Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'Human BitLocker Remote Block Credential' = '<SYSTEM32>\gkwyhup.exe'
Creates the following services:
- [<HKLM>\SYSTEM\ControlSet001\Services\Secondary Firewall Backup Audio Debugger] 'Start' = '00000002'
Malicious functions:
To complicate detection of its presence in the operating system,
blocks the following features:
- Windows Security Center
Creates and executes the following:
- '%WINDIR%\Temp\b8afzl45g7iw.exe' -r 39185 tcp
- '%WINDIR%\Temp\b8afzl4nidiw.exe' -r 41100 tcp
- '<SYSTEM32>\zkggapxrk.exe' "<SYSTEM32>\gkwyhup.exe"
- '%TEMP%\b8afzl41m6iwy5id1lus.exe'
- '<SYSTEM32>\gkwyhup.exe'
Modifies file system :
Creates the following files:
- <SYSTEM32>\ksqbbjyeewzsy\cfg
- <SYSTEM32>\ksqbbjyeewzsy\run
- %WINDIR%\Temp\b8afzl45g7iw.exe
- <SYSTEM32>\ksqbbjyeewzsy\por
- %WINDIR%\Temp\b8afzl4nidiw.exe
- <SYSTEM32>\ksqbbjyeewzsy\rng
- %TEMP%\b8afzl41m6iwy5id1lus.exe
- <SYSTEM32>\ksqbbjyeewzsy\tst
- <SYSTEM32>\ksqbbjyeewzsy\etc
- <SYSTEM32>\zkggapxrk.exe
- <SYSTEM32>\gkwyhup.exe
Sets the 'hidden' attribute to the following files:
- <SYSTEM32>\zkggapxrk.exe
- <SYSTEM32>\gkwyhup.exe
Deletes the following files:
- %WINDIR%\Temp\b8afzl45g7iw.exe
- %WINDIR%\Temp\b8afzl4nidiw.exe
- <DRIVERS>\etc\hosts
- %TEMP%\b8afzl41m6iwy5id1lus.exe
Substitutes the HOSTS file.
Network activity:
Connects to:
- 'tr###usual.net':80
- 'ta###loor.net':80
- 'tr###could.net':80
- 'yo###sual.net':80
- 'wa###hade.net':80
- 'ta###ross.net':80
- 'wa###loor.net':80
- 'ta###hade.net':80
- 'lr###usual.net':80
- 'yo###rave.net':80
- 'lr###could.net':80
- 'vi###sual.net':80
- 'tr###teach.net':80
- 'yo###ould.net':80
- 'tr###grave.net':80
- 'yo###each.net':80
- 'da###ekilai.com':80
- 'ta###fruit.net':80
- 'pi###cross.net':80
- 'la###onea.com':80
- 'fr###secas.com':80
- 'ka####ndertu.com':80
- 'st###march.net':80
- 'ju###ray.net':80
- 'wa###hrew.net':80
- 'mu###loor.net':80
- 'wa###ross.net':80
- 'ta###hrew.net':80
- 'pi###shade.net':80
- 'mu###ross.net':80
- 'pi###floor.net':80
- 'mu###hade.net':80
TCP:
HTTP GET requests:
- tr###usual.net/forum/search.php?me#########################################
- ta###loor.net/forum/search.php?me#########################################
- tr###could.net/forum/search.php?me#########################################
- yo###sual.net/forum/search.php?me#########################################
- wa###hade.net/forum/search.php?me#########################################
- ta###ross.net/forum/search.php?me#########################################
- wa###loor.net/forum/search.php?me#########################################
- ta###hade.net/forum/search.php?me#########################################
- lr###usual.net/forum/search.php?me#########################################
- yo###rave.net/forum/search.php?me#########################################
- lr###could.net/forum/search.php?me#########################################
- vi###sual.net/forum/search.php?me#########################################
- tr###teach.net/forum/search.php?me#########################################
- yo###ould.net/forum/search.php?me#########################################
- tr###grave.net/forum/search.php?me#########################################
- yo###each.net/forum/search.php?me#########################################
- da###ekilai.com/forum/search.php?me#########################################
- ta###fruit.net/forum/search.php?me#########################################
- pi###cross.net/forum/search.php?me#########################################
- la###onea.com/forum/search.php?me#########################################
- fr###secas.com/forum/search.php?me#########################################
- ka####ndertu.com/forum/search.php?me#########################################
- st###march.net/forum/search.php?me#########################################
- ju###ray.net/forum/search.php?me#########################################
- wa###hrew.net/forum/search.php?me#########################################
- mu###loor.net/forum/search.php?me#########################################
- wa###ross.net/forum/search.php?me#########################################
- ta###hrew.net/forum/search.php?me#########################################
- pi###shade.net/forum/search.php?me#########################################
- mu###ross.net/forum/search.php?me#########################################
- pi###floor.net/forum/search.php?me#########################################
- mu###hade.net/forum/search.php?me#########################################
UDP:
- DNS ASK tr###usual.net
- DNS ASK ta###loor.net
- DNS ASK tr###could.net
- DNS ASK yo###sual.net
- DNS ASK wa###hade.net
- DNS ASK ta###ross.net
- DNS ASK wa###loor.net
- DNS ASK ta###hade.net
- DNS ASK yo###ould.net
- DNS ASK vi###sual.net
- DNS ASK lr###usual.net
- DNS ASK vi###ould.net
- DNS ASK lr###could.net
- DNS ASK yo###each.net
- DNS ASK tr###teach.net
- DNS ASK yo###rave.net
- DNS ASK tr###grave.net
- DNS ASK da###ekilai.com
- DNS ASK ta###fruit.net
- DNS ASK pi###cross.net
- DNS ASK la###onea.com
- DNS ASK fr###secas.com
- DNS ASK ka####ndertu.com
- DNS ASK st###march.net
- DNS ASK ju###ray.net
- DNS ASK wa###hrew.net
- DNS ASK mu###loor.net
- DNS ASK wa###ross.net
- DNS ASK ta###hrew.net
- DNS ASK pi###shade.net
- DNS ASK mu###ross.net
- DNS ASK pi###floor.net
- DNS ASK mu###hade.net
- '23#.#55.255.250':1900
