to:
- 'am#####nebernadine.net':80
- 'al#####raanderson.net':80
- 'ma#####naanderson.net':80
- 'ce#####nebernadine.net':80
- 'am#####neanastacia.net':80
- 'ce#####necharisma.net':80
- 'am#####necharisma.net':80
- 'al#####rabernadine.net':80
- 'ma#####nabernadine.net':80
- 'al#####eranderson.net':80
- 'ma#####nacharisma.net':80
- 'al#####raanastacia.net':80
- 'ma#####naanastacia.net':80
- 'al#####racharisma.net':80
- 'ch#####neanderson.net':80
- 'sh#####leanastacia.net':80
- 'ch#####neanastacia.net':80
- 'sh#####leanderson.net':80
- 'ar#####ldcharisma.net':80
- 'za#####ahbernadine.net':80
- 'ar#####ldbernadine.net':80
- 'ce#####neanderson.net':80
- 'am#####neanderson.net':80
- 'ce#####neanastacia.net':80
- 'ch#####nebernadine.net':80
- 'sh#####lecharisma.net':80
- 'ch#####necharisma.net':80
- 'sh#####lebernadine.net':80
- 'an#####lemillicent.net':80
- 'gu#####enchastity.net':80
- 'an#####lechastity.net':80
- 'gu#####enmillicent.net':80
- 'gw#####reernestine.net':80
- 'gu#####entennyson.net':80
- 'an#####letennyson.net':80
- 'ch#####lemillicent.net':80
- 'ge#####namillicent.net':80
- 'ch#####lechastity.net':80
- 'ge#####natennyson.net':80
- 'gu#####enernestine.net':80
- 'an#####leernestine.net':80
- 'ch#####letennyson.net':80
- 'ka#####necharisma.net':80
- 'al#####erbernadine.net':80
- 'ka#####nebernadine.net':80
- 'al#####ercharisma.net':80
- 'ka#####neanderson.net':80
- 'al#####eranastacia.net':80
- 'ka#####neanastacia.net':80
- 'ch#####anchastity.net':80
- 'gw#####rechastity.net':80
- 'ch#####anernestine.net':80
- 'gw#####remillicent.net':80
- 'ch#####antennyson.net':80
- 'gw#####retennyson.net':80
- 'ch#####anmillicent.net':80
TCP:
HTTP GET requests:
- http://am#####nebernadine.net/index.php
- http://al#####raanderson.net/index.php
- http://ma#####naanderson.net/index.php
- http://ce#####nebernadine.net/index.php
- http://am#####neanastacia.net/index.php
- http://ce#####necharisma.net/index.php
- http://am#####necharisma.net/index.php
- http://al#####rabernadine.net/index.php
- http://ma#####nabernadine.net/index.php
- http://al#####eranderson.net/index.php
- http://ma#####nacharisma.net/index.php
- http://al#####raanastacia.net/index.php
- http://ma#####naanastacia.net/index.php
- http://al#####racharisma.net/index.php
- http://ch#####neanderson.net/index.php
- http://sh#####leanastacia.net/index.php
- http://ch#####neanastacia.net/index.php
- http://sh#####leanderson.net/index.php
- http://ar#####ldcharisma.net/index.php
- http://za#####ahbernadine.net/index.php
- http://ar#####ldbernadine.net/index.php
- http://ce#####neanderson.net/index.php
- http://am#####neanderson.net/index.php
- http://ce#####neanastacia.net/index.php
- http://ch#####nebernadine.net/index.php
- http://sh#####lecharisma.net/index.php
- http://ch#####necharisma.net/index.php
- http://sh#####lebernadine.net/index.php
- http://an#####lemillicent.net/index.php
- http://gu#####enchastity.net/index.php
- http://an#####lechastity.net/index.php
- http://gu#####enmillicent.net/index.php
- http://gw#####reernestine.net/index.php
- http://gu#####entennyson.net/index.php
- http://an#####letennyson.net/index.php
- http://ch#####lemillicent.net/index.php
- http://ge#####namillicent.net/index.php
- http://ch#####lechastity.net/index.php
- http://ge#####natennyson.net/index.php
- http://gu#####enernestine.net/index.php
- http://an#####leernestine.net/index.php
- http://ch#####letennyson.net/index.php
- http://ka#####necharisma.net/index.php
- http://al#####erbernadine.net/index.php
- http://ka#####nebernadine.net/index.php
- http://al#####ercharisma.net/index.php
- http://ka#####neanderson.net/index.php
- http://al#####eranastacia.net/index.php
- http://ka#####neanastacia.net/index.php
- http://ch#####anchastity.net/index.php
- http://gw#####rechastity.net/index.php
- http://ch#####anernestine.net/index.php
- http://gw#####remillicent.net/index.php
- http://ch#####antennyson.net/index.php
- http://gw#####retennyson.net/index.php
- http://ch#####anmillicent.net/index.php
UDP:
- DNS ASK ce#####nebernadine.net
- DNS ASK am#####nebernadine.net
- DNS ASK al#####raanderson.net
- DNS ASK am#####necharisma.net
- DNS ASK ce#####neanastacia.net
- DNS ASK am#####neanastacia.net
- DNS ASK ce#####necharisma.net
- DNS ASK ma#####nacharisma.net
- DNS ASK al#####rabernadine.net
- DNS ASK ma#####nabernadine.net
- DNS ASK al#####racharisma.net
- DNS ASK ma#####naanderson.net
- DNS ASK al#####raanastacia.net
- DNS ASK ma#####naanastacia.net
- DNS ASK sh#####leanderson.net
- DNS ASK ch#####neanderson.net
- DNS ASK sh#####leanastacia.net
- DNS ASK ar#####ldbernadine.net
- DNS ASK za#####ahcharisma.net
- DNS ASK ar#####ldcharisma.net
- DNS ASK za#####ahbernadine.net
- DNS ASK ch#####nebernadine.net
- DNS ASK ce#####neanderson.net
- DNS ASK am#####neanderson.net
- DNS ASK sh#####lebernadine.net
- DNS ASK ch#####neanastacia.net
- DNS ASK sh#####lecharisma.net
- DNS ASK ch#####necharisma.net
- DNS ASK al#####eranderson.net
- DNS ASK an#####lemillicent.net
- DNS ASK gu#####enchastity.net
- DNS ASK an#####lechastity.net
- DNS ASK gu#####enmillicent.net
- DNS ASK gw#####reernestine.net
- DNS ASK gu#####entennyson.net
- DNS ASK an#####letennyson.net
- DNS ASK ch#####lemillicent.net
- DNS ASK ge#####namillicent.net
- DNS ASK ch#####lechastity.net
- DNS ASK ge#####natennyson.net
- DNS ASK gu#####enernestine.net
- DNS ASK an#####leernestine.net
- DNS ASK ch#####letennyson.net
- DNS ASK ka#####necharisma.net
- DNS ASK al#####erbernadine.net
- DNS ASK ka#####nebernadine.net
- DNS ASK al#####ercharisma.net
- DNS ASK ka#####neanderson.net
- DNS ASK al#####eranastacia.net
- DNS ASK ka#####neanastacia.net
- DNS ASK ch#####anchastity.net
- DNS ASK gw#####rechastity.net
- DNS ASK ch#####anernestine.net
- DNS ASK gw#####remillicent.net
- DNS ASK ch#####antennyson.net
- DNS ASK gw#####retennyson.net
- DNS ASK ch#####anmillicent.net
Miscellaneous:
Creates and executes the following:
- 'C:\leurfk6jluyrz\brgouhzabea.exe' "c:\leurfk6jluyrz\xaplviqbgf.exe"
- 'C:\leurfk6jluyrz\xaplviqbgf.exe'
- 'C:\leurfk6jluyrz\encihbt2furwweabr4g.exe'
