Technical Information
To ensure autorun and distribution
Sets the following service settings
- [HKLM\SYSTEM\CurrentControlSet\Services\Presentation BranchCache Adapter] 'Start' = '00000002'
- [HKLM\SYSTEM\CurrentControlSet\Services\Presentation BranchCache Adapter] 'ImagePath' = 'C:\inyyqkwqfpgqum\fgjpraqvl.exe'
Creates the following services
- 'Presentation BranchCache Adapter' C:\inyyqkwqfpgqum\fgjpraqvl.exe
Modifies file system
Creates the following files
- %WINDIR%\inyyqkwqfpgqum\amlvxfbucjbn
- C:\inyyqkwqfpgqum\amlvxfbucjbn
- C:\inyyqkwqfpgqum\xsyyem4gbbr5vevtrcm3.exe
- C:\inyyqkwqfpgqum\fgjpraqvl.exe
- C:\inyyqkwqfpgqum\wwyauwdy.exe
- C:\inyyqkwqfpgqum\btcdso5fp
Sets the 'hidden' attribute to the following files
- C:\inyyqkwqfpgqum\fgjpraqvl.exe
- C:\inyyqkwqfpgqum\wwyauwdy.exe
Network activity
Connects to
- 'br####spring.net':80
- 're####spring.net':80
- 'de####success.net':80
- 'st###spring.net':80
- 'bu####ngguard.net':80
- 'mi####traight.net':80
- 'pr###yguard.net':80
- 'br###nfence.net':80
TCP
HTTP GET requests
- http://br####spring.net/index.php
- http://de####success.net/index.php
- http://st###spring.net/index.php
- http://bu####ngguard.net/index.php
- http://mi####traight.net/index.php
- http://pr###yguard.net/index.php
- http://br###nfence.net/index.php
UDP
- DNS ASK fe####spring.net
- DNS ASK do####spring.net
- DNS ASK fe####success.net
- DNS ASK do####success.net
- DNS ASK fe####banker.net
- DNS ASK do####banker.net
- DNS ASK br###nfound.net
- DNS ASK re###tfound.net
- DNS ASK br####spring.net
- DNS ASK re####spring.net
- DNS ASK br####success.net
- DNS ASK re####success.net
- DNS ASK br####banker.net
- DNS ASK re####banker.net
- DNS ASK pr####efound.net
- DNS ASK de###efound.net
- DNS ASK pr####espring.net
- DNS ASK de####spring.net
- DNS ASK pr####esuccess.net
- DNS ASK de####success.net
- DNS ASK pr####ebanker.net
- DNS ASK de####banker.net
- DNS ASK st####thfound.net
- DNS ASK st###found.net
- DNS ASK st####thspring.net
- DNS ASK st###spring.net
- DNS ASK st####thsuccess.net
- DNS ASK st####uccess.net
- DNS ASK st####thbanker.net
- DNS ASK st###banker.net
- DNS ASK mo#####tairplane.net
- DNS ASK ou####eairplane.net
- DNS ASK mo#####tstraight.net
- DNS ASK ou####estraight.net
- DNS ASK mo####ntguard.net
- DNS ASK ou####eguard.net
- DNS ASK mo####ntfence.net
- DNS ASK ou####efence.net
- DNS ASK bu#####gairplane.net
- DNS ASK ev####gairplane.net
- DNS ASK bu#####gstraight.net
- DNS ASK ev####gstraight.net
- DNS ASK bu####ngguard.net
- DNS ASK ev####gguard.net
- DNS ASK bu####ngfence.net
- DNS ASK ev####gfence.net
- DNS ASK st####irplane.net
- DNS ASK mi####irplane.net
- DNS ASK st####traight.net
- DNS ASK mi####traight.net
- DNS ASK st###guard.net
- DNS ASK mi###guard.net
- DNS ASK st###fence.net
- DNS ASK mi###fence.net
- DNS ASK do####airplane.net
- DNS ASK pr####airplane.net
- DNS ASK do####straight.net
- DNS ASK pr####straight.net
- DNS ASK do###rguard.net
- DNS ASK pr###yguard.net
- DNS ASK do###rfence.net
- DNS ASK pr###yfence.net
- DNS ASK fe####airplane.net
- DNS ASK fe####straight.net
- DNS ASK fe###wguard.net
- DNS ASK do###eguard.net
- DNS ASK fe###wfence.net
- DNS ASK do###efence.net
- DNS ASK br####airplane.net
- DNS ASK re####airplane.net
- DNS ASK br####straight.net
- DNS ASK re####straight.net
- DNS ASK br###nguard.net
- DNS ASK re###tguard.net
- DNS ASK br###nfence.net
- DNS ASK re###tfence.net
- DNS ASK pr####eairplane.net
- DNS ASK de####airplane.net
- DNS ASK pr####estraight.net
- DNS ASK de####straight.net
- DNS ASK pr####eguard.net
- DNS ASK de###eguard.net
- DNS ASK pr####efence.net
Miscellaneous
Creates and executes the following
- 'C:\inyyqkwqfpgqum\xsyyem4gbbr5vevtrcm3.exe'
- 'C:\inyyqkwqfpgqum\fgjpraqvl.exe'
- 'C:\inyyqkwqfpgqum\wwyauwdy.exe' "c:\inyyqkwqfpgqum\fgjpraqvl.exe"
