Technical Information
To ensure autorun and distribution
Modifies the following registry keys
- [<HKCU>\software\microsoft\windows\currentversion\run] 'BgkYkAMs.exe' = '%HOMEPATH%\qcgMoIYc\BgkYkAMs.exe'
- [<HKLM>\software\Wow6432Node\microsoft\windows\currentversion\run] 'cUcsEgAE.exe' = '%ALLUSERSPROFILE%\hgEUUkMo\cUcsEgAE.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Userinit' = '<SYSTEM32>\userinit.exe,%ALLUSERSPROFILE%\hgEUUkMo\cUcsEgAE.exe,'
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Userinit' = 'userinit.exe,%ALLUSERSPROFILE%\hgEUUkMo\cUcsEgAE.exe,'
Sets the following service settings
- [<HKLM>\System\CurrentControlSet\Services\zYoUIYCJ] 'Start' = '00000002'
- [<HKLM>\System\CurrentControlSet\Services\zYoUIYCJ] 'ImagePath' = '%ALLUSERSPROFILE%\vUAsAQAI\ZIwkMIUI.exe'
Creates the following services
- 'zYoUIYCJ' %ALLUSERSPROFILE%\vUAsAQAI\ZIwkMIUI.exe
Infects the following executable files
- C:\far2\far.exe
- C:\msocache\all users\{90140000-0011-0000-1000-0000000ff1ce}-c\setup.exe
- C:\msocache\all users\{90140000-0115-0409-1000-0000000ff1ce}-c\dw20.exe
- %ALLUSERSPROFILE%\adobe\arm\s\10428\adobearmhelper.exe
- %ALLUSERSPROFILE%\adobe\setup\{ac76ba86-7ad7-1033-7b44-ac0f074e4100}\setup.exe
Modifies file system
Creates the following files
- %HOMEPATH%\qcgmoiyc\bgkykams
- %ALLUSERSPROFILE%\hgeuukmo\cucsegae
- %HOMEPATH%\qcgmoiyc\bgkykams.exe
- %ALLUSERSPROFILE%\hgeuukmo\cucsegae.exe
- %ALLUSERSPROFILE%\vuasaqai\ziwkmiui.exe
- %ALLUSERSPROFILE%\jisa.txt
- %HOMEPATH%\qcgmoiyc\zwwm.exe
- %HOMEPATH%\qcgmoiyc\dkqe.exe
- %WINDIR%\syswow64\config\systemprofile\qcgmoiyc\bgkykams
- %HOMEPATH%\qcgmoiyc\aqey.exe
- %HOMEPATH%\qcgmoiyc\skaa.exe
- %TEMP%\fcgyskkw.bat
- <PATH_SAMPLE>
- %HOMEPATH%\qcgmoiyc\nkkw.exe
- %HOMEPATH%\qcgmoiyc\bqug.exe
- %ALLUSERSPROFILE%\microsoft\device stage\device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe
Deletes the following files
- %HOMEPATH%\qcgmoiyc\zwwm.exe
- %HOMEPATH%\qcgmoiyc\dkqe.exe
- %HOMEPATH%\qcgmoiyc\aqey.exe
- %HOMEPATH%\qcgmoiyc\skaa.exe
- %TEMP%\fcgyskkw.bat
- %HOMEPATH%\qcgmoiyc\nkkw.exe
- %HOMEPATH%\qcgmoiyc\bqug.exe
Network activity
Connects to
- 'google.com':80
TCP
HTTP GET requests
- / via google.com
UDP
- DNS ASK google.com
Miscellaneous
Searches for the following windows
- ClassName: '' WindowName: 'cUcsEgAE.exe'
- ClassName: '' WindowName: 'Microsoft Windows'
Creates and executes the following
- '%HOMEPATH%\qcgmoiyc\bgkykams.exe'
- '%ALLUSERSPROFILE%\hgeuukmo\cucsegae.exe'
- '%ALLUSERSPROFILE%\vuasaqai\ziwkmiui.exe'
- '%WINDIR%\syswow64\reg.exe' add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1' (with hidden window)
- '%WINDIR%\syswow64\reg.exe' add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f' (with hidden window)
- '%WINDIR%\syswow64\reg.exe' add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2' (with hidden window)
Executes the following
- '%WINDIR%\syswow64\cmd.exe' /c "<PATH_SAMPLE>"
- '%WINDIR%\syswow64\reg.exe' add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
- '%WINDIR%\syswow64\reg.exe' add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
- '%WINDIR%\syswow64\reg.exe' add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
