Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'Desktop Publication Now Process Shadow PC' = '<SYSTEM32>\zihnehan.exe'
Creates the following services:
- [<HKLM>\SYSTEM\ControlSet001\Services\Font Experience WWAN Cryptographic] 'ImagePath' = '<SYSTEM32>\zihnehan.exe'
- [<HKLM>\SYSTEM\ControlSet001\Services\Font Experience WWAN Cryptographic] 'Start' = '00000002'
Malicious functions:
To complicate detection of its presence in the operating system,
blocks the following features:
- Windows Security Center
Executes the following:
- '%WINDIR%\Temp\qugarpm22p2gozhrf.exe' -r 43836 tcp
- '%WINDIR%\Temp\qugarppjn908ozhrf.exe' -r 33114 tcp
- '%WINDIR%\Temp\qugarplba816ozhrf.exe' -r 38980 tcp
- '%WINDIR%\Temp\qugarpft3edkozhrf.exe' -r 45240 tcp
- '%WINDIR%\Temp\qugarplw852eozhrf.exe' -r 39072 tcp
- '%WINDIR%\Temp\qugarptvq7deozhrf.exe' -r 50763 tcp
- '%WINDIR%\Temp\qugarpsmbzz5ozhrf.exe' -r 48884 tcp
- '%WINDIR%\Temp\qugarp3w38vaozhrf.exe' -r 34433 tcp
- '%WINDIR%\Temp\qugarpogtnsjozhrf.exe' -r 52424 tcp
- '<SYSTEM32>\sjlxaxzxid.exe' "<SYSTEM32>\zihnehan.exe"
- '%WINDIR%\Temp\qugarpln7sozhrf.exe' -r 23543 tcp
- '%TEMP%\qugarp9l6g37ozhrfvqpcq1.exe'
- '<SYSTEM32>\zihnehan.exe'
- '%WINDIR%\Temp\qugarpp9cojjozhrf.exe' -r 34578 tcp
- '%WINDIR%\Temp\qugarpgcyy4eozhrf.exe' -r 27112 tcp
- '%WINDIR%\Temp\qugarpgcuqcwozhrf.exe' -r 28137 tcp
- '%WINDIR%\Temp\qugarp51hd0cozhrf.exe' -r 24123 tcp
- '%WINDIR%\Temp\qugarpvmdkq0ozhrf.exe' -r 21760 tcp
Modifies file system:
Creates the following files:
- %WINDIR%\Temp\qugarpft3edkozhrf.exe
- %WINDIR%\Temp\qugarpm22p2gozhrf.exe
- %WINDIR%\Temp\qugarplba816ozhrf.exe
- %WINDIR%\Temp\qugarpgcyy4eozhrf.exe
- %WINDIR%\Temp\qugarpgcuqcwozhrf.exe
- %WINDIR%\Temp\qugarppjn908ozhrf.exe
- %WINDIR%\Temp\qugarptvq7deozhrf.exe
- %WINDIR%\Temp\qugarpsmbzz5ozhrf.exe
- %WINDIR%\Temp\qugarpogtnsjozhrf.exe
- %WINDIR%\Temp\qugarplw852eozhrf.exe
- %WINDIR%\Temp\qugarp3w38vaozhrf.exe
- <SYSTEM32>\sjlxaxzxid.exe
- <SYSTEM32>\otcpthofnbv\rng
- <SYSTEM32>\zihnehan.exe
- <SYSTEM32>\otcpthofnbv\tst
- %TEMP%\qugarp9l6g37ozhrfvqpcq1.exe
- <SYSTEM32>\otcpthofnbv\run
- %WINDIR%\Temp\qugarp51hd0cozhrf.exe
- %WINDIR%\Temp\qugarpvmdkq0ozhrf.exe
- %WINDIR%\Temp\qugarpp9cojjozhrf.exe
- <SYSTEM32>\otcpthofnbv\cfg
- %WINDIR%\Temp\qugarpln7sozhrf.exe
Sets the 'hidden' attribute to the following files:
- <SYSTEM32>\sjlxaxzxid.exe
- <SYSTEM32>\zihnehan.exe
Deletes the following files:
- %WINDIR%\Temp\qugarppjn908ozhrf.exe
- %WINDIR%\Temp\qugarpm22p2gozhrf.exe
- %WINDIR%\Temp\qugarpft3edkozhrf.exe
- %WINDIR%\Temp\qugarplw852eozhrf.exe
- %WINDIR%\Temp\qugarptvq7deozhrf.exe
- %WINDIR%\Temp\qugarpogtnsjozhrf.exe
- %WINDIR%\Temp\qugarp3w38vaozhrf.exe
- %WINDIR%\Temp\qugarplba816ozhrf.exe
- %WINDIR%\Temp\qugarpp9cojjozhrf.exe
- %WINDIR%\Temp\qugarpln7sozhrf.exe
- %TEMP%\qugarp9l6g37ozhrfvqpcq1.exe
- %WINDIR%\Temp\qugarp51hd0cozhrf.exe
- %WINDIR%\Temp\qugarpgcuqcwozhrf.exe
- %WINDIR%\Temp\qugarpgcyy4eozhrf.exe
- %WINDIR%\Temp\qugarpvmdkq0ozhrf.exe
Network activity:
Connects to:
- 'mi####pecial.net':80
- 'ri###nstorm.net':80
- 'do####object.net':80
- 'br###nthird.net':80
TCP:
HTTP GET requests:
- http://mi####pecial.net/index.php
- http://ri###nstorm.net/index.php
- http://do####object.net/index.php
- http://br###nthird.net/index.php
UDP:
- DNS ASK mi####pecial.net
- DNS ASK ri###nstorm.net
- DNS ASK du#####llamartinson.net
- DNS ASK do####object.net
- DNS ASK br###nthird.net
- '23#.#55.255.250':1900
