Technical Information
To ensure autorun and distribution
Sets the following service settings
- [HKLM\System\CurrentControlSet\Services\fmlZBRzyOF] 'ImagePath' = '%WINDIR%\syswow64\8gqyRUvCbO.sys'
- [HKLM\System\CurrentControlSet\Services\cyRedirect] 'Start' = '00000001'
- [HKLM\System\CurrentControlSet\Services\cyRedirect] 'ImagePath' = 'system32\drivers\cyRedirect.sys'
Creates the following services
- 'fmlZBRzyOF' %WINDIR%\syswow64\8gqyRUvCbO.sys
- 'cyRedirect' system32\drivers\cyRedirect.sys
Malicious functions
Sets a new unauthorized home page for Windows Internet Explorer.
Modifies file system
Creates the following files
- D:\windows\rscst.dll
- D:\windows\powgq\dtprd\ca.srl
- D:\windows\powgq\dtprd\encryptapi.dll
- D:\windows\powgq\dtprd\iframe.html
- D:\users\user\ntuser.dat
- D:\windows\powgq\dtprd\libcrypto-1_1.dll
- D:\windows\system32\winevt\logs\microsoft-windows-networkprofile%4operational.evtx
- D:\windows\powgq\dtprd\libcurl.dll
- D:\windows\powgq\dtprd\libssl-1_1.dll
- D:\windows\powgq\dtprd\nfapi.dll
- D:\windows\powgq\dtprd\openssl.exe
- D:\windows\powgq\dtprd\redirect.ini
- D:\windows\powgq\dtprd\server.csr
- D:\windows\powgq\dtprd\ca.crt
- D:\windows\powgq\dtprd\ca.key
- D:\windows\powgq\dtprd\server.key
- D:\windows\system32\drivers\cyredirect.sys
- D:\windows\powgq\hgjjsh\3.gif
- D:\windows\temp\uddf90f.tmp
- D:\windows\powgq\dtprd\log\rd_[2023-04-16-19.15.25].log
- dycontrolcyredirect
- D:\users\user\appdata\roaming\redirect\config.zip
- D:\windows\powgq\hgjjsh\4.gif
- D:\windows\system32\winevt\logs\microsoft-windows-windows firewall with advanced security%4firewall.evtx
- D:\programdata\microsoft\search\data\applications\windows\gatherlogs\systemindex\systemindex.3.gthr
- D:\programdata\microsoft\search\data\applications\windows\gatherlogs\systemindex\systemindex.3.crwl
- D:\windows\powgq\hgjjsh\5.gif
- D:\windows\powgq\hgjjsh\6.png
- D:\windows\system32\winevt\logs\application.evtx
- D:\windows\powgq\hgjjsh\2.png
- D:\windows\powgq\dtprd\drivers\win7\cyredirect.sys
- D:\windows\powgq\dtprd\drivers\win10\cyredirect.sys
- D:\windows\powgq\dtprd\zlibwapi.dll
- D:\users\user\appdata\local\microsoft\windows\usrclass.dat
- D:\windows\powgq\txchx.dll
- D:\windows\powgq\tnvci.dll
- D:\windows\log1.txt
- D:\windows\powgq\kjcrc.dll
- D:\system volume information\syscache.hve.log1
- D:\system volume information\syscache.hve
- D:\windows\syswow64\8gqyruvcbo.sys
- D:\windows\system32\config\system.log1
- D:\windows\system32\config\system
- D:\windows\temp\udd8fa2.tmp
- D:\users\user\favorites\links\web slice gallery.url
- D:\windows\powgq\hgjjsh\twehq.png
- D:\users\user\appdata\local\microsoft\windows\usrclass.dat.log1
- D:\windows\powgq\pxcdr.exe
- D:\users\public\desktop\firefox.lnk
- D:\users\user\appdata\roaming\microsoft\internet explorer\quick launch\google chrome.lnk
- D:\users\user\appdata\roaming\microsoft\internet explorer\quick launch\launch internet explorer browser.lnk
- D:\windows\serviceprofiles\localservice\appdata\local\lastalive0.dat
- D:\windows\system32\config\software.log1
- D:\windows\system32\config\software
- D:\users\user\appdata\roaming\mozilla\firefox\profiles\0j9e9tku.default-release\sitesecurityservicestate.txt
- D:\windows\system32\winevt\logs\system.evtx
- D:\windows\system32\winevt\logs\security.evtx
- D:\windows\powgq\hgjjsh\1.png
- D:\windows\appcompat\programs\recentfilecache.bcf
- D:\users\user\ntuser.dat.log1
- D:\windows\powgq\dtprd\tprd.exe
- D:\users\user\desktop\google chrome.lnk
- D:\windows\serviceprofiles\localservice\appdata\local\lastalive1.dat
- D:\windows\powgq\hgjjsh\7.gif
Sets the 'hidden' attribute to the following files
- D:\windows\log1.txt
Deletes the following files
- D:\windows\rscst.dll
- D:\windows\powgq\tnvci.dll
- D:\windows\powgq\kjcrc.dll
- D:\windows\temp\udd8fa2.tmp
- D:\windows\syswow64\8gqyruvcbo.sys
- D:\windows\powgq\txchx.dll
- D:\windows\powgq\hgjjsh\twehq.png
- D:\windows\powgq\pxcdr.exe
- D:\windows\temp\uddf90f.tmp
- D:\users\user\appdata\roaming\redirect\config.zip
Substitutes the following files
- D:\windows\powgq\kjcrc.dll
- D:\windows\powgq\pxcdr.exe
Network activity
Connects to
- 'ud#.#xwan.com':80
- 'dl#.#xwan.com':80
- 'mg.#636.com':80
- 're####ct.5636.com':80
TCP
HTTP GET requests
- http://ud#.#xwan.com/index/getcfg?id######
- http://dl#.#xwan.com/d2/CDClient.dll
- http://dl#.#xwan.com/d2/x64.dll
- http://dl#.#xwan.com/d2/yxtc.dat
- http://dl#.#xwan.com/d2/tprd.exe
- http://mg.#636.com/web/upload/ico/f3b76bcb-4678-4fff-be72-4e400fd0eafa.png
- http://mg.#636.com/web/upload/ico/5aabe2a9-2377-4a88-b329-77490428d103.png
- http://mg.#636.com/web/upload/ico/7d4e133c-9b96-4c7c-aebd-5d05d43eadd0.gif
- http://re####ct.5636.com/config.gz?m=################################
- http://mg.#636.com/web/upload/ico/2805ab14-528e-4966-b733-1501af517ff5.gif
- http://mg.#636.com/web/upload/ico/2cd5597b-0c6f-4d0f-9f7a-4e73ca405787.gif
- http://mg.#636.com/web/upload/ico/835935be-cfbd-4542-9ed6-5eacb43a8d9c.png
- http://mg.#636.com/web/upload/ico/02a2295e-a634-4f9a-949b-a4ea996fe6dd.gif
HTTP POST requests
- http://re####ct.5636.com/ini
- http://re####ct.5636.com/log
- http://re####ct.5636.com/hbt
Other
- 'localhost':49158
- '34.##1.73.144':443
- '34.##0.144.191':443
- '35.##1.9.150':443
UDP
- DNS ASK ud#.#xwan.com
- DNS ASK dl#.#xwan.com
- DNS ASK mg.#636.com
- DNS ASK re####ct.5636.com
- '255.255.255.255':60613
Miscellaneous
Adds a root certificate
Searches for the following windows
- ClassName: 'STATIC' WindowName: '5813300E9036600E916CC0'
- ClassName: 'STATIC' WindowName: '09499000E1923100E32562'
- ClassName: 'Progman' WindowName: 'Program Manager'
- ClassName: 'SHELLDLL_DefView' WindowName: ''
- ClassName: 'SysListView32' WindowName: 'FolderView'
- ClassName: 'TApplication' WindowName: 'eyoorun'
- ClassName: 'EDIT' WindowName: ''
Creates and executes the following
- 'D:\windows\powgq\dtprd\tprd.exe'
- 'D:\windows\syswow64\cmd.exe' rmdir /s /q "C:\Users\user\AppData\Roaming\redirect"' (with hidden window)
