Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'MciGkrwk' = '<LS_APPDATA>\eyqtaont\mcigkrwk.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Userinit' = '<SYSTEM32>\userinit.exe,,<LS_APPDATA>\eyqtaont\mcigkrwk.exe'
Creates or modifies the following files:
- %HOMEPATH%\Start Menu\Programs\Startup\mcigkrwk.exe
Malicious functions:
To bypass firewall, removes or modifies the following registry keys:
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'DisableNotifications' = '00000001'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'DoNotAllowExceptions' = '00000000'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'EnableFirewall' = '00000000'
To complicate detection of its presence in the operating system,
blocks the following features:
- User Account Control (UAC)
- Windows Security Center
Creates and executes the following:
- '%TEMP%\ekdbmtyq.exe' admin
- '%TEMP%\ekdbmtyq.exe' elevate
Executes the following:
- '<SYSTEM32>\svchost.exe'
Hooks the following functions in System Service Descriptor Table (SSDT):
- NtOpenKey, handler: tqgnnosw.sys
- NtCreateKey, handler: tqgnnosw.sys
Modifies file system :
Creates the following files:
- %TEMP%\tqgnnosw.sys
- %WINDIR%\Temp\6decd52f
- %WINDIR%\Temp\7fffffb1
- <LS_APPDATA>\eyqtaont\mcigkrwk.exe
- %TEMP%\ekdbmtyq.exe
- %ALLUSERSPROFILE%\Application Data\bjdwbfvf.log
- <LS_APPDATA>\niuydqre.log
Sets the 'hidden' attribute to the following files:
- %HOMEPATH%\Start Menu\Programs\Startup\mcigkrwk.exe
Deletes the following files:
- %TEMP%\tqgnnosw.sys
Network activity:
Connects to:
- 'rk####wmesvwhpc.com':443
- 'sq#####qksckbfrs.com':443
- 'nh###mmg.com':443
- 'wx###fvmqi.com':443
- 'pm####uvmfmcajv.com':443
- '74.##5.232.51':80
- 'ax####yldgeq.com':443
- 'ro####fvclppad.com':443
- 'rw#####huiiucxkfckw.com':443
- 'ue#####jiyxnnvws.com':443
- 'ax####njgrnryt.com':443
UDP:
- DNS ASK ni###bpyig.com
- DNS ASK gh####xplacpt.com
- DNS ASK dt###nnah.com
- DNS ASK rr####myfdrlks.com
- DNS ASK hh#####sbelfwlxywl.com
- DNS ASK ul###fcxfe.com
- DNS ASK je####jagfudj.com
- DNS ASK iy#####ycqvlnrun.com
- DNS ASK sx#####atcldovjljo.com
- DNS ASK oy###kdshy.com
- DNS ASK df#####cgpxdafddnx.com
- DNS ASK ao###touhnv.com
- DNS ASK fu###raut.com
- DNS ASK ed###jyun.com
- DNS ASK lm###eowe.com
- DNS ASK qc#####funtohovjf.com
- DNS ASK aj####etyjkj.com
- DNS ASK ff#####dkpvknrckkog.com
- DNS ASK tb###fsef.com
- DNS ASK wr####jkdhvlw.com
- DNS ASK lh####dlqexik.com
- DNS ASK wm####ffbjsj.com
- DNS ASK kg####finlkn.com
- DNS ASK by###ajwmkl.com
- DNS ASK im####ikfcdp.com
- DNS ASK bing.com
- DNS ASK km####hxqkpop.com
- DNS ASK qd#####cnhbucojk.com
- DNS ASK ex###wbvrb.com
- DNS ASK gv###wrivm.com
- DNS ASK wi####evntsw.com
- DNS ASK sl####fnacvbyj.com
- DNS ASK yn####gopbbplsi.com
- DNS ASK fl###wxtbhv.com
- DNS ASK yy###oxpn.com
- DNS ASK yw####yyvempl.com
- DNS ASK qj#####hlkrkmdbe.com
- DNS ASK cx####xbujjcrxs.com
- DNS ASK gt###tnv.com
- DNS ASK rw####skwvtnfcx.com
- DNS ASK av#####asuslrxswsyp.com
- DNS ASK gv####qxpyrb.com
- DNS ASK vu####rewjwl.com
- DNS ASK yw####qktqxsxkt.com
- DNS ASK wx###fvmqi.com
- DNS ASK nb#####emrpedccrcyp.com
- DNS ASK ij###lsdiw.com
- DNS ASK jh###brcyo.com
- DNS ASK xy####vhkvbje.com
- DNS ASK mg###qfisg.com
- DNS ASK dh#####shdrvpcpp.com
- DNS ASK ax####njgrnryt.com
- DNS ASK ue#####jiyxnnvws.com
- DNS ASK rw#####huiiucxkfckw.com
- DNS ASK ro####fvclppad.com
- DNS ASK ax####yldgeq.com
- DNS ASK nh###mmg.com
- DNS ASK pm####uvmfmcajv.com
- DNS ASK rk####wmesvwhpc.com
- DNS ASK google.com
- DNS ASK sq#####qksckbfrs.com
- DNS ASK sd####elyqary.com
- DNS ASK fu###rdol.com
- DNS ASK tg####ausony.com
- DNS ASK eu###cxqqyg.com
- DNS ASK bo###bjn.com
- DNS ASK fh####ytwhsr.com
- DNS ASK ne###fyokt.com
- DNS ASK ra###hgme.com
- DNS ASK mf###dcelh.com
- DNS ASK ad####bhiwoccqa.com
- DNS ASK in#####lbqalsalowfq.com
- DNS ASK kk###xbsc.com
- DNS ASK hx####mmtdqqvo.com
- DNS ASK jp###ajhhv.com
- DNS ASK nq###nrafsi.com
- DNS ASK tx###wwxfam.com
- DNS ASK vj#####jtbobafxmc.com
- DNS ASK ys###rulyic.com
- DNS ASK ee####jommryy.com
- DNS ASK cn###bnssw.com
- DNS ASK dt#####icjkdetclt.com
Miscellaneous:
Searches for the following windows:
- ClassName: 'Indicator' WindowName: ''
